The person responsible for engagement communication distribution should be the
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. Show
Interpretation The internal audit activity is effectively managed when:
The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance. 2010 – PlanningThe chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals. InterpretationTo develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. 2020 – Communication and Approval The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations. 2030 – Resource ManagementThe chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. InterpretationAppropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan. 2040 – Policies and ProceduresThe chief audit executive must establish policies and procedures to guide the internal audit activity. InterpretationThe form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work. 2050 – Coordination and RelianceThe chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts. InterpretationIn coordinating activities, the chief audit executive may rely on the work of other assurance and consulting service providers. A consistent process for the basis of reliance should be established, and the chief audit executive should consider the competency, objectivity, and due professional care of the assurance and consulting service providers. The chief audit executive should also have a clear understanding of the scope, objectives, and results of the work performed by other providers of assurance and consulting services. Where reliance is placed on the work of others, the chief audit executive is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity. 2060 – Reporting to Senior Management and the BoardThe chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board. InterpretationThe frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board. The frequency and content of reporting depends on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board. The chief audit executive’s reporting and communication to senior management and the board must include information about:
These and other chief audit executive communication requirements are referenced throughout the Standards. 2070 – External Service Provider and Organizational Responsibility for Internal AuditingWhen an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity. InterpretationThis responsibility is demonstrated through the quality assurance and improvement program which assesses conformance with the Code of Ethics and the Standards. 2100 – Nature of WorkThe internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact. 2110 – GovernanceThe internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for:
2110.A1 - The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities. 2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives. 2120 – Risk ManagementThe internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. InterpretationDetermining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness. Risk management processes are monitored through ongoing management activities, separate evaluations, or both. 2130 – Control The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. 2200 – Engagement Planning Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement. 2201 – Planning ConsiderationsIn planning the engagement, internal auditors must consider:
2201.A1 - When planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records. 2201.C1 - Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented. 2210 – Engagement ObjectivesObjectives must be established for each engagement. 2220 – Engagement Scope The established scope must be sufficient to achieve the objectives of the engagement. 2230 – Engagement Resource Allocation Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. InterpretationAppropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quantity of resources needed to accomplish the engagement with due professional care. 2240 – Engagement Work ProgramInternal auditors must develop and document work programs that achieve the engagement objectives. 2300 – Performing the Engagement Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives. 2310 – Identifying InformationInternal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives. InterpretationSufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals. 2320 – Analysis and EvaluationInternal auditors must base conclusions and engagement results on appropriate analyses and evaluations. 2330 – Documenting InformationInternal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions. 2340 – Engagement Supervision Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed. InterpretationThe extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained. 2400 – Communicating ResultsInternal auditors must communicate the results of engagements. 2410 – Criteria for CommunicatingCommunications must include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans. 2420 – Quality of Communications Communications must be accurate, objective, clear, concise, constructive, complete, and timely. InterpretationAccurate communications are free from errors and distortions and are faithful to the underlying facts. Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances. Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information. Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed. Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions. Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action. 2421 – Errors and OmissionsIf a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication. 2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”Indicating that engagements are "conducted in conformance with the International Standards for the Professional Practice of Internal Auditing" is appropriate only if supported by the results of the quality assurance and improvement program. 2431 – Engagement Disclosure of NonconformanceWhen nonconformance with the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the:
The chief audit executive must communicate results to the appropriate parties. InterpretationThe chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility. 2450 – Overall Opinions When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organization; and the expectations of senior management, the board, and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant, and useful information. InterpretationThe communication will include:
The reasons for an unfavorable overall opinion must be stated. 2500 – Monitoring ProgressThe chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. 2500.A1- The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. 2600 – Communicating the Acceptance of Risks When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board. InterpretationThe identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk. Who is responsible for reviewing and approving the final engagement communication?The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility. 2440.
Which of the following should be communicated by the auditor to the audit committee?09 The auditor should communicate to the audit committee an overview of the overall audit strategy, including the timing of the audit,7 and discuss with the audit committee the significant risks identified during the auditor's risk assessment procedures.
Which one of the following is an appropriate statement of an engagement objective?Which of the following is an appropriate statement of an engagement objective? To determine whether inventory stocks are sufficient to meet projected sales.
Which engagement planning tool is general in nature?Which internal audit planning tool is general in nature and is used to ensure adequate engagement coverage over time? The Audit Plan.
|