IIA standards

Date post: 22-Jan-2015
Page 1: IIA standards

IIA Standards Evaluation

ABC ORGANIZATION

Tool 19

ACKNOWLEDGEMENTS

This is a revision of Tool 19, released in August 2006, intended to provide a more standardized and Standards-based approach that facilitates the consistent evaluation of conformance to the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (Standards) by internal audit activities undergoing quality assessments. This revised control plan, adapted from similar methods used by affiliates in France (IFACI), Germany (IRR), Belgium, and South Africa, was prepared by a task force of the IIA's Committee on Quality, with special assistance from Deborah F. Ridel, CISA, and Ronald J. Ridel, CISA.

TOOL 19 – STANDARDS COMPLIANCE EVALUATION SUMMARY (Circle Evaluator's Decision)

OVERALL EVALUATION                                                  GC  PC  DNC

1. ATTRIBUTE STANDARDS                                              GC  PC  DNC
   1000 Purpose, Authority, and Responsibility (Charter)            GC  PC  DNC
   1100 Independence and Objectivity                                GC  PC  DNC
        1110 Organizational Independence                            GC  PC  DNC
        1120 Individual Objectivity                                 GC  PC  DNC
        1130 Impairments to Independence or Objectivity             GC  PC  DNC
   1200 Proficiency and Due Professional Care                       GC  PC  DNC
        1210 Proficiency                                            GC  PC  DNC
        1220 Due Professional Care                                  GC  PC  DNC
        1230 Continuing Professional Development                    GC  PC  DNC
   1300 Quality Assurance and Improvement Program                   GC  PC  DNC
        1310 Quality Program Assessments                            GC  PC  DNC
        1311 Internal Assessments                                   GC  PC  DNC
        1312 External Assessments                                   GC  PC  DNC
        1320 Reporting on the Quality Program                       GC  PC  DNC
        1330 Use of "Conducted in Accordance with the Standards"    GC  PC  DNC
        1340 Disclosure of Noncompliance                            GC  PC  DNC

2. PERFORMANCE STANDARDS                                            GC  PC  DNC
   2000 Managing the Internal Audit Activity                        GC  PC  DNC
        2010 Planning                                               GC  PC  DNC
        2020 Communication and Approval                             GC  PC  DNC
        2030 Resource Management                                    GC  PC  DNC
        2040 Policies and Procedures                                GC  PC  DNC
        2050 Coordination                                           GC  PC  DNC
        2060 Reporting to the Board and Senior Management           GC  PC  DNC
   2100 Nature of Work                                              GC  PC  DNC
        2110 Risk Management                                        GC  PC  DNC
        2120 Control                                                GC  PC  DNC
        2130 Governance                                             GC  PC  DNC
   2200 Engagement Planning                                         GC  PC  DNC
        2201 Planning Considerations                                GC  PC  DNC
        2210 Engagement Objectives                                  GC  PC  DNC
        2220 Engagement Scope                                       GC  PC  DNC
        2230 Engagement Resource Allocation                         GC  PC  DNC
        2240 Engagement Work Program                                GC  PC  DNC
   2300 Performing the Engagement                                   GC  PC  DNC
        2310 Identifying Information                                GC  PC  DNC
        2320 Analysis and Evaluation                                GC  PC  DNC
        2330 Recording Information                                  GC  PC  DNC
        2340 Engagement Supervision                                 GC  PC  DNC
   2400 Communicating Results                                       GC  PC  DNC
        2410 Criteria for Communicating                             GC  PC  DNC
        2420 Quality of Communications                              GC  PC  DNC
        2421 Errors and Omissions                                   GC  PC  DNC
        2430 Engagement Disclosure of Noncompliance with Standards  GC  PC  DNC
        2440 Disseminating Results                                  GC  PC  DNC
   2500 Monitoring Progress                                         GC  PC  DNC
   2600 Management's Acceptance of Risks                            GC  PC  DNC

3. IIA CODE OF ETHICS                                               GC  PC  DNC

Evaluator's name/signature: ______________________    Date: ____________

Evaluation of Conformance with IIA Standards – General Instructions/Definitions

Together with completion of all of the applicable tools in the IIA Quality Assessment Manual, Tool 19 should be used to provide an overall assessment of the organization's conformance with the Standards.

Evaluation Procedures

• When evaluating conformance to the Standards, carefully read the Standard and consider only the Standard, not the ideal situation, "best practice", etc.

• Consider each individual Standard (1110 – Organizational Independence, 2420 – Quality of Communications, etc.), including the relevant Implementation Standards (which give additional guidance on assurance and consulting services), and conclude as to the degree of conformity by the activity to each one, using the Key Conformance Criteria and the examples of evidence for guidance. In the table below, any of the Key Conformance Criteria not achieved strongly suggests a rating of "does not conform", or at least only "partially conforms", for that individual Standard.

• Consider each section of the Standards (numbers ending in "00": 1200 – Proficiency and Due Professional Care, 2300 – Performing the Engagement, etc.), and conclude as to the degree of conformity by the activity to each section taken as a whole, based on the conclusions reached for the related individual Standards in the section and on other relevant observations made during the quality assessment. If all underlying Standards are rated "does not conform", then the section as a whole is rated "does not conform". Otherwise, the team must make a judgment, based on the number of non-conforming Standards and the specific conditions present, as to whether the overall rating is "does not conform" or "partially conforms".

• On the same basis as for sections of the Standards, conclude as to the degree of conformity by the activity to the major categories of the Standards (ATTRIBUTE and PERFORMANCE); then make an overall evaluation as to the activity's conformance to the Standards as a whole (the first line of this evaluation form).

• Consider the four principles and related rules of conduct in the Code of Ethics and conclude whether or not the activity's management and staff uphold each of the principles and apply the related rules of conduct.

Definitions

GC – "Generally Conforms" means the evaluator has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard or element of the Code of Ethics in all material respects. For the sections and major categories, this means that there is general conformity to a majority of the individual Standards or elements of the Code of Ethics, and at least partial conformity to the others, within the section/category. There may be significant opportunities for improvement, but these should not represent situations where the activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives. As indicated above, general conformance does not require complete/perfect conformance, the ideal situation, "best practice", etc.

PC – "Partially Conforms" means the evaluator has concluded that the activity is making good-faith efforts to comply with the requirements of the individual Standard or element of the Code of Ethics, section, or major category, but falls short of achieving some major objectives. These will usually represent significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the activity and may result in recommendations to senior management or the board of the organization.

DNC – "Does Not Conform" means the evaluator has concluded that the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard or element of the Code of Ethics, section, or major category. These deficiencies will usually have a significant negative impact on the activity's effectiveness and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.

Often, the most difficult evaluation is the distinction between "general" and "partial". It is a judgment call, keeping in mind the definition of "general conformance" above. Carefully read the Standard to determine whether basic compliance exists. The existence of "opportunities for improvement", better alternatives, or other best practices does not reduce a "generally conforms" rating.

TOOL 19 – STANDARDS COMPLIANCE EVALUATION – MASTER FRAMEWORK

OVERALL EVALUATION          GC  PC  DNC
ATTRIBUTE STANDARDS         GC  PC  DNC
PERFORMANCE STANDARDS       GC  PC  DNC

1. ATTRIBUTE STANDARDS

Each Standard below is presented under three headings – STANDARD; KEY CONFORMANCE CRITERIA; EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS – followed by the evaluator's rating line (GC PC DNC).

1000 – Purpose, Authority and Responsibility

STANDARD: The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter consistent with the Standards and approved by the board.
1000.A1 – The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.
1000.C1 – The nature of consulting should be defined in the audit charter.

KEY CONFORMANCE CRITERIA: There is a charter containing the purpose, authority, and responsibility of the internal audit activity. The charter has been approved by the board.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Internal audit activity charter:
  o The charter is approved by senior management.
  o The purpose, authority, and responsibilities of the internal audit activity are defined in the charter.
  o The charter establishes the position of the internal audit department within the organization.
  o The charter provides unrestricted access to records, personnel, and physical properties relevant to the performance of engagements.
  o The charter sets the tone for the internal audit activity's interaction with the board.
  o The charter defines the nature of activities to be performed.
• Minutes of board meetings.
• Interviews of the CAE, senior management, etc.

1000 Purpose, Authority, and Responsibility (Charter)    GC  PC  DNC

1100 – Independence and Objectivity

STANDARD: The internal audit activity should be independent and internal auditors should be objective in performing their work.

KEY CONFORMANCE CRITERIA: Sum of 1110–1130.

1100 Independence and Objectivity    GC  PC  DNC

1110 – Organizational Independence

STANDARD: The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
1110.A1 – The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.

KEY CONFORMANCE CRITERIA: The chief audit executive reports to a level in the organization that is adequate to discharge his or her responsibilities. Any reporting relationship (administrative or total) to management does not interfere with the chief audit executive's responsibility to the board. There are no restrictions on the scope, resources, and access of the internal audit activity.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Organizational charts.
• Annual audit plan.
• Engagement work programs.
• Interviews of the CAE, senior management, etc.
• The internal audit activity reports directly to the highest executive levels of the organization (e.g. senior management, the board).
• Audit Committee charter covers:
  o Appointment and removal of the CAE
  o Salary of the CAE
  o CAE performance appraisal
• The following are systematically reported to the board:
  o Annual planning of audit engagements;
  o Resource allocations;
  o Coverage of engagement objectives;
  o Implementation of audit procedures;
  o Communication of results;
  o Budget and staffing; and
  o Major restrictions on the scope of internal audit activities.

1110 Organizational Independence    GC  PC  DNC

1120 – Individual Objectivity

STANDARD: Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

KEY CONFORMANCE CRITERIA: Auditors do not have assignments in conflict. Audit staff have background and experience that do not conflict with their audit assignments. Results and conclusions of engagements are based on factual evidence and observation.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Interviews with audit staff.
• Interviews with senior management.
• Examination of auditor assignments – e.g., auditors should not audit a function for which they were responsible.
• Evaluation of auditor background.
• Evidence of supervision.
• There is linkage between the audit objectives, factual evidence, and conclusions.

1120 Individual Objectivity    GC  PC  DNC

1130 – Impairments to Independence or Objectivity

STANDARD: If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend on the impairment.
1130.A1 – Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.
1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

KEY CONFORMANCE CRITERIA: Auditors are aware that they should report any real or perceived conflict of interest as soon as such a conflict arises. Assignment of internal audit personnel takes into account previous responsibilities.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• List of auditors including their date of appointment and responsibilities held prior to appointment.
• Engagement records.
• Internal auditors' assignments for the previous three years.
• Policies and procedures of the internal audit department.
• Disclosures on independence have been made to the board, per minutes of the Audit Committee meetings.
• Formal commitment to the Code of Ethics.
• An outside party oversees assurance services over functions for which the chief audit executive has been responsible.
• Objectivity may be impaired if auditors are assigned to operations for which they were responsible within the previous year, or if relationships with the audited activities present potential conflicts of interest.
• Areas of responsibility are rotated on a regular basis, thus ensuring that the same processes, activities, and entities are not audited by the same auditors.

1130 Impairments to Independence or Objectivity    GC  PC  DNC

1200 – Proficiency and Due Professional Care

STANDARD: Engagements should be performed with proficiency and due professional care.

KEY CONFORMANCE CRITERIA: Sum of 1210–1230.

1200 Proficiency and Due Professional Care    GC  PC  DNC

1210 – Proficiency

STANDARD: Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
1210.A1 – The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.
1210.A2 – The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
1210.A3 – Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
1210.C1 – The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

KEY CONFORMANCE CRITERIA: Auditors undergo specific training based on a collective staff training needs analysis. Staff performance is reviewed on a regular basis, and the criteria used are adequate and appropriate for the needs of the activity. Where skills are lacking, the CAE has engaged capable assistance. Auditors have fraud training or proficiency in the identification of fraud indicators. Auditors have training or proficiency in IT concepts and computer-aided audit tools. Where skills are lacking, the CAE has engaged capable assistance or has declined the engagement.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Job descriptions and competency requirements (especially information systems and fraud).
• Staff date of appointment, previously held responsibilities, and qualifications.
• Hiring plans and selection procedures.
• Training plans.
• Annual and engagement performance evaluations.
• Interviews of clients.
• Contracts for supplemental resources or outsourcing.
• Review of third-party reports.
• Reports and work papers of the third party.
• Performance and knowledge requirements are clearly documented in the contract.
• Professional certifications.
• Resumes of staff.
• There is evidence that IT tools are used when appropriate in audit plans.
• Autonomous data extraction.

1210 Proficiency    GC  PC  DNC

1220 – Due Professional Care

STANDARD: Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – The internal auditor should exercise due professional care by considering the:
  • Extent of work needed to achieve the engagement's objectives.
  • Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
  • Adequacy and effectiveness of risk management, control, and governance processes.
  • Probability of significant errors, irregularities, or noncompliance.
  • Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care the internal auditor should consider the use of computer-assisted audit tools and other data analysis techniques.
1220.A3 – The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
1220.C1 – The internal auditor should exercise due professional care during a consulting engagement by considering the:
  • Needs and expectations of clients, including the nature, timing, and communication of engagement results.
  • Relative complexity and extent of work needed to achieve the engagement's objectives.
  • Cost of the consulting engagement in relation to potential benefits.

KEY CONFORMANCE CRITERIA: Audit work papers provide evidence of due professional care in the conduct of the work performed. Audit engagements are supported by appropriate tools, including information systems, used in an appropriate manner. There is evidence of a risk assessment of the audit engagement. Consulting engagement documentation provides evidence of due professional care in the conduct of the work performed.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Audit work papers.
• Reports.
• Tools used by internal auditors.
• Conclusions based on appropriate tests, analyses and supporting documentation; indexed and classified working papers; effective coverage of engagement work program objectives; etc.
• When making recommendations, the internal auditors consider the cost of implementing controls in relation to potential benefits.
• Data extraction and analysis techniques, risk assessment tools, tools for engagement planning and performance, communication, etc.
• Audit engagement risk assessment.

1220 Due Professional Care    GC  PC  DNC

1230 – Continuing Professional Development

STANDARD: Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

KEY CONFORMANCE CRITERIA: There is continuing professional development to enhance the knowledge and competencies of internal auditors.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Training and continuous development policy for the internal audit function.
• List of CIA auditors or of auditors having obtained similar professional certifications.
• Training program fulfilling the criteria for maintaining certification.
• Auditors participate in the activities of professional bodies.
• Auditors participate in conferences, seminars, and working groups.
• Auditors take part in internal and external training.
• The internal audit activity encourages internal auditors to obtain relevant professional certifications such as the CIA.

1230 Continuing Professional Development    GC  PC  DNC

1300 – Quality Assurance and Improvement Program

STANDARD: The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

KEY CONFORMANCE CRITERIA: The internal audit activity has a process to monitor and assess the overall effectiveness of the quality program.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Documented quality assurance and improvement program.
• Quality program procedures.
• Performance indicators for the internal audit activity.
• Formal results of assessments performed.
• Responses given to assessment recommendations.
• Activity reports.
• Measurement of value added, such as surveys.
• Assessments include the following aspects:
  o Adherence to the Standards and Code of Ethics,
  o Adequacy of the internal audit charter, objectives, policies and procedures,
  o Contribution to risk management, control, and governance processes, and
  o Value added according to key stakeholders.
• Assessments include ongoing reviews of the performance of the internal audit activity, and periodic reviews performed through self-assessment or by other persons within the organization who have knowledge of internal audit practices and the Standards.

1300 Quality Assurance and Improvement Program    GC  PC  DNC

1310 – Quality Program Assessments

STANDARD: The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

KEY CONFORMANCE CRITERIA: The internal audit activity has a process to monitor and assess the overall effectiveness of the quality program.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Evidence of a plan for reviews, from interviews, board minutes, or other documentation.
• Documented policy.

1310 Quality Program Assessments    GC  PC  DNC

1311 – Internal Assessments

STANDARD: Internal assessments should include:
  • Ongoing reviews of the performance of the internal audit activity; and
  • Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

KEY CONFORMANCE CRITERIA: There is evidence of ongoing reviews of the performance of the internal audit activity. Periodic reviews were performed through self-assessment or by other persons within the organization with knowledge of internal audit practices and the Standards.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Reports and documentation of internal reviews, including action plans.
• Periodic assessment of internal audit staff.
• Client surveys.
• Work paper reviews.
• Board minutes.
• Performance indicators.

1311 Internal Assessments    GC  PC  DNC

1312 – External Assessments

STANDARD: External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

KEY CONFORMANCE CRITERIA: There is evidence of comprehensive external reviews by qualified, independent reviewers.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Committee/board minutes.
• Report of the external reviewer.
• List of competencies for the team leader and team.

1312 External Assessments    GC  PC  DNC

1320 – Reporting on the Quality Program

STANDARD: The chief audit executive should communicate the results of external assessments to the board.

KEY CONFORMANCE CRITERIA: Reports of the results of external assessments are submitted to the board.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Board minutes.
• Action plan.
• External assessment report.

1320 Reporting on the Quality Program    GC  PC  DNC

1330 – Use of "Conducted in Accordance with the Standards"

STANDARD: Internal auditors are encouraged to report that their activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing." However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.

KEY CONFORMANCE CRITERIA: There is appropriate wording in audit reports.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Audit reports.
• Audit procedures manual.
• Internal audit activity charter.
• External assessment report with a "generally conforms" opinion.

1330 Use of "Conducted in Accordance with the Standards"    GC  PC  DNC

1340 – Disclosure of Noncompliance

STANDARD: Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.

KEY CONFORMANCE CRITERIA: There is appropriate wording in the report to the board.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Interview with the board or senior management.
• Board minutes.
• External assessment report.

1340 Disclosure of Noncompliance    GC  PC  DNC

2. PERFORMANCE STANDARDS

2000 – Managing the Internal Audit Activity

STANDARD: The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

KEY CONFORMANCE CRITERIA: Sum of 2000 sub-items (2010–2060).

2000 Managing the Internal Audit Activity    GC  PC  DNC

2010 – Planning

STANDARD: The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
2010.A1 – The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.
2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Those engagements that have been accepted should be included in the plan.

KEY CONFORMANCE CRITERIA: The chief audit executive has established risk-based plans in consultation with the board and senior management. Where appropriate, consulting engagements are in the annual audit plan.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Annual audit plan:
  o The audit plan risk assessment establishes a link between the proposed audit topics and the operational and strategic risks of the organization.
  o The audit plan risk assessment takes account of feedback received from operational managers.
• Formal opinions of senior management and of the board, e.g. final approval of the annual audit plan.
• Formal risk assessment.
• Strategic plan of the organization.
• The engagement work program is based on a periodic, at least annual, comprehensive risk assessment.

2010 Planning    GC  PC  DNC

2020 – Communication and Approval

STANDARD: The chief audit executive should communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

KEY CONFORMANCE CRITERIA: The chief audit executive has communicated the internal audit activity's annual plans, including significant interim changes, to senior management and the board. The CAE has also communicated to senior management and the board the impact of resource limitations.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Annual audit plan.
• Final approval of the annual audit plan.
• Evidence of action taken by the CAE in the event of resource limitations.
• Formal assessment of needs prepared by the CAE.
• The chief audit executive informs senior management and the board of any audit engagements that have been rescheduled, as well as the reasons for rescheduling and the degree of risk associated with the rescheduled engagements.

2020 Communication and Approval    GC  PC  DNC

2030 – Resource Management

STANDARD: The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

KEY CONFORMANCE CRITERIA: Staffing plans and financial budgets are determined from the annual audit plans and activities of the internal audit department. The internal audit activity is organized to ensure proper coverage of the organization's audit universe.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Staffing analysis and annual operating plans.
• Annual audit plan.
• Program for selecting and developing human resources.
• Interviews of senior management.
• Interviews of the chief audit executive.
• Procedures to notify the chief audit executive or any internal audit manager of any problems that arise during the audit.
• Evidence that the internal audit activity is organized to reflect the activities of the organization and to encourage interaction between internal auditors and their audit clients (e.g. internal audit is organized similarly to the audited organization).
• Administrative activities, training requirements, etc.
• Staffing plans make provision for the knowledge, skills and other competencies required to perform the internal audit responsibilities.
• Utilization of staff.
• Budget-to-actual time.
• The chief audit executive has established a program for selecting and developing the human resources of the internal audit department.
• On-time performance of audit engagements is monitored:
  o If yes, budget-to-actual time comparisons are performed.
  o If yes, comparisons are analyzed.

2030 Resource Management    GC  PC  DNC

2040 – Policies and Procedures

STANDARD: The chief audit executive should establish policies and procedures to guide the internal audit activity.

KEY CONFORMANCE CRITERIA: There are appropriate policies and procedures, and they are communicated to and understood by the staff of the internal audit activity.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Policies and procedures.
• Audit manual.
• Interviews with staff.
• There is evidence that policies and procedures are followed.
• Policies and procedures are well documented.

2040 Policies and Procedures    GC  PC  DNC

2050 – Coordination

STANDARD: The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

KEY CONFORMANCE CRITERIA: Internal audit work is coordinated with that of the external auditors and with internal providers of assurance and consulting services.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Annual audit plans of internal and external auditors.
• Reports on meetings.
• Delegation of personnel or resource sharing.
• Common training courses.
• Compatible methods and tools.
• Follow-up by internal audit of the external auditors' recommendations.
• Comprehensiveness of their respective plans, proper coverage of the organization's audit universe, etc.
• Internal and external auditors share information about the results of their work (reciprocal exchanges of activity reports, etc.).
• Internal auditors meet regularly with the external auditors to discuss matters of mutual interest or concern.

2050 Coordination    GC  PC  DNC


2060 – Reporting to the Board and Senior Management

Standard: The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

Key conformance criteria:
• There is evidence that the CAE reports appropriately to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance.

Examples of evidence, sound practices and other considerations:
• Board minutes.
• CAE presentation to the board.
• Activity reports.
• Interviews, management reports, reports on meetings.
• Senior management's responses to internal audit reports.
• Any tangible evidence (e-mail records, internal memos, reports on meetings, etc.) demonstrating that the board has been informed.
• Status of action plans from audit findings.
• Interview, where necessary, of a member of the board.
• The CAE report includes:
  o Performance measures
  o Risk exposures
  o Control issues
  o Governance issues

2060 Reporting to the Board and Senior Management GC PC DNC

2100 – Nature of Work

Standard: The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

Key conformance criteria: Sum of the 2100 elements below.

2100 Nature of Work GC PC DNC

2110 – Risk Management

Standard: The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

2110.A1 – The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

2110.A2 – The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.

2110.C1 – During consulting engagements, internal auditors should address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.

2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

Key conformance criteria:
• The scope of internal audit includes appropriate evaluation of risk management and control systems.
• Consulting projects cover all significant risk activities within the scope.

Examples of evidence, sound practices and other considerations:
• Risk mapping.
• Internal audit activity report.
• Annual audit plan.
• Charter.
• Engagement records.
• Audit report.
• Memoranda resulting from meetings or discussions with the Risk department.
• Results of risk and controls self-assessments.
• Preliminary risk assessment report performed prior to commencement of the audit assignment.
• Does the audit engagement verify the existence of a risk management program? If such a program exists, is an evaluation performed? If no program exists, do the internal auditors notify senior management?
• Assurance engagements periodically evaluate the risk exposure of the organization in respect of the:
  o Reliability and integrity of financial information and operational management reporting
  o Effectiveness and efficiency of operations
  o Safeguarding of assets
  o Compliance with laws, regulations and contracts
• Are auditors permitted and encouraged to identify risks not identified in the original plan?
• There is a mechanism for auditors to take input from engagements into the risk evaluation process.

2110 Risk Management GC PC DNC

2120 – Control

Standard: The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.

2120.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

2120.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

2120.C1 – During consulting engagements, internal auditors should address controls consistent with the engagement's objectives and be alert to the existence of any significant control weaknesses.

2120.C2 – Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

Key conformance criteria:
• Where appropriate, audit work papers reflect the elements specified in the implementation Standards.
• Where appropriate, audit work papers reflect the elements specified in the consulting implementation Standards.

Examples of evidence, sound practices and other considerations:
• Audit work papers.
• Interview with auditors.
• Interview with clients.
• Audit work papers and reports reflect:
  o Reliability and integrity of financial and operational information.
  o Effectiveness and efficiency of operations.
  o Safeguarding of assets.
  o Compliance with laws, regulations, and contracts.
• Audits address the effectiveness of controls encompassing governance, operations, and information systems.
• Work papers adequately reflect an identification and evaluation of the operating and program goals and objectives of the area audited.
• Work papers adequately reflect identification of the goals and objectives of the area audited. Evaluation (testing) should determine whether the results of the operation achieved the objectives.
• Work papers reflect that the auditor has analyzed the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished.
• The audit program reflects that the auditors used the criteria in their evaluation where criteria existed.
• If the criteria were inadequate, did the auditors work with management to develop appropriate evaluation criteria, according to the work papers?
• Work papers adequately reflect an evaluation of the operating and program goals and objectives of the area audited to determine whether operations and programs are implemented or performed as intended.
• There is a mechanism by which knowledge of controls from consulting engagements is an input to risk assessment.

2120 Control GC PC DNC

2130 – Governance

Standard: The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

2130.A1 – The internal audit activity should evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs and activities.

2130.C1 – Consulting engagement objectives should be consistent with the overall values and goals of the organization.

Key conformance criteria:
• The internal audit activity assesses and makes appropriate recommendations for improving the governance process in its accomplishment of the objectives specified in the Standards.

Examples of evidence, sound practices and other considerations:
• Code of Ethics.
• Activity reports.
• Engagement records.
• Minutes of board meetings.
• Memoranda resulting from meetings with senior management.
• Job description for the CAE.
• Working paper review.
• Annual audit plan.
• Promoting appropriate ethics and values within the organization.
• Establishing objectives, monitoring their accomplishment, and ensuring their accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.
• Does the internal audit activity evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities?
• Does the internal audit activity actively contribute to improving the ethical culture within the organization?
• Does the internal audit activity ensure that operations and projects are consistent with the overall values and goals of the organization?
• Does the internal audit activity have close relations with senior management?
• Does the internal audit activity have periodic contact with the board (e.g., participation by the CAE in board meetings, opportunities for the CAE to meet privately with the board chair, reporting to the board, relevance of the topics raised, etc.)?

2130 Governance GC PC DNC

2200 – Engagement Planning

Standard: Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.

Key conformance criteria: Sum of the items below.

2200 Engagement Planning GC PC DNC

2201 – Planning Considerations

Standard: In planning the engagement, internal auditors should consider:
• The objectives of the activity being reviewed and the means by which the activity controls its performance.
• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model.
• The opportunities for making significant improvements to the activity's risk management and control systems.

2201.A1 – When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

2201.C1 – Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.

Key conformance criteria:
• Internal auditors systematically conduct a preliminary risk assessment of the organization's audit universe in order to determine the engagement objectives. Internal auditors develop and record a program for each engagement.
• In the case of outside engagements, the internal auditors establish a written understanding about the objectives, scope, and respective responsibilities of each party.

Examples of evidence, sound practices and other considerations:
• Audit procedure.
• Audit engagement letter.
• Engagement work program.
• Engagement records.
• Agreement between the consulting engagement client and the internal auditor.
• Evidence that fraud is considered in each audit engagement plan.
• IT risks and controls are considered, when appropriate, in the audit plans.
• Does the plan specify the:
  o scope of work,
  o audit objectives,
  o engagement dates,
  o timing,
  o resources allocated?
• The engagement plan reflects the expectations of senior management.
• The engagement plan is based on a preliminary survey of the activity to be audited.
• The preliminary survey takes into account:
  o The objectives of the activity being reviewed,
  o The significant risks to the activity,
  o The means by which the activity controls its performance,
  o The adequacy and effectiveness of the activity's risk management and control systems.
• Outside engagement documentation or contracts; interviews with audit management.
• Consulting engagement documentation; interviews with audit management; interviews with consulting clients.

2201 Planning Considerations GC PC DNC

2210 – Engagement Objectives

Standard: Objectives should be established for each engagement.

2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment.

2210.A2 – The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.

2210.C1 – Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.

Key conformance criteria:
• Internal auditors refer back to the preliminary risk assessment (Standard 2201) of the organization's audit universe in order to determine the engagement objectives.

Examples of evidence, sound practices and other considerations:
• Audit procedure.
• Audit engagement letter.
• Engagement work program.
• Engagement records.
• Agreement between the consulting engagement client and the internal auditor.
• Do internal auditors develop and record a program for each engagement? If yes:
  o The plan specifies the scope of work, audit objectives, engagement dates, timing, and resources allocated.
  o It reflects the expectations of senior management.
  o It is based on a preliminary survey of the activity to be audited.
• The preliminary survey takes into account: the objectives of the activity being reviewed, the significant risks to the activity, the means by which the activity controls its performance, and the adequacy and effectiveness of the activity's risk management and control systems.
• In the case of consulting engagements, the internal auditors establish a written understanding with consulting engagement clients about the objectives, scope, and respective responsibilities of each party.

2210 Engagement Objectives GC PC DNC

2220 – Engagement Scope

Standard: The established scope should be sufficient to satisfy the objectives of the engagement.

2220.A1 – The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

2220.C1 – In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.

Key conformance criteria:
• The engagement scope is consistent with the audit objectives.
• If relevant, there is a written understanding and communication of consulting objectives, scope, and responsibilities.
• There is evidence that results are communicated in accordance with consulting standards.

Examples of evidence, sound practices and other considerations:
• Engagement work program.
• Client interviews.
• Consulting documentation, including the formal agreement and other correspondence.
• Consulting standards and practices.
• Interview with staff.

2220 Engagement Scope GC PC DNC

2230 – Engagement Resource Allocation

Standard: Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

Key conformance criteria:
• There is evidence of an appropriate evaluation of staffing after scoping that is based on the nature and complexity of the engagement, time constraints, and available resources.

Examples of evidence, sound practices and other considerations:
• Staffing analysis.
• Interviews of audit management and staff.
• Staffing allocation makes provision for the knowledge, skills and other competencies required to perform the internal audit.
• On-time performance of audit engagements is monitored:
  o If yes, budget to actual time comparisons are performed.
  o If yes, the comparisons are analyzed.

2230 Engagement Resource Allocation GC PC DNC

2240 – Engagement Work Program

Standard: Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

2240.A1 – Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.

2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

Key conformance criteria:
• The internal auditor has developed a formal engagement work program outlining the resources and procedures needed to achieve the audit objectives.
• Fraud was considered in the program.
• The engagement work program and subsequent program adjustments are approved in writing by the chief audit executive or designee before the engagement is commenced.

Examples of evidence, sound practices and other considerations:
• Engagement work programs.

2240 Engagement Work Programs GC PC DNC

2300 – Performing the Engagement

Standard: Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

Key conformance criteria: Sum of the 2300 items below.

2300 Performing the Engagement GC PC DNC

2310 – Identifying Information

Standard: Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.

Key conformance criteria:
• Working papers include all the relevant information to achieve the objectives.

Examples of evidence, sound practices and other considerations:
• Audit work papers.
• Interview with auditors.
• Interview with clients.
• Working papers are clear, properly indexed and classified, referenced to the engagement work program and the audit documentation, etc.

2310 Identifying Information GC PC DNC

2320 – Analysis and Evaluation

Standard: Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

Key conformance criteria:
• Audit conclusions and engagement results are based on appropriate analyses and evaluations that identify the root cause(s) of irregularities.

Examples of evidence, sound practices and other considerations:
• Audit work papers.
• Interview with auditors.
• Interview with clients.
• Working papers clearly show the results of tests and the conclusions and recommendations arising from such tests.
• Actual testing was conducted and was sufficient to support the scope and objectives.
• Substantive testing was done where appropriate.
• Evidence obtained by interview was also validated by a secondary source.
• The elements of criteria, condition, cause, effect, and recommendation were considered.

2320 Analysis and Evaluation GC PC DNC

2330 – Recording Information

Standard: Internal auditors should record relevant information to support the conclusions and engagement results.

2330.A1 – The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2 – The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

2330.C1 – The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

Key conformance criteria:
• Sufficient information was recorded to support the conclusions and audit results.
• Work papers have controlled access according to the policy of the organization.
• There is evidence that the CAE obtains appropriate approvals prior to releasing records.
• There is evidence of a policy on retention requirements.

Examples of evidence, sound practices and other considerations:
• Audit work papers.
• Summary of findings.
• CAE interview.
• Approval documents.
• Audit policies.
• Organization and regulatory requirements.
• Requirements consistent with organization guidelines and other regulatory requirements.
• Findings and recommendations can easily be traced to supporting evidence.

2330 Recording Information GC PC DNC

2340 – Engagement Supervision

Standard: Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

Key conformance criteria:
• There is evidence that engagements are properly supervised as specified in the Standards.

Examples of evidence, sound practices and other considerations:
• Internal policies and procedures for the internal audit activity.
• Approved engagement work program.
• Any written instructions issued by the supervisor.
• Signed working papers (or initialed and signed by the supervisor).
• Audit reports signed by the supervisor.
• Review reports with resolution of review comments.
• Annual training plans for auditors.
• Annual competency reviews for auditors and evaluations of training received.
• Audit plans and reports for decentralized audit departments.
• Where a centralized internal audit department has a decentralized internal control structure:
  o A common audit methodology has been adopted.
  o The centralized internal audit department coordinates the audit plans, if applicable.

2340 Engagement Supervision GC PC DNC

2400 – Communicating Results

Standard: Internal auditors should communicate the engagement results.

Key conformance criteria: Sum of the items below.

2400 Communicating Results GC PC DNC

2410 – Criteria for Communicating

Standard: Communications should include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1 – Final communication of engagement results should, where appropriate, contain the internal auditor's overall opinion and/or conclusions.

2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.

2410.A3 – When releasing engagement results to parties outside the organization, the communication should include limitations on distribution and use of the results.

2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

Key conformance criteria:
• There is evidence of appropriate, timely communication with management.
• An overall opinion or conclusion is included in the audit report.
• Satisfactory performance is acknowledged in engagement communications.
• Communications outside the organization are limited in distribution and use of results.
• There is evidence of communication of progress and results on consulting engagements that is reasonable for the engagement.

Examples of evidence, sound practices and other considerations:
• Records, internal memos, e-mail, etc.
• Report on the opening (kick-off) meeting with the audit client.
• Interviews of operational management of the audited organization.
• Work program, objectives and scope of the engagement.
• Engagement period covered and estimated completion dates.
• The procedures for validating and reporting audit results and following up to determine that corrective action is taken.
• The elements of criteria, condition, cause, effect, and recommendation are included.
• Audit report.
• Engagement communications.
• Outside communications.
• Consulting documentation.

2410 Criteria for Communicating GC PC DNC

2420 – Quality of Communications

Standard: Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

Key conformance criteria:
• Communications are appropriate as stated in the Standard.
• Audit reports are timely.

Examples of evidence, sound practices and other considerations:
• Audit records.
• Report on client debriefing meetings.
• Interviews of operational management of the audited organization.
• Audit reports should be understandable by anyone (they should not contain technical jargon).
• Audit reports should be concise in outlining what was tested, what was found, and its significance.
• Audit reports should clearly contain facts to support the conclusions.
• Determine that discussions, which help ensure that there have been no misunderstandings or misinterpretations of fact, have taken place during the audit engagement and during client debriefing meetings.

2420 Quality of Communications GC PC DNC

2421 – Errors and Omissions

Standard: If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication.

Key conformance criteria:
• Where appropriate, there is communication of corrected information to all parties.

Examples of evidence, sound practices and other considerations:
• Corrected correspondence.

2421 Errors and Omissions GC PC DNC

2430 – Engagement Disclosure of Noncompliance with the Standards

Standard: When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:
• Standard(s) with which full compliance was not achieved,
• Reason(s) for noncompliance, and
• Impact of noncompliance on the engagement.

Key conformance criteria:
• Where appropriate, communication of results discloses noncompliance.

Examples of evidence, sound practices and other considerations:
• Audit report or any other written summary of the results of the audit.
• There is a procedure to determine compliance with the Standards in audit engagements.
• Supervision policies.
• Communication of results discloses the:
  o Standard(s) with which full compliance was not achieved.
  o Reason(s) for noncompliance.
  o Impact of noncompliance on the engagement.

2430 Engagement Disclosure of Noncompliance with the Standards GC PC DNC

2440 – Disseminating Results

Standard: The chief audit executive should communicate results to the appropriate parties.

2440.A1 – The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

2440.A2 – If not otherwise mandated by legal, statutory or regulatory requirements, prior to releasing results to parties outside the organization, the chief audit executive should:
• Assess the potential risk to the organization.
• Consult with senior management and/or legal counsel as appropriate.
• Control dissemination by restricting the use of the results.

2440.C1 – The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

2440.C2 – During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.

Key conformance criteria: Sum of the items below.
• Audit reports are distributed to an appropriate level of senior managers.
• If applicable, the CAE has properly considered the elements of the Standard prior to disclosure outside the organization:
  o Assessed the potential risk to the organization.
  o Consulted with senior management and/or legal counsel as appropriate.
  o Controlled dissemination by restricting the use of the results.
• Consulting engagement reports are distributed appropriately.

Examples of evidence, sound practices and other considerations:
• Audit report distribution.
• Correspondence with senior management or legal counsel.
• Interview with the CAE.
• Consulting results communications.
• Board meeting minutes.
• Correspondence with senior management.
• CAE interview.

2440 Disseminating Results GC PC DNC

2500 – Monitoring Progress

Standard: The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 – The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

Key conformance criteria:
• The CAE has established a follow-up process to monitor and ensure that management actions have been effectively implemented or that the risk has been accepted.

Examples of evidence, sound practices and other considerations:
• Records (e.g., follow-up report) or reports on meetings.
• The process includes a formal procedure for setting out the reasons for not implementing follow-up action.
• If a management action has not been effectively implemented, the CAE has ensured that senior management has accepted the risk of not taking action and has communicated this to the relevant stakeholders.

2500 Monitoring Progress GC PC DNC

2600 – Resolution of Management's Acceptance of Risks

Standard: When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

Key conformance criteria:
• Decisions regarding residual risk that are not resolved are reported by the CAE to the board for resolution.
• The subsequent resolution/disposition of such residual risk issues is appropriately documented.

Examples of evidence, sound practices and other considerations:
• Interview with the CAE.
• Interview with board members.
• Board minutes.

2600 Resolution of Management's Acceptance of Risks GC PC DNC


3. Code of Ethics

Standard: The auditors adhere to a Code of Ethics (Code).

Key conformance criteria:
• Department policy establishes the expectation that audit staff will conform to the Code of Ethics requirements.
• There is evidence that the policy is communicated to and understood by the internal audit activity staff.

Examples of evidence, sound practices and other considerations:
• Audit policies and procedures.
• Interviews of selected auditors.
• Interviews of selected auditees.
• Annual evaluation.
• The Code of Ethics is included in department policies and procedures.
• Based on surveys of a cross-section of auditors and clients, determine whether internal auditors are familiar with and adhere to the Code of Ethics.
• Instances of non-compliance have been adequately addressed.

Code of Ethics GC PC DNC

