ACKNOWLEDGEMENTS

This is a revision of Tool 19 released in August 2006 in order to provide a more standardized and Standards-based approach to facilitate the consistent evaluation of the conformance, by internal audit activities undergoing quality assessments, to the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (Standards).

This revised control plan, adapted from similar methods from affiliates in France (IFACI), Germany (IRR), Belgium, and South Africa, was prepared by a task force of the IIA's Committee on Quality, with special assistance of Deborah F. Ridel, CISA and Ronald J. Ridel, CISA.
TOOL 19 – STANDARDS COMPLIANCE EVALUATION SUMMARY (Circle Evaluator's Decision)

OVERALL EVALUATION GC PC DNC

1. ATTRIBUTE STANDARDS GC PC DNC
1000 Purpose, Authority, and Responsibility (Charter) GC PC DNC
1100 Independence and Objectivity GC PC DNC
1110 Organizational Independence GC PC DNC
1120 Individual Objectivity GC PC DNC
1130 Impairments to Independence or Objectivity GC PC DNC
1200 Proficiency and Due Professional Care GC PC DNC
1210 Proficiency GC PC DNC
1220 Due Professional Care GC PC DNC
1230 Continuing Professional Development GC PC DNC
1300 Quality Assurance/Improvement Program GC PC DNC
1310 Quality Program Assessments GC PC DNC
1311 Internal Assessments GC PC DNC
1312 External Assessments GC PC DNC
1320 Reporting on the Quality Program GC PC DNC
1330 Use of "Conducted in Accordance with Standards" GC PC DNC
1340 Disclosure of Noncompliance GC PC DNC

2. PERFORMANCE STANDARDS GC PC DNC
2000 Managing the Internal Audit Activity GC PC DNC
2010 Planning GC PC DNC
2020 Communication and Approval GC PC DNC
2030 Resource Management GC PC DNC
2040 Policies and Procedures GC PC DNC
2050 Coordination GC PC DNC
2060 Reporting to the Board and Senior Management GC PC DNC
2100 Nature of Work GC PC DNC
2110 Risk Management GC PC DNC
2120 Control GC PC DNC
2130 Governance GC PC DNC
2200 Engagement Planning GC PC DNC
2201 Planning Considerations GC PC DNC
2210 Engagement Objectives GC PC DNC
2220 Engagement Scope GC PC DNC
2230 Engagement Resource Allocation GC PC DNC
2240 Engagement Work Program GC PC DNC
2300 Performing the Engagement GC PC DNC
2310 Identifying Information GC PC DNC
2320 Analysis and Evaluation GC PC DNC
2330 Recording Information GC PC DNC
2340 Engagement Supervision GC PC DNC
2400 Communicating Results GC PC DNC
2410 Criteria for Communicating GC PC DNC
2420 Quality of Communications GC PC DNC
2421 Errors and Omissions GC PC DNC
2430 Engagement Disclosure of Noncompliance with Standards GC PC DNC
2440 Disseminating Results GC PC DNC
2500 Monitoring Progress GC PC DNC
2600 Management's Acceptance of Risks GC PC DNC

3. IIA Code of Ethics GC PC DNC

Evaluator's name/signature: Date:
Evaluation of Conformance with IIA Standards – General Instructions/Definitions

Together with completion of all of the applicable tools in the IIA Quality Assessment Manual, Tool 19 should be used to provide an overall assessment of the organization's conformance with the Standards.

Evaluation Procedures

• When evaluating conformance to the Standards, carefully read the Standard and consider only the Standard, not the ideal situation, "best practice", etc.

• Consider each individual Standard (1110 – Organizational Independence, 2420 – Quality of Communications, etc.), including the relevant Implementation Standards (which give additional guidance on assurance and consulting services), and conclude as to the degree of conformity by the activity to each one, using the Key Conformance Criteria and examples of evidence for guidance. In the table below, any Key Conformance Criterion not achieved strongly suggests a rating of "does not conform", or at best "partially conforms", for that individual Standard.

• Consider each section of the Standards (numbers ending in "00": 1200 – Proficiency and Due Professional Care, 2300 – Performing the Engagement, etc.), and conclude as to the degree of conformity by the activity to each section taken as a whole, based on the conclusions reached for the related individual Standards in the section and on other relevant observations made during the quality assessment. If all underlying Standards are rated "does not conform", then the section as a whole is rated "does not conform". Otherwise, the team must make a judgment, based on the number of non-conforming Standards and the specific conditions present, as to whether the overall rating for the section is "does not conform" or "partially conforms".

• On the same basis as for sections of the Standards, conclude as to the degree of conformity by the activity to the major categories of the Standards (ATTRIBUTE and PERFORMANCE); then make an overall evaluation as to the activity's conformance to the Standards as a whole (the first line of this evaluation form).

• Consider the four principles and related rules of conduct in the Code of Ethics and conclude whether or not the activity's management and staff uphold each of the principles and apply the related rules of conduct.

Definitions

GC – "Generally Conforms" means the evaluator has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard or element of the Code of Ethics in all material respects. For the sections and major categories, this means that there is general conformity to a majority of the individual Standards or elements of the Code of Ethics, and at least partial conformity to the others, within the section/category. There may be significant opportunities for improvement, but these should not represent situations where the activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives. As indicated above, general conformance does not require complete/perfect conformance, the ideal situation, "best practice", etc.

PC – "Partially Conforms" means the evaluator has concluded that the activity is making good-faith efforts to comply with the requirements of the individual Standard or element of the Code of Ethics, section, or major category, but falls short of achieving some major objectives. These will usually represent significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the activity and may result in recommendations to senior management or the board of the organization.

DNC – "Does Not Conform" means the evaluator has concluded that the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard or element of the Code of Ethics, section, or major category. These deficiencies will usually have a significant negative impact on the activity's effectiveness and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.

Often, the most difficult evaluation is the distinction between "general" and "partial". It is a judgment call, keeping in mind the definition of "general conformance" above. Carefully read the Standard to determine if basic compliance exists. The existence of "opportunities for improvement", better alternatives, or other best practices does not reduce a "generally conforms" rating.
TOOL 19 – STANDARDS COMPLIANCE EVALUATION – MASTER FRAMEWORK

OVERALL EVALUATION GC PC DNC
ATTRIBUTE STANDARDS GC PC DNC
PERFORMANCE STANDARDS GC PC DNC

1. ATTRIBUTE STANDARDS

Columns of the framework: STANDARD | KEY CONFORMANCE CRITERIA | EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS

Standard: 1000 – Purpose, Authority, and Responsibility. The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
1000.A1 – The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.
1000.C1 – The nature of consulting services should be defined in the audit charter.

Key conformance criteria:
• There is a charter containing the purpose, authority, and responsibility of the internal audit activity.
• The charter has been approved by the board.

Examples of evidence, sound practices and other considerations:
Internal Audit Activity charter:
o The charter is approved by senior management.
o The purpose, authority, and responsibilities of the internal audit activity are defined in the charter.
o The charter establishes the position of the internal audit department within the organization.
o The charter provides unrestricted access to records, personnel, and physical properties relevant to the performance of engagements.
o The charter sets the tone for the internal audit activity's interaction with the board.
o The charter defines the nature of activities to be performed.
Minutes of board meetings.
Interviews of the CAE, senior management, etc.

1000 Purpose, Authority, and Responsibility (Charter) GC PC DNC

Standard: 1100 – Independence and Objectivity. The internal audit activity should be independent, and internal auditors should be objective in performing their work.

Key conformance criteria: Sum of 1110–1130.
1100 Independence and Objectivity GC PC DNC

Standard: 1110 – Organizational Independence. The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
1110.A1 – The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.

Key conformance criteria:
• The chief audit executive reports to a level in the organization that is adequate to discharge his or her responsibilities.
• Any reporting relationship (administrative or total) to management does not interfere with the chief audit executive's responsibility to the board.
• There are no restrictions to the scope, resources, and access of the internal audit activity.

Examples of evidence, sound practices and other considerations:
• Organizational charts.
• Annual audit plan.
• Engagement work programs.
• Interviews of the CAE, senior management, etc.
• The internal audit activity reports directly to the highest executive levels of the organization (e.g. senior management, the board).
• Audit Committee charter:
o Appointment and removal of CAE
o Salary of CAE
o CAE performance appraisal
• Annual planning of audit engagements;
• Resource allocations;
• Coverage of engagement objectives;
• Implementation of audit procedures;
• Communication of results;
• Budget and staffing; and
• Major restrictions on the scope of internal audit activities are systematically reported to the board.

1110 Organizational Independence GC PC DNC

Standard: 1120 – Individual Objectivity. Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

Key conformance criteria:
• Auditors do not have assignments in conflict.
• Audit staff has background and experience that does not conflict with audit assignments.
• Results and conclusions of engagements are based on factual evidence and observation.

Examples of evidence, sound practices and other considerations:
Interviews with audit staff.
Interviews with senior management.
Examination of auditor assignments – e.g., auditors should not audit a function for which they were responsible.
Evaluation of auditor background.
Evidence of supervision.
There is linkage between the audit objectives, factual evidence, and conclusions.

1120 Individual Objectivity GC PC DNC
Standard: 1130 – Impairments to Independence or Objectivity. If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will be dependent on the impairment.
1130.A1 – Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.
1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

Key conformance criteria:
• Auditors are aware they should report any real or perceived conflict of interest as soon as such conflict arises.
• Assignment of internal audit personnel takes into account previous responsibilities.
• An outside party oversees assurance services over functions for which the chief audit executive has been responsible.

Examples of evidence, sound practices and other considerations:
List of auditors including their date of appointment and responsibilities held prior to appointment.
Engagement records.
Internal auditors' assignments for the previous three years.
Policies and procedures of the internal audit department.
Disclosures on independence have been made to the board per minutes of the AC meetings.
Formal commitment to the Code of Ethics.
Objectivity may be impaired if auditors are assigned to operations for which they were responsible within the previous year, or if relationships with the audited activities create potential conflicts of interest.
Areas of responsibility are rotated on a regular basis, thus ensuring that the same processes, activities, and entities are not audited by the same auditors.

1130 Impairments to Independence or Objectivity GC PC DNC

Standard: 1200 – Proficiency and Due Professional Care. Engagements should be performed with proficiency and due professional care.

Key conformance criteria: Sum of 1210–1230.

1200 Proficiency and Due Professional Care GC PC DNC
Standard: 1210 – Proficiency. Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
1210.A1 – The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.
1210.A2 – The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
1210.A3 – Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
1210.C1 – The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Key conformance criteria:
• Auditors undergo specific training based on a collective staff training needs analysis.
• Staff performance is reviewed on a regular basis, and the criteria used are adequate and appropriate for the needs of the activity.
• Where skills are lacking, the CAE has engaged capable assistance.
• Auditors have fraud training or proficiency in the identification of fraud indicators.
• Auditors have training or proficiency in IT concepts and computer-aided audit tools.
• For consulting engagements, where skills are lacking, the CAE has engaged capable assistance or has declined the engagement.

Examples of evidence, sound practices and other considerations:
Job descriptions and competency requirements (especially information systems and fraud).
Staff date of appointment, prior held responsibilities, and qualifications.
Hiring plans and selection procedures.
Training plans.
Annual and engagement performance evaluations.
Interviews of clients.
Contracts for supplemental resources or outsourcing.
Review of third party reports.
Reports and work papers of third parties.
Performance and knowledge requirements are clearly documented in the contract.
Professional certifications.
Resumes of staff.
There is evidence that IT tools are used when appropriate in audit plans.
Autonomous data extraction.

1210 Proficiency GC PC DNC
Standard: 1220 – Due Professional Care. Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – The internal auditor should exercise due professional care by considering the:
• Extent of work needed to achieve the engagement's objectives.
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
• Adequacy and effectiveness of risk management, control, and governance processes.
• Probability of significant errors, irregularities, or noncompliance.
• Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care the internal auditor should consider the use of computer-assisted audit tools and other data analysis techniques.
1220.A3 – The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
1220.C1 – The internal auditor should exercise due professional care during a consulting engagement by considering the:
• Needs and expectations of clients, including the nature, timing, and communication of engagement results.
• Relative complexity and extent of work needed to achieve the engagement's objectives.
• Cost of the consulting engagement in relation to potential benefits.

Key conformance criteria:
• Audit work papers provide evidence of due professional care in the conduct of the work performed.
• Audit engagements are supported by appropriate tools, including information systems, and the tools are used in an appropriate manner.
• There is evidence of a risk assessment of the audit engagement.
• Consulting engagement documentation provides evidence of due professional care in the conduct of the work performed.

Examples of evidence, sound practices and other considerations:
Audit work papers.
Reports.
Tools used by internal auditors.
Conclusions based on appropriate tests, analyses and supporting documentation; indexed and classified working papers; effective coverage of engagement work program objectives, etc. (for both assurance and consulting engagements).
When making recommendations, the internal auditors consider the cost of implementing controls in relation to potential benefits (for both assurance and consulting engagements).
Data extraction and analysis techniques, risk assessment tools, tools for engagement planning and performance, communication, etc.
Audit engagement risk assessment.

1220 Due Professional Care GC PC DNC

Standard: 1230 – Continuing Professional Development. Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

Key conformance criteria:
• There is continuing professional development to enhance the knowledge and competencies of internal auditors.

Examples of evidence, sound practices and other considerations:
Training and continuous development policy for the internal audit function.
List of CIA auditors or of auditors having obtained similar professional certifications.
Training program fulfilling criteria for maintaining certification.
Auditors participate in the activities of professional bodies.
Auditors participate in conferences, seminars, and working groups.
Auditors take part in internal and external training.
The internal audit activity encourages internal auditors to obtain relevant professional certifications such as the CIA.

1230 Continuing Professional Development GC PC DNC
Standard: 1300 – Quality Assurance and Improvement Program. The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

Key conformance criteria:
• The internal audit activity has a process to monitor and assess the overall effectiveness of the quality program.

Examples of evidence, sound practices and other considerations:
• Documented quality assurance and improvement program.
• Quality program procedures.
• Performance indicators for the internal audit activity.
• Formal results of assessments performed.
• Responses given to assessment recommendations.
• Activity reports.
• Measurement of value added, such as surveys.
• Assessments include the following aspects:
o Adherence to the Standards and Code of Ethics,
o Adequacy of the internal audit charter, objectives, policies and procedures,
o Contribution to risk management, control, and governance processes, and
o Value added according to key stakeholders.
• Assessments include ongoing reviews of the performance of the internal audit activity, and periodic reviews performed through self-assessment or by other persons within the organization who have knowledge of internal audit practices and the Standards.

1300 Quality Assurance and Improvement Program GC PC DNC

Standard: 1310 – Quality Program Assessments. The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

Key conformance criteria:
• The internal audit activity has a process to monitor and assess the overall effectiveness of the quality program.

Examples of evidence, sound practices and other considerations:
Evidence of a plan for reviews from interviews, board minutes, or other documentation.
Documented policy.

1310 Quality Program Assessments GC PC DNC
Standard: 1311 – Internal Assessments. Internal assessments should include:
• Ongoing reviews of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

Key conformance criteria:
• There is evidence of ongoing reviews of the performance of the internal audit activity.
• Periodic reviews were performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

Examples of evidence, sound practices and other considerations:
Reports and documentation of internal reviews, including action plans.
Periodic assessment of internal audit staff.
Client surveys.
Work paper reviews.
Board minutes.
Performance indicators.

1311 Internal Assessments GC PC DNC

Standard: 1312 – External Assessments. External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

Key conformance criteria:
• There is evidence of comprehensive external reviews by qualified, independent reviewers.

Examples of evidence, sound practices and other considerations:
• Committee/board minutes
• Report of external reviewer
• List of competencies for the team leader and team

1312 External Assessments GC PC DNC

Standard: 1320 – Reporting on the Quality Program. The chief audit executive should communicate the results of external assessments to the board.

Key conformance criteria:
• Reports of the results of external assessments are submitted to the board.

Examples of evidence, sound practices and other considerations:
• Board minutes
• Action plan
• External assessment report

1320 Reporting on the Quality Program GC PC DNC
Standard: 1330 – Use of "Conducted in Accordance with the Standards". Internal auditors are encouraged to report that their activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing." However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.

Key conformance criteria:
• There is appropriate wording in audit reports.

Examples of evidence, sound practices and other considerations:
Audit reports.
Audit procedures manual.
IA activity charter.
External assessment report with a "generally conforms" opinion.

1330 Use of "Conducted in Accordance with the Standards" GC PC DNC

Standard: 1340 – Disclosure of Noncompliance. Although the internal audit activity should achieve full compliance with the Standards, and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.

Key conformance criteria:
• There is appropriate wording in the report to the board.

Examples of evidence, sound practices and other considerations:
Interview with board or senior management.
Board minutes.
External assessment report.

1340 Disclosure of Noncompliance GC PC DNC
2. PERFORMANCE STANDARDS

Standard: 2000 – Managing the Internal Audit Activity. The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

Key conformance criteria: Sum of 2000 sub-items.

2000 Managing the Internal Audit Activity GC PC DNC

Standard: 2010 – Planning. The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
2010.A1 – The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.
2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Those engagements that have been accepted should be included in the plan.

Key conformance criteria:
• The chief audit executive has established risk-based plans in consultation with the board and senior management.
• Where appropriate, consulting engagements are in the annual audit plan.
• The engagement work program is based on a periodic, at least annual, comprehensive risk assessment.

Examples of evidence, sound practices and other considerations:
Annual audit plan:
o The audit plan risk assessment establishes a link between the proposed audit topics and the operational and strategic risks of the organization.
o The audit plan risk assessment takes account of feedback received from operational managers.
Formal opinions of senior management and of the board, e.g. final approval of the annual audit plan.
Formal risk assessment.
Strategic plan of the organization.

2010 Planning GC PC DNC
Standard: 2020 – Communication and Approval. The chief audit executive should communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

Key conformance criteria:
• The chief audit executive has communicated the internal audit activity's annual plans, including significant interim changes, to senior management and the board.
• The CAE also has communicated to senior management and the board the impact of resource limitations.

Examples of evidence, sound practices and other considerations:
Annual audit plan.
Final approval of the annual audit plan.
Evidence of action taken by the CAE in the event of resource limitations.
Formal assessment of needs prepared by the CAE.
The chief audit executive informs senior management and the board of any audit engagements that have been rescheduled, as well as the reasons for rescheduling and the degree of risk associated with the rescheduled engagements.

2020 Communication and Approval GC PC DNC

Standard: 2030 – Resource Management. The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Key conformance criteria:
• Staffing plans and financial budgets are determined from the annual audit plans and activities of the internal audit department.
• The internal audit activity is organized to ensure proper coverage of the organization's audit universe.
• Staffing plans make provisions for the knowledge, skills and other competencies required to perform the internal audit responsibilities.
• The chief audit executive has established a program for selecting and developing the human resources of the internal audit department.

Examples of evidence, sound practices and other considerations:
Staffing analysis and annual operating plans.
Annual audit plan.
Program for selecting and developing human resources.
Interviews of senior management.
Interviews of the chief audit executive.
Procedures to notify the chief audit executive or any internal audit manager of any problems that arise during the audit.
Evidence that the internal audit activity is organized to reflect the activities of the organization and to encourage interaction between internal auditors and their audit clients (e.g. internal audit is organized similarly to the audited organization).
Administrative activities, training requirements, etc.
Utilization of staff.
Budget to actual time.
On-time performance of audit engagements is monitored:
o If yes, budget to actual time comparisons are performed.
o If yes, comparisons are analyzed.

2030 Resource Management GC PC DNC
Standard: 2040 – Policies and Procedures. The chief audit executive should establish policies and procedures to guide the internal audit activity.

Key conformance criteria:
• There are appropriate policies and procedures, and they are communicated to and understood by the staff of the internal audit activity.

Examples of evidence, sound practices and other considerations:
Policies and procedures.
Audit manual.
Interviews with staff.
There is evidence that policies and procedures are followed.
Policies and procedures are well documented.

2040 Policies and Procedures GC PC DNC

Standard: 2050 – Coordination. The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

Key conformance criteria:
• Internal audit work is coordinated with that of the external auditors and with internal providers of assurance and consulting services.

Examples of evidence, sound practices and other considerations:
Annual audit plans of internal and external auditors.
Reports on meetings.
Delegation of personnel or resource sharing.
Common training courses.
Compatible methods and tools.
Follow-up by internal audit of the external auditors' recommendations.
Comprehensiveness of their respective plans, proper coverage of the organization's audit universe, etc.
Internal and external auditors share information about the results of their work (reciprocal exchanges of activity reports, etc.).
Internal auditors meet regularly with the external auditors to discuss matters of mutual interest or concern.

2050 Coordination GC PC DNC
2060 – Reporting to the Board and Senior Management
Standard: The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.
Key conformance criteria:
There is evidence that the CAE reports appropriately to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance.
Examples of evidence, sound practices and other considerations:
Board minutes.
CAE presentation to board.
Activity reports.
Interviews, management reports, reports on meetings.
Senior management's responses to internal audit reports.
Any tangible evidence (e-mail records, internal memos, reports on meetings, etc.) demonstrating that the board had been informed.
Status of action plans from audit findings.
Interview, where necessary, of a member of the board.
CAE report includes:
o Performance measures
o Risk exposures
o Control issues
o Governance issues
2060 Reporting to the Board and Senior Management GC PC DNC

2100 – Nature of Work
Standard: The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.
Key conformance criteria: Sum of 2100 elements below.
2100 Nature of Work GC PC DNC

2110 – Risk Management
Standard: The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
2110.A1 – The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.
2110.A2 – The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2110.C1 – During consulting engagements, internal auditors should address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.
Key conformance criteria:
The scope of internal audit includes appropriate evaluation of risk management and control systems.
Consulting projects cover all significant risk activities within the scope.
Examples of evidence, sound practices and other considerations:
Risk mapping.
Internal audit activity report.
Annual audit plan.
Charter.
Engagement records.
Audit report.
Memoranda resulting from meetings or discussions with the Risk department.
Results of risk and controls self-assessments.
Preliminary risk assessment report performed prior to commencement of the audit assignment.
Does the audit engagement verify the existence of a risk management program? If such a program exists, is an evaluation performed? If no program exists, do the internal auditors notify senior management?
Assurance engagements periodically evaluate the risk exposure of the organization in respect of the:
o Reliability and integrity of financial information and operational management reporting
o Effectiveness and efficiency of operations
o Safeguarding of assets
o Compliance with laws, regulations and contracts
Are auditors permitted and encouraged to identify risks not identified in the original plan?
There is a mechanism for auditors to take input from engagements into the risk evaluation process.
2110 Risk Management GC PC DNC

2120 – Control
Standard: The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2120.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
2120.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.
2120.C1 – During consulting engagements, internal auditors should address controls consistent with the engagement's objectives and be alert to the existence of any significant control weaknesses.
2120.C2 – Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.
Key conformance criteria:
Where appropriate, audit work papers reflect the elements specified in the implementation Standards.
Where appropriate, audit work papers reflect the elements specified in the consulting implementation Standards.
Examples of evidence, sound practices and other considerations:
Audit work papers.
Interview with auditors.
Interview with clients.
Audit work papers and reports reflect:
o Reliability and integrity of financial and operational information.
o Effectiveness and efficiency of operations.
o Safeguarding of assets.
o Compliance with laws, regulations, and contracts.
Audits address effectiveness of controls encompassing governance, operations, and information systems.
Work papers adequately reflect an identification and evaluation of the operating and program goals and objectives of the area audited.
Work papers adequately reflect identification of the goals and objectives of the area audited. Evaluation (testing) should determine if results of the operation achieved the objectives.
Work papers reflect that the auditor has analyzed the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished.
The audit program reflects that the auditors used criteria in their evaluation if criteria existed.
If inadequate, did the auditors work with management to develop appropriate evaluation criteria according to the work papers?
Work papers adequately reflect an evaluation of the operating and program goals and objectives of the area audited to determine whether operations and programs are implemented or performed as intended.
There is a mechanism by which knowledge of controls from consulting engagements is an input to risk assessment.
2120 Control GC PC DNC

2130 – Governance
Standard: The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
2130.A1 – The internal audit activity should evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs and activities.
2130.C1 – Consulting engagement objectives should be consistent with the overall values and goals of the organization.
Key conformance criteria:
Internal audit activity assesses and makes appropriate recommendations for improving the governance process in its accomplishment of the objectives specified in the Standards.
Examples of evidence, sound practices and other considerations:
Code of Ethics.
Activity reports.
Engagement records.
Minutes of board meetings.
Memoranda resulting from meetings with senior management.
Job description for CAE.
Working paper review.
Annual audit plan.
Promoting appropriate ethics and values within the organization.
Establishing objectives, monitoring their accomplishment, and ensuring their accountability.
Effectively communicating risk and control information to appropriate areas of the organization.
Effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.
Does the internal audit activity evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities?
Does the internal audit activity actively contribute to improving the ethical culture within the organization?
Does the internal audit activity ensure that the operations and projects are consistent with the overall values and goals of the organization?
Does the internal audit activity have close relations with senior management?
Does the internal audit activity have periodic relations with the board, e.g. participation by the CAE in board meetings, opportunities for the CAE to meet privately with the board chair, reporting to the board, relevancy of topics raised, etc.?
2130 Governance GC PC DNC

2200 – Engagement Planning
Standard: Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.
Key conformance criteria: Sum of items below.
2200 Engagement Planning GC PC DNC

2201 – Planning Considerations
Standard: In planning the engagement, internal auditors should consider:
• The objectives of the activity being reviewed and the means by which the activity controls its performance.
• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model.
• The opportunities for making significant improvements to the activity's risk management and control systems.
2201.A1 – When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.
2201.C1 – Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.
Key conformance criteria:
Internal auditors systematically conduct a preliminary risk assessment of the organization's audit universe in order to determine the engagement objectives.
Internal auditors develop and record a program for each engagement.
In the case of outside engagements, the internal auditors establish a written understanding about the objectives, scope, and respective responsibilities of each party.
Examples of evidence, sound practices and other considerations:
Audit procedure.
Audit engagement letter.
Engagement work program.
Engagement records.
Agreement between the consulting engagement client and the internal auditor.
Evidence that fraud is considered in each audit engagement plan.
IT risks and controls are considered when appropriate in the audit plans.
Does this plan specify the:
o scope of work,
o audit objectives,
o engagement dates,
o timing,
o resources allocated?
The engagement plan reflects the expectations of senior management.
The engagement plan is based on a preliminary survey of the activity to be audited.
The preliminary survey takes into account:
o The objectives of the activity being reviewed,
o The significant risks to the activity,
o The means by which the activity controls its performance,
o The adequacy and effectiveness of the activity's risk management and control systems.
Outside engagement documentation or contracts.
Interviews with audit management.
Consulting engagement documentation.
Interviews with consulting clients.
2201 Planning Considerations GC PC DNC

2210 – Engagement Objectives
Standard: Objectives should be established for each engagement.
2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment.
2210.A2 – The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.
2210.C1 – Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.
Key conformance criteria:
Internal auditors refer back to the preliminary risk assessment (Standard 2201) of the organization's audit universe in order to determine the engagement objectives.
Examples of evidence, sound practices and other considerations:
Audit procedure.
Audit engagement letter.
Engagement work program.
Engagement records.
Agreement between the consulting engagement client and the internal auditor.
Do internal auditors develop and record a program for each engagement? If yes:
o The plan specifies the scope of work, audit objectives, engagement dates, timing, and resources allocated.
o It reflects the expectations of senior management.
o It is based on a preliminary survey of the activity to be audited.
The preliminary survey takes into account: the objectives of the activity being reviewed, the significant risks to the activity, the means by which the activity controls its performance, and the adequacy and effectiveness of the activity's risk management and control systems.
In the case of consulting engagements, the internal auditors establish a written understanding with consulting engagement clients about the objectives, scope, and respective responsibilities of each party.
2210 Engagement Objectives GC PC DNC

2220 – Engagement Scope
Standard: The established scope should be sufficient to satisfy the objectives of the engagement.
2220.A1 – The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.
2220.C1 – In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.
Key conformance criteria:
The engagement scope is consistent with the audit objectives.
If relevant, there is a written understanding and communication of consulting objectives, scope, and responsibilities.
Examples of evidence, sound practices and other considerations:
Engagement work program.
Client interviews.
Consulting documentation including formal agreement and other correspondence.
Consulting standards and practices.
Interview with staff.
There is evidence that results are communicated in accordance with consulting standards.
2220 Engagement Scope GC PC DNC

2230 – Engagement Resource Allocation
Standard: Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
Key conformance criteria:
There is evidence of appropriate evaluation of staffing after scoping that is based on the nature and complexity of the engagement, time constraints, and other available resources.
Examples of evidence, sound practices and other considerations:
Staffing analysis.
Interviews of audit management and staff.
Staffing allocation makes provision for the knowledge, skills and competencies required to perform the internal audit.
On-time performance of audit engagements is monitored:
o If yes, budget to actual time comparisons are performed.
o If yes, the comparisons are analyzed.
2230 Engagement Resource Allocation GC PC DNC

2240 – Engagement Work Program
Standard: Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.
2240.A1 – Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.
2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.
Key conformance criteria:
The internal auditor has developed a formal engagement work program outlining the resources and procedures needed to achieve the audit objectives.
Fraud was considered in the program.
The engagement work program and subsequent program adjustments are approved in writing by the chief audit executive or designee before the engagement is commenced.
Examples of evidence, sound practices and other considerations:
Engagement work programs.
2240 Engagement Work Programs GC PC DNC

2300 – Performing the Engagement
Standard: Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
Key conformance criteria: Sum of 2300 items below.
2300 Performing the Engagement GC PC DNC

2310 – Identifying Information
Standard: Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.
Key conformance criteria:
Working papers include all the relevant information to achieve the objectives.
Examples of evidence, sound practices and other considerations:
Audit work papers.
Interview with auditors.
Interview with clients.
Working papers are clear, properly indexed and classified, referenced to the engagement work program and the audit documentation, etc.
2310 Identifying Information GC PC DNC

2320 – Analysis and Evaluation
Standard: Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.
Key conformance criteria:
Audit conclusions and engagement results are based on appropriate analyses and evaluations that identify the root cause(s) of irregularities.
Examples of evidence, sound practices and other considerations:
Audit work papers.
Interview with auditors.
Interview with clients.
Working papers clearly show the results of tests and the conclusions and recommendations arising from such tests.
Actual testing was conducted and was sufficient to support the scope and objectives.
Substantive testing was done where appropriate.
Evidence obtained by interview was also validated by a secondary source.
The elements of criteria, condition, cause, effect, and recommendation were considered.
2320 Analysis and Evaluation GC PC DNC

2330 – Recording Information
Standard: Internal auditors should record relevant information to support the conclusions and engagement results.
2330.A1 – The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.
2330.A2 – The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.
2330.C1 – The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.
Key conformance criteria:
Sufficient information was recorded to support the conclusions and audit results.
Work papers have controlled access according to the policy of the organization.
There is evidence that the CAE obtains appropriate approvals prior to releasing records.
There is evidence of a policy on retention requirements.
Examples of evidence, sound practices and other considerations:
Audit work papers.
Summary of findings.
CAE interview.
Approval documents.
Audit policies.
Organization and regulatory requirements.
Retention requirements consistent with organization guidelines and other regulatory requirements.
Findings and recommendations can easily be traced to supporting evidence.
2330 Recording Information GC PC DNC

2340 – Engagement Supervision
Standard: Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.
Key conformance criteria:
There is evidence engagements are properly supervised as specified in the Standards.
Examples of evidence, sound practices and other considerations:
Internal policies and procedures for the internal audit activity.
Approved engagement work program.
Any written instructions issued by the supervisor.
Signed working papers (or initialed and signed by the supervisor).
Audit reports signed by the supervisor.
Review reports with resolution of review comments.
Annual training plans for auditors.
Annual competency reviews for auditors and evaluations of training received.
Audit plans and reports for decentralized audit departments.
Where a centralized internal audit department has a decentralized internal control structure:
o A common audit methodology has been adopted.
o The centralized internal audit department coordinates the audit plans if applicable.
2340 Engagement Supervision GC PC DNC

2400 – Communicating Results
Standard: Internal auditors should communicate the engagement results.
Key conformance criteria: Sum of items below.
2400 Communicating Results GC PC DNC

2410 – Criteria for Communicating
Standard: Communications should include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.
2410.A1 – Final communication of engagement results should, where appropriate, contain the internal auditor's overall opinion and/or conclusions.
2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.
2410.A3 – When releasing engagement results to parties outside the organization, the communication should include limitations on distribution and use of the results.
2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.
Key conformance criteria:
There is evidence of appropriate, timely communication with management.
An overall opinion or conclusion is included in the audit report.
Satisfactory performance is acknowledged in engagement communications.
Communications outside the organization are limited in distribution and use of results.
There is evidence of progress and results on consulting engagements that is reasonable to the engagement.
Examples of evidence, sound practices and other considerations:
Records, internal memos, e-mail, etc.
Report on opening kick-off meeting with audit client.
Interviews of operational management of the audited organization.
• Work program, objectives and scope of the engagement;
• Engagement period covered and estimated completion dates;
• The procedures for validating and reporting audit results and following up to determine that corrective action is taken.
The elements of criteria, condition, cause, effect, and recommendation are included.
Audit report.
Engagement communications.
Outside communications.
Consulting documentation.
2410 Criteria for Communicating GC PC DNC

2420 – Quality of Communications
Standard: Communications should be accurate, objective, clear, concise, constructive, complete, and timely.
Key conformance criteria:
Communications are appropriate as stated in the Standard.
Audit reports are timely.
Examples of evidence, sound practices and other considerations:
Audit records.
Report on client debriefing meetings.
Interviews of operational management of the audited organization.
Audit reports should be understandable by anyone (not contain technical jargon).
Audit reports should be concise in outlining what was tested, what was found, and its significance.
Audit reports should clearly contain facts to support the conclusions.
Determine that discussions, which help ensure that there have been no misunderstandings or misinterpretations of fact, have taken place during the audit engagement and during client debriefing meetings.
2420 Quality of Communications GC PC DNC

2421 – Errors and Omissions
Standard: If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication.
Key conformance criteria:
Where appropriate, there is communication of corrected information to all parties.
Examples of evidence, sound practices and other considerations:
Corrected correspondence.
2421 Errors and Omissions GC PC DNC

2430 – Engagement Disclosure of Noncompliance with the Standards
Standard: When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:
• Standard(s) with which full compliance was not achieved,
• Reason(s) for noncompliance, and
• Impact of noncompliance on the engagement.
Key conformance criteria:
Where appropriate, communication of results discloses noncompliance.
Examples of evidence, sound practices and other considerations:
Audit report or any other written summary of the results of the audit.
There is a procedure to determine compliance with the Standards in audit engagements.
Supervision policies.
Communication of results discloses the:
o Standard(s) with which full compliance was not achieved.
o Reason(s) for noncompliance.
o Impact of noncompliance on the engagement.
2430 Engagement Disclosure of Noncompliance with the Standards GC PC DNC

2440 – Disseminating Results
Standard: The chief audit executive should communicate results to the appropriate parties.
2440.A1 – The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.
2440.A2 – If not otherwise mandated by legal, statutory or regulatory requirements, prior to releasing results to parties outside the organization, the chief audit executive should:
• Assess the potential risk to the organization.
• Consult with senior management and/or legal counsel as appropriate.
• Control dissemination by restricting the use of the results.
2440.C1 – The chief audit executive is responsible for communicating the final results of consulting engagements to clients.
2440.C2 – During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.
Key conformance criteria:
Sum of items below.
Audit reports are distributed to an appropriate level of senior managers.
If applicable, the CAE has properly considered the elements of the Standard prior to disclosure outside the organization.
Consulting engagement reports are distributed appropriately.
Examples of evidence, sound practices and other considerations:
Assessed the potential risk to the organization.
Consulted with senior management and/or legal counsel as appropriate.
Controlled dissemination by restricting the use of the results.
Audit report distribution.
Correspondence with senior management or legal counsel.
Interview with CAE.
Consulting results communications.
Board meeting minutes.
Correspondence with senior management.
CAE interview.
2440 Disseminating Results GC PC DNC

2500 – Monitoring Progress
Standard: The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 – The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
2500.C1 – The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.
Key conformance criteria:
The CAE has established a follow-up process to monitor and ensure that management actions have been effectively implemented or the risk accepted.
Examples of evidence, sound practices and other considerations:
Records (e.g. follow-up report) or reports on meetings.
The process includes a formal procedure for setting out reasons for not implementing follow-up action.
If a management action has not been effectively implemented, the CAE has ensured that senior management has accepted the risk of not taking action and has communicated this to relevant stakeholders.
2500 Monitoring Progress GC PC DNC

2600 – Resolution of Management's Acceptance of Risks
Standard: When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.
Key conformance criteria:
Decisions regarding residual risk that are not resolved are reported by the CAE to the board for resolution.
The subsequent resolution/disposition of such residual risk issues is appropriately documented.
Examples of evidence, sound practices and other considerations:
Interview with CAE.
Interview with board members.
Board minutes.
2600 Resolution of Management's Acceptance of Risks GC PC DNC
3. Code of Ethics
Standard: The auditors adhere to a Code of Ethics (Code).
Key conformance criteria:
Department policy establishes the expectation that audit staff will conform to the Code of Ethics requirements.
There is evidence that the policy is communicated to and understood by the internal audit activity staff.
Examples of evidence, sound practices and other considerations:
Audit policies and procedures.
Interviews of selected auditors.
Interviews of selected auditees.
Annual evaluation.
The Code of Ethics is included in department policies and procedures.
Based on surveys of a cross-section of auditors and clients, determine if internal auditors are familiar with and adhere to the Code of Ethics.
Instances of non-compliance have been adequately addressed.
Code of Ethics GC PC DNC