IIA Standards Evaluation
ABC ORGANIZATION

Tool 19
ACKNOWLEDGEMENTS

This is a revision of Tool 19 released in August 2006 in order to provide a more
standardized and Standards-based approach to facilitate the consistent evaluation
of the conformance, by internal audit activities undergoing quality assessments, to
the Institute of Internal Auditors’ International Standards for the Professional
Practice of Internal Auditing (Standards).

This revised control plan, adapted from similar methods from affiliates in France
(IFACI), Germany (IRR), Belgium, and South Africa, was prepared by a task force
of the IIA’s Committee on Quality, with special assistance of Deborah F. Ridel,
CISA, and Ronald J. Ridel, CISA.
TOOL 19 – STANDARDS COMPLIANCE EVALUATION SUMMARY
                                                         (Circle Evaluator’s Decision)
OVERALL EVALUATION                                                    GC    PC    DNC
1. ATTRIBUTE STANDARDS                                                GC    PC    DNC
    1000 Purpose, Authority, and Responsibility (Charter)             GC    PC    DNC
    1100 Independence and Objectivity                                 GC    PC    DNC
         1110 Organizational Independence                             GC    PC    DNC
         1120 Individual Objectivity                                  GC    PC    DNC
         1130 Impairments to Independence or Objectivity              GC    PC    DNC
    1200 Proficiency and Due Professional Care                        GC    PC    DNC
         1210 Proficiency                                             GC    PC    DNC
         1220 Due Professional Care                                   GC    PC    DNC
         1230 Continuing Professional Development                     GC    PC    DNC
    1300 Quality Assurance/Improvement Program                        GC    PC    DNC
         1310 Quality Program Assessments                             GC    PC    DNC
         1311 Internal Assessments                                    GC    PC    DNC
         1312 External Assessments                                    GC    PC    DNC
         1320 Reporting on the Quality Program                        GC    PC    DNC
         1330 Use of “Conducted in Accordance with Standards”         GC    PC    DNC
         1340 Disclosure of Noncompliance                             GC    PC    DNC
2. PERFORMANCE STANDARDS                                              GC    PC    DNC
    2000 Managing the Internal Audit Activity                         GC    PC    DNC
         2010 Planning                                                GC    PC    DNC
         2020 Communication and Approval                              GC    PC    DNC
         2030 Resource Management                                     GC    PC    DNC
         2040 Policies and Procedures                                 GC    PC    DNC
         2050 Coordination                                            GC    PC    DNC
         2060 Reporting to the Board and Senior Management            GC    PC    DNC
    2100 Nature of Work                                               GC    PC    DNC
         2110 Risk Management                                         GC    PC    DNC
         2120 Control                                                 GC    PC    DNC
         2130 Governance                                              GC    PC    DNC
    2200 Engagement Planning                                          GC    PC    DNC
         2201 Planning Considerations                                 GC    PC    DNC
         2210 Engagement Objectives                                   GC    PC    DNC
         2220 Engagement Scope                                        GC    PC    DNC
         2230 Engagement Resource Allocation                          GC    PC    DNC
         2240 Engagement Work Program                                 GC    PC    DNC
    2300 Performing the Engagement                                    GC    PC    DNC
         2310 Identifying Information                                 GC    PC    DNC
         2320 Analysis and Evaluation                                 GC    PC    DNC
         2330 Recording Information                                   GC    PC    DNC
         2340 Engagement Supervision                                  GC    PC    DNC
    2400 Communicating Results                                        GC    PC    DNC
         2410 Criteria for Communicating                              GC    PC    DNC
         2420 Quality of Communications                               GC    PC    DNC
         2421 Errors and Omissions                                    GC    PC    DNC
         2430 Engagement Disclosure of Noncompliance with Standards   GC    PC    DNC
         2440 Disseminating Results                                   GC    PC    DNC
    2500 Monitoring Progress                                          GC    PC    DNC
    2600 Management’s Acceptance of Risks                             GC    PC    DNC
3. IIA Code of Ethics                                                 GC    PC    DNC


Evaluator’s name/signature:                              Date:
Evaluation of Conformance with IIA Standards – General Instructions/Definitions
Together with completion of all of the applicable tools in the IIA Quality Assessment
Manual, Tool 19 should be used to provide an overall assessment of the organization’s
conformance with the Standards.

Evaluation Procedures
When evaluating conformance to the Standards, carefully read the Standard and
consider only the Standard, not the ideal situation, “best practice”, etc.

Consider each individual Standard (1110 – Organizational Independence, 2420 –
Quality of Communications, etc.), including the relevant Implementation Standards
(which give additional guidance on assurance and consulting services), and conclude
as to the degree of conformity by the activity to each one, using the Key Conformance
Criteria and examples of evidence for guidance.

In the table below, any Key Conformance Criterion not achieved strongly suggests a
rating of “does not conform”, or at least only “partially conforms”, for that
individual Standard.

Consider each section of the Standards (numbers ending in “00”: 1200 – Proficiency
and Due Professional Care, 2300 – Performing the Engagement, etc.), and conclude as
to the degree of conformity by the activity to each section taken as a whole, based
on the conclusions reached for the related individual Standards in the section and on
other relevant observations made during the quality assessment. If all underlying
Standards are rated “does not conform”, then the section as a whole is rated “does
not conform”. Otherwise, the team must make a judgment, based on the number of
“does not conform” ratings and the specific conditions present, as to whether the
overall rating is “does not conform” or “partially conforms”.

On the same basis as for sections of the Standards, conclude as to the degree of
conformity by the activity to the major categories of the Standards (ATTRIBUTE and
PERFORMANCE); then make an overall evaluation as to the activity’s conformance to
the Standards as a whole (the first line of this evaluation form).

Consider the four principles and related rules of conduct in the Code of Ethics and
conclude whether or not the activity’s management and staff uphold each of the
principles and apply the related rules of conduct.



Definitions
GC – “Generally Conforms” means the evaluator has concluded that the relevant structures,
policies, and procedures of the activity, as well as the processes by which they are applied,
comply with the requirements of the individual Standard or element of the Code of Ethics in all
material respects. For the sections and major categories, this means that there is general
conformity to a majority of the individual Standards or elements of the Code of Ethics, and at
least partial conformity to the others, within the section/category. There may be significant
opportunities for improvement, but these should not represent situations where the activity has
not implemented the Standards or the Code of Ethics, has not applied them effectively, or has
not achieved their stated objectives. As indicated above, general conformance does not require
complete/perfect conformance, the ideal situation, “best practice”, etc.
PC – “Partially Conforms” means the evaluator has concluded that the activity is making
good-faith efforts to comply with the requirements of the individual Standard or element of the
Code of Ethics, section, or major category, but falls short of achieving some major objectives.
These will usually represent significant opportunities for improvement in effectively applying the
Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be
beyond the control of the activity and may result in recommendations to senior management or
the board of the organization.
DNC – “Does Not Conform” means the evaluator has concluded that the activity is not aware
of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the
objectives of the individual Standard or element of the Code of Ethics, section, or major
category. These deficiencies will usually have a significant negative impact on the activity’s
effectiveness and its potential to add value to the organization. These may also represent
significant opportunities for improvement, including actions by senior management or the board.
Often, the most difficult evaluation is the distinction between “general” and “partial”. It is
a judgment call, keeping in mind the definition of “general conformance” above. Carefully
read the Standard to determine if basic compliance exists. The existence of
“opportunities for improvement”, better alternatives, or other best practices does not
reduce a “generally conforms” rating.
TOOL 19 – STANDARDS COMPLIANCE EVALUATION – MASTER FRAMEWORK

OVERALL EVALUATION                                                GC      PC      DNC
ATTRIBUTE STANDARDS                                               GC      PC      DNC
PERFORMANCE STANDARDS                                             GC      PC      DNC

1. ATTRIBUTE STANDARDS

Each Standard below is followed by its Key Conformance Criteria, by Examples of Evidence,
Sound Practices and Other Considerations, and by the rating line for that Standard
(circle GC, PC or DNC).

1000 – Purpose, Authority, and Responsibility
The purpose, authority and responsibility of the internal audit activity should be formally
defined in a charter consistent with the Standards and approved by the board.
1000.A1 – The nature of assurance services provided to the organization should be defined in
the audit charter. If assurances are to be provided to parties outside the organization, the
nature of these assurances should also be defined in the charter.
1000.C1 – The nature of consulting should be defined in the audit charter.

Key Conformance Criteria:
• There is a charter containing the purpose, authority, and responsibility of the internal
  audit activity.
• The charter has been approved by the board.

Examples of Evidence, Sound Practices and Other Considerations:
• Internal Audit Activity charter:
   o The charter is approved by senior management.
   o The purpose, authority, and responsibilities of the internal audit activity are defined
     in the charter.
   o The charter establishes the position of the internal audit department within the
     organization.
   o The charter provides unrestricted access to records, personnel, and physical properties
     relevant to the performance of engagements.
   o The charter sets the tone for the internal audit activity’s interaction with the board.
   o The charter defines the nature of activities to be performed.
• Minutes of board meetings.
• Interviews of the CAE, senior management, etc.

1000    Purpose, Authority, and Responsibility (Charter)          GC      PC      DNC

1100 – Independence and Objectivity
The internal audit activity should be independent and internal auditors should be objective
in performing work.

Key Conformance Criteria:
• Sum of 1110–1130.

1100    Independence and Objectivity                              GC      PC      DNC

1110 – Organizational Independence
The chief audit executive should report to a level within the organization that allows the
internal audit activity to fulfill its responsibilities.
1110.A1 – The internal audit activity should be free from interference in determining the
scope of internal auditing, performing work, and communicating results.

Key Conformance Criteria:
• The chief audit executive reports to a level in the organization that is adequate to
  discharge his or her responsibilities.
• Any reporting relationship (administrative or total) to management does not interfere
  with the chief audit executive’s responsibility to the board.
• There are no restrictions to the scope, resources, and access of the internal audit
  activity.

Examples of Evidence, Sound Practices and Other Considerations:
• Organizational charts.
• Annual audit plan.
• Engagement work programs.
• Interviews of the CAE, senior management, etc.
• The internal audit activity reports directly to the highest executive levels of the
  organization (e.g. senior management, the board).
• Audit Committee charter:
   o Appointment and removal of CAE
   o Salary of CAE
   o CAE Performance Appraisal
• The following are systematically reported to the board:
   o Annual planning of audit engagements;
   o Resource allocations;
   o Coverage of engagement objectives;
   o Implementation of audit procedures;
   o Communication of results;
   o Budget and Staffing; and
   o Major restrictions on the scope of internal audit activities.

1110    Organizational Independence                               GC      PC      DNC

1120 – Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

Key Conformance Criteria:
• Auditors do not have assignments in conflict.
• Audit staff has background and experience that does not conflict with audit assignments.
• Results and conclusions of engagements are based on factual evidence and observation.

Examples of Evidence, Sound Practices and Other Considerations:
• Interviews with audit staff.
• Interviews with senior management.
• Examination of auditor assignments – e.g., auditors should not audit a function for which
  they were responsible.
• Evaluation of auditor background.
• Evidence of supervision.
• There is linkage between the audit objectives, factual evidence, and conclusions.

1120    Individual Objectivity                                    GC      PC      DNC
1130 – Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the
impairment should be disclosed to appropriate parties. The nature of the disclosure will be
dependent on the impairment.
1130.A1 – Internal auditors should refrain from assessing specific operations for which they
were previously responsible. Objectivity is presumed to be impaired if an internal auditor
provides assurance services for an activity for which the internal auditor had responsibility
within the previous year.
1130.A2 – Assurance engagements for functions over which the chief audit executive has
responsibility should be overseen by a party outside the internal audit activity.
1130.C1 – Internal auditors may provide consulting services relating to operations for which
they had previous responsibilities.
1130.C2 – If internal auditors have potential impairments to independence or objectivity
relating to proposed consulting services, disclosure should be made to the engagement client
prior to accepting the engagement.

Key Conformance Criteria:
• Auditors are aware they should report any real or perceived conflict of interest as soon
  as such conflict arises.
• Assignment of internal audit personnel takes into account previous responsibilities.

Examples of Evidence, Sound Practices and Other Considerations:
• List of auditors including their date of appointment and responsibilities held prior to
  appointment.
• Engagement records.
• Internal auditors’ assignments for the previous three years.
• Policies and procedures of the internal audit department.
• Disclosures on independence have been made to the board, per minutes of the AC meetings.
• Formal commitment to the Code of Ethics.
• An outside party oversees assurance services over functions for which the chief audit
  executive has been responsible.
• Objectivity may be impaired if auditors are assigned to operations for which they were
  responsible within the previous year, or where relationships with the audited activities
  present potential conflicts of interest.
• Areas of responsibility are rotated on a regular basis, thus ensuring that the same
  processes, activities, and entities are not audited by the same auditors.

1130    Impairments to Independence or Objectivity                GC      PC      DNC

1200 – Proficiency and Due Professional Care
Engagements should be performed with proficiency and due professional care.

Key Conformance Criteria:
• Sum of 1210–1230.

1200    Proficiency and Due Professional Care                     GC      PC      DNC
1210 – Proficiency
Internal auditors should possess the knowledge, skills, and other competencies needed to
perform their individual responsibilities. The internal audit activity collectively should
possess or obtain the knowledge, skills and competencies needed to perform its
responsibilities.
1210.A1 – The chief audit executive should obtain competent advice and assistance if the
internal audit staff lacks the knowledge, skills or other competencies needed to perform all
or part of the engagement.
1210.A2 – The internal auditor should have sufficient knowledge to identify the indicators of
fraud but is not expected to have the expertise of a person whose primary responsibility is
detecting and investigating fraud.
1210.A3 – Internal auditors should have knowledge of key information technology risks and
controls and available technology-based audit techniques to perform their assigned work.
However, not all internal auditors are expected to have the expertise of an internal auditor
whose primary responsibility is information technology auditing.
1210.C1 – The chief audit executive should decline the consulting engagement or obtain
competent advice and assistance if the internal audit staff lacks the knowledge, skills or
other competencies needed to perform all or part of the engagement.

Key Conformance Criteria:
• Auditors undergo specific training based on a collective staff training needs analysis.
• Staff performance is reviewed on a regular basis, and the criteria used are adequate and
  appropriate for the needs of the activity.
• Where skills are lacking, the CAE has engaged capable assistance.
• Auditors have fraud training or proficiency in the identification of fraud indicators.
• Auditors have training or proficiency in IT concepts and computer-aided audit tools.
• Where skills are lacking, the CAE has engaged capable assistance or has declined the
  engagement.

Examples of Evidence, Sound Practices and Other Considerations:
• Job descriptions and competency requirements (especially information systems and fraud).
• Staff date of appointment, prior held responsibilities, and qualifications.
• Hiring plans and selection procedures.
• Training plans.
• Annual and engagement performance evaluations.
• Interviews of clients.
• Contracts for supplemental resources or outsourcing.
• Review of third party reports.
• Reports and work papers of third parties.
• Performance and knowledge requirements are clearly documented in the contract.
• Professional certifications.
• Resumes of staff.
• There is evidence that IT tools are used when appropriate in audit plans.
• Autonomous data extraction.

1210    Proficiency                                               GC      PC      DNC
1220 – Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent and
competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – The internal auditor should exercise due professional care by considering the:
  • Extent of work needed to achieve the engagement’s objectives.
  • Relative complexity, materiality, or significance of matters to which assurance
    procedures are applied.
  • Adequacy and effectiveness of risk management, control, and governance processes.
  • Probability of significant errors, irregularities, or noncompliance.
  • Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care the internal auditor should consider the use of
computer-assisted audit tools and other data analysis techniques.
1220.A3 – The internal auditor should be alert to the significant risks that might affect
objectives, operations, or resources. However, assurance procedures alone, even when
performed with due professional care, do not guarantee that all significant risks will be
identified.
1220.C1 – The internal auditor should exercise due professional care during a consulting
engagement by considering the:
  • Needs and expectations of clients, including the nature, timing, and communication of
    engagement results.
  • Relative complexity and extent of work needed to achieve the engagement’s objectives.
  • Cost of the consulting engagement in relation to potential benefits.

Key Conformance Criteria:
• Audit work papers provide evidence of due professional care in the conduct of the work
  performed.
• Audit engagements are supported by appropriate tools, including information systems, and
  these are used in an appropriate manner.
• There is evidence of a risk assessment of the audit engagement.
• Consulting engagement documentation provides evidence of due professional care in the
  conduct of the work performed.

Examples of Evidence, Sound Practices and Other Considerations:
• Audit work papers.
• Reports.
• Tools used by internal auditors.
• Conclusions based on appropriate tests, analyses and supporting documentation; indexed and
  classified working papers; effective coverage of engagement work program objectives, etc.
• When making recommendations, the internal auditors consider the cost of implementing
  controls in relation to potential benefits.
• Data extraction and analysis techniques, risk assessment tools, tools for engagement
  planning and performance, communication, etc.
• Audit engagement risk assessment.
• For consulting engagements: conclusions based on appropriate tests, analyses and
  supporting documentation; indexed and classified working papers; effective coverage of
  engagement work program objectives, etc.; and, when making recommendations, the internal
  auditors consider the cost of implementing controls in relation to potential benefits.

1220    Due Professional Care                                     GC      PC      DNC

1230 – Continuing Professional Development
Internal auditors should enhance their knowledge, skills, and other competencies through
continuing professional development.

Key Conformance Criteria:
• There is continuing professional development to enhance the knowledge and competencies of
  internal auditors.

Examples of Evidence, Sound Practices and Other Considerations:
• Training and continuous development policy for the internal audit function.
• List of CIA auditors or of auditors having obtained similar professional certifications.
• Training program fulfilling criteria for maintaining certification.
• Auditors participate in the activities of professional bodies.
• Auditors participate in conferences, seminars, and working groups.
• Auditors take part in internal and external training.
• The internal audit activity encourages internal auditors to obtain relevant professional
  certifications such as the CIA.

1230    Continuing Professional Development                       GC      PC      DNC
1300 – Quality Assurance and                       The internal audit activity has a process   • Documented quality assurance and improvement program.
Improvement Program                                to monitor and assess the overall           • Quality program procedures.
The chief audit executive should develop and       effectiveness of the quality program.       • Performance indicators for the internal audit activity.
maintain a quality assurance and                                                               • Formal results of assessments performed.
improvement program that covers all aspects                                                    • Responses given to assessment recommendations.
of the internal audit activity and continuously                                                • Activity reports.
monitors its effectiveness. This program                                                       • Measurement of value added such as surveys.
includes periodic internal and external quality                                                • Assessments include the following aspects:
assessments       and       ongoing     internal                                                  o Adherence to the Standards and Code of Ethics,
monitoring. Each part of the program should                                                       o Adequacy of the Internal Audit charter, objectives, policies and
be designed to help the internal auditing                                                              procedures, and
activity add value and improve the                                                                o Contribution to risk management, control, and governance
organization’s operations and to provide                                                               processes.
assurance that the internal audit activity is in                                                  o Value added according to key stakeholders
conformity with the Standards and the Code                                                     • Assessments include ongoing reviews of the performance of the
of Ethics.                                                                                        internal audit activity; and periodic reviews performed through self-
                                                                                                  assessment or by other persons within the organization who have
                                                                                                  knowledge of internal audit practices and the Standards.
1300                                               Quality Assurance and Improvement             GC       PC      DNC
                                                   Program
1310 – Quality Program Assessments

STANDARD: The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

KEY CONFORMANCE CRITERIA: The internal audit activity has a process to monitor and assess the overall effectiveness of the quality program.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Evidence of a plan for reviews, from interviews, board minutes, or other documentation.
• Documented policy.

1310   Quality Program Assessments   GC   PC   DNC
1311 – Internal Assessments

STANDARD: Internal assessments should include:
• Ongoing reviews of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

KEY CONFORMANCE CRITERIA: There is evidence of ongoing reviews of the performance of the internal audit activity. Periodic reviews were performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Reports and documentation of internal reviews, including action plan.
• Periodic assessment of internal audit staff.
• Client surveys.
• Work paper reviews.
• Board minutes.
• Performance indicators.

1311   Internal Assessments   GC   PC   DNC

1312 – External Assessments

STANDARD: External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

KEY CONFORMANCE CRITERIA: There is evidence of comprehensive external reviews by qualified, independent reviewers.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Committee/board minutes.
• Report of external reviewer.
• List of competencies for the team leader and team.

1312   External Assessments   GC   PC   DNC

1320 – Reporting on the Quality Program

STANDARD: The chief audit executive should communicate the results of external assessments to the board.

KEY CONFORMANCE CRITERIA: Reports of the results of external assessments are submitted to the board.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Board minutes.
• Action plan.
• External assessment report.

1320   Reporting on the Quality Program   GC   PC   DNC
1330 – Use of "Conducted in Accordance with the Standards"

STANDARD: Internal auditors are encouraged to report that their activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing." However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.

KEY CONFORMANCE CRITERIA: There is appropriate wording in audit reports.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Audit reports.
• Audit procedures manual.
• IA activity charter.
• External assessment report with a "generally conforms" opinion.

1330   Use of "Conducted in Accordance with the Standards"   GC   PC   DNC

1340 – Disclosure of Noncompliance

STANDARD: Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.

KEY CONFORMANCE CRITERIA: There is appropriate wording in the report to the board.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Interview with board or senior management.
• Board minutes.
• External assessment report.

1340   Disclosure of Noncompliance   GC   PC   DNC
2. Performance Standards
2000 – Managing the Internal Audit Activity

STANDARD: The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

KEY CONFORMANCE CRITERIA: Sum of the 2000 sub-items below.

2000   Managing the Internal Audit Activity   GC   PC   DNC

2010 – Planning

STANDARD: The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.
2010.C1 - The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization’s operations. Those engagements that have been accepted should be included in the plan.

KEY CONFORMANCE CRITERIA: The chief audit executive has established risk-based plans in consultation with the board and senior management. Where appropriate, consulting engagements are in the annual audit plan.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Annual audit plan:
  o The audit plan risk assessment establishes a link between the proposed audit topics and the operational and strategic risks of the organization.
  o The audit plan risk assessment takes account of feedback received from operational managers.
• Formal opinions of senior management and of the board, e.g. final approval of the annual audit plan.
• Formal risk assessment.
• Strategic plan of the organization.
• Annual audit plan.
• Formal risk assessment.
• Strategic plan of the organization.
• The engagement work program is based on a periodic, at least annual, comprehensive risk assessment.

2010   Planning   GC   PC   DNC
2020 – Communication and Approval

STANDARD: The chief audit executive should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

KEY CONFORMANCE CRITERIA: The chief audit executive has communicated the internal audit activity's annual plans, including significant interim changes, to senior management and the board. The CAE has also communicated to senior management and the board the impact of resource limitations.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Annual audit plan.
• Final approval of annual audit plan.
• Evidence of action taken by the CAE in the event of resource limitations.
• Formal assessment of needs prepared by the CAE.
• The chief audit executive informs senior management and the board of any audit engagements that have been rescheduled, as well as the reasons for rescheduling and the degree of risk associated with the rescheduled engagements.

2020   Communication and Approval   GC   PC   DNC

2030 – Resource Management

STANDARD: The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

KEY CONFORMANCE CRITERIA: Staffing plans and financial budgets are determined from annual audit plans and activities of the internal audit department. The internal audit activity is organized to ensure proper coverage of the organization's audit universe.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Staffing analysis and annual operating plans.
• Annual audit plan.
• Program for selecting and developing human resources.
• Interviews of senior management.
• Interviews of the chief audit executive.
• Procedures to notify the chief audit executive or any internal audit manager of any problems that arise during the audit.
• Evidence that the internal audit activity is organized to reflect the activities of the organization and to encourage interaction between internal auditors and their audit clients (e.g. internal audit is organized similarly to the audited organization).
• Administrative activities, training requirements, etc.
• Staffing plans make provision for the knowledge, skills and other competencies required to perform the internal audit responsibilities.
• Utilization of staff.
• Budget to actual time.
• The chief audit executive has established a program for selecting and developing the human resources of the internal audit department.
• On-time performance of audit engagements is monitored:
  o If yes, budget to actual time comparisons are performed.
  o If yes, comparisons are analyzed.

2030   Resource Management   GC   PC   DNC
2040 – Policies and Procedures

STANDARD: The chief audit executive should establish policies and procedures to guide the internal audit activity.

KEY CONFORMANCE CRITERIA: There are appropriate policies and procedures, and they are communicated to and understood by the staff of the internal audit activity.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Policies and procedures.
• Audit manual.
• Interviews with staff.
• There is evidence that policies and procedures are followed.
• Policies and procedures are well documented.

2040   Policies and Procedures   GC   PC   DNC

2050 – Coordination

STANDARD: The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

KEY CONFORMANCE CRITERIA: Internal audit work is coordinated with that of the external auditors and with internal providers of assurance and consulting services.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Annual audit plans of internal and external auditors.
• Reports on meetings.
• Delegation of personnel or resource sharing.
• Common training courses.
• Compatible methods and tools.
• Follow-up by internal audit of the external auditors' recommendations.
• Comprehensiveness of their respective plans, proper coverage of the organization's audit universe, etc.
• Internal and external auditors share information about the results of their work (reciprocal exchanges of activity reports, etc.).
• Internal auditors meet regularly with the external auditors to discuss matters of mutual interest or concern.

2050   Coordination   GC   PC   DNC
2060 – Reporting to the Board and Senior Management

STANDARD: The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

KEY CONFORMANCE CRITERIA: There is evidence that the CAE reports appropriately to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Board minutes.
• CAE presentation to the board.
• Activity reports.
• Interviews, management reports, reports on meetings.
• Senior management's responses to internal audit reports.
• Any tangible evidence (e-mail records, internal memos, reports on meetings, etc.) demonstrating that the board has been informed.
• Status of action plans from audit findings.
• Interview, where necessary, of a member of the board.
• The CAE report includes:
  o Performance measures
  o Risk exposures
  o Control issues
  o Governance issues

2060   Reporting to the Board and Senior Management   GC   PC   DNC
2100 – Nature of Work

STANDARD: The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

KEY CONFORMANCE CRITERIA: Sum of the 2100 elements below.

2100   Nature of Work   GC   PC   DNC

2110 – Risk Management

STANDARD: The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
2110.A1 - The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.
2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2110.C1 – During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

KEY CONFORMANCE CRITERIA: The scope of internal audit includes appropriate evaluation of risk management and control systems. Consulting projects cover all significant risk activities within the scope.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Risk mapping.
• Internal audit activity report.
• Annual audit plan.
• Charter.
• Engagement records.
• Audit report.
• Memoranda resulting from meetings or discussions with the Risk department.
• Results of risk and controls self-assessments.
• Preliminary risk assessment report performed prior to commencement of the audit assignment.
• Does the audit engagement verify the existence of a risk management program? If such a program exists, is an evaluation performed? If no program exists, do the internal auditors notify senior management?
• Assurance engagements periodically evaluate the risk exposure of the organization in respect of the:
  o Reliability and integrity of financial information and operational management reporting
  o Effectiveness and efficiency of operations
  o Safeguarding of assets
  o Compliance with laws, regulations and contracts
• Are auditors permitted and encouraged to identify risks not identified in the original plan?
• There is a mechanism for auditors to take input from engagements into the risk evaluation process.

2110   Risk Management   GC   PC   DNC

2120 – Control

STANDARD: The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.
2120.C1 - During consulting engagements, internal auditors should address controls consistent with the engagement’s objectives and be alert to the existence of any significant control weaknesses.
2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

KEY CONFORMANCE CRITERIA: Where appropriate, audit work papers reflect the elements specified in the implementation Standards. Where appropriate, audit work papers reflect the elements specified in the consulting implementation Standards.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Audit work papers.
• Interview with auditors.
• Interview with clients.
• Audit work papers and reports reflect:
  o Reliability and integrity of financial and operational information.
  o Effectiveness and efficiency of operations.
  o Safeguarding of assets.
  o Compliance with laws, regulations, and contracts.
• Audits address the effectiveness of controls encompassing governance, operations, and information systems.
• Work papers adequately reflect an identification and evaluation of the operating and program goals and objectives of the area audited.
• Work papers adequately reflect identification of the goals and objectives of the area audited. Evaluation (testing) should determine whether the results of the operation achieved the objectives.
• Work papers reflect that the auditor has analyzed the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished.
• The audit program reflects that the auditors used criteria in their evaluation where criteria existed.
• If criteria were inadequate, did the auditors work with management to develop appropriate evaluation criteria, according to the work papers?
• Work papers adequately reflect an evaluation of the operating and program goals and objectives of the area audited to determine whether operations and programs are implemented or performed as intended.
• There is a mechanism by which knowledge of controls from consulting engagements is an input to risk assessment.

2120   Control   GC   PC   DNC

2130 – Governance

STANDARD: The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
2130.A1 – The internal audit activity should evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs and activities.
2130.C1 – Consulting engagement objectives should be consistent with the overall values and goals of the organization.

KEY CONFORMANCE CRITERIA: The internal audit activity assesses and makes appropriate recommendations for improving the governance process in its accomplishment of the objectives specified in the Standards.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS:
• Code of Ethics.
• Activity reports.
• Engagement records.
• Minutes of board meetings.
• Memoranda resulting from meetings with senior management.
• Job description for the CAE.
• Working paper review.
• Annual audit plan.
• Promoting appropriate ethics and values within the organization.
• Establishing objectives, monitoring their accomplishment, and ensuring accountability for them.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.
• Does the internal audit activity evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities?
• Does the internal audit activity actively contribute to improving the ethical culture within the organization?
• Does the internal audit activity ensure that operations and projects are consistent with the overall values and goals of the organization?
• Does the internal audit activity have close relations with senior management?
• Does the internal audit activity have periodic relations with the board, e.g. participation by the CAE in board meetings, opportunities for the CAE to meet privately with the board chair, reporting to the board, relevancy of topics raised, etc.?

2130   Governance   GC   PC   DNC

2200 – Engagement Planning

STANDARD
Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.

KEY CONFORMANCE CRITERIA
Sum of items below.

2200   Engagement Planning   GC   PC   DNC

2201 – Planning Considerations

STANDARD
In planning the engagement, internal auditors should consider:
   • The objectives of the activity being reviewed and the means by which the activity controls its performance.
   • The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
   • The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model.
   • The opportunities for making significant improvements to the activity's risk management and control systems.
2201.A1 – When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.
2201.C1 – Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.

KEY CONFORMANCE CRITERIA
Internal auditors systematically conduct a preliminary risk assessment of the organization's audit universe in order to determine the engagement objectives.
Internal auditors develop and record a program for each engagement.
In the case of outside engagements, the internal auditors establish a written understanding about the objectives, scope, and respective responsibilities of each party.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Audit procedure.
Audit engagement letter.
Engagement work program.
Engagement records.
Agreement between the consulting engagement client and the internal auditor.
Evidence that fraud is considered in each audit engagement plan.
IT risks and controls are considered when appropriate in the audit plans.
Does this plan specify the:
   o scope of work,
   o audit objectives,
   o engagement dates,
   o timing,
   o resources allocated?
The engagement plan reflects the expectations of senior management.
The engagement plan is based on a preliminary survey of the activity to be audited.
The preliminary survey takes into account:
   o The objectives of the activity being reviewed,
   o The significant risks to the activity,
   o The means by which the activity controls its performance,
   o The adequacy and effectiveness of the activity's risk management and control systems.
Outside engagement documentation or contracts.
Interviews with audit management.
Consulting engagement documentation.
Interviews with audit management.
Interviews with consulting clients.

2201   Planning Considerations   GC   PC   DNC

2210 – Engagement Objectives

STANDARD
Objectives should be established for each engagement.
2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment.
2210.A2 – The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.
2210.C1 – Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.

KEY CONFORMANCE CRITERIA
Internal auditors refer back to the preliminary risk assessment (Standard 2201) of the organization's audit universe in order to determine the engagement objectives.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Audit procedure.
Audit engagement letter.
Engagement work program.
Engagement records.
Agreement between the consulting engagement client and the internal auditor.
Internal auditors develop and record a program for each engagement? If yes:
   o Plan specifies the scope of work, audit objectives, engagement dates, timing, and resources allocated.
   o Reflects the expectations of senior management.
   o Is based on a preliminary survey of the activity to be audited.
The preliminary survey takes into account:
   o the objectives of the activity being reviewed,
   o the significant risks to the activity,
   o the means by which the activity controls its performance,
   o the adequacy and effectiveness of the activity's risk management and control systems.
In the case of consulting engagements, the internal auditors establish a written understanding with consulting engagement clients about the objectives, scope, and respective responsibilities of each party.

2210   Engagement Objectives   GC   PC   DNC

2220 – Engagement Scope

STANDARD
The established scope should be sufficient to satisfy the objectives of the engagement.
2220.A1 – The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.
2220.C1 – In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.

KEY CONFORMANCE CRITERIA
The engagement scope is consistent with the audit objectives.
If relevant, a written understanding and communication of consulting objectives, scope, and responsibilities.
There is evidence that results are communicated in accordance with consulting standards.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Engagement work program.
Client interviews.
Consulting documentation including formal agreement and other correspondence.
Consulting standards and practices.
Interview with staff.

2220   Engagement Scope   GC   PC   DNC

2230 – Engagement Resource Allocation

STANDARD
Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

KEY CONFORMANCE CRITERIA
There is evidence of appropriate evaluation of staffing after scoping that is based on the nature and complexity of the engagement, time constraints, and available resources.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Staffing analysis.
Interviews of audit management and staff.
Staffing allocation makes provision for the knowledge, skills and other competencies required to perform the internal audit.
On-time performance of audit engagements is monitored:
   o If yes, budget to actual time comparisons are performed.
   o If yes, comparisons are analyzed.

2230   Engagement Resource Allocation   GC   PC   DNC

2240 – Engagement Work Program

STANDARD
Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.
2240.A1 – Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.
2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

KEY CONFORMANCE CRITERIA
The internal auditor has developed a formal engagement work program outlining the resources and procedures needed to achieve the audit objectives.
Fraud was considered in the program.
The engagement work program and subsequent program adjustments are approved in writing by the chief audit executive or designee before the engagement is commenced.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Engagement work programs.

2240   Engagement Work Programs   GC   PC   DNC

2300 – Performing the Engagement

STANDARD
Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

KEY CONFORMANCE CRITERIA
Sum of 2300 items below.

2300   Performing the Engagement   GC   PC   DNC

2310 – Identifying Information

STANDARD
Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.

KEY CONFORMANCE CRITERIA
Working papers include all the relevant information to achieve the objectives.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Audit work papers.
Interview with auditors.
Interview with clients.
Working papers are clear, properly indexed and classified, referenced to the engagement work program and the audit documentation, etc.

2310   Identifying Information   GC   PC   DNC

2320 – Analysis and Evaluation

STANDARD
Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

KEY CONFORMANCE CRITERIA
Audit conclusions and engagement results are based on appropriate analyses and evaluations that identify the root cause(s) of irregularities.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Audit work papers.
Interview with auditors.
Interview with clients.
Working papers clearly show the results of tests and the conclusions and recommendations arising from such tests.
Actual testing was conducted and sufficient to support the scope and objectives.
Substantive testing was done where appropriate.
Evidence by interview was also validated by a secondary source.
The elements of criteria, condition, cause, effect, and recommendation were considered.

2320   Analysis and Evaluation   GC   PC   DNC

2330 – Recording Information

STANDARD
Internal auditors should record relevant information to support the conclusions and engagement results.
2330.A1 – The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.
2330.A2 – The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.
2330.C1 – The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

KEY CONFORMANCE CRITERIA
Sufficient information was recorded to support the conclusions and audit results.
Work papers have controlled access according to the policy of the organization.
There is evidence that the CAE obtains appropriate approvals prior to releasing records.
There is evidence of a policy on retention requirements.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Audit work papers.
Summary of findings.
CAE interview.
Approval documents.
Audit policies.
Organization and regulatory requirements.
Requirements consistent with organization guidelines and other regulatory requirements.
Findings and recommendations can easily be traced to supporting evidence.

2330   Recording Information   GC   PC   DNC

2340 – Engagement Supervision

STANDARD
Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

KEY CONFORMANCE CRITERIA
There is evidence engagements are properly supervised as specified in the Standards.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Internal policies and procedures for the internal audit activity.
Approved engagement work program.
Any written instructions issued by the supervisor.
Signed working papers (or initialed and signed by the supervisor).
Audit reports signed by the supervisor.
Review reports with resolution of review comments.
Annual training plans for auditors.
Annual competency reviews for auditors and evaluations of training received.
Audit plans and reports for decentralized audit departments.
Where a centralized internal audit department has a decentralized internal control structure:
   o A common audit methodology has been adopted.
   o The centralized internal audit department coordinates the audit plans if applicable.

2340   Engagement Supervision   GC   PC   DNC

2400 – Communicating Results

STANDARD
Internal auditors should communicate the engagement results.

KEY CONFORMANCE CRITERIA
Sum of items below.

2400   Communicating Results   GC   PC   DNC

2410 – Criteria for Communicating

STANDARD
Communications should include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.
2410.A1 – Final communication of engagement results should, where appropriate, contain the internal auditor's overall opinion and/or conclusions.
2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.
2410.A3 – When releasing engagement results to parties outside the organization, the communication should include limitations on distribution and use of the results.
2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

KEY CONFORMANCE CRITERIA
There is evidence of appropriate, timely communication with management.
An overall opinion or conclusion is included in the audit report.
Satisfactory performance is acknowledged in engagement communications.
Communications outside the organization are limited in distribution and use of results.
There is evidence of progress and results on consulting engagements that is reasonable to the engagement.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Records, internal memos, e-mail, etc.
Report on opening kick-off meeting with audit client.
Interviews of operational management of the audited organization.
   • work program, objectives and scope of the engagement;
   • engagement period covered and estimated completion dates;
   • the procedures for validating and reporting audit results and following up to determine that corrective action is taken.
The elements of criteria, condition, cause, effect, and recommendation are included.
Audit report.
Engagement communications.
Outside communications.
Consulting documentation.

2410   Criteria for Communicating   GC   PC   DNC

2420 – Quality of Communications

STANDARD
Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

KEY CONFORMANCE CRITERIA
Communications are appropriate as stated in the Standard.
Audit reports are timely.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Audit records.
Report on client debriefing meetings.
Interviews of operational management of the audited organization.
Audit reports should be understandable by anyone (not contain technical jargon).
Audit reports should be concise in outlining what was tested, what was found, and its significance.
Audit reports should clearly contain facts to support the conclusions.
Determine that discussions, which help ensure that there have been no misunderstandings or misinterpretations of fact, have taken place during the audit engagement and during client debriefing meetings.

2420   Quality of Communications   GC   PC   DNC


2421 – Errors and Omissions

STANDARD
If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication.

KEY CONFORMANCE CRITERIA
Where appropriate, there is communication of corrected information to all parties.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Corrected correspondence.

2421   Errors and Omissions   GC   PC   DNC

2430 – Engagement Disclosure of Noncompliance with the Standards

STANDARD
When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:
   • Standard(s) with which full compliance was not achieved,
   • Reason(s) for noncompliance, and
   • Impact of noncompliance on the engagement.

KEY CONFORMANCE CRITERIA
Where appropriate, communication of results discloses noncompliance.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Audit report or any other written summary of the results of the audit.
There is a procedure to determine compliance with the Standards in audit engagements.
Supervision policies.
Communication of results discloses the:
   o Standard(s) with which full compliance was not achieved.
   o Reason(s) for noncompliance.
   o Impact of noncompliance on the engagement.

2430   Engagement Disclosure of Noncompliance with the Standards   GC   PC   DNC
2440 – Disseminating Results

STANDARD
The chief audit executive should communicate results to the appropriate parties.
2440.A1 – The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.
2440.A2 – If not otherwise mandated by legal, statutory or regulatory requirements, prior to releasing results to parties outside the organization, the chief audit executive should:
   • Assess the potential risk to the organization.
   • Consult with senior management and/or legal counsel as appropriate.
   • Control dissemination by restricting the use of the results.
2440.C1 – The chief audit executive is responsible for communicating the final results of consulting engagements to clients.
2440.C2 – During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.

KEY CONFORMANCE CRITERIA
Sum of items below.
Audit reports are distributed to an appropriate level of senior managers.
If applicable, the CAE has properly considered the elements of the Standard prior to disclosure outside the organization.
Consulting engagement reports are distributed appropriately.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Assessed the potential risk to the organization.
Consulted with senior management and/or legal counsel as appropriate.
Controlled dissemination by restricting the use of the results.
Audit report distribution.
Correspondence with senior management or legal counsel.
Interview with CAE.
Consulting results communications.
Board meeting minutes.
Correspondence with senior management.
CAE interview.

2440   Disseminating Results   GC   PC   DNC

2500 – Monitoring Progress

STANDARD
The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 – The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
2500.C1 – The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

KEY CONFORMANCE CRITERIA
The CAE has established a follow-up process to monitor and ensure that management actions have been effectively implemented or the risk accepted.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Records (e.g. follow-up report) or reports on meetings.
The process includes a formal procedure for setting out reasons for not implementing follow-up action.
If a management action has not been effectively implemented, the CAE has ensured that senior management has accepted the risk of not taking action and communicated this to relevant stakeholders.

2500   Monitoring Progress   GC   PC   DNC

2600 – Resolution of Management’s Acceptance of Risks

STANDARD
When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

KEY CONFORMANCE CRITERIA
Decisions regarding residual risk that are not resolved are reported by the CAE to the board for resolution.
The subsequent resolution/disposition of such residual risk issues is appropriately documented.

EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS
Interview with CAE
Interview with board members
Board Minutes

2600                                               Resolution of Management’s Acceptance of Risks         GC     PC     DNC
IIA standards

  • 1. IIA Standards Evaluation ABC ORGANIZATION Tool 19
  • 2. ACKNOWLEDGEMENTS This is a revision of Tool 19 released in August 2006 in order to provide a more standardized and Standards-based approach to facilitate the consistent evaluation of the conformance, by internal audit activities undergoing quality assessments, to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (Standards). This revised control plan, adapted from similar methods from affiliates in France (IFACI), Germany (IRR), Belgium, and South Africa, was prepared by a task force of the IIA’s Committee on Quality, with special assistance of Deborah F. Ridel CISA and Ronald J. Ridel, CISA
  • 3. TOOL 19 – STANDARDS COMPLIANCE EVALUATION SUMMARY (Circle Evaluator’s Decision) OVERALL EVALUATION GC PC DNC 1. ATTRIBUTE STANDARDS GC PC DNC 1000 Purpose, Authority, and Responsibility (Charter) GC PC DNC 1100 Independence and Objectivity GC PC DNC 1110 Organizational Independence GC PC DNC 1120 Individual Objectivity GC PC DNC 1130 Impairments to Independence or Objectivity GC PC DNC 1200 Proficiency and Due Professional Care GC PC DNC 1210 Proficiency GC PC DNC 1220 Due Professional care GC PC DNC 1230 Continuing Professional Development GC PC DNC 1300 Quality Assurance/Improvement Program GC PC DNC 1310 Quality Program Assessments GC PC DNC 1311 Internal Assessments GC PC DNC 1312 External Assessments GC PC DNC 1320 Reporting on the Quality Program GC PC DNC 1330 Use of “Conducted in Accordance with Standards” GC PC DNC 1340 Disclosure of Noncompliance GC PC DNC 2. PERFORMANCE STANDARDS GC PC DNC 2000 Managing the Internal Audit Activity GC PC DNC 2010 Planning GC PC DNC 2020 Communication and Approval GC PC DNC 2030 Resource Management GC PC DNC 2040 Policies and Procedures GC PC DNC 2050 Coordination GC PC DNC 2060 Reporting to the Board and Senior Management GC PC DNC 2100 Nature of Work GC PC DNC 2110 Risk Management GC PC DNC 2120 Control GC PC DNC 2130 Governance GC PC DNC 2200 Engagement Planning GC PC DNC 2201 Planning Considerations GC PC DNC 2210 Engagement Objectives GC PC DNC 2220 Engagement Scope GC PC DNC 2230 Engagement Resource Allocation GC PC DNC 2240 Engagement Work Program GC PC DNC
  • 4. 2300 Performing the Engagement GC PC DNC 2310 Identifying Information GC PC DNC 2320 Analysis and Evaluation GC PC DNC 2330 Recording Information GC PC DNC 2340 Engagement Supervision GC PC DNC 2400 Communicating Results GC PC DNC 2410 Criteria for Communicating GC PC DNC 2420 Quality of Communications GC PC DNC 2421 Errors and Omissions GC PC DNC 2430 Engagement Disclosure of Noncompliance with Standards GC PC DNC 2440 Disseminating Results GC PC DNC 2500 Monitoring Progress GC PC DNC 2600 Management’s Acceptance of Risks GC PC DNC 3. IIA Code of Ethics GC PC DNC Evaluator’s name/signature: Date:
  • 5. Evaluation of Conformance with IIA Standards – General Instructions/Definitions Together with completion of all of the applicable tools in the IIA Quality Assessment Manual, Tool 19 should be used to provide an overall assessment of the organization’s conformance with the Standards. Evaluation Procedures When evaluating conformance to the Standards, carefully read the Standard and consider only the Standard, not the ideal situation, “best practice”, etc. Consider each individual Standard (1110 – Organizational Independence, 2420– Quality of Communications, etc.), including the relevant Implementation Standards (which give additional guidance on assurance and consulting services), and conclude as to the degree of conformity by the activity to each one using the Key Conformance Criteria and examples of evidence for guidance. In the table below, any of the Key Conformance Criteria not achieved strongly suggest a rating of “does not conform” or at least only “partially conforms” for that individual Standard. Consider each section of the Standards (numbers ending in “00”): 1200 – Proficiency and Due Professional Care, 2300 – Performing the Engagement, etc.), and conclude as to the degree of conformity by the activity to each section taken as a whole, based on conclusions reached for the related individual Standards in the section and on other relevant observations made during the quality assessment. If all underlying Standards are non-conforms, then the overall standard is does not conform. Otherwise, the team must make a judgment based on the number of non-conforms and the specific conditions present as to whether the overall rating is “does not conform” or “partially conforms”. 
On the same basis as for sections of the Standards, conclude as to the degree of conformity by the activity to the major categories of the Standards (ATTRIBUTE and PERFORMANCE); then make an overall evaluation as to the activity’s conformance to the Standards as a whole (the first line of this evaluation form).

Consider the four principles and related rules of conduct in the Code of Ethics and conclude whether or not the activity’s management and staff uphold each of the principles and apply the related rules of conduct.

Definitions

GC – “Generally Conforms” means the evaluator has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard or element of the Code of Ethics in all material respects. For the sections and major categories, this means that there is general conformity to a majority of the individual Standards or elements of the Code of Ethics, and at least partial conformity to the others, within the section/category. There may be significant opportunities for improvement, but these should not represent situations where the activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives. As indicated above, general conformance does not require complete/perfect conformance, the ideal situation, “best practice”, etc.

PC – “Partially Conforms” means the evaluator has concluded that the activity is making good-faith efforts to comply with the requirements of the individual Standard or element of the Code of Ethics, section, or major category, but falls short of achieving some major objectives. These will usually represent significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the activity and may result in recommendations to senior management or the board of the organization.

DNC – “Does Not Conform” means the evaluator has concluded that the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard or element of the Code of Ethics, section, or major category. These deficiencies will usually have a significant negative impact on the activity’s effectiveness and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.

Often, the most difficult evaluation is the distinction between “general” and “partial”. It is a judgment call, keeping in mind the definition of “general conformance” above. Carefully read the Standard to determine if basic compliance exists. The existence of “opportunities for improvement”, better alternatives, or other best practices does not reduce a “generally conforms” rating.
TOOL 19 – STANDARDS COMPLIANCE EVALUATION – MASTER FRAMEWORK

OVERALL EVALUATION    GC PC DNC
ATTRIBUTE STANDARDS    GC PC DNC
PERFORMANCE STANDARDS    GC PC DNC

1. ATTRIBUTE STANDARDS

Columns: STANDARD | KEY CONFORMANCE CRITERIA | EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS

1000 – Purpose, Authority and Responsibility

Standard: The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter consistent with the Standards and approved by the board.
1000.A1 – The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.
1000.C1 – The nature of consulting should be defined in the audit charter.

Key conformance criteria:
There is a charter containing the purpose, authority, and responsibility of the internal audit activity.
The charter has been approved by the board.

Examples of evidence, sound practices and other considerations:
Internal Audit Activity charter:
o The charter is approved by senior management.
o The purpose, authority, and responsibilities of the internal audit activity are defined in the charter.
o The charter establishes the position of the internal audit department within the organization.
o The charter provides unrestricted access to records, personnel, and physical properties relevant to the performance of engagements.
o The charter sets the tone for the internal audit activity's interaction with the board.
o The charter defines the nature of activities to be performed.
Minutes of board meetings.
Interviews of the CAE, senior management, etc.

1000 Purpose, Authority, and Responsibility (Charter)    GC PC DNC

1100 – Independence and Objectivity

Standard: The internal audit activity should be independent and internal auditors should be objective in performing their work.

Key conformance criteria: Sum of 1110-1130.
1100 Independence and Objectivity    GC PC DNC

1110 – Organizational Independence

Standard: The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
1110.A1 – The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.

Key conformance criteria:
The chief audit executive reports to a level in the organization that is adequate to discharge his or her responsibilities.
Any reporting relationship (administrative or total) to management does not interfere with the chief audit executive’s responsibility to the board.
There are no restrictions to the scope, resources, and access of the internal audit activity.

Examples of evidence, sound practices and other considerations:
• Organizational charts.
• Annual audit plan.
• Engagement work programs.
• Interviews of the CAE, senior management, etc.
• The internal audit activity reports directly to the highest executive levels of the organization (e.g. senior management, the board).
• Audit Committee charter:
o Appointment and removal of CAE
o Salary of CAE
o CAE performance appraisal
• Annual planning of audit engagements;
• Resource allocations;
• Coverage of engagement objectives;
• Implementation of audit procedures;
• Communication of results;
• Budget and staffing; and
• Major restrictions on the scope of internal audit activities, are systematically reported to the board.

1110 Organizational Independence    GC PC DNC

1120 – Individual Objectivity

Standard: Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

Key conformance criteria:
Auditors do not have assignments in conflict.
Audit staff has background and experience that does not conflict with the audit assignment.
Results and conclusions of engagements are based on factual evidence and observation.

Examples of evidence, sound practices and other considerations:
Interviews with audit staff.
Interviews with senior management.
Examination of auditor assignments – e.g., auditors should not audit a function for which they were responsible.
Evaluation of auditor background.
Evidence of supervision.
There is linkage between the audit objectives, factual evidence, and conclusions.

1120 Individual Objectivity    GC PC DNC
1130 – Impairments to Independence or Objectivity

Standard: If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will be dependent on the impairment.
1130.A1 – Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.
1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

Key conformance criteria:
Auditors are aware they should report any real or perceived conflict of interest as soon as such conflict arises.
Assignment of internal audit personnel takes into account previous responsibilities.
An outside party oversees assurance services over functions for which the chief audit executive has been responsible.
Areas of responsibility are rotated on a regular basis, thus ensuring that the same processes, activities, and entities are not audited by the same auditors.

Examples of evidence, sound practices and other considerations:
List of auditors including their date of appointment and responsibilities held prior to appointment.
Engagement records.
Internal auditors' assignments for the previous three years.
Policies and procedures of the internal audit department.
Disclosures on independence have been made to the board per minutes of the AC meetings.
Formal commitment to the Code of Ethics.
Objectivity may be impaired if auditors are assigned to operations for which they were previously responsible within the previous year, and by relationships with the audited activities (potential conflicts of interest).

1130 Impairments to Independence or Objectivity    GC PC DNC

1200 – Proficiency and Due Professional Care

Standard: Engagements should be performed with proficiency and due professional care.

Key conformance criteria: Sum of 1210-1230.

1200 Proficiency and Due Professional Care    GC PC DNC
1210 – Proficiency

Standard: Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills and competencies needed to perform its responsibilities.
1210.A1 – The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills or other competencies needed to perform all or part of the engagement.
1210.A2 – The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
1210.A3 – Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
1210.C1 – The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills or other competencies needed to perform all or part of the engagement.

Key conformance criteria:
Auditors undergo specific training based on a collective staff training needs analysis and individual responsibilities.
Staff performance is reviewed on a regular basis and the criteria used are adequate and appropriate for the needs of the activity.
Where skills are lacking, the CAE has engaged capable assistance.
Auditors have fraud training or proficiency in the identification of fraud indicators.
Auditors have training or proficiency in IT concepts and computer-aided audit tools.
Where skills are lacking, the CAE has engaged capable assistance or has declined the engagement.

Examples of evidence, sound practices and other considerations:
Job descriptions and competency requirements (especially information systems and fraud).
Staff date of appointment, prior held responsibilities and qualifications.
Hiring plans and selection procedures.
Training plans.
Annual and engagement performance evaluations.
Interviews of clients.
Contracts for supplemental resources or outsourcing.
Review of third-party reports.
Reports and work papers of the third party.
Performance and knowledge requirements are clearly documented in the contract.
Professional certifications.
Resumes of staff.
There is evidence that IT tools are used when appropriate in audit plans.
Performance and knowledge requirements are clearly documented in the contract.
Autonomous data extraction.

1210 Proficiency    GC PC DNC
1220 – Due Professional Care

Standard: Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – The internal auditor should exercise due professional care by considering the:
• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
• Adequacy and effectiveness of risk management, control, and governance processes.
• Probability of significant errors, irregularities, or noncompliance.
• Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care the internal auditor should consider the use of computer-assisted audit tools and other data analysis techniques.
1220.A3 – The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
1220.C1 – The internal auditor should exercise due professional care during a consulting engagement by considering the:
• Needs and expectations of clients, including the nature, timing, and communication of engagement results.
• Relative complexity and extent of work needed to achieve the engagement’s objectives.
• Cost of the consulting engagement in relation to potential benefits.

Key conformance criteria:
Audit work papers provide evidence of due professional care in the conduct of the work performed.
Audit engagements are supported by appropriate tools, including information systems, and these are used in an appropriate manner.
There is evidence of a risk assessment of the audit engagement.
Consulting engagement documentation provides evidence of due professional care in the conduct of the work performed.

Examples of evidence, sound practices and other considerations:
Audit work papers.
Reports.
Tools used by internal auditors.
Conclusions based on appropriate tests, analyses and supporting documentation, indexed and classified working papers, effective coverage of engagement work program objectives, etc.
When making recommendations, the internal auditors consider the cost of implementing controls in relation to potential benefits.
Data extraction and analysis techniques, risk assessment tools, tools for engagement planning and performance, communication, etc.
Audit engagement risk assessment.
For consulting engagements: conclusions based on appropriate tests, analyses and supporting documentation, indexed and classified working papers, effective coverage of engagement work program objectives, etc.
When making recommendations, the internal auditors consider the cost of implementing controls in relation to potential benefits.

1220 Due Professional Care    GC PC DNC

1230 – Continuing Professional Development

Standard: Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

Key conformance criteria:
There is continuing professional development to enhance the knowledge and competencies of internal auditors.

Examples of evidence, sound practices and other considerations:
Training and continuous development policy for the internal audit function.
List of CIA auditors or of auditors having obtained similar professional certifications.
Training program fulfilling criteria for maintaining certification.
Auditors participate in the activities of professional bodies.
Auditors participate in conferences, seminars, and working groups.
Auditors take part in internal and external training.
The internal audit activity encourages internal auditors to obtain relevant professional certifications such as the CIA.

1230 Continuing Professional Development    GC PC DNC
1300 – Quality Assurance and Improvement Program

Standard: The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

Key conformance criteria:
The internal audit activity has a process to monitor and assess the overall effectiveness of the quality program.

Examples of evidence, sound practices and other considerations:
• Documented quality assurance and improvement program.
• Quality program procedures.
• Performance indicators for the internal audit activity.
• Formal results of assessments performed.
• Responses given to assessment recommendations.
• Activity reports.
• Measurement of value added, such as surveys.
• Assessments include the following aspects:
o Adherence to the Standards and Code of Ethics,
o Adequacy of the Internal Audit charter, objectives, policies and procedures, and
o Contribution to risk management, control, and governance processes.
o Value added according to key stakeholders.
• Assessments include ongoing reviews of the performance of the internal audit activity; and periodic reviews performed through self-assessment or by other persons within the organization who have knowledge of internal audit practices and the Standards.

1300 Quality Assurance and Improvement Program    GC PC DNC

1310 – Quality Program Assessments

Standard: The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

Key conformance criteria:
The internal audit activity has a process to monitor and assess the overall effectiveness of the quality program.

Examples of evidence, sound practices and other considerations:
Evidence of a plan for reviews from interviews, board minutes, or other documentation.
Documented policy.

1310 Quality Program Assessments    GC PC DNC
1311 – Internal Assessments

Standard: Internal assessments should include:
Ongoing reviews of the performance of the internal audit activity; and
Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

Key conformance criteria:
There is evidence of ongoing reviews of the performance of the internal audit activity.
Periodic reviews were performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

Examples of evidence, sound practices and other considerations:
Reports and documentation of internal reviews including action plan.
Periodic assessment of internal audit staff.
Client surveys.
Work paper reviews.
Board minutes.
Performance indicators.

1311 Internal Assessments    GC PC DNC

1312 – External Assessments

Standard: External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

Key conformance criteria:
There is evidence of comprehensive external reviews by qualified, independent reviewers.

Examples of evidence, sound practices and other considerations:
• Committee/board minutes
• Report of external reviewer
• List of competencies for the team leader and team

1312 External Assessments    GC PC DNC

1320 – Reporting on the Quality Program

Standard: The chief audit executive should communicate the results of external assessments to the board.

Key conformance criteria:
Reports of the results of external assessments are submitted to the board.

Examples of evidence, sound practices and other considerations:
• Board minutes
• Action plan
• External assessment report

1320 Reporting on the Quality Program    GC PC DNC
1330 – Use of "Conducted in Accordance with the Standards"

Standard: Internal auditors are encouraged to report that their activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing." However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.

Key conformance criteria:
There is appropriate wording in audit reports.

Examples of evidence, sound practices and other considerations:
Audit reports.
Audit procedures manual.
IA Activity charter.
External assessment report with a "generally conforms" opinion.

1330 Use of "Conducted in Accordance with the Standards"    GC PC DNC

1340 – Disclosure of Noncompliance

Standard: Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.

Key conformance criteria:
There is appropriate wording in the report to the board.

Examples of evidence, sound practices and other considerations:
Interview with board or senior management.
Board minutes.
External assessment report.

1340 Disclosure of Noncompliance    GC PC DNC
2. PERFORMANCE STANDARDS

Columns: STANDARD | KEY CONFORMANCE CRITERIA | EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER CONSIDERATIONS

2000 – Managing the Internal Audit Activity

Standard: The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

Key conformance criteria: Sum of 2000 sub-items.

2000 Managing the Internal Audit Activity    GC PC DNC

2010 – Planning

Standard: The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
2010.A1 – The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.
2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization’s operations. Those engagements that have been accepted should be included in the plan.

Key conformance criteria:
The chief audit executive has established risk-based plans in consultation with the board and senior management.
Where appropriate, consulting engagements are in the annual audit plan.

Examples of evidence, sound practices and other considerations:
Annual audit plan:
o The audit plan risk assessment establishes a link between the proposed audit topics and the operational and strategic risks of the organization.
o The audit plan risk assessment takes account of feedback received from operational managers.
Formal opinions of senior management and of the board, e.g. final approval of the annual audit plan.
Formal risk assessment.
Strategic plan of the organization.
Annual audit plan.
Formal risk assessment.
Strategic plan of the organization.
The engagement work program is based on a periodic, at least annual, comprehensive risk assessment.

2010 Planning    GC PC DNC
2020 – Communication and Approval

Standard: The chief audit executive should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

Key conformance criteria:
The chief audit executive has communicated the internal audit activity's annual plans, including significant interim changes, to senior management and the board.
The CAE also has communicated to senior management and the board the impact of resource limitations.

Examples of evidence, sound practices and other considerations:
Annual audit plan.
Final approval of the annual audit plan.
Evidence of action taken by the CAE in the event of resource limitations.
Formal assessment of needs prepared by the CAE.
The chief audit executive informs senior management and the board of any audit engagements that have been rescheduled as well as the reasons for rescheduling and the degree of risk associated with the rescheduled engagements.

2020 Communication and Approval    GC PC DNC

2030 – Resource Management

Standard: The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Key conformance criteria:
Staffing plans and financial budgets are determined from annual audit plans and activities of the internal audit department.
The internal audit activity is organized to ensure proper coverage of the organization's audit universe.

Examples of evidence, sound practices and other considerations:
Staffing analysis and annual operating plans.
Annual audit plan.
Program for selecting and developing human resources.
Interviews of senior management.
Interviews of the chief audit executive.
Procedures to notify the chief audit executive or any internal audit manager of any problems that arise during the audit.
Evidence that the internal audit activity is organized to reflect the activities of the organization and to encourage interaction between internal auditors and their audit clients (e.g. internal audit is organized similarly to the audited organization).
Administrative activities, training requirements, etc.
Staffing plans make provisions for the knowledge, skills and other competencies required to perform the internal audit responsibilities.
Utilization of staff.
Budget to actual time.
The chief audit executive established a program for selecting and developing the human resources of the internal audit department.
On-time performance of audit engagements is monitored:
o If yes, budget to actual time comparisons are performed.
o If yes, comparisons are analyzed.

2030 Resource Management    GC PC DNC
2040 – Policies and Procedures

Standard: The chief audit executive should establish policies and procedures to guide the internal audit activity.

Key conformance criteria:
There are appropriate policies and procedures and they are communicated to and understood by the staff of the internal audit activity.
There is evidence that policies and procedures are followed.

Examples of evidence, sound practices and other considerations:
Policies and procedures.
Audit manual.
Interviews with staff.
Policies and procedures are well documented.

2040 Policies and Procedures    GC PC DNC

2050 – Coordination

Standard: The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

Key conformance criteria:
Internal audit work is coordinated with that of the external auditors and with internal providers of assurance and consulting services.

Examples of evidence, sound practices and other considerations:
Annual audit plans of internal and external auditors.
Reports on meetings.
Delegation of personnel or resource sharing.
Common training courses.
Compatible methods and tools.
Follow-up by internal audit of the external auditors' recommendations.
Comprehensiveness of their respective plans, proper coverage of the organization's audit universe, etc.
Internal and external auditors share information about the results of their work (reciprocal exchanges of activity reports, etc.).
Internal auditors meet regularly with the external auditors to discuss matters of mutual interest or concern.

2050 Coordination    GC PC DNC
2060 – Reporting to the Board and Senior Management

Standard: The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

Key conformance criteria:
There is evidence that the CAE reports appropriately to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance.

Examples of evidence, sound practices and other considerations:
Board minutes.
CAE presentation to the board.
Activity reports.
Interviews, management reports, reports on meetings.
Senior management's responses to internal audit reports.
Any tangible evidence (e-mail records, internal memos, reports on meetings, etc.) demonstrating that the board had been informed.
Status of action plans from audit findings.
Interview, where necessary, of a member of the board.
CAE report includes:
o Performance measures
o Risk exposures
o Control issues
o Governance issues

2060 Reporting to the Board and Senior Management    GC PC DNC

2100 – Nature of Work

Standard: The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

Key conformance criteria: Sum of 2100 elements below.

2100 Nature of Work    GC PC DNC

2110 – Risk Management

Standard: The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
2110.A1 – The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.
2110.A2 – The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2110.C1 – During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

Key conformance criteria:
The scope of internal audit includes appropriate evaluation of risk management and control systems.
Consulting projects cover all significant risk activities within the scope.

Examples of evidence, sound practices and other considerations:
Risk mapping.
Internal audit activity report.
Annual audit plan.
Charter.
Engagement records.
Audit report.
Memoranda resulting from meetings or discussions with the Risk department.
Results of risk and controls self-assessments.
Preliminary risk assessment report performed prior to commencement of the audit assignment.
Does the audit engagement verify the existence of a risk management program? If such a program exists, is an evaluation performed? If no program exists, do the internal auditors notify senior management?
Assurance engagements periodically evaluate the risk exposure of the organization in respect of the:
o Reliability and integrity of financial information and operational management reporting
o Effectiveness and efficiency of operations
o Safeguarding of assets
o Compliance with laws, regulation and contracts
Are auditors permitted and encouraged to identify risks not identified in the original plan?
There is a mechanism for auditors to take input from engagements into the risk evaluation process.
2110 Risk Management    GC PC DNC

2120 – Control

Standard: The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2120.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
2120.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.
2120.C1 – During consulting engagements, internal auditors should address controls consistent with the engagement’s objectives and be alert to the existence of any significant control weaknesses.
2120.C2 – Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

Key conformance criteria:
Where appropriate, audit work papers reflect the elements specified in the implementation Standards.
Where appropriate, audit work papers reflect the elements specified in the consulting implementation Standards.
• There is a mechanism by which knowledge of controls from consulting engagements is an input to risk assessment.

Examples of evidence, sound practices and other considerations:
Audit work papers.
Interview with auditors.
Interview with clients.
Audit work papers and reports reflect:
o Reliability and integrity of financial and operational information.
o Effectiveness and efficiency of operations.
o Safeguarding of assets.
o Compliance with laws, regulations, and contracts.
Audits address the effectiveness of controls encompassing governance, operations, and information systems.
Work papers adequately reflect an identification and evaluation of the operating and program goals and objectives of the area audited.
Work papers adequately reflect identification of the goals and objectives of the area audited. Evaluation (testing) should determine if the results of the operation achieved the objectives.
Work papers reflect that the auditor has analyzed the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished.
The audit program reflects that the auditors used the criteria in their evaluation if criteria existed.
If inadequate, did the auditors work with management to develop appropriate evaluation criteria, according to the work papers?
Work papers adequately reflect an evaluation of the operating and program goals and objectives of the area audited to determine whether operations and programs are implemented or performed as intended.

2120 Control    GC PC DNC

2130 – Governance

Standard: The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
2130.A1 – The internal audit activity should evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs and activities.
2130.C1 – Consulting engagement objectives should be consistent with the overall values and goals of the organization.

Key conformance criteria:
The internal audit activity assesses and makes appropriate recommendations for improving the governance process in its accomplishment of the objectives specified in the Standards.

Examples of evidence, sound practices and other considerations:
Code of Ethics.
Activity reports.
Engagement records.
Minutes of board meetings.
Memoranda resulting from meetings with senior management.
Job description for the CAE.
Working paper review.
Annual audit plan.
Promoting appropriate ethics and values within the organization.
Establishing objectives, monitoring their accomplishment, and ensuring their accountability.
Effectively communicating risk and control information to appropriate areas of the organization.
Effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.
Does the internal audit activity evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities?
Does the internal audit activity actively contribute to improving the ethical culture within the organization?
Does the internal audit activity ensure that operations and projects are consistent with the overall values and goals of the organization?
Does the internal audit activity have close relations with senior management?
Does the internal audit activity have periodic relations with the board, e.g. participation by the CAE in board meetings, opportunities for the CAE to meet privately with the board chair, reporting to the board, relevancy of topics raised, etc.?

2130 Governance    GC PC DNC

2200 – Engagement Planning

Standard: Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.

Key conformance criteria: Sum of items below.

2200 Engagement Planning    GC PC DNC

2201 – Planning Considerations

Standard: In planning the engagement, internal auditors should consider:
• The objectives of the activity being reviewed and the means by which the activity controls its performance.
• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model.

Key conformance criteria:
Internal auditors systematically conduct a preliminary risk assessment of the organization's audit universe in order to determine the engagement objectives.
Internal auditors develop and record a program for each engagement.
In the case of outside engagements, the internal auditors establish a written understanding about the objectives, scope, and respective responsibilities of each party.

Examples of evidence, sound practices and other considerations:
Audit procedure.
Audit engagement letter.
Engagement work program.
Engagement records.
Agreement between the consulting engagement client and the internal auditor.
Evidence that fraud is considered in each audit engagement plan.
IT risks and controls are considered when appropriate in the audit plans.
Does this plan specify the:
o scope of work,
o audit objectives,
o engagement dates,
o timing,
o resources allocated?
The engagement plan reflects the expectations of senior management.
• The opportunities for making The engagement plan is based on a preliminary survey of the significant improvements to the activity to be audited activity’s risk management and The preliminary survey takes into account: control systems. o The objectives of the activity being reviewed, 2201.A1 – When planning an engagement o The significant risks to the activity, for parties outside the organization, internal o The means by which the activity controls its performance,
  • 24. EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER STANDARD KEY CONFORMANCE CRITERIA CONSIDERATIONS auditors should establish a written o The adequacy and effectiveness of the activity's risk understanding with them about objectives, management and control systems scope, respective responsibilities and other Outside engagement documentation or contracts expectations, including restrictions on Interviews with audit management distribution of the results of the engagement Consulting engagement documentation and access to engagement records. Interviews with audit management 2201.C1 - Internal auditors should establish Interviews with consulting clients an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented. 2201 Planning Considerations GC PC DNC 2210 – Engagement Objectives Internal auditors refer back to the Audit procedure. Objectives should be established for each preliminary risk assessment (Standard Audit engagement letter. engagement. 2201) of the organization's audit universe Engagement work program. in order to determine the engagement Engagement records. 2210.A1 – Internal auditors should conduct a objectives. Agreement between the consulting engagement client and the preliminary assessment of the risks relevant to internal auditor. the activity under review. Engagement Internal auditors develop and record a program for each objectives should reflect the results of this engagement? assessment. If yes: 2210.A2 - The internal auditor should consider o Plan specifies the, scope of work, audit objectives, the probability of significant errors, engagement dates, timing, and resources allocated. irregularities, noncompliance, and other o Reflects the expectations of senior management. exposures when developing the engagement o Is based on a preliminary survey of the activity to be audited. objectives. 
The preliminary survey takes into account: the objectives of the activity being reviewed, 2210.C1 – Consulting engagement objectives the significant risks to the activity, should address risks, controls, and the means by which the activity controls its performance, governance processes to the extent agreed The adequacy and effectiveness of the activity's risk management upon with the client. and control systems. In the case of consulting engagements, the internal auditors establish a written understanding with consulting engagement
  • 25. EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER STANDARD KEY CONFORMANCE CRITERIA CONSIDERATIONS clients about the objectives, scope,, and respective responsibilities of each party. 2210 Engagement Objectives GC PC DNC 2220 – Engagement Scope The engagement scope is consistent with Engagement work program. The established scope should be sufficient to the audit objectives. Client Interviews satisfy the objectives of the engagement. Consulting documentation including formal agreement and other 2220. A1 - The scope of the engagement If relevant, a written understanding and correspondence should include consideration of relevant communication of consulting objectives, Consulting standards and practices systems, records, personnel, and physical scope, and responsibilities. Interview with staff properties, including those under the control of third parties. There is evidence that results are communicated in accordance with 2220.A2 - If significant consulting opportunities consulting standards arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards. 2220.C1 – In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement. 2220 Engagement Scope GC PC DNC 2230 – Engagement Resource Allocation There is evidence of appropriate Staffing analysis Internal auditors should determine appropriate evaluation of staffing after scoping that is Interviews of audit management and staff.
  • 26. EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER STANDARD KEY CONFORMANCE CRITERIA CONSIDERATIONS resources to achieve engagement objectives. based on nature and complexity of Staffing allocation makes provision for the knowledge, skills and Staffing should be based on an evaluation of engagement, time constraints, and other competencies required to perform the internal audit. the nature and complexity of each available resources. engagement, time constraints, and available On-time performance of audit engagements is monitored: resources. o If yes, budget to actual time comparisons are performed. o If yes, are comparisons are analyzed. 2230 Engagement Resource Allocation GC PC DNC 2240 – Engagement Work Program The internal auditor has developed a Engagement work programs Internal auditors should develop work formal engagement work program programs that achieve the engagement outlining the resources and procedures objectives. These work programs should be needed to achieve the audit objectives. recorded. Fraud was considered in the program. 2240.A1 - Work programs should establish the procedures for identifying, analyzing, The engagement work program and evaluating, and recording information during subsequent program adjustments are the engagement. The work program should be approved in writing by the chief audit approved prior to its implementation, and any executive or designee before the adjustments approved promptly. engagement is commenced. 2240.C1 - Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement. 2240 Engagement Work Programs GC PC DNC 2300 – Performing the Engagement Sum of 2300 items below Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
  • 27. EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER STANDARD KEY CONFORMANCE CRITERIA CONSIDERATIONS 2300 Performing the Engagement GC PC DNC 2310 – Identifying Information Working papers include all the relevant Audit work papers. Internal auditors should identify sufficient, information to achieve the objectives. Interview with auditors. reliable, relevant, and useful information to Interview with clients. achieve the engagement’s objectives. Working papers are clear, properly indexed and classified, referenced to the engagement work program and the audit documentation, etc. 2310 Identifying Information GC PC DNC 2320 – Analysis and Evaluation Audit conclusions and engagement results Audit work papers. Internal auditors should base conclusions and are based on appropriate analyses and Interview with auditors. engagement results on appropriate analyses evaluations that identify the root cause(s) Interview with clients. and evaluations. of irregularities. Working papers clearly show the results of tests and the conclusions and recommendations arising from such tests. Actual testing was conducted and sufficient to support the scope and objectives. Substantive testing was done where appropriate. Evidence by interview was also validated by secondary source. The elements of criteria, condition, cause, effect, and recommendation were considered. 2320 Analysis and Evaluation GC PC DNC 2330 – Recording Information Sufficient information was recorded to Audit work papers Internal auditors should record relevant support the conclusions and audit Summary of findings information to support the conclusions and results. CAE interview engagement results. Approval documents Work papers have controlled access Audit policies 2330. A1 - The chief audit executive should according to the policy of the Organization and regulatory requirements control access to engagement records. 
The organization Requirements consistent with organization guidelines and other chief audit executive should obtain the regulatory requirements approval of senior management and/or legal There is evidence that CAE obtains Findings and recommendations can easily be traced to supporting counsel prior to releasing such records to appropriate approvals prior to evidence. external parties, as appropriate. releasing records 2330. A2 - The chief audit executive should There is evidence of policy on develop retention requirements for retention requirements engagement records. These retention
  • 28. EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER STANDARD KEY CONFORMANCE CRITERIA CONSIDERATIONS requirements should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements. 2330. C1 - The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements. 2330 Recording Information GC PC DNC 2340 – Engagement Supervision There is evidence engagements are Internal policies and procedures for the internal audit activity. Engagements should be properly supervised properly supervised as specified in the Approved engagement work program. to ensure objectives are achieved, quality is Standards. Any written instructions issued by the supervisor. assured, and staff is developed Signed working papers (or initialed and signed by the supervisor). Audit reports signed by the supervisor. Review reports with resolution of review comments. Annual training plans for auditors. Annual competency reviews for auditors and evaluations of training received. Audit plans and reports for decentralized audit departments. Where a centralized internal audit department has a decentralized internal control structure: o A common audit methodology has been adopted. o The centralized internal audit department coordinates the audit plans if applicable. 2340 Engagement Supervision GC PC DNC 2400 – Communicating Results Sum of items below Internal auditors should communicate the engagement results.
  • 29. EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER STANDARD KEY CONFORMANCE CRITERIA CONSIDERATIONS 2400 Communicating Results GC PC DNC 2410 – Criteria for Communicating There is evidence of appropriate, timely Records, internal memos, e-mail, etc. Communications should include the communication with management. Report on opening kick-off meeting with audit client. engagement’s objectives and scope as well as Interviews of operational management of the audited organization. applicable conclusions, recommendations, and An overall opinion or conclusion is • work program, objectives and scope of the engagement; action plans. included in the audit report. • engagement period covered and estimated completion dates; • The procedures for validating and reporting audit results and 2410.A1 – Final communication of Satisfactory performance is acknowledged following up to determine that corrective action is taken. engagement results should, where in engagement communications. The elements of criteria, condition, cause, effect, and appropriate, contain the internal auditor’s recommendation are included., overall opinion and or conclusions. Communications outside the organization Audit Report 2410.A2 – Internal auditors are encouraged to are limited in distribution and use of Engagement communications acknowledge satisfactory performance in results. Outside communications engagement communications. Consulting documentation There is evidence of progress and results 2410.A3 – When releasing engagement on consulting engagements that is results to parties outside the organization, the reasonable to the engagement. communication should include limitations on distribution and use of the results. 2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. 
2410 Criteria for Communicating GC PC DNC 2420 – Quality of Communications Communications are appropriate as Audit records. Communications should be accurate, stated in the Standard. Report on client debriefing meetings. objective, clear, concise, constructive, Interviews of operational management of the audited organization. complete, and timely. Audit reports are timely. Audit reports should be understandable by anyone (not contain technical jargon). Audit reports should be concise in outlining what was tested, what was found, and its significance. Audit reports should clearly contain facts to support the conclusions.
  • 30. EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER STANDARD KEY CONFORMANCE CRITERIA CONSIDERATIONS Determine that discussions, which help ensure that there have been no misunderstandings or misinterpretations of fact, have taken place during the audit engagement and during client debriefing meetings. 2420 Quality of Communications GC PC DNC 2421 – Errors and Omissions Where appropriate, there is Corrected correspondence If a final communication contains a significant communication of corrected information to error or omission, the chief audit executive all parties. should communicate corrected information to all parties who received the original communication. 2421 Errors and Omissions GC PC DNC 2430 – Engagement Disclosure of Where appropriate, communication of Audit report or any other written summary of the results of the audit. Noncompliance with the Standards results discloses noncompliance. There is a procedure to determine compliance with the Standards When noncompliance with the Standards in audit engagements. impacts a specific engagement, Supervision policies. communication of the results should disclose Communication of results discloses the: the: o Standard(s) with which full compliance was not achieved. • Standard(s) with which full compliance o Reason(s) for noncompliance. was not achieved, o Impact of noncompliance on the engagement. • Reason(s) for noncompliance, and • Impact of noncompliance on the engagement. 2430 Engagement Disclosure of GC PC DNC Noncompliance with the Standards 2440 – Disseminating Results Sum of items below Assessed the potential risk to the organization. The chief audit executive should communicate Consulted with senior management and/or legal counsel as results to the appropriate parties. Audit reports are distributed to an appropriate appropriate level of senior managers. Controlled dissemination by restricting the use of the results.
  • 31. EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER STANDARD KEY CONFORMANCE CRITERIA CONSIDERATIONS 2440. A1 - The chief audit executive is Audit report distribution responsible for communicating the final results If applicable, That CAE has properly Correspondence with sr. management or legal to parties who can ensure that the results are considered the elements of the Standard Interview with CAE given due consideration. prior to disclosure outside the organization Consulting results communications 2440.A2 - If not otherwise mandated by legal, Board meeting minutes Consulting engagement reports are Correspondence with sr. management statutory or regulatory requirements, prior to distributed appropriately. CAE interview releasing results to parties outside the organization, the chief audit executive should: • Assess the potential risk to the organization. • Consult with senior management and/or legal counsel as appropriate • Control dissemination by restricting the use of the results. 2440.C1 - The chief audit executive is responsible for communicating the final results of consulting engagements to clients. 2440.C2 – During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board. 2440 Disseminating Results GC PC DNC 2500 – Monitoring Progress The CAE has established a follow-up Records (e.g.: follow-up report) or reports on meetings. The chief audit executive should establish and process to monitor and ensure that The process includes a formal procedure for setting out reasons for maintain a system to monitor the disposition of management actions have been effectively not implementing follow-up action. results communicated to management. implemented or risk accepted. If a management action has not been effectively implemented, the 2500. 
A1 - The chief audit executive should CAE has ensured that senior management has accepted the risk of establish a follow-up process to monitor and not taking action and communicated this to relevant stakeholders. ensure that management actions have been effectively implemented or that senior
  • 32. EXAMPLES OF EVIDENCE, SOUND PRACTICES AND OTHER STANDARD KEY CONFORMANCE CRITERIA CONSIDERATIONS management has accepted the risk of not taking action. 2500. C1 – The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client. 2500 Monitoring Progress GC PC DNC 2600 – Resolution of Management’s Decisions regarding residual risk that are Interview with CAE Acceptance of Risks not resolved are reported by the CAE to Interview with board members When the chief audit executive believes that the board for resolution. Board Minutes senior management has accepted a level of The subsequent resolution/disposition of residual risk that may be unacceptable to the such residual risk issues is appropriately organization, the chief audit executive should documented. discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution. 2600 Resolution of Management’s GC PC DNC Acceptance of Risks