
Performance Standards

Internal Audit Process

[Figure: internal audit process cycle with four phases: Planning, Performing, Communicating, Monitoring]

ISPPIA

Performance Standards
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program

2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks


2000 – Managing the Internal Audit Activity


The chief audit executive must effectively manage the internal audit activity to
ensure it adds value to the organization.

Interpretation:
The internal audit activity is effectively managed when:

• The results of the internal audit activity’s work achieve the purpose and
responsibility included in the internal audit charter;
• The internal audit activity conforms with the Definition of Internal Auditing and the
Standards; and
• The individuals who are part of the internal audit activity demonstrate conformance
with the Code of Ethics and the Standards.

The internal audit activity adds value to the organization (and its stakeholders) when
it provides objective and relevant assurance, and contributes to the effectiveness and
efficiency of governance, risk management, and control processes.


2010 – Planning
The chief audit executive must establish risk-based plans to determine the
priorities of the internal audit activity, consistent with the organization’s goals.

[Figure: Audit Universe diagram. Labels: Strategic, Operations, Financial reporting, Compliance; Accounting and reporting, Liquidity and credit, Capital structure, Market, Tax, Market Dynamics, Sales and Marketing, Major initiatives, Supply Chain, Mergers, Acquisitions, and divestiture, Information Technology, Planning and Resource Allocation, People/Human Resources, Governance, Hazards, Communication and investor Relations, Code of Conduct, Regulatory, Legal, Physical Assets]

Audit Universe
- List of all the possible audits that could be performed
- Includes components of the strategic plan
- Basis for the audit plan
- Should be assessed at least annually

Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief
audit executive takes into account the organization’s risk management framework,
including using risk appetite levels set by management for the different activities or
parts of the organization. If a framework does not exist, the chief audit executive uses
his/her own judgment of risks after consideration of input from senior management
and the board. The chief audit executive must review and adjust the plan, as
necessary, in response to changes in the organization’s business, risks, operations,
programs, systems, and controls.

Enterprise Risk Management
A process, effected by an entity’s board of directors, management, and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within its
risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.

2010.A1 – The internal audit activity’s plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The input of senior
management and the board must be considered in this process.

2010.A2 – The chief audit executive must identify and consider the expectations of
senior management, the board, and other stakeholders for internal audit opinions
and other conclusions.

2010.C1 – The chief audit executive should consider accepting proposed consulting
engagements based on the engagement’s potential to improve management of
risks, add value, and improve the organization’s operations. Accepted engagements
must be included in the plan.


2020 – Communication and Approval


The chief audit executive must communicate the internal audit activity’s plans and
resource requirements, including significant interim changes, to senior
management and the board for review and approval. The chief audit executive
must also communicate the impact of resource limitations.
Submit annually
- IA plan
- Work schedule
- Staffing plan
- Financial budget


2030 – Resource Management


The chief audit executive must ensure that internal audit resources are appropriate,
sufficient, and effectively deployed to achieve the approved plan.
IA Resources
- Employees
- External service providers
- Financial support
- Technology-based audit techniques

Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies needed to
perform the plan. Sufficient refers to the quantity of resources needed to accomplish
the plan. Resources are effectively deployed when they are used in a way that
optimizes the achievement of the approved plan.

CAE should:
- Conduct periodic skills assessments to determine the specific skills required to
perform IA
- Assign competent and qualified staff for specific assignments
- Consider succession planning, staff evaluation and development programs
- Address resourcing needs, whether those skills are present or not
- Maintain ongoing communications and dialog with Senior Management and
the Board on the adequacy of resources
- Develop appropriate metrics, goals, and objectives to monitor overall adequacy
of resources


2040 – Policies and Procedures


The chief audit executive must establish policies and procedures to guide the
internal audit activity.

Interpretation:
The form and content of policies and procedures are dependent upon the size and
structure of the internal audit activity and the complexity of its work.

- Formal administrative and technical audit manuals may not be needed by all IAA
- Small IAA may be managed informally
- Large IAA should have formal and comprehensive policies and procedures


2050 – Coordination
The chief audit executive should share information and coordinate activities with
other internal and external providers of assurance and consulting services to
ensure proper coverage and minimize duplication of efforts.

- Risk Management Department
- Compliance Department
- Environment Related Department
- External Auditors
- Regulators
- Government

Three Classes of Assurance Provider
1. Report to/part of management – control self-assessment, quality auditors,
environmental auditors and other management-designated
2. Report to the Board – internal audit
3. Report to external stakeholders – external audit


2060 – Reporting to Senior Management and the Board


The chief audit executive must report periodically to senior management and the
board on the internal audit activity’s purpose, authority, responsibility, and
performance relative to its plan. Reporting must also include significant risk
exposures and control issues, including fraud risks, governance issues, and other
matters needed or requested by senior management and the board.

Interpretation:
The frequency and content of reporting are determined in discussion with senior
management and the board and depend on the importance of the information to be
communicated and the urgency of the related actions to be taken by senior
management or the board.


2070 – External Service Provider and Organizational Responsibility for Internal Auditing
When an external service provider serves as the internal audit activity, the provider
must make the organization aware that the organization has the responsibility for
maintaining an effective internal audit activity.

Interpretation:
This responsibility is demonstrated through the quality assurance and improvement
program which assesses conformance with the Definition of Internal Auditing, the
Code of Ethics, and the Standards.

Practice Question

Which of the following is most essential for guiding the internal audit staff?
A. Quality program assessments.
B. Policies and procedures.
C. Performance appraisals.
D. Position descriptions.

Practice Question

Which of the following is not a true statement about the relationship between
internal auditors and external auditors?
A. There may be an exchange of engagement
communications and management letters.
B. Internal auditors may provide engagement work
programs and working papers to external auditors.
C. There may be periodic meetings between internal and
external auditors to discuss matters of mutual interest.
D. External auditors must assess the competence and
objectivity of internal auditors.

Practice Question

The key factor in the success of an internal audit activity’s human resources
program is
A. A program for recognizing the special interests of
individual staff members.
B. A compensation plan based on years of experience.
C. A well-developed set of selection criteria.
D. An informal program for developing and counseling
staff.

Practice Question

Policies and procedures must be established to guide the internal audit activity.
Which of the following statements is false with respect to this requirement?
A. A small internal audit activity may be managed informally
through close supervision and memoranda.
B. All internal audit activities must have a detailed policies and
procedures manual.
C. The form and content of written policies and procedures
depend on the size of the internal audit activity.
D. Formal administrative and technical manuals may not be
needed by all internal audit activities.

Practice Question
You are the chief audit executive of a parent organization that has foreign
subsidiaries. Independent external audits performed for the parent are not
conducted by the same firm that conducts the foreign subsidiary audits. Because
the internal audit activity occasionally provides direct assistance to both external
firms, you have copies of audit programs and selected working papers produced by
each firm.

The foreign subsidiary’s auditors would like to rely on some of the work performed
by the parent organization’s audit firm, but they need to review the working papers
first. They have asked you for copies of the working papers of the parent
organization’s audit firm. What is the most appropriate response to the foreign
subsidiary’s auditors?
A. Provide copies of the working papers without notifying the parent’s audit firm.
B. Refuse to provide the working papers under any circumstances.
C. Notify the parent’s auditors of the situation and request that they either provide
the working papers or authorize you to do so.
D. Provide copies of the working papers and notify the parent’s audit firm that you
have done so.

Practice Question
You are the chief audit executive of a parent organization that has foreign
subsidiaries. Independent external audits performed for the parent are not
conducted by the same firm that conducts the foreign subsidiary audits.
Because the internal audit activity occasionally provides direct assistance to
both external firms, you have copies of audit programs and selected working
papers produced by each firm.

The foreign subsidiary’s external audit firm wants to rely on an audit of a
function at the parent organization. The audit was conducted by the internal
audit activity. To place reliance on the work performed, the foreign
subsidiary’s auditors have requested copies of the working papers. What is the
most appropriate response to the foreign subsidiary’s auditors?
A. Ask the board for permission to release the working papers.
B. Refuse to provide the working papers under any circumstances.
C. Ask the parent’s audit firm if it is appropriate to release the working papers.
D. Provide copies of the working papers.


Audit Cycle

[Figure: audit cycle with four phases: Planning, Performing, Communicating, Monitoring]


2200 – Engagement Planning


Internal auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing, and resource allocations.


Steps on Engagement Planning


1. Understanding The Process
2. Risk and Controls Matrix
3. Objectives
4. Scope
5. Resource Allocation
6. Work Program

Understanding The Process
➢ Interview Proper
- Understand & be aware of communication process and dynamics
- Body Language
- Listening Skills
- Objectivity and critical thinking
➢ Recording & Documentation
- Proper note taking
➢ Post-Evaluation and Feedback

Risk and Control Matrix
➢ Match high-risks to identified relevant controls
➢ Prioritize inadequate controls and key controls for testing
➢ Note inherent risks

USE YOUR PROFESSIONAL JUDGMENT


2201 – Planning Considerations


2201.A1 – When planning an engagement for parties outside the organization, internal
auditors must establish a written understanding with them about objectives, scope,
respective responsibilities, and other expectations, including restrictions on distribution of
the results of the engagement and access to engagement records.

2201.C1 – Internal auditors must establish an understanding with consulting engagement
clients about objectives, scope, respective responsibilities, and other client expectations. For
significant engagements, this understanding must be documented.


2210 – Engagement Objectives


Objectives must be established for each engagement.

IAA should:
- Consider management’s assessment of risks
- Obtain or update background information to determine the impact of the engagement
objectives and scope
- Conduct a survey to become familiar with the activities, risks, and controls to identify
areas for emphasis and to invite comments and suggestions

Summarize the results:
- Significant issues and reasons
- Objectives and procedures
- Methodology
- Control deficiencies/excessiveness
- If applicable, reason for not continuing

2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to
the activity under review. Engagement objectives must reflect the results of this assessment.

2210.A2 – Internal auditors must consider the probability of significant errors, fraud,
noncompliance, and other exposures when developing the engagement objectives.

2210.A3 – Adequate criteria are needed to evaluate controls. Internal auditors must
ascertain the extent to which management has established adequate criteria to determine
whether objectives and goals have been accomplished. If adequate, internal auditors must
use such criteria in their evaluation. If inadequate, internal auditors must work with
management to develop appropriate evaluation criteria.

Interpretation:
Types of criteria may include:
• Internal (e.g., policies and procedures of the organization).
• External (e.g., laws and regulations imposed by statutory bodies).
• Leading practices (e.g., industry and professional guidance).

2210.C1 – Consulting engagement objectives must address governance, risk management,
and control processes to the extent agreed upon with the client.

2210.C2 – Consulting engagement objectives must be consistent with the organization's
values, strategies, and objectives.


2220 – Engagement Scope


The established scope must be sufficient to satisfy the objectives of the engagement.

2220.A1 – The scope of the engagement must include consideration of relevant systems,
records, personnel, and physical properties, including those under the control of third
parties.

2220.A2 – If significant consulting opportunities arise during an assurance engagement, a
specific written understanding as to the objectives, scope, respective responsibilities, and
other expectations should be reached and the results of the consulting engagement
communicated in accordance with consulting standards.

2220.C1 – In performing consulting engagements, internal auditors must ensure that the
scope of the engagement is sufficient to address the agreed-upon objectives. If internal
auditors develop reservations about the scope during the engagement, these reservations
must be discussed with the client to determine whether to continue with the engagement.

2220.C2 – During consulting engagements, internal auditors must address controls consistent
with the engagement’s objectives and be alert to significant control issues.


2230 – Engagement Resource Allocation


Internal auditors must determine appropriate and sufficient resources to achieve
engagement objectives based on an evaluation of the nature and complexity of each
engagement, time constraints, and available resources.

Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform
the engagement. Sufficient refers to the quantity of resources needed to accomplish the
engagement with due professional care.

IAA should consider the following when determining appropriateness and sufficiency of
resources:
- Number and experience level
- Knowledge, skills, and experience/other competencies
- Availability of external resources
- Training


2240 – Engagement Work Program


Internal auditors must develop and document work programs that achieve the engagement
objectives.

Audit Methodologies/Procedures

2240.A1 – Work programs must include the procedures for identifying, analyzing, evaluating,
and documenting information during the engagement. The work program must be approved
prior to its implementation, and any adjustments approved promptly.

2240.C1 – Work programs for consulting engagements may vary in form and content
depending upon the nature of the engagement.

Practice Question

Which of the following parties is (are) primarily responsible for resource
management in an internal auditing engagement?
1. The chief audit executive
2. Senior management
3. The board of directors
A. 1 and 3.
B. 1 and 2.
C. 1 only.
D. 2 and 3.

Practice Question

Internal auditors must develop and document a plan for each engagement. The
planning process should include all the following except
A. Identifying sufficient information to achieve engagement
objectives.
B. Determining how, when, and to whom the engagement
results will be communicated.
C. Obtaining background information about the activities to be
reviewed.
D. Establishing engagement objectives and scope of work.

Practice Question

An approved audit plan for the internal audit activity is an essential part of
A. Scheduling support for the external audit.
B. Providing senior management with information about
the quality of the internal audit activity’s performance.
C. Establishing standards for employee performance.
D. Planning for the internal audit activity.

Practice Question

Which of the following statements most accurately reflects the chief audit
executive’s responsibilities for internal audit resources?
A. The CAE is not responsible for such human resource
functions as evaluation and development.
B. The CAE is responsible for ensuring that audit coverage is
based on the periodic skills assessment.
C. The CAE is responsible for evaluating the detailed summary
of audit resources presented by management to the board.
D. The CAE is responsible for communicating resource needs to
the board but has no explicit responsibility for administering
the organization’s compensation program.

Practice Question

The chief audit executive of a manufacturer is updating the long-range
engagement work schedule. There are several possible assignments that can
fill a given time spot. Information on potential monetary exposure and key
internal controls has been gathered. Based on perceived risk, select the
assignment of greatest merit.
A. Precious metals inventory -- carrying amount, US $1,000,000; separately
stored, but access not restricted.
B. Branch office petty cash -- ledger amount, US $50,000; 10 branch offices,
equal amounts; replenishment of accounts requires three separate approvals.
C. Sales force travel expenses -- budget, US $1,000,000; 50 sales people; all
expenditures over US $25 must be receipted.
D. Expendable tools inventory -- carrying amount, US $500,000; issued by tool
crib attendant upon receipt of authorization form.

Practice Question

The chief audit executive of a manufacturer is updating the long-range
engagement work schedule. Several possible engagements can be assigned to
a given time slot. Information on potential monetary exposure and key
internal controls has been gathered. Based on perceived risk, select the
assignment of greatest merit.
A. Expendable tools inventory -- carrying amount, US $1,100,000; stored with
other inventory.
B. Sales force travel expenses -- budget, US $1,200,000; 50 sales people; all
expenditures over US $25 must be receipted.
C. Precious metals inventory -- carrying amount, US $10,000; separately
stored, access restricted by keycard and management approval.
D. Branch office petty cash -- ledger amount, US $75,000; 10 branch offices,
equal amounts; replenishment of accounts requires three separate approvals.


2300 – Performing the Engagement


Internal auditors must identify, analyze, evaluate, and document sufficient information to
achieve the engagement’s objectives.

Engagement Work Program
➢ The process of collecting, analyzing, interpreting, and documenting information
needs to be supervised to provide reasonable assurance that:
✓ Engagement objectives are met
✓ Internal auditor objectivity is maintained

2310 – Identifying Information


Internal auditors must identify sufficient, reliable, relevant, and useful information to
achieve the engagement’s objectives.

Interpretation:
Sufficient information is factual, adequate, and convincing so that a prudent, informed person
would reach the same conclusions as the auditor. Reliable information is the best attainable
information through the use of appropriate engagement techniques. Relevant information
supports engagement observations and recommendations and is consistent with the objectives
for the engagement. Useful information helps the organization meet its goals.

GATHERING AUDIT EVIDENCE
Sufficient – information is factual, adequate, and
convincing so that a prudent, informed person would
reach the same conclusions as the internal auditor
➢ Evidence is sufficient if there is enough of it to
support the auditors’ findings
➢ In determining the sufficiency of evidence, it may be
helpful to ask: Is there enough evidence to persuade
a reasonable person of the validity of the findings?
➢ Sufficiency deals with the persuasiveness of the
evidence
Sufficient evidence
➢Statistical methods may be used to establish
sufficiency. When sampling methods are used, the
concept of sufficiency of evidence means that the
samples selected provide reasonable assurance
that they are representative of the sampled
population
➢Interviewing the auditee is not enough to provide
sufficient evidence.
Example: Sufficient evidence
o Verifying the quantity of fixed assets on hand by physical
observation would provide the most persuasive evidence of
quantity on hand.
o Using test data, an auditor has processed both normal and
atypical transactions through a computerized payroll system
to test calculations of regular and overtime pay amounts.
Sufficient competent evidence of controls exists if test data
results are compared to predetermined results or
expectations.
o The audit procedure that provides the most persuasive
evidence about the loan’s collectibility is to examine the
documentation of a recent, independent appraisal of the
real estate that was used as security.
o The most persuasive evidence that the incoming supply counts
are made by the receiving department is a periodic observation
by the internal auditor over the course of the audit.
o “A positive confirmation received directly from the customer” is
the most persuasive evidence concerning the existence and
valuation of a receivable.
o If the audit objective is to gain evidence that payment has actually
been made for a specific invoice from a vendor, the most
persuasive evidence would be obtained by a canceled check,
made out to the vendor and referenced to the invoice, included in
a cutoff bank statement, which the auditor received directly from
the bank.
o If an auditor wants assurance of the existence of inventory stored
in a warehouse, the most persuasive evidence is to physically
observe the inventory in the warehouse.
o Externally prepared documents (e.g., invoice) would provide
the most persuasive evidence regarding an asset value that
was acquired.
o A physical examination would provide the most persuasive
evidence for testing the existence of an asset.
Reliable/Competent evidence – competent and best
attainable using appropriate methods.
➢ Information is reliable when the internal auditor’s result
can be verified by others
➢ Information should consist of what may be collected using
reasonable efforts subject to such inherent limitations as
the cost-benefit constraint
➢ “Competent” evidence is satisfied by an original signed
document, but copies do not provide competent evidence.
➢ Evidence that is both available and reliable is competent.
➢ Competent information is reliable and the best available
through the use of appropriate audit functions.
➢ Evidence is more reliable if it is
✓ Obtained from sources independent of the engagement client
o Confirmation of receivables
o Expert appraisals
✓ Corroborated by other information
✓ Direct – such as the internal auditor’s personal observation, rather than
indirect, such as hearsay
✓ An original document, not a copy
✓ Evidence is competent to the extent that it is consistent with fact
➢Reliable/Competent evidence
o Evidence obtained from a credible independent
source is more competent than that secured from
the audited organization.
▪ An external source of evidence should impact audit conclusions
most.
o Evidence developed under an effective system of
management controls is more competent than that
obtained where such control is weak or nonexistent.
o Evidence obtained through the auditors’ direct
physical examination, observation, computation,
and inspection is more competent than evidence
obtained indirectly.
o An example of external and internal evidence is when an
auditor reviews the count sheets, inventory printouts, and
memos from the last inventory during determination of causes
of inventory shortages shown by the physical inventories.
o An audit objective of an accounts receivable function is to
determine if prescribed standard procedures are followed when
credit is granted.
▪ An audit procedure providing the most competent evidence would be
selecting a statistical sample of credit applications and testing them for
conformance with prescribed procedures.
o The most “reliable” (competent) evidence of determining a
company’s legal title to inventories is paid vendor invoices.
o A contract dispute has arisen between a company and a
major supplier. To resolve the dispute, the most
competent evidence would be the original contract.
o A positive confirmation of an accounts receivable that
proves that it actually exists is competent evidence
o In deciding whether recorded sales are valid, most
“competent” evidence would be obtained by looking at
the shipping document, the independent bill of lading,
and the invoice for the merchandise.
➢Relevant evidence – emphasizes the need for
work to be restricted to achieving objectives
✓ Relevant information has a logical relationship to
what it purports to prove
✓Relevant evidence is consistent with the audit
objectives and supports audit findings and
recommendations.
✓Example:
o Vouching journal entries to the original documents does not
support the completeness assertion about reported transactions.
o Tracing transactions to the accounting records would provide
relevant information
➢ Useful evidence – it helps the organization meet its goals
✓ The identification of information that is useful to the
organization is the ultimate justification for the
existence of an internal audit activity

2320 – Analysis and Evaluation


Internal auditors must base conclusions and engagement results on appropriate analyses and
evaluations.

Root Cause Analysis
- Identification of why an issue occurred
- Identifying the underlying cause(s) of an issue


2330 – Documenting Information


Internal auditors must document relevant information to support the conclusions and
engagement results.

Working Papers
- Document the information obtained, the analyses made, and the support for the
conclusions and engagement results
- Aid in the planning, performance and review
- Principal support to engagement results
- Documents whether engagement objectives were achieved
- Support accuracy and completeness of work performed
- Basis for QAIP
- Third-party reviews

2330.A1 – The chief audit executive must control access to engagement records. The chief
audit executive must obtain the approval of senior management and/or legal counsel prior to
releasing such records to external parties, as appropriate.

2330.A2 – The chief audit executive must develop retention requirements for engagement
records, regardless of the medium in which each record is stored. These retention
requirements must be consistent with the organization’s guidelines and any pertinent
regulatory or other requirements.

2330.C1 – The chief audit executive must develop policies governing the custody and
retention of consulting engagement records, as well as their release to internal and external
parties. These policies must be consistent with the organization’s guidelines and any
pertinent regulatory or other requirements.

TYPES OF AUDIT EVIDENCE
A. Observed processes and existence of physical
items
B. Documentary audit evidence
C. Representations
D. Analysis
A. Observed processes and existence of physical
items:
✓Observation of:
o Activities
o Property
o Information System functions
✓ Example
o Inventory of media in an offsite storage location
o Computer room security system in operation
B. Documentary audit evidence – recorded on
paper or other media
✓ Results of data extraction
✓Records of transactions
✓Program listings
✓Invoices
✓Activity and control logs
✓ System development documentation
C. Representations –of those being audited
✓Written policies and procedures
✓System flowcharts
✓Written or oral statements
D. Analysis – the results of analyzing information
through the following can also be used as audit
evidence:
✓Comparisons
✓Simulations
✓Calculations
✓Reasoning
➢ Example:
✓ Benchmarking IS performance against other organizations or
past periods
✓ Comparison of error rates among applications, transactions,
and users
SELECTION OF AUDIT EVIDENCE
A. Primary information - is first hand
information from an original source. Primary
information is usually expensive to gather
B. Secondary information - is second hand and
inexpensive.
C. Internal sources - involve facts about an
organization (sales data, customer data,
financial data, and product data).
➢Internal sources are used in planning and
performance measurement.
D. External sources - are facts about the world
outside the organization.
➢ This information involves facts about
competitors, markets, demographics, the
environment, and the economy.
EVALUATION OF AUDIT EVIDENCE
Audit evidence - is information that provides a
factual basis for audit opinions.
A. Physical evidence - obtained by direct inspection
or observation of people, property, or events.
➢Such evidence may be documented in the form of
memoranda summarizing the matters inspected or
observed, photographs, charts, maps, or actual
samples.
➢An auditor’s observation of the functioning of an
internal control system produces physical evidence.
➢Example
o taking a photograph of the auditees’ workplace
o observing conditions
o test counting a batch of inventory
o testing the existence of an asset
B. Documentary evidence - consists of created
information, such as letters, contracts, accounting
records, invoices, and management information on
performance.
➢Example
o a page of the general ledger containing irregularities
placed there by perpetrator of a fraud
o determining whether erroneous billings occurred when the
auditor for a construction contractor finds material costs
increasing as a percentage of billings and suspects that materials
billed to the company are being delivered to another contractor.
o A contract is the most appropriate evidence for the auditor to
obtain and review when evaluating the propriety of a payment to
a consultant.
C. Testimonial evidence - obtained from others through statements received
in response to inquiries, through interviews, or through responses to
questionnaires.

➢ Testimonial evidence needs to be evaluated from the standpoint of
whether the individual may be biased or have only partial knowledge
about the area.
➢ Testimonial evidence obtained under conditions where persons may
speak freely is more credible than testimonial evidence obtained under
compromising conditions (e.g., where persons may be intimidated).

➢ Example:
o a written, signed statement from an interviewee in response to a
question asked by an auditor during an interview.
o written statement by or a letter from an auditee in response to a specific
inquiry made by an auditor
o letter from the company’s attorney in response to inquiries about
possible litigation
D. Analytical evidence - includes computations,
comparisons, reasoning, and separation of
information into components

➢Example:
o to evaluate the reasonableness of the quantity of
scrap material resulting from a certain production
process compared to industry standards
o to evaluate the reasonableness of account balances
o concluding that there was an adequate separation of
duties in the counting and recording of cash receipts

Analytical Procedures
- Studying and comparing relationships among both financial and nonfinancial information
- Efficient and effective means of obtaining evidence

Types of Analytical Procedures


- Trending over time
- Comparison against budget or forecast
- Meaningful ratios
- Relationships with non-financial information and/or economic indicators
- Internal & external benchmarking

Useful in identifying
- Potential errors
- Potential fraud
- Other unusual transactions

ANALYSIS AND EVALUATION
➢ Analytical auditing procedures – may include
✓ Comparison of current period information with similar
information for prior periods
✓Comparison of current period information with budgets or
forecasts
✓Study of relationships of financial information with the
appropriate nonfinancial information (for example, recorded
payroll expense compared with changes in average number of
employees)
✓Study of relationships among elements of information (for
example fluctuation in recorded interest expense compared with
changes in related debt balances)
✓Comparison of information with similar information for
organizational units
✓Comparison of information with similar information for the
industry in which the organization operates
➢Analytical auditing procedures – may be
performed using:
✓ monetary amounts
✓Physical quantities
✓Ratios
✓Percentages
➢ Specific analytical auditing procedures –
✓ Ratio
✓ Trend
✓ Regression analysis
✓ Reasonableness test
✓ Period to period comparisons
✓ Comparison with budgets, forecast, and external economic information
AUDIT PROCEDURES
A. Interviewing
B. Recomputing
C. Detail testing
D. Observation
E. Scanning
F. Statistical sampling
G. Verification
A. Interviewing – means of gathering vital information
✓ Vital Skill – the Standards require auditors to be skilled in interviewing
✓ Helpful in obtaining an understanding of client operations – opportunity to
ask questions to clarify preceding answers or to pursue additional
information
✓ The results should be promptly and accurately recorded to provide
documentation
o Avoids the ill effects of memory lapses by both internal auditors
and clients
✓ Given the inherent unreliability of client testimony – it should be
corroborated whenever possible
o Testimonial information provided by an independent third party
may sometimes be sufficient
B. Recomputing – means of gathering information that is reliable but
limited in value
✓ A computation done directly by the internal auditors provides
strong and unbiased information regarding accuracy
✓One limitation of recomputation is that it does not provide
information about the reliability of the input
o Recomputing interest income may be of little use if the underlying
receivables are unlikely to be collected
C. Detail testing – examination of documents created as part of the
activities and transactions being reviewed
✓ Vouching – verifying recorded amounts by examining the
underlying documents from final documents to the original
documents
o Working backward
o Provide information that recorded amounts reflect valid transactions
o Supports existence or occurrence assertion

✓ Tracing – following transactions forward through the records
from the original documents to the final summary amounts
o Direction of testing is the opposite of that of vouching
o Supports the completeness assertion
D. Observation and inspection – procedures that involve examination of
physical information
✓ Internal auditor’s direct experience – highly reliable
o Records may be falsified – so observation/inspection serves as corroboration
✓ Observation – internal auditor’s examination of activities
✓ Inspection – examination of physical assets
✓ These are procedures of limited usefulness
o The expertise of the observer or inspector may be insufficient to
produce reliable information
Ex. Internal auditor may not be trained to appraise the assets.
In this case an outside service provider might be consulted
o It does not establish whether the engagement client has title to
the assets or whether other parties may have liens on such assets.
o It tends to prove existence and possession at a given moment in
time.
E. Scanning – search for obvious exceptions in a large quantity of
data
✓ Useful and efficient when unusual items are readily definable and
the auditor is willing to accept a broad range of acceptable values.
o scanning easily detects debit balances in accounts payable or
credit balances in cash accounts.
F. Statistical sampling – allows the internal auditor to assess
quantitatively how closely the sample represents the population at a
given level of reliability.
✓ By randomly selecting a sample of appropriate size, the auditor
can assert, at a specified level of confidence, that the precision
interval constructed will contain the true value of the
population.
✓Statistical techniques permit the auditor to control for the risk
(sampling risk) created when the auditor, for reasons of efficiency, samples a
population instead of examining every item.
o These methods do not affect nonsampling risk – which may arise from
selecting an inappropriate procedure, performing an appropriate
procedure improperly, or misevaluating the sample results.
G. Verification – process of determining the truth of previously
provided information
✓ Corroborative information – evidence from another source that supplements
and confirms other information
✓Confirmation – requests are sent by the auditor to parties external to the client
o The replies, which are returned directly to the auditor, are purely external information
o Confirmation requests are used most commonly to test accounts receivable; they are also commonly used
to confirm cash balances held in financial institutions and liabilities
❖ Negative confirmation – requests the recipient to respond only if she disagrees with the
information stated
• Unreturned negative confirmation - provides some information about existence
because it has not been returned with an indication that the addressee is unknown
– it provides no explicit inference that the intended recipient verified the
information
❖ Positive confirmation – most reliable information (other than payment ) that the
receivable is a valid asset and that it is properly valued.
• Reliable because:
a. The customer has no incentive to confirm a non-existing obligation
b. The documentation has not been under the client’s control
• If the auditor fails to receive a positive confirmation – alternative procedures,
including second and third requests, should be performed.
DEGREE OF PERSUASIVENESS
➢ Auditor fully relies on information when no additional corroboration
is needed

➢ Most information merits only partial reliance and must be
corroborated
✓ Ex. Testimonial information – should be supplemented by
detailed testing and analytical procedures
✓ Information that at some time has passed through the client’s
operations (internal, internal –external, or external – internal
information) should be reinforced.
DEGREE OF PERSUASIVENESS
STRONG | WEAK
Objective | Subjective
Documents | Opinions
Knowledgeable or expert opinion | Poorly informed opinions
Direct | Indirect
From systems with good internal control | From systems with poor internal control
Independent of engagement client’s operations | Prepared by engagement client
Statistical samples | Nonstatistical samples
Corroborated | Uncorroborated
Records prepared on a timely basis | From records prepared after a lapse of time

2340 – Engagement Supervision


Engagements must be properly supervised to ensure objectives are achieved, quality is
assured, and staff is developed.

Interpretation:
The extent of supervision required will depend on the proficiency and experience of internal
auditors and the complexity of the engagement. The chief audit executive has overall
responsibility for supervising the engagement, whether performed by or for the internal audit
activity, but may designate appropriately experienced members of the internal audit activity to
perform the review. Appropriate evidence of supervision is documented and retained.

Practice Question

Which of the following activities does not constitute
engagement supervision?
A. Preparing a preliminary engagement work program.
B. Ensuring that engagement communications meet
appropriate criteria.
C. Reviewing engagement working papers.
D. Providing appropriate instructions to the internal
auditors.

Practice Question

When reviewing engagement working papers, the primary
responsibility of an engagement supervisor is to determine that
A. Each worksheet is properly identified with a descriptive
heading.
B. Working papers adequately support the engagement
observations, conclusions, and recommendations.
C. Working papers are properly referenced and kept in logical
groupings.
D. Standard internal audit activity procedures are adhered to with
regard to working paper preparation and technique.

Practice Question

Which of the following documents provides the most persuasive
information concerning the existence and valuation of a
receivable?
A. A customer’s purchase order in the engagement client’s records
related to the credit sale.
B. A copy of a sales invoice to the customer in the engagement
client’s records.
C. A positive confirmation received directly from the customer.
D. A credit approval document supported by the customer’s
audited financial statements.

Practice Question

During an engagement to evaluate travel expenses, the
accounting supervisor tells the internal auditor that each expense
report is reviewed and approved before costs are reimbursed to
the traveler. Which of the following is the best course of action for
the internal auditor to take?
A. Conserve engagement resources by accepting the statement
and redirect work into another area.
B. Request the supervisor to put the statement in writing.
C. Corroborate this information with the controller.
D. Review a sample of expense reports for proper approval.

Practice Question

Observation is considered a reliable engagement procedure, but one
that is limited in usefulness. However, it is used in a number of
different engagement situations. Which of the following statements is
true regarding observation as an engagement technique?
A. It is the most persuasive technique for determining if fraud has
occurred.
B. It is rarely sufficient to satisfy any assertion other than existence.
C. It is the most effective engagement methodology to use in filling
out internal control questionnaires.
D. It is the most persuasive methodology to learn how transactions
are really processed during the period under review.

Practice Question

Which of the following procedures provides the most relevant
information to determine the adequacy of the allowance for
doubtful accounts receivable?
A. Confirm the receivables.
B. Analyze the allowance through an aging of receivables and
an analysis of current economic data.
C. Analyze the following month’s payments on the accounts
receivable balances outstanding.
D. Test the controls over the write-off of accounts receivable to
ensure that management approves all write-offs.


2400 – Communicating Results


Internal auditors must communicate the results of engagements.


2410 – Criteria for Communicating


Communications must include the engagement’s objectives and scope as well as applicable
conclusions, recommendations, and action plans.

At a minimum, communications must contain purpose, scope and results

2410.A1 - Final communication of engagement results must include applicable conclusions,
as well as applicable recommendations and/or action plans. Where appropriate, the internal
auditors’ opinion should be provided. An opinion must take into account the expectations of
senior management, the board, and other stakeholders and must be supported by sufficient,
reliable, relevant, and useful information.

Interpretation:
Opinions at the engagement level may be ratings, conclusions, or other descriptions of the
results. Such an engagement may be in relation to controls around a specific process, risk, or
business unit. The formulation of such opinions requires consideration of the engagement
results and their significance.

Purpose – describe the objectives

Scope – identify the audited activities and include supportive information

Results – include observations, conclusions, opinions, recommendations, and action plans

Conclusions and opinions – evaluation of the effects of the observations and
recommendations

Recommendations – improvements, acknowledgements of satisfactory performance and
corrective actions

Action Plans – agreement on the results of the engagement

Observations – statement of facts

Attributes of Observation and Recommendations


1. Criteria – standards, measures, or expectations
2. Condition – factual evidence
3. Cause – reason for the difference of criteria and condition
4. Effect – risk or exposure that condition is not consistent with the criteria

➢ Observation and Recommendation should be
based on the following attributes:
✓ Criteria – standards, measures, or expectations
used in making an evaluation and/or verification
(what should exist)
✓ Condition – the factual evidence that the internal
auditor found in the course of the examination
(what does exist)
✓ Cause – the reason for the difference between the
expected and actual conditions (why the
difference exists)
✓ Effect – the risk or exposure the organization or
others encounter because the condition is not
consistent with the criteria (impact of the
difference)
2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in
engagement communications.

2410.A3 – When releasing engagement results to parties outside the organization, the
communication must include limitations on distribution and use of the results.

2410.C1 – Communication of the progress and results of consulting engagements will vary in
form and content depending upon the nature of the engagement and the needs of the client.


2420 – Quality of Communications


Communications must be accurate, objective, clear, concise, constructive, complete, and
timely.

➢ The FINAL COMMUNICATION at a minimum
should contain the following
✓ Purpose
✓Scope
✓Result
➢ It should include background information and summaries
✓ Background Information - includes activities reviewed and status
of observations, conclusions, and recommendations from prior
reports
o It may show indication of whether the report covers a
scheduled engagement or is responding to a request.
✓ Summaries – balanced representation of the engagement
communication’s content.
➢ Purpose statement – should describe the
engagement objective and may, if necessary,
inform the reader why the engagement was
conducted and what it was expected to
achieve
➢Scope – should identify the reviewed activities
and include, when appropriate, supportive
information such as time period reviewed.
✓ Related activities not reviewed should be identified if
necessary to delineate the boundaries of the
engagement.
✓The nature and extent of engagement work performed
should also be described.
➢ Results –should include:
✓ Observation
✓Conclusion (opinions)
✓ Recommendations
✓Action plans
➢ Observations – pertinent statement of fact
✓ Also known as findings
✓ Observations necessary to support or prevent
misunderstanding of the internal auditor’s
conclusions and recommendations should be
included in the final engagement communications.
✓Less significant observations or recommendations
may be communicated informally
✓Whether or not there is a difference - the internal
auditor has a foundation on which to build a
report
o When conditions meet the criteria, acknowledgment
in the engagement communications of satisfactory
performance may be appropriate.
➢Conclusions (Opinions) – internal auditor’s
evaluations of the effects of the observations
and recommendations on the activities
reviewed
✓ If included in the engagement report, should be
clearly identified
✓Example:
o Whether operating or program objectives and goals
conform with those of the organization
o Whether the organization’s objective and goals are
being met
o Whether the activity under review is functioning as
intended.
➢Recommendations – based on the internal
auditor’s observations and conclusions
✓ Include recommendations for potential
improvements, acknowledgment of satisfactory
performance, and corrective actions
✓They call for action to correct existing conditions
or improve operations
✓It may suggest approaches to correcting or
enhancing performance as a guide for
management in achieving desired results
➢Engagement client accomplishments may be
included in the engagement final
communications
✓ This information may be necessary to fairly
present the existing conditions and to provide a
proper perspective and appropriate balance to the
engagement final communications

➢ Engagement client’s views about engagement
conclusions or recommendations may be included
in the engagement communications.
➢The internal auditor should try to obtain
agreement on the results of the engagement
and on a plan of action to improve operations,
as needed
✓ If the internal auditor and engagement client
disagree about the engagement results, the
engagement communications may state both
positions and the reasons for the disagreement
✓The engagement client’s written comments may
be included as an appendix to the engagement
report
➢ Interim reports may be written or oral and
may be transmitted formally or informally
✓ It may be used to communicate information that:
o requires immediate attention
o communicate a change in engagement
scope for the activity under review
o to keep management informed of
engagement progress when engagements
extend over a long period.
✓ The use of interim reports does not diminish or
eliminate the need for a final report.
➢ A signed report should be issued after the
engagement is completed.
✓ Summary reports highlighting
engagement results may be appropriate
for levels of management above the
engagement client.
✓ They may be issued separately from or in
conjunction with the final report.
✓ The term signed means that the authorized
internal auditor’s name should be manually signed
in the report
➢Additional Considerations for Formal
Consulting Engagements
✓ The reporting requirements are usually set by
requesting parties. However, the format should
describe the nature of the engagement and other
factors of which the users should be aware.
➢ Format of Communications
a. No format is required – However, the standards prescribe
the minimum content and make suggestions for additional inclusions.

✓ The format varies with the type of communication:


1. Formal communications – have carefully structured formats
2. Informal communications – include letters or memoranda to
operating management
3. Progress communications – contain brief statements of conditions
requiring immediate attention
4. Oral communication – range from formal audiovisual
presentations to informal comments
5. Overall communications - state a conclusion (opinion) on the
entire operation reviewed.
6. Deficiency communication – comment only on those matters
needing corrective action
7. Financial communication – includes financial position, results of
operations, etc.
8. Operational communication – discuss the adequacy and
effectiveness of risk management and control processes relating to the
effectiveness and efficiency of operations.
➢Oral communications – should be used to
complement and support written ones
✓ Oral communications have the following purposes
(advantages)
a. Timeliness – immediate feedback
b. Improved IA – client relationship
➢Progress (interim) communications – provide a
prompt means of documenting a situation
requiring immediate action.
➢ Quality of Communication –
a. Accurate
b. Objective
c. Clear
d. Concise
e. Constructive
f. Complete
g. Timely
➢Accurate – free from errors and distortions
✓ the manner in which the data and evidence are
gathered, evaluated, and summarized for presentation
should be done with care and precision.
➢ Objective – fair, impartial, unbiased, and are
the result of a fair-minded and balanced
assessment of all relevant facts and
circumstances
➢Clear - are easily understood and logical
✓ Clarity can be improved by avoiding
unnecessary technical language and providing all
significant and relevant information.
➢ Concise – direct to the point and avoid
unnecessary elaboration, superfluous detail,
redundancy, and wordiness
➢Constructive – helpful to the client and lead to
improvements where needed
➢Complete – includes all significant and
relevant information and observation to
support recommendations and conclusions.
➢Timely – enable prompt and effective action.
➢Internal auditors should discuss conclusions
and recommendations with appropriate levels
of management before issuing final
engagement communications
➢Discussion of conclusions and
recommendations is usually accomplished
during the course of the engagement or at
post-engagement meetings (exit interviews)
✓ It helps ensure that there have been no
misunderstandings or misinterpretations of fact by
providing the opportunity for the engagement client to
clarify specific items and to express views.
➢Participants in the discussion? – includes
those individuals who are knowledgeable of
detailed operations and those who can
authorize the implementation of corrective
action.
➢The CAE should review and approve the final
engagement communications before issuance
and should decide to whom the report will be
distributed
➢ Final engagement communications should be
distributed to those members of the organization
who are able to ensure that engagement results
are given due consideration.
✓ This means that the report should go to those who
are in position to take corrective action or ensure that
corrective action is taken.
✓The final engagement communications should be
distributed to management of activity under review.
✓Higher-level members in the organization may receive
only a summary communication.
✓Communications may also be distributed to other
interested or affected parties such as external auditors
and the board.
➢Additional consideration for formal consulting
engagements
✓ Results may need to be communicated beyond
those who received or requested consulting
services
✓The auditor considers:
a. the agreement
b. whether the receiving or requesting parties will
voluntarily expand the communication
c. the IAA charter, policies, and procedures
d. the organization’s code of ethics and policies
e. the Standards and the IIA Code of Ethics
➢ The auditor should disclose to management
and the board the nature, extent, and overall
results of a formal consulting engagement
along with other IAA reports.
✓ Details need not be reported
✓Appropriate descriptions and significant
recommendations should be communicated.

2421 – Errors and Omissions


If a final communication contains a significant error or omission, the chief audit executive
must communicate corrected information to all parties who received the original
communication.


2430 – Use of “Conducted in Conformance with the
International Standards for the Professional Practice of
Internal Auditing”

Internal auditors may report that their engagements are “conducted in conformance with the
International Standards for the Professional Practice of Internal Auditing”, only if the results
of the quality assurance and improvement program support the statement.


2431 – Engagement Disclosure of Nonconformance


When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the
Standards impacts a specific engagement, communication of the results must disclose the:

• Principle or rule of conduct of the Code of Ethics or Standard(s) with which full
conformance was not achieved;
• Reason(s) for nonconformance; and
• Impact of nonconformance on the engagement and the communicated engagement
results.


2440 – Disseminating Results


The chief audit executive must communicate results to the appropriate parties.

Exit meetings – discuss conclusions and recommendations with auditee before
issuing the final engagement communication

Interpretation:
The chief audit executive or designee reviews and approves the final engagement
communication before issuance and decides to whom and how it will be disseminated.

2440.A1 – The chief audit executive is responsible for communicating the final results to
parties who can ensure that the results are given due consideration.

2440.A2 – If not otherwise mandated by legal, statutory, or regulatory requirements, prior to
releasing results to parties outside the organization the chief audit executive must:

• Assess the potential risk to the organization;
• Consult with senior management and/or legal counsel as appropriate; and
• Control dissemination by restricting the use of the results.

2440.C1 – The chief audit executive is responsible for communicating the final results of
consulting engagements to clients.

2440.C2 – During consulting engagements, governance, risk management, and control issues
may be identified. Whenever these issues are significant to the organization, they must be
communicated to senior management and the board.


2450 – Overall Opinions


When an overall opinion is issued, it must take into account the expectations of senior
management, the board, and other stakeholders and must be supported by sufficient,
reliable, relevant, and useful information.

Interpretation:
The communication will identify:

• The scope, including the time period to which the opinion pertains;
• Scope limitations;
• Consideration of all related projects including the reliance on other assurance providers;
• The risk or control framework or other criteria used as a basis for the overall opinion; and
• The overall opinion, judgment, or conclusion reached.

The reasons for an unfavorable overall opinion must be stated.

Practice Question

A relatively new internal auditor is completing a final engagement communication.
The communication should most appropriately be signed by the
A. Internal auditor and the manager of the activity under
review to indicate that they concur with the report.
B. Chief audit executive.
C. Internal auditor because of a greater level of detailed
knowledge of the report.
D. Chair of the audit committee.

Practice Question

The content and format of engagement communications may vary. However, according to
the Standards, a necessary element is a statement of
A. Engagement objectives.
B. The status of observations from prior
engagement communications.
C. Documentation of previous oral communications.
D. Related activities not reviewed.

Practice Question

Communication skills are important to internal auditors. They should be able to
convey effectively all of the following to engagement clients except
A. Recommendations that are generated in relationship to a
specific engagement client.
B. The risk assessment used in selecting the area for
investigation.
C. The engagement evaluations based on a survey.
D. The objectives designed for a specific engagement.

Practice Question

In beginning an engagement, an internal auditor reviews written procedures that detail
segregations of responsibility adopted by management to strengthen internal controls.
These written procedures should be viewed as which attribute of an observation?
A. Criteria.
B. Effect.
C. Condition.
D. Cause.


2500 – Monitoring Progress


The chief audit executive must establish and maintain a system to monitor the disposition of
results communicated to management.

CAE establishes procedures:
- Time frame within which management’s response
- Evaluation of management’s response
- Verification of the response
- Follow-up
- Escalation of unsatisfactory responses/actions

2500.A1 – The chief audit executive must establish a follow-up process to monitor and
ensure that management actions have been effectively implemented or that senior
management has accepted the risk of not taking action.

The IAA evaluates the adequacy, effectiveness, and timeliness of actions taken by
management.

2500.C1 – The internal audit activity must monitor the disposition of results of consulting
engagements to the extent agreed upon with the client.


2600 – Resolution of Senior Management’s Acceptance of Risks

When the chief audit executive believes that senior management has accepted a level of
residual risk that may be unacceptable to the organization, the chief audit executive must
discuss the matter with senior management. If the decision regarding residual risk is not
resolved, the chief audit executive must report the matter to the board for resolution.

Practice Question

What action must the chief audit executive take when (s)he believes that senior
management has accepted a level of residual risk that is unacceptable to the
organization?
A. Discuss the matter with external auditors.
B. Discuss the matter with senior management.
C. Report the matter to an external authority.
D. Report the matter to the board for resolution.

Practice Question

Follow-up activity may be required to ensure that corrective action has taken place for
certain observations made in an assurance engagement. The internal audit activity’s
responsibility to perform follow-up activities as required is defined in the
A. Engagement memo issued prior to each engagement.
B. Internal audit activity’s written charter or the agreement with
the client.
C. Purpose statement within applicable engagement
communications.
D. Mission statement of the audit committee.

Practice Question

A follow-up review found that a significant internal control weakness had not
been corrected. The chief audit executive (CAE) discussed this matter with
senior management and was informed of management’s willingness to accept
the risk. The CAE should
A. Assess the reasons that senior management decided to accept the risk and
inform the board of senior management’s decision.
B. Inform senior management that the weakness must be corrected and
schedule another follow-up review.
C. Do nothing further because management is responsible for deciding the
appropriate action to be taken in response to reported engagement
observations and recommendations.
D. Initiate a fraud investigation to determine if employees had taken
advantage of the internal control weakness.

Questions

► Mark Anthony M. Ramos


► mark.prycpa@gmail.com
