PART 2 (SECTION-1) MANAGING IA ACTIVITY

IA Policies & Procedures:

They are important tool with CAE for confirming that IA dept. is following a systematic & disciplined
approach to internal audit operations. And IA is meeting the expectation laid out by standard and senior
management. They should be reviewed periodically, and any changes may be communicated through in
writing, IA staff meetings & training.

Polices Procedures
 Overall, Purpose of IA dept.  Preparing Risk based Audit plan
 Adhering the guidance provided by IPPF  Planning Audit engagements
 Independence  Performing audit engagement
 Confidentiality  Documenting audit engagement
 Ethics  Reporting results
 Record retention  Monitoring & follow up processes

IA Administration - Resource management

First CAE will get a deeper understanding about Board pre-approved resources including:

 Total staff available

 Number of Hours available
 Collective skill, knowledge and experience of staff
 Total funds available for training, technology and additional staffing

CAE will then address if there are any issues regarding quality/quantity of IA resources by:

 Training to existing staff

 Hiring additional staff
 Co-sourcing and Out-sourcing
 Using guest auditors
 Developing a rotational audit plane (Inbound/Outbound)

CAE should develop a program for selecting and developing human resources of IA dept.

For Internal staff Portion For Externally Sourced Portion

 Written JDs
 Training & CPE
 Counselling on auditors’ performance
 Performing appraisal for each auditor annually
 Succession planning for IA management
 Selecting competent and qualified
individuals aligned with overall risk
and resource needs
 Pre-actively addressing areas for
improvement, Service excellence

CAE will develop a schedule for engagements as part of audit plan and will consider

 Organization schedule  Auditor schedule  Auditee availability

 Potential Engagement Sources- Planning
Planning is done by CAE with senior management to understand Organizational strategies,
Business objectives, Associated risks and RM process.
Plan should be based on documented risk assessment (at least annually) of different areas of
Org. and input/expectations of senior management/board must be considered in this process.
Both internal and external risks must be examined and linked to specific objectives & business
processes to prioritize & organize the risk. Once all info is gathered, CAE will develop plan which
includes:
 List of all engagements & whether the engagement is assurance or consulting
 Rational for selecting each proposed engagement
 Objectives and scope of each engagement
 List of other projects as part of audit strategy not be directly related to internal audit
Created Plan is discussed with board/ Senior management to align with their priorities.
Unaddressed risks may also be pointed out at this stage.

Organization’s Strategic Plan

By analyzing the Organization environment e.g., SWOT analysis to identify & classify elements
that can help or hinder organization or its strategic plan / activities.

Management of Employees
As they are very close to business activities, they can provide valuable insight on risk facing by
organization. Techniques include (i) Interviews (ii) Focus groups (iii) Questionnaires/surveys

Regulatory Mandates
Arise from self regulating bodies and professional societies e.g., privacy Law.

Market Trends & emerging issues

Risks faced by industry or economic situations could be a valid source of potential engagement.
Changes & trends in technology, environment, health & safety and society.

RM Framework & Engagement Prioritization

First audit dept. will look for any RM framework in organization use, if there is no framework then
management can develop a new one or can use a third-party framework such as COSO. If auditor design
any part of framework, he cannot give objective assurance about that framework or that part.

IA dept. uses engagement risk assessment activities such as Assurance Map which help identify all
internal/external risk and assurance providers who cover those risks. It also helps in development of
audit plan and in engagement prioritization. Steps include in assurance map are:

1. Identify sources of information

2. Organizing risk into categories
3. Identify assurance providers who cover those risks
4. Gathering & documenting information about assurance activities
5. Periodically reviewing, monitoring, and updating the assurance map
Assurance Engagement types - Operational Engagements

Focus on providing assurance related to Risk, control and governance in regard to efficiency &
effectiveness of operations.

Objective – specific objective will depend on Org. or Dept. under audit, but 3 key considerations will be
made in evaluation of overall effectiveness of governance, Risk and controls associated with a business
process are:

1. Were significant discrepancies discovered from audit work?

2. If so, corrections or improvements were made after discovery?
3. Do the results indicate that a pervasive condition exists resulting in unacceptable level of
business risk?

Stakeholders – Board & business process owners

Risks –risk related to operational effectiveness include a business process that failed to work achieve
the organizations’ objective. Risk related to operational efficiency includes achieving goals in a manner
that is more costly to the organization that the value it has added. Suboptimization (Departments Silo
mentality) can affect both efficiency and effectiveness.

Security Engagements

Objective –Focus on risk, governance and control related to safeguarding of assets and integrity &
reliability of information.
Stakeholders – includes all stakeholders responsible for the security of their areas. E.g security guards or
IT professionals. Board & senior management are also the stakeholders to whom CAE will report the
security issues.

Risk–Unauthorized physical access, Theft, Fraud by employees, industry/region specific risks

Financial & Financial reporting Engagements

Objective – Focus is on giving assurance over the effectiveness of controls that help the organization
financial reporting to be: timely, reliable, complete and transparent.

Stakeholders – Board & senior management, Audit committee, other stakeholders (regulators etc.)

Risk - Restructuring, mergers & acquisition, new products & systems, Regulatory compliance, fraud risk

Compliance Engagements

Evaluating Adequacy & effectiveness of controls that keep the organization in compliance with
applicable laws, regulations contracts etc.

Objective –Objective of an effective compliance program are:

 Detecting violations & illegal activities

 Organization wide compliance training program
 Encourage proper behavior by providing incentives
 Enhancing corporate image
Stakeholders – Board, management, compliance professionals &process owners

Risk –Many risks including environmental compliance risk, health & safety risk etc.

Performance Audit

Objective –to assure management has adequate monitoring & controlling activities to assess the
performance of organization as a whole, specific unit and specific job or individual

 Measure performance in areas relating to key business objective

 Gather and prepare sufficient information in a timely manner
 Use the information effectively for management control

Stakeholders – Board & senior management

Risk–Measuring wrong KPI, measuring too may KPI’s instead of key one, receiving info too late to use

Privacy Engagements

Objective – to assess (i) Possible privacy breaches (ii) Record retention issues (iii) privacy assessment
performed by other assurance providers

Stakeholders – Board & audit committee, Senior management, employees &Others (e.g., court)

Risk –Reputational damage of Org. or individual, sanctions imposed, bad practices, legal liability

Consulting Engagement Types

(a) Advisory (b) Training (c) Facilitative

(a) (Advisory) System Development Lifecycle Review (SDLC)

Auditors play various roles in SDLC at different stages.

(i) System Analysis Audit for feasibility

(ii) System design & selection Audit to ensure controls are designed in
(iii) Conversion & implementation Audit to ensure system meets acceptance criteria or objective
(iv) Feedback for continues improvement

Privacy

Auditors can give board/management advice to (i) help them keep updated regarding latest trends,
values regarding privacy and (ii) advice in selection of most appropriate privacy framework & most cost-
effective investment in privacy.

Due Diligence

Advice regarding a proposed transaction’s contribution on organization strategic objectives&

transaction’s impact on core business activities.
(b)Training Consulting Engagements - Business Process Mapping

Method to understand what should be done VS what is being done but is not adding any value to end
customer. System owners perform walkthrough to auditor. Auditor then make a flowchart of the
process to see where more value & business improvements can be made.

Internal Controls Training

Training on internal controls e.g COSO make client more comfortable with audit of internal controls and
in this way can provide more timely/accurate information to auditors.

(c ) Facilitative Consulting Engagements

Internal audit more involved with the activity in question rather than just offering knowledge to
individuals. Examples include Benchmarking, Facilitating Risk assessment process, management controls
self-assessment, facilitating a task force charged with redesigning of controls or procedures.

Benchmarking

Internal benchmarking Within same organization

Competitive benchmarking
Industry benchmarking
Functional benchmarking
Generic benchmarking
Best in-class benchmarking
With direct competitors
Within same industry with same process
Within other industries with same function
Within other industries with same process
Other org. with best in-class function

Control Self-Assessment (CSA)

A process where management and employee teams continuously make awaring of factors affecting
achieving the organization objective enabling them to make appropriate adjustments. Internal auditors
will be involved in the process & will report to senior management and board committees. CSA
integrates business objectives & risks with control processes.

Reliance & Coordination on other assurance provider’s work

To ensure full coverage and avoid duplicate of work. CAE is still responsible for his work‘s conclusion.
Communication is informal in small and formal in large org. CAE should have clear understanding of
scope, objective and results of other assurance provider’s work.CAE will discuss annual report discussing
(i) Assurance Framework
(ii) How it is employed
(iii) Results of assurance engagements to be shared with board & Executive management

CAE will have a criteria to determine reliance of others work including:

 Their independence, objectivity, competency, due professional care, scope, obj., result of actual
work performed

Common questions to be asked when coordinating with external assurance providers:

  Are they sufficiently qualified, competent, objective to perform necessary work?
 Impact of their work on annual audit plan
 Is there any need to reperform their work and doing any additional work?
 Objective and scope of their work to address key risk issues of org.
 Should CAE pursue co-sourcing arrangements with external assurance providers?

CAE annual Audit Plan Communication - Communication the plan

Prior to communicating plan to the board CAE will determine the resources (people, technology,
fund) needed. Consulting engagement and required resources should also be included in the
plan. A portion of current resources is saved for any unplanned changes to audit plan.Before
presenting plan to board CAE meets with individual senior executives to take their input to:
 Address their concerns  Incorporate their feedback  Obtain their support
 Gather more information about the
timing of proposed engagement and staff availability

Gaining Board Approval

CAE presentation to the board will include:

 List of proposed engagements and rational for selecting each engagement

 Objective and scope of each engagement
 List of initiative and projects as part of internal audit strategy not directly linked to an
engagement
 Discussing risk assessment on which internal audit plan is based. It means those risk that can be
addressed and those that cannot be addressed due to resource constraints.

Once approved, CAE should communicate the plan with senior management to include the plan in
overall budget and so on.

Internal audit KPI reporting

Checklist of reporting to senior management & board:

 Internal audit charter (Purpose, authority & responsibility of IA dept. CAE will periodically review
it and approve it from board)
 Organizational independence of IA dept. (Any interference in engagement scope, reporting or
work performing along with interference magnitude will be reported to board)
 QAIP reporting (internal & external assessments)
 IA dept. plans, resource requirements & performance relative to its plans
 Results of audit engagements (engagement communication, protocols in case of error or
omission or non-conformance with code of ethics)
 Conformance or non-conformance of IA dept. with code of ethics & standards and disclosure of
reasons of non-conformance
 Significant risk & control issues and management acceptance of risks
Engagement reporting can be presented in 3 ways: By

(i) providing a summary of audit work by area (ii) Discussing only major issues
(iii) distributing copies of all audit reports

KPI reporting

KPI's should be aligned with org. strategic objectives and goals. CAE can periodically benchmark with
peer organizations. KPI allows CAE to:

 Identify shortcomings in dept.  Any remedial action plan

 Demonstrate IA value to customers  Support request for resources need to board

Common KPIs for IA dept:

 Cycle time of audit engagement  IA dept. Workforce satisfaction

 Recommendations accepted by client  % IA plan completion
 Board expectations met  Performance against IA financial budget
 Budgeted to actual audit times  Professional development plan initiatives
completion

CAE will report on QAIP to board regarding internal assessment (at least annually) and may recommend
for any improvement or external assessment (at least every 5 years). External assessment discussion
must cover external assessor’s qualification, independence and any potential conflict of interest.
 SECTION-2 (PLANNING THE ENGAGEMENT)

Engagement Objective

Audit Engagement objective should be aligned with related organizational objective and should reflect
preliminary risk assessment related to the activity/process under review.

Source of information for preliminary objective development include:

 Review of internal audit plan Review of previous audit result

 Discussion with stakeholders Considering mission, vision & obj. of
process/dept. under review
Source of information for preliminary risk assessment include:

 Org. wide risk assessment  Previous audit working papers

 Fraud risk assessment  Other assurance providers results

Information from discussion with stakeholders can also be obtained by interview to better understand
design, operation and environment of the activity/process under review.

 Persons involved in the process steps  Management (documented policies etc.)

 IT Personnel (controls deficiency)  Legal/compliance officer (litigation etc)
 Other stakeholders (customer/supplier)

Objectives fall into 3 categories:

i. Operational – How entity strives to efficiently & effectively manage its business operations
ii. Reporting –reporting obj. related to developing reliable Financial & non-financial reports
iii. Compliance – Obj. relate to entity compliance with applicable laws & regulations

Engagement Criteria

Adequate criteria would be needed to evaluate Governance, Risk and control. Criteria can be Internal,
External or industry best practices. If there is no adequate criteria then auditor must identify adequate
criteria to use after discussion with management.

Engagement Scop

Engagement scope must be sufficient to achieve Engagement objective. Scope must include
consideration of relevant systems, records, personnel and physical properties including with 3rd parties.
Scope shows the boundaries under which to assess those activities that are to be reviewed and not to
be reviewed. Objective and procedures collectively define scope.Key consideration for setting scope
include:

 Boundaries of area or process  In-scope Vs Out-scope locations

 Components of area/process  Sub-processes
 Time Frame
Scope limitation is any restriction placed on IA activity that preclude it from achieving its objective.
Restriction may include:

 Scope defined in the charter  Access to record, personnel, properties

 Approved work schedule  Engagement Procedures
 Audit Staff and financial budget

Planning Consideration:In engagement planning auditors must consider:

 Objectives and operations of the department under review and how the dept. controls its
performance.
 Risk to Department’s Objectives, resources and operations and how it is kept this risk to an
acceptable level.
 Opportunities to make improvements to dept. governance, risk management and control
processes.
 Adequacy and effectiveness of dept. governance, risk management and control process
compared to relevant framework.

Risk & control matrix is a useful tool for auditors to ensure that auditors account for risks at engagement
level and all risks identified are addressed in subsequent fieldwork.

Risk Based Auditing: It requires auditors to first understand the entity & its environment in order to
identify risk. Understanding the entity involves documenting:

 Operational Objectives/goals  Level of Compliance with law, regulations

 Key processes  Org. structure
 Information system  Key risks & Current controls

This information can be gathered in many ways including initial client meeting, preliminary survey,
conducting interviews, observation, inspection of process, performing analytical procedures, prior audit
reports and benchmarking.
Result of risk assessment categorizes the audit engagement into significant and non-significant risk
areas.

Engagement Work Program

Before developing work program, auditors need to determine:

 Sample size for testing and methodologies used

 Risk register/matrix & how it applies to development of work program
 Scope of engagement & How engagement objectives will be achieved
 Whether necessary resources are available
 Judgements and conclusion made during engagement planning phase

Well-crafted work program:

 Starts by clearly identifying engagement objective

  Provide outline for work to be performed
 Evidencing that the work is adequately planned
 Provide a record for audit management review
 Provide assurance that all risky areas received proper consideration
 Help in assigning responsibilities

Audit Resources – staffing

In determining the level of audit staff for an engagement, Audit leader should consider:

 Objective of engagement  Nature of deadline

 Availability of staff with necessary  Engagement priority & resources in audit
knowledge & skills plan

How to best allocate resources to an engagement auditor should understand the engagement
Objectives, Scope, Nature and complexity.

Success of engagement is judge by:

 Level of standard achieved  Fulfillment of objectives

 Completion within budget
 SECTION-3 (PERFORMING THE ENGAGEMENT)

(a) Gathering information from different sources as part of preliminary survey

Previous Audit Report

Documents include workpapers, finding, reports, replies, auditor comments, related information.

Positive confirmation ask recipient to reply whether the info is correct or not while negative
confirmation ask to reply only if the info is incorrect.

Addition documents that are appropriate for review includes:

 Org. Information (charts)  Recent changes in Org.

 JDs , Procedure manual  Objectives and goals
 Project, plans, physical report  Budget info

Review of prior audit documents is important because it provides:

 Familiarity with the audit area  Overview what to expect in the area
 Prior auditors’ approach to assignment  Identify repeat problem areas
 Status of promise to correct any deficiency  Strength still exists identified previously

Walkthrough

Step by step demonstration to auditor about a process/task. It helps auditors to better understand a
process flow. It also helps to show the root cause of a control failure.

Observation

Obserwation can be in any form including walkthrough. Observation is generally a weak evidence but to
gain force in an audit report it needs to be backed up by other evidence& analysis that confirms what
the auditor has seen.

Interviews

A structured discussion where 1 person is asked question about his job or activity. Audit interview
occupies a middle ground between a polite conversation and interrogation. During engagement
planning process interviews are conducted to:
  Clarify information about an area
 Collect additional necessary information
 Provide an observation about activities of organizationbeing audited
 Secure the perspective of management responsibility for activity being audited

Checklist

is a visual tool to collect, analyze and track data. They are developed at planning stage at the end of
preliminary survey. A checklist can be used as a (i) Reminder (ii) Tracking tool (iii) method of getting
info from a respondent

 They can help to support important admin tasks such as travel arrangements
 They help to establish consistency throughout the audit team
 Help to ensure that audit team has addressed & collect information from all important areas

Questionnaires

IA can use questionnaire in preliminary survey & control self assessment. Their format can be in simple
Yes/No, Grading scale (in numbers or words), Limited/unlimited length narrative.

Advantages & disadvantages of Yes/No questionnaires are:

Advantages Disadvantages
They can be given to large number of informants Not suitable for all types of situations/issues
Easy to administer Reduce chance for auditor to observe respondent
behaviors & environment
Get uniform info from all informants for accurate Can not give auditor an in depth knowledge
comparison
Result of large response pool can be analyzed
easily

They can be best used for gathering information about (i) multiple branches having same SOPs,
objectives and risks (ii) Regulatory compliance matters

ICQs differ from an open ended questionnaire because the ICQ starts with a known answer. ICQs are
easy to administer & they help in further evaluation after an initial risk is identified. But they also do not
provide in-depth investigation.

ICQ can be completed by auditor or by the process owner. Observation is better than enquiry but not
better than testing.

Evidence Considerations
Auditors need to consider matters related to evidence such as source, reliability, confidentiality and
access to audit evidence.

Source: External evidence directly obtained is most reliable than internal one. Strength or weakness of
evidence depends on its persuasiveness. its persuasive if it results in a well-founded conclusion or
advice. To be persuasive source must be sufficient, reliable, relevant, and useful.

Availability: Auditor need to consider the time it will take for the evidence to be present for testing.

Confidentiality: Auditor need to consider not to distribute data to unauthorized individual and need to
keep special care while extracting the data from system to keep it safe from being corrupt.

Access: Auditors must have free access to evidence when it requires during engagement.

Evaluating source of evidence

Sufficient: There should be enough evidence that a prudent person would reach the same conclusion as
the auditor

Reliability: Evidence must come from a credible source whether auditor obtained it directly or
indirectly.

Relevant: Evidence must be relevant to the matter on hand. Non pertinence evidence can increase audit
risk.

Usefulness: Information is useful if its timely available and its relevant to the organization.

Analytical approaches & Processing mapping techniques

Auditors must base their conclusion on appropriate analysis & evaluation. First the work program
includes factors such as management assertions, Testing, Sampling methodology and size. Then auditor
seek to reach on a conclusion based on the procedures performed in work program that whether
existing controls are adequate enough to achieve the objectives of the process/area and its design and
effectiveness. If current testing doesn't provide sufficient info, then adjustment to testing should be
made and adjustment to work program must be approved promptly. Testing includes CAAT and manual
method including vouching, tracing, reperformance and external confirmation.

Processes that are examined in engagement are documented in a process map. forms include
Flowcharts, narratives, block diagram, spaghetti maps, RACI diagrams.

(i) Flowchart: Graphical representation of steps/sequence involved in a process or relationship between

parts. Easy to understand and practical to review with the audit client. It can be created using pencil
drawings, computer graphics etc. It help in assessing which steps are crucial, omitted, eliminated or
added. Formats include horizontal and vertical flowcharts.

Process Decision point Input/output

database online storage manual file/extract

Document Document (pages) Start/end process

 On-page connector off-page connector

(ii) Narratives: Show step by step picture of a process in a single document without using symbols/keys.
Purpose is to identify key controls & under or over control areas. They can provide more detailed
information than a flowchart.

(iii) Blocked Diagrams: Representation of process using boxes and connecting lines to show their
association. Easy to quickly construct and simple than flowchart. Appropriate for high level
representation and not for detailed analysis.

(iv) Spaghetti Maps: They are limited in scope to a particular area. They are used to track people,
process, paperwork. different line colors can be used to show different flows.

(v) RACI Chart: It list various stakeholders of a process or area in rows and columns for R,A,C,I & a
checkmark is placed on the chart to indicate whether a party has one or more of these designations.

 Responsible: Means that this person will perform the process or activity.
 Accountable: Means that the person will be accountable for the success or failure of the activity.
 Consulted: Means that the person performing the activity will have a say in various decisions
that has to be made regarding the activity.
 Informed: Means that stakeholder needs to be kept informed of the matters, but he would not
have any say in decision being made.

Engagement Conclusion with Risk & Control Assessment

Factors to consider when planning final engagement communication:

 Engagement Scope  Any Scope limitation

 Engagement results

Final communication includes the IA departments:

 Assessment of appropriateness and effectiveness of controls of area under review

 Rating of the area if a rating system is used

Evaluating effectiveness of control means assessing control in context of risk to objectives. To evaluate
the control, Auditor should consider:

 Whether any weakness discovered from audit work performed or information gathered?
 If yes, then whether it is corrected or improved?
 Do this weakness leads to the conclusion that a pervasive condition exist leading to
unacceptable level of business risk.

Just existence of weakness or risk doesn’t necessarily mean it leads to business risk. Factors to consider
whether it will lead to business risk includes.

 pattern of discoveries  Degree of intrusion

  Level of consequences & exposure

Findings generally have 5 C's:

 Criteria = expected State  Condition = Current state

 Cause = Reason for difference between  Consequence = Risk organization
criteria & condition encounter because condition not
consistent with criteria
 Corrective action = Recommendation

Opinion: Opinion may relate to an individual engagement (micro level) or relate to an overall GRC of
organization (macro level).

Opinion communication Overall Opinion communication

Opinion should clearly specify:
 Evaluation criteria used such as
COSO & scope to which opinion
applies
 that Management has
responsibility of establishing &
maintenance of Internal controls.
 Scope & time period to which opinion pertains
 Any scope limitation
 Summary of information that support opinion
 Risk & control framework or other criteria used
as a basis for overall opinion
 Overall opinion reached

Types of Opinion: (i) Positive Assurance (ii) Negative/limited assurance (iii) Qualified Opinion

Positive/Reasonable Negative/limited Qualified opinion

Highest level of assurance & Nothing came to auditor Specific finding contradict
Strongest type of opinion. attention that show overall opinion. where there
inadequate internal controls is an exception to general
opinion. "Except for"

Recommendation: In formulating recommendation considerations includes:

 Course of action that is most practical & economical

 Objectives that should be kept in mind when recommending corrective action
 The choices & how they measure up when compared with objectives
 best choice with few side effects
 Mechanism that should be suggested to control the corrective action after it is taken

Engagement Supervision

Engagement must be properly supervised to ensure objectives are achieved, quality is assured and staff
is developed. It also depends on auditors experience/skills and engagement complexity.
CAE can use IA policies & procedures to :

 specify software programs or templates to establish consistent formats

 Address opportunities for staff development

Engagement supervisor is responsible for approving work program and other aspects of planning
process. He will also review work papers, evaluates whether information, testing and results are
sufficient, reliable, relevant and useful. And will review engagement communication to ensure they are
timely, accurate, complete, concise, clear and objective.

Coordination: In initial meeting supervisor meet with audit team to ensure all aspects of program are
covered and work is not duplicated. Coordination can be challenging in large/complex audits, multiple
sites with remote sites also, in global organization audits with different cultures and business practices.
In initial meeting its also discussed:

 What to be reported and to whom

 When communication should be occurred
 What will be the preferred method?
 Any legal restrictions on communication

Progress memos and meeting minutes can be issued to document:

(i) Assignments (ii) Agreement on procedures (iii) Commitments (iv) Open issues

Working paper Review: CAE or supervisor can review working paper to ensure that:

 Engagement is carried out with high quality standards

 To evaluate current skill level of each individual auditors
 To identify future development opportunities

He may use a checklist when reviewing working papers quality. Working papers will be then initialed and
dated by supervisor. If he has a question regarding working papers, he may make a written record:”
“Review notes” for the auditor to consider.

Performance Appraisal: It focus on several levels:

 Entire Audit department based on audit plan

 Audit team based on specific engagement
 Individual auditor based on different aspects like performance on specific engagement, annual
review by CAE, post audit appraisal can be delivered & discussed immediately.

Performance review provide an opportunity to auditor to define professional objectives, cooperate with
audit manager to design an action plan and periodically discuss problems to the plan.

Annual Review: It consider job competencies and it may vary organization to organization. Global
competency framework includes four areas for competencies which can be used during an annual
review. Each of these competencies may be rated as general awareness, applied and Expert.

(i) Professionalism: Competencies required to demonstrate authority, credibility and ethical

conduct
 (ii) Performance: competencies required to plan and perform audits with high standards
(iii) Environment: competencies required to identify & address specific risks to organization and
to the environment in which it operates
(iv) Leadership & communication: competencies required to provide strategic direction,
maintain relationship and managing internal auditors and process.

Face to Face meeting guidelines:

 Schedule the interview in advance and be specific about the time it will take and agenda
 Start with a discussion what will be covered. Negative news should be delivered without an
accusatory tone of voice.
 Be straightforward during discussion. Objective of the reviewer is to develop the auditor
 Summarize the review at the end and gain commitment from the auditor whatever action have
been agreed upon.

SECTION-4 (COMMUNICATING AUDIT RESULT & MONITORING)

1. Preliminary Engagement communication

CAE should understand the expectation of board & senior management regarding communication
related to engagement results. Auditor must understand any policies & procedures in the audit
manual and the use of any templates to ensure consistency in developing observation &
conclusions. Auditor may develop engagement communication plan to understand how
communication will take place during engagement and how final results will be communicated.

In communicating results, auditor must consider communication plan including:

 Criteria for communication (Standard 2410)

 Quality of communication (Standard 2420)
 Dissemination of results (Standard 2440)

Once these standards are met, auditor will consider how results will be communicated. Workpapers will
indicate which result will be communicated verbally and which in writing.

2400 series can be documented by Internal audit policies & procedures manual which contains:

 Policies regarding communication of non-compliance with laws & regulation

 Policies regarding communication of any sensitive information within inside/outside chain of
command
 Policies regarding communication outside organization
 Other documentation e.g., communication plan, observation record, interim & final
communication documents, monitoring & follow-up communication document.

2. Communication Elements & Quality

Communication Element: "Criteria for communicating" Communications must include Engagement
Objectives, Scope & results. Objective & scope are discussed during engagement when engagement
letter is shared with client and when there is deviation from original objective & scope and in final
engagement communication. When planning final engagement communication, all working papers with
summaries will be considered as well as:

 Engagement Objective  Scope and any limitation  Engagement result

 Stakeholder expectation  Strategic goals of area under review

Final communication must include conclusion, recommendation and action plan. Opinion should also be
provided where possible. opinion must take into account expectations of senior management, board &
other stakeholders.

Auditors are encouraged to acknowledge satisfactory performance in engagement communications.

When distributing results outside organization, communication must include limitation on distribution
and use of result.

Report Elements include Objective of engagement, scope, Audit methods, Results and other optional
sections including background information, summaries, client accomplishment, Client view or client
perspective regarding engagement conclusion or recommendation.

Communication quality : Accurate, Complete, Concise, Constructive, Clear, Objective, Timely

Accurate : Communication must be free from error and are faithful to underlying facts. Auditor must
present all the facts known to them & precise wording should be used. if an error occur CAE must
communicate the corrected information as per standard 2421.
Complete: Communication must contain everything including significant information that is essential to
the target audience.

Concise: Communication must be to the point & avoid unnecessary details.

Constructive: Communication must be helpful to the client and organization and lead to improvements
where needed.

Clear: Communications must be clearly understood and logical avoiding any unnecessary technical
language. Clarity is enhanced when auditor communicate important observation & logically support
recommendation and conclusion for a particular engagement.

Objective: Communications are fair, unbiased and are the results of a balanced assessment of all
relevant facts and circumstances.

Timely: Communication must be present within the deadlines.

3. Interim Reporting: may be verbal, written, transmitted formally or informally. may used to:
 Communicate information that required immediate attention
 If there is any change in objective or scope of engagement
 If engagement extends over a long period of time
 Inform management of matters not related to the engagement
Interim reporting has advantages such as:

 Engagement process become more efficient as auditors can clarify issues before unnecessary
work is done
 Engagement process become more effective as information is uncovered and understood before
evaluations are made & recommendations formulated.
 Auditor-client relationship is strengthened.
 Interim report can be a path to high quality & increase detail in final report and it also reduce
time to create a final report.

4. Recommendations: Effective working papers include Objective, observation, conclusion &

recommendation.
 Recommendations can be general or specific.
 Recommendations are based on auditor observations and conclusions.
 Recommendations call for an action to correct or improve existing conditions & suggest
approaches to enhance existing conditions.

SMART is an effective approach to develop recommendation.

Specific: recommendations are exactly what organization should aim to achieve.

Measurable: Recommendations should be evaluated whether they are accomplished
Action-oriented: Recommendation should specify the actions the organization will be able to take.
Relevant: Recommendations related to nature of organization and are attainable.
Time-based: Recommendations specify the time frame for accomplishing recommendations.

Auditor should maintain their objectivity when drawing conclusion. Auditors should consider:

 Does the recommendation add value?

 Will it address the root cause?
 Will the benefit increase from its cost?

5. Engagement Communication Reporting Process:

"Disseminating Results" CAE must communicate the result to appropriate parties.

CAE may give authority for this to any appropriate person but the responsibility rest with the CAE. To
whom and how to communicate the final result, CAE will consider the following:

 Organization chart OR Audit charter

 Organization communication protocol
 Discussion with board

CAE will need to consult with legal advisor when to communicate outside the organization as
ramification will be needed to sensitive information. he will also consider the party receiving the result
have any business need for this or have any responsibility for management action plan. CAE may
develop a distribution list including who will receive all communication and who will receive their
specific related area communications.
If CAE discover Error or Omission at a later stage in final communication, he must communicate it in the
best way to all parties who received the original communication. CAE will need to understand which
error or omission is significant to board/management. He will need to determine significance from
following questions:

 Does this error or omission will change the result of engagement?

 Or it will change some one mind about severity of the finding?
 Or it will change the opinion, Conclusion or recommended action?

Drafting: When drafting report, it is important to keep need of audience in mind. if there is 1 audience
then 1 or more than 1 version of report may be made. if there are different versions then the overall
objective substance (recommendation, opinion, management response) of report will not be change.

Basic principles of drafting include creating an outline & then two or three draft reports.

Outline may include headings with brief summaries and in what order? Then first draft will include
getting the information down. Then second and third draft will focus on cleaning up the writing, making
it clear and concise.

Reviewing: Audit client or audit supervisor can read and comment on the draft report. Reviewer will
consider whether the information in the report is factual, complete and Conclusions are supported by
evidence. it is important to emphasize on completion time line and urgency related to management
action plan.

Approving: CAE or a designated person by CAE will approve or sign all final communication and to whom
it should be communicated but CAE would still be responsible for all final communication. He may
designate:

 Audit In-charge  Lead Auditor  Audit supervisor

Distribution: CAE will be responsible to distribute the report to those who will be responsible for taking
corrective action, to board, external auditors or other who are effected or interested in the report. If
substantive correction have to be made to the report, CAE will have to ensure that it is distributed to all
recipients highlighting the changes made in final report.

Exit meeting: CAE is responsible to oversee that the report is:

 skillfully prepared and presented

 Brought to the attention of client decision makers
 Avoiding to go into hands of those who are not authorized to receive it

Same people attend the exit meeting who attended entrance meeting as they have know how of the
operations and power to take decision of the related area. Objective of exit meeting includes:

 Discuss the conclusions and recommendations

 Resolve any misunderstandings regarding any observation or item
 Reaching to a possible solution regarding a problem in the report
 Appreciating the client for co-operation with the audit team
 6. CAE Responsibility regarding Acceptance of Risk & its communication

If CAE determine unacceptable level of risk which management has accepted but unacceptable to
organization, he must discuss it with management responsible for the area under review then he must
communicate it with senior management, if the matter is still not resolved he should discuss it with
board. If Organizations has a formal risk management framework and formally accept risks, then
CAE/auditors should understand this. But CAE is not responsible for resolving residual risk. Residual risk
may be found from assurance/consulting engagement and actions taken on previous audit results. High
significance risk includes those:

 That may harm Organization reputation and people

 Result in Penalties/fines, Fraud/illegal acts
 Material misstatements and significant impediment in achieving Org. Strategic Objectives

CAE should know to whom typically high-risk issues are communicated in organization. CAE must be able
to identify unacceptable risky areas, he must have access to senior management and board and CAE
must have strong management & communication skills.

CAE use judgment to whom and when such matters will be reported based on:

 Nature of issue  Urgency of the issue

 Potential results of the issue if unresolved  Any policies that may be in place

7. Outcomes & Management Action Plan-Monitoring Progress

CAE is responsible to monitor the disposition of results communicated. The monitoring process must
capture relevant observation, corrective action and current status. CAE may develop or purchase a tool
to track, monitor and report such information. Tracked & captured information includes:

 Observation communicated to management  Agreed corrective action

 Timing/ deadline of corrective action  Owner responsible
 Current status of corrective action & whether auditor has confirmed the status

8. Monitoring & follow-up: CAE must establish a follow-up process to monitor & ensure that
management actions have been implemented or that management has accepted a risk by not
taking any action. Factors to consider when determining appropriate follow up procedures are:
 Significance of reported observation/recommendation
 Degree of Effort, Time and cost needed for corrective action
 Complexity of corrective action
 Impact if corrective action failed

An observation is not considered remedial until Re-testing is performed to confirm that implemented
controls are operating effectively and risk is reduced to acceptable level.

Follow-up actions should be documented & retained in the working papers.