COMMUNICATING AND

REPORTING TO SENIOR
MANAGEMENT AND THE
BOARD

LARONG, AIHZEL G.
MINGLANA, MITCH T.
MONTILLA, BAMBIE Y.
MONTILLA, BAMBOO Y.
RUBI, JECHEL MARIE
 COMMUNICATING AND
REPORTING TO SENIOR
MANAGEMENT AND THE BOARD

Communicate Annual Audit Plan

and Obtain Board Approval
What is Internal Audit
Plan?

The Annual Audit Plan (or just 'audit plan') is the list of audit
engagements to be conducted in the coming year. It is a report of
scheduled audits by process or location. The purpose of the plan is
to define the audit work that will be completed each fiscal year, and
it is a methodical approach that enables reviewers to focus on
important areas under review.

The most effective way to ensure that a company’s risk is properly

identified and eliminated 

A well prepared Annual Internal Audit plan will ensure the success
of the audit conducted.
SAMPLE
SAMPLE
SAMPLE
COMMUNICATION TOTHE BOARD
Why is there a need to communicate the audit
plan to the board and senior management?

Standard 2020 – Communication and Approval

The chief audit executive must communicate the internal audit
activity’s plans and resource requirements, including significant
interim changes, to senior management and the board for review
and approval. The chief audit executive must also communicate
the impact of resource limitations.

At least once a year, the CAE needs to communicate the audit plan
to the board and senior management for review and approval.
The plan will include:
• Information about the work schedule,
• The staffing plan, and
• The budget.
COMMUNICATING RISKS AND LIMITATIONS

Any significant risks and any areas in which the

CAE determines that the residual risk is too high
must be communicated to the Board.

In addition, any limitations that have been placed

on the scope of the plan need to be
communicated.
GETTING APPROVAL OF THE PLAN
The plan needs to be approved by the board.

What is the thing to be considered in order the

plan to be approved?

When the plan and other information allow the board to

determine the IAA is properly supporting the objectives
and plans of the organizations and if they are consistent
with what the IAA is allowed to do under the Internal Audit
Charter.
Standard 2020 – Communication and Approval
The chief audit executive must communicate the internal audit activity’s plans and
resource requirements, including significant interim changes, to senior
management and the board for review and approval. The chief audit executive
must also communicate the impact of resource limitations.

Practice Advisory 2020-1: Communication and Approval

1. The chief audit executive (CAE) will submit annually to senior
management and the board for review and approval a summary of the
internal audit plan, work schedule, staffing plan, and financial budget.
This summary will inform senior management and the board of the
scope of internal audit work and of any limitations placed on that scope.
The CAE will also submit all significant interim changes for approval and
information.
Practice Advisory 2020-1: Communication and Approval
2. The approved engagement work schedule, staffing plan, and financial
budget, along with all significant interim changes, are to contain
sufficient information to enable senior management and the board to
ascertain whether the internal audit activity’s objectives and plans
support those of the organization and the board and are consistent with
the internal audit charter.
 COMMUNICATING AND
REPORTING TO SENIOR
MANAGEMENT AND THE BOARD

Identify Significant Risks

Exposures to Report to the
Board
REPORTING TO THE BOARD
What are the other things to be reported to the
board?

In addition to the annual audit plan, the CAE

must also report to the board the following:
• Significant risk and control issues.
• Fraud risks.
• Governance issues.
• Any other matters that require the attention of
senior management.
REPORTING TOTHE BOARD
Standard 2060 – Reporting to Senior
Management and the Board: The chief audit
executive must report periodically to senior
management and the board on the internal audit
activity’s purpose, authority, responsibility, and
performance relative to its plan and on its
conformance with the Code of Ethics and the
Standards. Reporting must also include significant
risk and control issues, including fraud risks,
governance issues, and other matters that require
the attention of senior management and/or the
board.
TIMING, FREQUENCY AND FORMAT

The timing and format of the reporting

depends on the specific
circumstances and issues (The
Interpretation to Standard 2060
outlines this matter.)
TIMING – in reporting, it is the choice, judgment, or control of when something should
be done.
FREQUENCY – it pertains to “how many times” the communication and reporting
occurs.
FORMAT – the “content” of the of the reporting.
Interpretation:
The frequency and content of reporting are determined collaboratively by the chief audit
executive, senior management, and the board. The frequency and content of reporting depends
on the importance of the information to be communicated and the urgency of the related actions
to be taken by senior management and/or the board.

The chief audit executive’s reporting and communication to senior management and the board
must include information about:
• The audit charter.
• Independence of the internal audit activity.
• The audit plan and progress against the plan.
• Resource requirements.
• Results of audit activities.
• Conformance with the Code of Ethics and the Standards, and action plans to address any
significant conformance issues.
• Management’s response to risk that, in the chief audit executive’s judgment, may be
unacceptable to the organization.
 COMMUNICATING AND
REPORTING TO SENIOR
MANAGEMENT AND THE BOARD

Report on the Effectiveness of

the Organization’s Internal
Control & Risk Management
REPORTING ON INTERNAL CONTROLS AND RISK MANAGEMENT

What is this all about?

This report is another opportunity for

the CAE to educate the board about
the importance of controls and risk
management.
RISK MANAGEMENT

Standard 2120 addresses the IAA’s

responsibility connected to risk
management.

RISK MANAGEMENT – the continuing process to identify, analyze,

evaluate, and treat loss exposures and monitor risk control and
financial resources to mitigate the adverse effects of loss.
Standard 2120 – Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement
of risk management processes.
Interpretation:
Determining whether risk management processes are effective is a judgment resulting from
the internal auditor’s assessment that:
• Organizational objectives support and align with the organization’s mission.
• Significant risks are identified and assessed.
• Appropriate risk responses are selected that align risks with the organization’s risk
appetite.
• Relevant risk information is captured and communicated in a timely manner across the
organization, enabling staff, management, and the board to carry out their
responsibilities.
The internal audit activity may gather the information to support this assessment during
multiple engagements. The results of these engagements, when viewed together, provide an
understanding of the organization’s risk management processes and their effectiveness.
Risk management processes are monitored through ongoing management activities,
separate evaluations, or both.
INTERNAL CONTROLS
Standard 2130 sets forth the IAA’s role in
assisting the organization to maintain effective
controls and to evaluate their effectiveness and
efficiency.

INTERNAL CONTROL - a process for assuring of an organization's

objectives in operational effectiveness and efficiency, reliable
financial reporting, and compliance with laws, regulations and
policies.
Implementation Guide 2130: To promote continuous improvement in maintaining effective
controls, the internal audit activity typically provides the board and senior management with an
overall assessment or compiles the results of control evaluations accumulated from individual audit
engagements. The CAE may recommend the implementation of a control framework if one is not
already in place. Additionally, internal auditors may make recommendations that enhance the
control environment (e.g., a tone at the top that promotes a culture of ethical behavior and a low
tolerance for noncompliance).
Additional steps the internal audit activity may take to promote continuous improvement in control
effectiveness include:
• Providing training on controls and ongoing self-monitoring processes.
• Facilitating control (or risk and control) assessment sessions for management.
• Helping management establish a logical structure for documenting, analyzing, and assessing
the organization’s design and operation of controls.
• Assisting in the development of a process for identifying, evaluating, and remediating control
deficiencies.
• Helping management keep abreast of emerging issues, laws, and regulations related to control
requirements.
• Monitoring technological advancements that may assist with control efficiency and effectiveness.
 COMMUNICATING AND
REPORTING TO SENIOR
MANAGEMENT AND THE BOARD

THANK YOU!

LARONG, AIHZEL G.
MINGLANA, MITCH T.
MONTILLA, BAMBIE Y.
MONTILLA, BAMBOO Y.
RUBI, JECHEL MARIE