Acctg 46

Sustainability and Strategic Audit

Instructor : Cyra Mae M. Lanestosa, CPA

 Communicating
Assurance
Engagement results
Final Lecture 1
 01 Identify the different forms
Learning of assurance engagement
communications
Objectives
02 Identify the steps involved
in creating an effective
assurance engagement
communication
03 Discuss the distribution
process for effectively
communicating assurance
engagement outcomes
Page 495
COSO Category
Many organizations are subject to laws and regulations regarding
assessment of their internal controls over financial reporting using an
approved internal control framework (e.g., COSO’s Internal Control -
Integrated Framework in the US.) or have voluntarily adopted COSO’s
internal control framework to assess their internal controls. For those
organizations, once one or more observations have been identified, the next
step is to determine which COSO category the compromised control most
directly affects, recognizing that an observation may impact more than one
category. Controls mitigate V risks that threaten the achievement of
objectives in three COSO-defined categories (these categories are similar
across the three common frameworks):

Operations objectives. These pertain to effectiveness and efficiency of the

entity’s operations, including operational and financial performance goals,
and safeguarding assets against loss.
Reporting objectives. These pertain to internal and external financial and
nonfinancial reporting and may encompass reliability, timeliness,
transparency, or other terms as set forth by regulators, standard setters, or
the entity’s policies.
Compliance objectives. These pertain to adherence to laws and
regulations to which the entity is subject.
 CONDUCT INTERIM AND PRELIMINARY ENGAGEMENT
COMMUNICATIONS

Communication is an integral part of any assurance engagement and occurs throughout the
engagement process. During the course of performing an assurance engagement, the internal
audit function communicates routinely and regularly with the key individuals in the area subject to
audit. Much of this communication is done via email and in face-to-face meetings or on conference
calls. The purpose of these communications is to discuss observations as they are identified during
the engagement. This allows the internal audit function to make sure the facts are accurate and
also initiates dialogue regarding the best method of remediation for identified observations. When
an observation calls for immediate attention, interim communication allows it to be brought to the
attention of the appropriate individuals in a timely manner and increases the likelihood of prompt
resolution. The internal audit function will use the information gathered during these interim
communications to finalize the observations that will ultimately go into the final communication and
to formalize management’s action plan for inclusion in the final communication.
The internal audit function must confirm preliminary facts and conclusions with
appropriate management representatives of the area that was covered by the
engagement before it is distributed in its final form. This can be accomplished in
many ways, but it is most commonly done through a formal meeting with
management, typically referred to as an exit interview or closing conference,
followed by a draft of the final communication in whatever form it will take.
As part of this process, the internal audit function meets with appropriate
management representatives from the area covered by the engagement and
confirms agreement with preliminary observations and conclusions discussed
throughout the engagement. This allows all parties to review what is anticipated
to be contained in the formal engagement communication and provides a inal
opportunity for resolving any potential misunderstandings. Additionally, it
provides the management of the area that was the target of the assurance
engagement with a way to present their thoughts and planned actions regarding
the items to be covered in the final engagement communication and give
feedback regarding how well the engagement team executed the assurance
engagement
A primary difference between an assurance engagement and a consulting
engagement is that in an assurance engagement, three parties are involved:
1) the person or group directly involved Final Communication with the
process, system, or other subject matter -the auditee, 2) the person or group
making the independent assessment - the internal audit function, and 3)
internal audit function informs the person or group relying on the independent
assessment - the user. A consulting engagement, on the other hand, typically
involves only two parties: l) the person or group seeking and receiving the
advice - the customer, and 2) the person or group offering the advice - the
internal audit function. Because the results contained in the final assurance
engagement communication will be used by someone other than the auditee
(for example, the audit committee), it is imperative that the communication be
concise, comprehensive, and accurate.
DISTRIBUTE FORMAL AND INFORMAL FINAL
COMMUNICATIONS

Assurance engagement communications are formal or informal depending on the

outcome as determined by the observation evaluation and escalation process. For
every assurance engagement, however, there will always be a ifnal, formal communication,
even if there are no observations to report to management.
Formal

Typically, the recipients of formal assurance engagement communications are senior

management, the audit committee, the organization’s independent outside auditor, and/or
auditee management.

Historically, formal audit communications have been in traditional written

reports or, if distributed electronically, in a Word or PDF format. As technology
has become more pervasive, however, internal audit functions are beginning
to migrate to other formats such as analytic dashboards, heat maps, summary
charts, and tables. The format used to communicate is less important (as long as
it is appropriate to the information presented and the audience receiving it) than
covering all of the elements of a formal communication.
Formal

Typically, the recipients of formal assurance engagement communications are senior

management, the audit committee, the organization’s independent outside auditor, and/or
auditee management.

All formal communications should include:

oThe purpose and scope of the audit.

oThe time frame of the audit.
oThe observations and recommendations (results) of the audit, if any.
oThe conclusion (opinion and/or rating) of the internal audit function.
oManagement’s response (action plan) to the recommendations.
Informal

No matter the form or medium chosen, informal assurance engagement communications of

insignificant observations are still considered final communications and serve to fulfill the
internal audit function’s reporting obligations under the Standards. The audience for informal,
final communications is limited to management of the area that was the target of the audit.
Informal communication is considered appropriate only when, during the observation
evaluation and escalation process, all observations were assessed to be insignificant with no
key controls compromised.
Continued next page
Errors and Ommission
The internal audit function’s responsibilities do not
end when engagement results are distributed.

Remember that during the course of the engagement,

as observations were identified, management of the
area that was the target of the assurance
engagement either committed to take corrective
action to remediate the observations or they chose
not to take action.

The collaborative process that took place during the

engagement ensured the internal audit function was
in agreement with the proposed action plan as
documented in the final engagement communication.

The CAE is required by the Standards to “establish a

follow-up process to monitor and ensure that
management actions have been effectively
implemented or that senior management has
accepted the risk of not taking action" (Standard
2500.A1).
End of Lecture 1