Professional Expectations

Standards Update - Summary of Changes (*):

 

Reporting to Board & Executive Management:

CAE to communicate and interact directly with the board

Frequency and content determined through discussion with the board and senior management, and by the importance and urgency of the information

Confirm to the board at least annually independence of internal audit

Discuss internal audit definition, Code of Ethics and Standards with board and senior management

Charter

Purpose, Authority, and Responsibility (add)

consistent with the Code of Ethics
periodically reviewed

Definition of Internal Auditing, Standards and Code of Ethics recognized in Charter

Managing Internal Audit Activity

Effectively manage internal audit activity

Audit results meet charter expectations
Audit conforms to the definition, Standards and Code of Ethics

Independence & Objectivity

Unbiased mental attitude permitting belief in work product and without quality compromises

Do not subordinate judgment on audit matters to others (**)

Confirm to the board at least annually independence of internal audit

CAE direct and unrestricted access to senior management and the board via possible dual reporting relationship

Threats to independence and objectivity managed at individual auditor, engagement, functional & organizational levels

Impairments can include conflict of interest, scope limitations, restrictions on access to records, personnel and properties, and resource limitations, such as funding

Disclosure of impairment depends upon department and CAE expectations, the charter and nature of impairment

Conflict when competing professional or personal interest exists, even if no ethical or improper act results

Due Professional Care

Encouraged to obtain professional certifications

Must evaluate potential for fraud and how organization manages fraud risk

Resource Management

(Audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan)

Appropriate: knowledge, skills, competencies needed to perform
Sufficient: quantity of resources needed to accomplish plan
Effectively deployed: optimal use of resources to accomplish plan

Supervision

CAE overall responsible for supervision but may delegate (**)

Document evidence of supervision (**)

Extent of supervision depends upon proficiency and experience of auditor and complexity of audit (**)

Services Provided

(For Consulting Engagements) refrain from assuming management responsibility by actually managing risks when assisting in risk management

Audit Policies & Procedures

Form and content depend upon size and structure of department and complexity of work (**)

Audit Plan MACRO/Global

(Establish risk-based plans at least annually)

Consider the organization's risk management processes and the acceptable levels of risk set by management

Monitoring and evaluating the effectiveness of risk management system

Organizational objectives congruent with mission
Significant risks identified and assessed
Risk responses align with organization's risk appetite
Relevant risks are captured and communicated timely to permit staff, management and board to respond
Ongoing monitoring for risk management processes and separate evaluations

If no risk management framework, use own judgment after discussing with board and senior management

(Determine effectiveness of risk management system)

Organizational objectives congruent with mission
Significant risks identified and assessed
Risk responses align with organization's risk appetite
Relevant risks are captured and communicated timely to permit staff, management and board to respond
Ongoing monitoring for risk management processes and separate evaluations

Scope of Work

Assess if IT governance sustains and supports strategies and objectives of organization

Reporting

CAE or designee to review and approve report and decide on distribution (**)

(Communications to be)

Accurate: free from errors and distortions, based on facts (**)
Objective: fair, impartial, unbiased, balanced assessment of facts and circumstances (**)
Clear: easily understood and logical, avoid technical language when possible, and provides significant and relevant information (**)
Concise: to the point, avoids redundancy and wordiness (**)
Constructive: helps client and organization to make improvements (**)
Complete: lacks nothing essential and includes all significant and relevant information to support recommendations and conclusions (**)
Timely: timely depending upon significance of issues to allow for appropriate corrective action (**)

If cannot comply with the Standards and it impacts engagement, report to senior management and board

Use "conducted in accordance with the International Standards" statement if results of quality assurance & improvement program support such statement

Quality Assurance & Improvement Program

(Program Objectives: Add Value, Improve Operations) and

Conforming to Professional Standards & Code of Ethics & definition of internal auditing
Assess efficiency & effectiveness
Identify opportunities for improvement

(Ongoing reviews of performance)

Incorporated into routine policies and procedures
Uses tools, processes, etc. to evaluate conformance to Standards, Code and internal auditing definition

(Periodic reviews from within)

Conducted to evaluate conformance to Standards, Code and internal auditing definition
Sufficient knowledge of internal auditing necessary

(Independent reviewer/team)

(Outside the organization)
(No real or apparent conflict of interest)
Competent in internal auditing and external assessment process (**)
Familiar with business sector/industry or technical knowledge (**)
Qualified considering size and complexity of organization (**)

Results of external and internal assessments communicated when assessment completed, including degree of conformance

Results of ongoing monitoring communicated at least annually

Reporting form, content and frequency determined by board, senior management and charter

 

(Professional Standards comments, per Introduction to the Standards):

Principles-focused
Mandatory requirements
Attribute Standards address attributes in performing audit services
Performance Standards describe nature of audit and provide performance criteria
Implementation Standards expand upon Attribute and Performance Standards
Assurance Services - assess an entity, operation, function, process, system or other subject matter
Consulting Services - advisory; generally provided at request of client as agreed

 

(*)Comments:

Official date to incorporate the revised Standards - January 1, 2009

Changes to the Standards have been updated in YourIAM, on-line internal audit manual (section, "Key Issues")

The above summary of changes is abbreviated; refer to the Standards for full detail

All but four of the "should" comments in the Standards were changed to read "must"

Several comments in Practice Advisories were officially made a part of the Standards via "Interpretations" (YourIAM, on-line internal audit manual has been updated to include these "Interpretations")

Practice Advisories were reduced in number from 83 to 42.

(**) Statement previously included in a Practice Advisory; now incorporated into the Standards via "Interpretations"