5 Steps of the Communicating Phase
- Perform observation evaluation and escalation
- Conduct interim and preliminary engagement communications
- Develop final engagement communications
- Distribute formal and informal final communications
- Perform monitoring and follow-up procedures
Exhibit 14-2 The Assurance Engagement Process
Engagement Communication Obligations
- Reporting on design adequacy and operating effectiveness of controls
- The COSO framework is useful when studying the engagement communication process
- Corresponding engagement communications provide independent feedback on the internal audit function's results of assessing such matters as assurance engagement's scope is intended to assess or evaluate controls related to narrowly focused matters.
Engagement Communication Obligations (cont'd)
According to IIA Standard 2060, the CAE has the responsibility to report periodically to senior management and the board on the internal audit activity’s:
- Authority
- Responsibility
- Performance relative to its plan
- Conformance with the Standards
- Significant risk and control issues
- Fraud risks
- Governance issues
- Any other matters that require the attention of senior management and/or the board
The CAE evidences the completion of these professional responsibilities by periodically reporting, among other things, the results of assurance engagements to senior management and the audit committee during routinely scheduled meetings throughout the year.
Engagement Communication Obligations (cont'd)
- Communication occurs throughout the engagement process
- Results are communicated in various ways; final results are communicated to affected parties.
- The final engagement communication, often referred to as an “audit report,” is the way an internal audit function communicates the results to management and other appropriate parties
- The internal audit function tests controls to ensure that they are designed adequately and are operating effectively to meet specific (objectives)
Engagement Communication Obligations (cont'd)
- An observation is indicated if, during testing, the internal audit function concludes that any of the controls identified in the engagement are not designed adequately or operating effectively (as intended).
- Once an observation is identified, however, there are several steps the internal audit function must go through to determine what impact, if any, the observation has on the internal audit function’s evaluation of whether the related controls are designed adequately and operating effectively.
- Even if no observations are identified in an engagement, a formal, final communication is still necessary to indicate this fact and to fully discharge the internal audit function’s obligations under the Standards.
Exhibit 14-3 Criteria for Assessing Management's Assertions
Observation Evaluation and Escalation Process
- The internal audit function determines the communication obligations indicated by taking steps that allow for evaluation of factors affecting each individual observation relative to its impact, likelihood, classification, and risk.
Exhibit 14-4 Observation Evaluation and Escalation Process
Assess Impact and Likelihood
Observation Evaluation and Escalation Process (cont'd)
Often, the risk tolerance parameters take into consideration planning materiality of the independent outside auditor, simplifying the observation assessment process and allowing the relevant terms and definitions to be consistently applied to controls related to operations, compliance, and nonfinancial reporting in addition to internal control over financial reporting and disclosure controls and procedures.
Exhibit 14-6 Risk Prioritization Metrics
Exhibit 14-7 Observation Evaluation Criteria Impact(severity)
Conclusions reached can be documented in working paper templates or checklists similar to the one in Exhibit 14-8.
Conduct Interim and Preliminary Engagement Communications
The internal audit function communicates with the key individuals in the area subject to audit via email and in face-to-face meetings or on conference calls throughout the engagement:
- To discuss observations as they are identified
- To make sure the facts are accurate
- To initiate dialogue regarding the best method of remediation
- To bring attention to observations calling for immediate attention in a timely manner
- To finalize the observations that will ultimately go into the final communication and to formalize management’s action plan
- To confirm preliminary facts and conclusions with appropriate management representatives
Develop Final Engagement Communications
The final assurance engagement communication:
- Communicates timely, pertinent information to management concerning deficiencies in controls (lack of design adequacy or operating effectiveness), strengths in controls, opportunities to maximize resource utilization or reduce costs, and areas for increased productivity or efficiency,
- Documents the scope, conclusion, observations, recommendations, and resulting management action plans of an assurance engagement,
- Communicates timely, pertinent information to the audit committee and other non-auditee users (for example, external auditors),
- Evidences the internal audit function’s independent assessment of the area’s controls,
- Serves as the internal audit function’s permanent record of the work performed, and
- Is the formal way an internal audit function discharges its professional communication obligation under the Standards.
Final Engagement Communications (cont'd)
A well-designed final communication should include:
- Purpose and scope of the engagement,
- Time frame covered by the engagement,
- Observations and recommendations,
- Engagement conclusions and rating (if applicable), and
- Management’s action plan to appropriately address reported observations (if applicable).
Distribute Formal and Informal Final Communications
Final communications:
- Must be reviewed and approved by the CAE or designee prior to distribution
- Must be distributed to all appropriate parties, including the management of the audited activity and members of the organization who can ensure appropriate action is taken
- Must send a summary communication to executive management when warranted
- Must be distributed to other interested or affected parties, for example, external auditors and the board as indicated by the internal audit charter
Quality of Communications
Standard 2420: Quality of Communications states “communications must be accurate, objective, clear, concise, constructive, complete, and timely.” The interpretation to Standard 2420 defines these terms.
- Accurate communications are free from errors and distortions and are faithful to the underlying facts.
- Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.
- Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.
- Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness.
- Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed.
- Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.
- Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.
- Standard 2421 Errors and Omissions: “If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.”
- An error is defined as an unintentional misstatement or omission of significant information in the final engagement communication.
Performing Monitoring and Follow-Up
The CAE is instructed by the Standards to “establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action” (Standard 2500.A1).
- Follow-up timing depends on the importance (insignificant, significant, or material) of the observation
- Follow-up is sooner and more frequent for more significant observations
- Follow-up includes confirming that the corrective action has been implemented and performing appropriate retesting procedures to ensure the applicable risk is mitigated