the last two sections have been combined in the communicate phase of the

engagement process illustrated in exhibit 2-6. the standards pertaining specifcally

to engagement process are internationally general in nature to accommodate the
varying nature of internal audit engagement.
standard 2200 engagement planning states that internal auditors must develop
and document a plan for each engagement! including the engagement"s ob#ectives!
scope! timing! and resource allocations. in planning the engagement! the internal
audit function must consider
the ob#ectives of the activity being reviewed and the means by which the
activity controls in performace$
the signifcant ris%s to the activity! its ob#ectives! resources! and operations
and the means by which the potential impact of ris%s is %ept to an acceptable
level$
the ade&uacy and e'ectiveness of the activity"s ris% management and
control processes compared to a relevant control framewor% or model$ and
the opportunities for ma%ing signifcant improvements to the activity"s ris%
management and control processes (standard 220) planning
considerations*
the following standards apply when planning the internal audit engagement
obe#ctives must be established for each engagement (standard 22)0
engagement obe#ectives*.
the established scope must be su+cient to satisfy the ob#ectives of the
engagement (standards 2220 engagement scope *
internal auditors must determine appropriate and su+cient resources the to
achieve engagement ob#ectives based on an evaluation of the nature and
complexity of each engagement! time constraints! and available resources
(standard 22,0 engagement resources allocation *
internal auditors must develop and document wor% programs that achieve
the engagement ob#ectives (standard 22-0 engagement wor% program*
while performing the engagement! the internal audit function must
identify su+cient! reliable! relevant! and useful information to achieve the
engagement"s ob#ectives (standard 2,)0 identifying information*
base conclusions and engagement results and appropriate analyses and
evaluations ( standard 2,20 analysis and evaluation*
document relevant information to support the conclusions and engagement
results (standard 22,0 documenting information *
ma%e sure that the engagement is properly supervised to ensure ob#ectives
are achieved! &uality is assured! and sta' is developed ( stadard 2,-0
engagement supervision *
for internal audit engagements to have value! their outcomes must be
communicated timely to the appropriate users! it is not enough! however! for the
users to receive a report. the communication must be in a form that minimi.es the
ris% of misinterpretation. standard 2-)0 criteria for communicating states that
communication must include the engagement"s ob#ectives and scope as well as
applicable conclusions! recommendations! and action plans. standard 2-20
&uality of communications further states that communication must be
accurate!ob#ectives! clear! concise! constructive complete! and timely. moreover!
standard 2-2) errors and omissions states! if a fnal communication contains a
signifcant error or omission! the chief audit executive must communicate corrected
information! to all parties who received the origianal communication.
internal audit function may report that their engagements are conducted in
conformance with the international standard for the professional practice of internal
auditing. only if the results of the &uality assurance and improvement program
support the statement (standard 2-,0 use ofconducted in conformance with the
international standards for the professional practice of internal auditing*. when
nonconformance with the defnition of internal auditing! the code of etchics! or the
standards impacts a specifc engagement! communication of the result must
disclose the
principle or rule of conduct of the code of ethics or standard with which full
conformance was not archieved
reasons for the nonconformance and
impact of nonconformance on the engagement and the communicated
engagement results ( standard 2-,) engagement disclosure of
nonconformance *
the /01 is responsible for the communicating internal audit engagement results to
the appropriate parties ( standard 2--0 disseminating results * and for
establishing and maintining a system to monitor the disposition of engagement
results communicated ( standard 2200 monitoring progress *. for assurance
engagement! this means that the /01 mus ascertain that management actions
have been e'ectively implemented or that senior management has accepted the
ris% of not ta%ing action (standard 2200.0)*. for consulting engagements! the
internal audit function must monitor the disposition of results. . to the extent
agreed upon with the customer* ( standard 2200.c) *
the engagement process is covered extensively in chapter )2! introduction to the
engagemenet process! chapter ),!conducting the assurance
engagement!chapter )-!communicating assurance engagement outcomes and
performing follow-up procedures! and chapter )2the consulting of engagement.
resolution of senior management"s acceptance of ris%s. standard 2600 resolution
of senior management"s acceptance of ris%s adresses the issue of accepting a
level of residual ris% that may be unaceptable to the organi.ation.. the glossary to
the standards defnies residual ris% as the ris% remaining after management ta%es
action to reduce the impact and li%elihood of an adverse event! including control
activities in responding to a ris%. the text boo% glosssary contains a slightly
di'erent! but consistent defnition of residual ris% the portion of inherent ris% that
remains after managements executes its ris% responses ( sometimes referred to as
net ris%*. when a potentially unacceptable level of residual ris% is believed to exist!
the chief audit executive must discuss the matter with senior management. if the
decision regarding residual ris% is not resolved! the chief audit executive must
report the matter to the board for resolution.
3trongly 4ecommended 5uidance
the 660"s mandatory guidance ( defonition of internal auditing! code of ethics and
standards 0 is relatively general in nature because it is applicable to all internal
audit activities. internal audit assurance and consulting engagements are
conducted in a wide variety of organi.ations! by in-house internal audit functions or
outside service providers! in a centrali.ed or decentrali.ed organi.ational structure!
and in diverse cultures and legal enviroments.
strongly recommended guidance ( practice advisories! position papers! and practice
gides * provide more specifc! nonmandatory guidance. in same cases! strongly
recommanded guidance may not be applicable to all internal audit functions. in
other cases! in may represent only one of many acceptable alternatives. however!
this guidance is authoritative in the sense at the 660 has endorsed it trough a formal
endorsements process! which includes review by the ethics committe and the
internal audit standards board for consistency with the mandatory guidance.
practices advisories. the practices advisories provide concise and timely guidance
as to how standards might be implemented. they address approaches!
methodologies! and factors for an internal audit function to consider! but are not
intended to provide detailed processes and procedures for internal audit functions
to follow. they may pertain to specifc types of engagements of clarify geographical
or industry internal audit practices. each practices advisory is correlated by number
to the standard to which it pertains and also refers to the code of ethics where
applicable.
the 660"s professional issues committee is responsible for developing practice
advisories. the professional issues committee may! however! wor% with other 660
committees such as ethics committee or the advanced technology committee to
develop advisories for which speciali.ed expertise is needed. as of 2007! more than
20 practice advisories have been issued. the practice advisories are available in the
published edition of the 6889! which is usually updated every three years! and the
accompanying /:! which is updated annually. all issued practice advisories are
available to 660 members on the 660"s website
exhibit 2-; present an example of a practice advisory. practice advisory )000-)
internal audit charter provides advice pertinent to standard )000 purpose!
authority! adn responsibility. in addition to the advisory text! the practice advisory
contains the related standard and if applicable! the interpretation. in this case! the
practice advisory augments the standard by providing supplemental guidance
regarding the internal audit charter.
position papers. postion papers provide guidance on issues that extend beyong the
specifcs of how the /01! internal audit function! and individual internal auditors
should conduct their wor%. they are written not only for internal auditors but for
other interested parties outside the profession. such parties include management!
board and audit committee members! and external sta%eholders such as legislator!
regulators! ang other professionals with whom internal auditors wor% ( for example!
independent outside auditors or other service providers involved in organi.ation"s
ethics and compliance programs or ris% management initiatives*. position papers
currently address the role of internal auditing in the organi.ation"s enterprise ris%
management system and how the organi.ation sources the internal audit function.
future position papers may address signifcant governence! ris% management! and
control issues with the intent of clarifying the issues and enhancing internal
auditors and sta%eholders understanding of the issues.
the 660"s professional issues commitee usually initiates position papers! but any
international committee or local 660 institute may do so. position papers drafted by
local 660 institutes must be submitted for review by and feedbac% from! the 660"s
international technical committees to ensure that the guidance is consistent with
the 6889. position papers also may be developed and issues in partnership with
other professional organi.ation. managing the development and writing of the
position papers rests with the professional issues committee. unli%e other types of
strongly recommended guidance! position papers re&uire a one-month exposure
period to local 660 institutes and other international technical committees before
they are issued.
8ractice 5uides. practice guides provide detailed guidance on internal audit tools
and techni&ues. practice guides are currently composed of the global technology
audit guides ( 5<05 * and the guide to the assessment of 6< ris% ( 506< * series! both
of which were developed bye the 660"s 0dvanced technology committee. =oth the
5<05 series and 506< series are available to 660 members on the 660"s website.
/hapter ;! information technology ris%s and controls! provides more information
about this 6<-related guidance.
any of the 660"s technical committees may purpose the concept for a practice guide!
but the professional practice advisory council ( composed of the chairs ofthe 660"s
international technical committees * oversees their development and issuance. the
professional practice advisory council approves the concept and assigns it to one of
the committees develop. the committees most li%ely to be as%ed to develop
practice guides are the professional issues committee! the advanced technology
committee! and the committee on &uality.
>?@ <>1 6A<14A0<6?A0B 84?91336?A0B 840/<6/13 940C1@?4D 63 D18<
/E441A<.
the 6889 is not intended to be a static body of guidance. it will continue to evolve as
the profession respond to a continuously changing enviroment.
the professional practices advisory council is responsible for coordinating in
initiation! development! issuance! and maintenance of the authoritative guidance
that ma%es up the 6889. the council comprises the 660"s vice president of
professional practices and the chairs of the 660"s six international technical
committees. these committees are the ethics committee! the internal audit
standards board! the professional issues commitee! the advanced technology
committe! the committe on &uality! and the board of regents. the frst three
committees have direct responsibility for maintaining specifc portions of the 6889.
each year! the professional practices advisory council develops a wor% plan for the
next year as well as a tentative plan for the following two years that lays out the
wor%s for ethics committee! the internal audit standards board! and the professional
issues committee. the council also coordinates the review of all exisiting guidance
on three years cycle.
the ethics committee. the ethics committee"s mission is to serve the global
profession of the internal auditing by maintaining the 660"s code of ethics $
promoting an understanding of and compliance with the 660"s code of ethics$
assesing$ investigating! ang sanctioning complaints concerning noncompliane with
the 660"s code of ethics$ and advocating ethics as part of the governence process.
the committe is re&uired to complete a formal review of the existing code of ethics
every three years. any changes in the code of ethics!such as adding additional
rules! must be initiated by this committee. adoption of new rules re&uires a 70-day
exposure period for public comment. fnal approval of changes to the code of ethics
rests with the 660"s board of directors. the ethics commitee also evaluates the
conduct of 660 members and candidates for! or holders of! 660 professional
certifcations! when necessary.
the international audit standards board. the international audit standards board"s
mission to promulgate! monitor! and the promote the standards on a worldwide
basis. the board is re&uired to complete of a review of the existing standards every
three years. new standards or modifcations to existing standards are initiated with
this committe and re&uire a 70-day exposure period for public comment. exposure
includes translation into spanish and french! and the often into other ma#or member
languages ( for example! chinese! italian! german! #apanese! and potentially
others*. after due considerations of responses to the exposure draft! a ma#ority vote
of the committee is re&uired for fnal issuance.
professional issues committee. the professional issues commite"s mission is to
provide thought leadership and timely professional guidance to the members and
sta%eholders of the internal audit profession on methodologies! techni&ues! and
authoritative positions include in the 6889 and to comment on or support other
matters that impact the internal audit profession. this committee initiates!
develops! and maintains the practice advisories and reviews existing practice
advisories on a three years cycle. the professional issues committee also is a
primary initiator and developer of position papers and practices guides. drafts of
proposed practice advisories! position papers! and practices guides are circulated to
the ethics committee and the internal audit standards board for a review of
consistency with existing mandatory guidance before they are issued. position
papers also re&uire a ,0-day exposure period to local 660 institutes.
the process for developing the mandatory and strongly recommended guidance
included in the 6889 is summari.ed in exhibit 2-F
to improve transparancy and enhance the trust that legislators! regulators! and
other users of internal audit services have in the profession"s authoritativegidance.
the 660"s 2006 vision for the future tas% force recommended the establishment of an
independent guidance oversight