Internal Auditing: Assurance & Advisory Services
4th edition
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
COMMUNICATING ASSURANCE ENGAGEMENT OUTCOMES AND PERFORMING FOLLOW-UP PROCEDURES
Chapter 14
Learning objectives
Understand why it is appropriate and necessary to communicate assurance engagement outcomes.
Identify the different forms of assurance engagement communications.
Identify the steps involved in creating an effective assurance engagement communication.
Understand the distribution process for effectively communicating assurance engagement outcomes.
Understand what is involved in effective monitoring of, and follow-up on, assurance engagement outcomes.
Standards Relevant to COMMUNICATING ASSURANCE ENGAGEMENT OUTCOMES AND PERFORMING FOLLOW-UP PROCEDURES
The assurance engagement process – Communicating
The Communicating phase includes five steps:
Perform observation evaluation and escalation,
Conduct interim and preliminary engagement communications,
Develop final engagement communications,
Distribute formal and informal final communications, and
Perform monitoring and follow-up procedures.
The assurance engagement process – Communicating (Phase III)
ENGAGEMENT COMMUNICATION OBLIGATIONS
Communications often involve reporting on the design adequacy and operating effectiveness of controls.
The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control – Integrated Framework (Framework) is useful when studying the engagement communication process.
When an assurance engagement’s scope is intended to assess or evaluate controls related to matters more narrowly focused than an overall assessment of controls of a business process or area, such as accuracy of account balances, compliance with certain regulations or operating policies and procedures, or the achievement of specific business objectives, the corresponding engagement communications will focus on, and provide management with, independent feedback on the internal audit function’s results of assessing such matters.
ENGAGEMENT COMMUNICATION OBLIGATIONS (cont’d)
According to IIA Standard 2060, the CAE has the responsibility to report periodically to senior management and the board on the internal audit activity’s:
Authority
Responsibility
Performance relative to its plan
Conformance with the Standards
Significant risk and control issues
Fraud risks
Governance issues
Any other matters that require the attention of senior management and/or the board
The CAE evidences the completion of these professional responsibilities by periodically reporting, among other things, the results of assurance engagements to senior management and the audit committee during routinely scheduled meetings throughout the year.
ENGAGEMENT COMMUNICATION OBLIGATIONS (cont’d)
Communication is an integral part of any assurance engagement and occurs throughout the engagement process.
Results are communicated in various ways, including memoranda, outlines, discussions, and draft working papers. In conjunction with concluding an engagement, final results are communicated to affected parties.
The final engagement communication is often referred to as an “audit report” and is the formal way an internal audit function communicates the results of an engagement to management and other appropriate parties relying on the engagement outcomes.
During the engagement, the internal audit function tests controls to ensure that they are designed adequately and are operating effectively to meet specific control assertions (objectives).
ENGAGEMENT COMMUNICATION OBLIGATIONS (cont’d)
An observation is indicated if, during testing, the internal audit function concludes that any of the controls identified in the engagement are not designed adequately or operating effectively (as intended).
Once an observation is identified, however, there are several steps the internal audit function must go through to determine what impact, if any, the observation has on the internal audit function’s evaluation of whether the related controls are designed adequately and operating effectively.
Even if no observations are identified in an engagement, a formal, final communication is still necessary to indicate this fact and to fully discharge the internal audit function’s obligations under the Standards.
Assessing Management’s Assertions
Exhibit 14-3 describes fundamental control assertions and financial statement assertions.
Observation Evaluation and Escalation Process
The internal audit function is able to determine the communication obligations indicated by the identified observations by progressing through a series of steps that allow them to evaluate factors affecting each individual observation relative to its impact, likelihood, classification, and the way it affects the mitigation of risk.
Exhibit 14-4 illustrates this complex process and shows the various combinations of judgments that the internal audit function will encounter when determining the appropriate escalation and form of assurance engagement communication.
Assess impact and likelihood
After each observation has been through the observation and escalation process, the observations will be aggregated and assessed for impact and likelihood.
Exhibit 14-5 provides a visual depiction of the relationship and interdependency of impact and likelihood.
Observation Evaluation and Escalation Process
Often, the risk tolerance parameters take into consideration planning materiality of the independent outside auditor, simplifying the observation assessment process and allowing the relevant terms and definitions to be consistently applied to controls related to operations, compliance, and nonfinancial reporting in addition to internal control over financial reporting and disclosure controls and procedures.
Exhibit 14-6 provides an example of risk prioritization financial metrics, while exhibit 14-7 illustrates the observation evaluation criteria, including an example of tolerable error and independent outside auditor planning materiality calculation.
Evaluating Severity and Likelihood
Observation assessment
Conclusions reached can be documented in working paper templates or checklists similar to the one in Exhibit 14-8.
Books R Us
Example 1
Books R Us
Example 2
CONDUCT INTERIM AND PRELIMINARY ENGAGEMENT COMMUNICATIONS
The internal audit function communicates with the key individuals in the area subject to audit via email and in face-to-face meetings or on conference calls throughout the engagement:
To discuss observations as they are identified
To make sure the facts are accurate
To initiate dialogue regarding the best method of remediation
To bring attention, in a timely manner, to observations calling for immediate attention
To finalize the observations that will ultimately go into the final communication and to formalize management’s action plan
To confirm preliminary facts and conclusions with appropriate management representatives
DEVELOP FINAL ENGAGEMENT COMMUNICATIONS
The final assurance engagement communication:
Communicates timely, pertinent information to management concerning deficiencies in controls (lack of design adequacy or operating effectiveness), strengths in controls, opportunities to maximize resource utilization or reduce costs, and areas for increased productivity or efficiency,
Documents the scope, conclusion, observations, recommendations, and resulting management action plans of an assurance engagement,
Communicates timely, pertinent information to the audit committee and other non-auditee users (for example, external auditors),
Evidences the internal audit function’s independent assessment of the area’s controls,
Serves as the internal audit function’s permanent record of the work performed, and
Is the formal way an internal audit function discharges its professional communication obligation under the Standards.
DEVELOP FINAL ENGAGEMENT COMMUNICATIONS (cont’d)
A well-designed final communication should include:
Purpose and scope of the engagement,
Time frame covered by the engagement,
Observations and recommendations,
Engagement conclusions and rating (if applicable), and
Management’s action plan to appropriately address reported observations (if applicable).
FINAL ENGAGEMENT COMMUNICATION Example
FINAL ENGAGEMENT COMMUNICATION Example – Management discussion
DISTRIBUTE FORMAL AND INFORMAL FINAL COMMUNICATIONS
Final communications:
Must be reviewed and approved by the CAE or designee prior to distribution
Must be distributed to all appropriate parties, including the management of the audited activity and members of the organization who can ensure appropriate action is taken
Must be summarized in a communication to executive management when warranted
Must be distributed to other interested or affected parties, for example, external auditors and the board as indicated by the internal audit charter
Quality of Communications
Standard 2420: Quality of Communications states “communications must be accurate, objective, clear, concise, constructive, complete, and timely.” The interpretation to Standard 2420 defines these terms.
Accurate communications are free from errors and distortions and are faithful to the underlying facts.
Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.
Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.
Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness.
Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed.
Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.
Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.
Errors and Omissions
Standard 2421 Errors and Omissions: “If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.”
An error is defined as an unintentional misstatement or omission of significant information in the final engagement communication.
PERFORMING MONITORING AND FOLLOW-UP
The CAE is instructed by the Standards to “establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action” (Standard 2500.A1).
Follow-up timing depends on the importance (insignificant, significant, or material) of the observation
Follow-up is sooner and more frequent for more significant observations
Follow-up includes confirming that the corrective action has been implemented and performing appropriate retesting procedures to ensure the applicable risk is mitigated