Domain V: Performing internal audit services
Aug 26, 2024 · Authored by Ashley Deihr, Michael Brennan
The updated Global Internal Audit Standards (the Standards), released by the Institute of Internal Auditors (IIA) on Jan. 9, 2024, are set to take effect in January 2025. As we’ve explored notable changes and likely impacts within the Standards, our Baker Tilly internal audit specialists have produced several insights diving deep into each domain:
- Domain I (competency, independence and objectivity) and Domain II (ethics and professionalism)
- Domain III (greater expectations on board governance)
- Domain IV (managing the internal audit)
Below, we take a similar approach to Domain V: Performing internal audit services—which focuses extensively on internal audit engagement and communication.
The Standards, along with the methodologies established by the chief audit executive (CAE), form the foundation of internal audit’s engagement planning. Communicating at all stages of the engagement is the responsibility of internal audit.
Planning starts with understanding both the expectations for the engagement and why the activity was included in the internal audit plan. It also requires an assessment of the risks relevant to the activity. Internal audit uses the engagement risk assessment to:
- determine engagement objectives and scope
- identify resources needed to perform the engagement, and
- develop the work program.
What’s new/different in principle 13:
- Communication throughout the internal audit project has always been a critical part of the process. However, the new Standards stipulate that changes to objectives, scope and timing of the engagement must be communicated to management of the activity under review in a timely manner (Standard 13.1: Engagement Communication). The Standards acknowledge that communications may be formal, informal, written or oral.
- Performing an engagement risk assessment is clearly required by the new Standards. Further, the Standards state that the audit team should consider changes to the engagement area’s risks—especially since the audit plan was developed—as a best practice. The Standards also suggest prioritizing risk by significance, which can be illustrated through an engagement heat map (Standard 13.2: Engagement Risk Assessment).
- The new Standards provide guidance around both the types of scope limitations and, if resolution cannot be achieved, reporting to the board according to a methodology that internal audit has established. The Standards also make it clear that the CAE must approve the engagement objectives, scope and any changes that occur during the engagement (Standard 13.3: Engagement Objectives and Scope).
- The use of “evaluation criteria”, as described in Standard 13.4 (Evaluation Criteria), is not a new concept. The application of the evaluation criteria, however, is different. The requirements note that if the criteria are inadequate, internal audit must identify appropriate criteria through discussion with the board and/or senior management. In the considerations for implementation, the need for adequate criteria is noted as essential for identifying potential findings, determining their significance and reaching meaningful conclusions. They further note that internal audit should research recommended practices and compare management practices to criteria used by other organizations. If management's criteria are deemed inadequate, internal audit may recommend using the criteria identified by internal audit (which may lead to the assurance engagement becoming an advisory service).
- Standard 13.5 (Engagement Resources) is interesting in how it interacts with the engagement objectives and scope Standard. In the engagement resources Standard, the requirements indicate that if available resources are inappropriate or insufficient, internal auditors must discuss concerns with the CAE to obtain resources. In the considerations for implementation section, it references back to the objectives and scope Standard and indicates that if the engagement’s objectives cannot be achieved, then the engagement resource concern needs to be escalated to the CAE, who is responsible for discussing with senior management/board and could lead to changes in the engagement scope.
- Similar to other Standards, Standard 13.6 (Work Program) indicates that the CAE must review and approve the initial engagement work program and promptly review and approve when subsequent changes are made. Making sure the CAE has an “approval process” in place for the various standards that reference the “CAE must review and approve” is an area that may require some process changes/updates.
To implement the engagement work program (Standard 13.6), internal auditors gather information and perform analyses and evaluations to produce evidence (documentation). The work program/evidence enable internal auditors to:
- Provide assurance and identify potential findings
- Determine the causes, effects and significance of the findings
- Develop recommendations/obtain management action plans
- Develop conclusions
What’s new/different in principle 14:
- In Standard 14.1 (Gathering Information for Analyses and Evaluation), we gather information for analyses and evaluation, and in Standard 14.2 (Analyses and Potential Engagement Findings), the information we gathered is evaluated for potential engagement findings. The new Standards introduce what could be a new “term” to some internal auditors—condition. Condition is the existing state of the activity under review and is compared to the criteria to determine if there is a potential engagement finding. The new Standards also reinforce that if additional procedures are required, the work program must be updated and approved by the CAE (Standard 13.6: Work Program).
- When evaluating findings, the Standards require a determination of the root cause (when possible) of the finding and the consideration for implementation includes a discussion on performing a root cause analysis (Standard 14.3: Evaluation of Findings).
- If management disagrees with engagement recommendations or action plans, internal audit should have an established methodology to allow both parties to express their positions and rationale and to determine a resolution (Standard 14.4: Recommendations and Action Plans).
- Requirements for engagement conclusions, under Standard 15.1 (Final Engagement Communication), note that assurance engagement conclusions must include the internal auditors’ judgment regarding the effectiveness of the governance, risk management and/or control processes of the activity under review—including an acknowledgement of when processes are effective. The considerations for implementation for this Standard indicate that internal audit “may” have a rating scale, and the examples of evidence of conformance provide the example that a conclusion statement be in the final communication. Therefore, while a rating scale is a suggested method, it is not required. The requirement is to have a work paper showing the basis for the auditors' conclusion and an overall conclusion statement in the final communication to meet the Standards (Standard 14.5: Engagement Conclusions).
- Standard 14.6 (Engagement Documentation) also indicates that the CAE must review and approve the engagement documentation. In small internal audit departments, the CAE might review engagement documentation themselves, but in larger organizations various levels can perform the review function. Conformance is expected to be evidenced through work papers documented in accordance with an established methodology and results of internal quality assessment reviews validating conformance with work paper and supervision policies.
- While the CAE may delegate appropriate responsibility to other qualified professionals in the internal audit function, the new Standards indicate that ultimate accountability remains with the CAE (Domain IV: Managing the Internal Audit Function). One question is, when the Standards use the wording “the CAE must”, to what extent can that requirement be delegated, and if delegation is expected, why do the Standards include the strong “must” wording? One possible explanation is that the purpose is to require the CAE to formally delegate the responsibility.
Internal auditors are responsible for communicating engagement results to management and for confirming to management that action plans are implemented.
What’s new/different in principle 15:
- The Standards continue the theme that the final communication for assurance engagements must include the engagement findings and their significance and prioritization—as well as a conclusion regarding the effectiveness of the governance, risk management and control processes. One question is whether each finding requires a note on its prioritization and significance, or whether having a sentence before the findings, stating that the findings are in order of significance and priority, would be sufficient (Standard 15.1: Final Engagement Communication).
- The new Standards indicate that if the engagement is not conducted in conformance with the Standards, the final engagement communication must disclose the details about the nonconformance (Standard 15.1: Final Engagement Communication).
- Standard 15.2 (Confirming the Implementation of Recommendations or Action Plans) indicates that internal audit must confirm management has implemented agreed-upon management action plans. The new Standard also indicates that internal audit’s follow-up methodology must include inquiring about progress on the implementation while performing “follow-up assessments using a risk-based approach,” likely based on the significance and prioritization of the findings as discussed above. Furthermore, the Standard indicates that the extent of these procedures must consider the significance of the finding (e.g., inquiry for lower risk findings and re-testing for higher risk findings).
The bottom line
Timely and proactive communication has always been central to the Standards. Domain V of the newly released Standards, however, establishes expectations for the planning, execution and reporting of audits and advisory reviews (including evidence for the basis of conclusions and support for approval of changes), heightens communication requirements and emphasizes the roles and expectations of the CAE.
Explore more details on these Standards from The Institute of Internal Auditors.