Our final article explores Domain V of the IIA’s Global Internal Audit Standards (GIAS): Performing Internal Audit Services. This concludes our series on the five domains in the proposed Standards, which are open for public comment until May 30, 2023. Domain V discusses planning and conducting engagements, developing findings, recommendations and conclusions, and communicating those items to the client. This domain is primarily directed at the Internal Auditor performing the engagement but does include areas involving the Chief Audit Executive (CAE). Three principles encompassing fourteen standards describe three distinct phases in any given engagement: planning, executing, and communicating the results of the audit using a systematic and disciplined approach.
Principle 13: Plan Engagements Effectively
Principle 13 provides standards for planning the engagement with a new emphasis on effective communication throughout the engagement. The planning standards include:
13.1 Engagement Communication
The communications required for an engagement cover four phases: initial, ongoing, closing, and final. The initial engagement communications should include the engagement announcement and discussions of the risk assessment, objectives, scope, timing and ongoing communication expectations. They should also include requests for required information and resources to set auditees’ expectations of resource commitment. Ongoing communications should include control issues and changes to the objectives, timing, or scope of the engagement. Closing communications include scope limitations, findings, recommendations, and conclusions. The final communications add management’s response, action plans, timing to address findings, and both sides of any unresolved disagreements between the auditors and management with the reason for disagreement.
13.2 Risk Assessment
Internal auditors are required to gain an understanding of the activity under review. They must have sufficient understanding to assess the relevant risks and define informed risk-based objectives based upon the organization’s risk tolerance. The risk assessment should define the impact and likelihood of the risks.
13.3 Objectives and Scope
The objectives and scope of the engagement must be established with the risk assessment in mind, with emphasis on significant and fraud-related risks. The plan must include measurable evaluation criteria.
13.4 Evaluation Criteria
The evaluation criteria must be measurable and cover all objectives and scopes of the audit.
13.5 Resource Allocation
Resource allocation takes into consideration the allotted budget, as well as a project plan, which defines the resources required for successful completion of the audit.
Principle 14: Conduct Engagement Work
Principle 14 covers the Internal Auditor’s journey from gathering information to developing the engagement conclusion. The standards continue to emphasize the need to obtain relevant, reliable, and sufficient evidence, and to be able to discern when any of these aspects are missing. The new standards add an emphasis on analysis, evaluation, and documentation of the evidence to identify gaps. The auditor must evaluate each gap to identify a root cause, determine effects, and evaluate its significance. The audit standard continues to require documentation to the level that “an informed, prudent internal auditor, or similarly informed and competent person, could repeat the work and derive the same findings, recommendations, and conclusions.”
The auditor should rate and rank findings to provide an indication of their priority. An engagement conclusion should then be completed, which zooms out from individual findings and looks at the engagement findings collectively relative to the engagement objectives and scope.
Principle 15: Communicate Engagement Conclusions and Monitoring Action Plans
A final communication should be drafted which includes the engagement’s objectives, scope, and conclusions as well as agreed-upon action plans and recommendations. There are a number of additional requirements for a final communication, which include:
This is a collective view of the overall significance of the audit findings. The collective rating is based upon the ratings and rankings of the individual findings. If it is an assurance engagement, it must include Internal Audit’s judgement of the governance, risk management, and/or control over the activities included in the scope of the engagement.
Conformance with the Standards
A statement that the engagement was performed in accordance with GIAS if the internal auditors followed the Standards and the results of the most recent quality assurance and improvement program support this statement. If the engagement was not conducted in conformance with the Standards, the auditor must disclose details about nonconformance and the impact on the findings and conclusions.
The performance standards have been enhanced and provide additional details and guidance. The new standards bring an additional level of accountability to Internal Audit functions.
For more information regarding our internal audit experience, be sure to visit our Internal Audit Services page and don’t hesitate to reach out to a member of our internal audit team, such as Elaine Nissley.