_____________________ CREDIT UNION
QUALITY ASSURANCE SELF-REVIEW
ASSESSMENT QUESTIONNAIRE
DEFINITIONS
1. “Chief Audit Executive” (CAE): The individual who is ultimately responsible for
carrying out the internal audit activity.
2. “Internal Audit”: The internal auditor, internal audit activity or the collective group
of internal audit personnel, depending upon context.
3. “Board”: The Supervisory Committee, Audit Committee, or other body that
ultimately governs the internal audit activity.
INSTRUCTIONS
1. Survey selected auditees to obtain their views on authority and qualifications of
the auditors, adequacy of coverage, usefulness of reports, etc. Make
adjustments to Internal Audit practices as necessary.
2. Meet with the member of management to whom the CAE administratively
reports to gain insight into expectations of and the direction provided to Internal
Audit. Make adjustments to Internal Audit practices as necessary.
3. Complete the Self-Assessment Workpaper Review Checklist for a selection of
audits. Make adjustments to Internal Audit practices as necessary.
4. Complete the assessment questionnaire. Questions are structured so that a “yes”
response indicates conformance with the Standards and Practice Advisories. For
items with “no” answers, either adjust Internal Audit practices as necessary or be
prepared to discuss compensating factors with the QAR reviewer.
Page 1 of 38
Document1
ASSESSMENT QUESTIONNAIRE
The specific Standard (STD), Interpretation (INT) or Practice Advisory (PA) applicable to each
item is indicated in brackets.
1. Attribute Standard 1000, “Purpose, Authority, and Responsibility”
Yes / No / N/A
a. Is the purpose, authority and responsibility of Internal Audit formally
defined in an internal audit charter? [STD 1000]
b. Is the purpose, authority and responsibility consistent with the Definition
of Internal Auditing, the Code of Ethics, and the Standards? [STD 1000]
c. Does the CAE periodically review the charter and present it to senior
management and the Board for approval? [STD 1000]
d. Is the nature of assurance and consulting services defined in the
charter? [STD 1000.A1]
e. If assurances are provided to third parties, is the nature of these
assurances defined in the charter? [STD 1000.A1]
f. Does the charter establish
• Internal Audit’s position in the CU
• nature of the CAE’s functional reporting relationship with the Board?
[INT 1000]
g. Does the charter authorize access to
• records
• personnel
• physical properties
relevant to audit performance? [INT 1000]
h. Does the charter define the scope of Internal Audit activities? [INT 1000]
i. Does final approval of the charter reside with the Board? [INT 1000]
j. Does the CAE periodically assess whether Internal Audit’s purpose,
authority and responsibility, as defined in the charter, continue to enable
Internal Audit to accomplish its objectives? [PA 1000-1 #2]
2. Determine compliance with Attribute Standard 1010 “Recognition of
the Definition of Internal Auditing, the Code of Ethics and the
Standards in the Internal Audit Charter”:
a. Does the charter recognize the mandatory nature of the Definition of
Internal Auditing, the Code of Ethics and the Standards? [STD 1010]
b. Does the CAE discuss the Definition, the Code and the Standards with
senior management and the Board? [STD 1010]
3. Determine conformance with Attribute Standard 1100 “Independence
and Objectivity”:
a. Is Internal Audit independent and objective in performing their work?
[STD 1100]
b. Is Internal Audit free from conditions that threaten Internal Audit’s ability
to carry out Internal Audit’s responsibilities in an unbiased manner? [INT
1100]
c. Does the CAE have direct and unrestricted access to senior
management and the Board? [INT 1100]
d. Is there an unbiased mental attitude that allows Internal Audit to perform
audits in such a manner that they believe in their work product and that
no quality compromises are made? [INT 1100]
e. Does Internal Audit not subordinate its judgment on audit matters to
others? [STD 1100]
f. Are threats to independence and objectivity managed at the individual
auditor, audit, functional and Credit Union levels? [INT 1100]
4. Determine conformance with Attribute Standard 1110, “Organizational
Independence”:
a. Does the CAE report to a level within the Credit Union that allows
Internal Audit to fulfill its responsibilities? [STD 1110]
b. Does the CAE confirm to the Board, at least annually, the
organizational independence of Internal Audit? [STD 1110]
c. Does the Board approve the charter and risk based audit plan? [INT
1110]
d. Does the CAE communicate with the Board on Internal Audit’s
performance relative to the audit plan? [INT 1110]
e. Does the Board approve decisions regarding the appointment and
removal of the CAE? [INT 1110]
f. Does the Board make appropriate inquiries of management and the
CAE to determine whether there are inappropriate scope or resource
limitations? [INT 1110]
g. Does support from senior management and the Board assist Internal
Audit in gaining the cooperation of audit clients and performing their
work free from interference? [PA 1110-1 #1]
h. If the CAE does not report to the Board, does the CAE report to an
individual in the Credit Union with sufficient authority to promote
independence and to ensure
• broad audit coverage
• adequate consideration of audit communications
• appropriate action on audit recommendations? [PA 1110-1 #2]
5. Determine conformance with Attribute Standard 1110.A1 “Free from
Interference”:
a. Is Internal Audit free from interference in determining the scope of
internal auditing, performing work and communicating results? [STD
1110.A1]
6. Determine conformance with Attribute Standard 1111 “Direct
Interaction With the Board”:
a. Does the CAE communicate and interact directly with the Board? [STD
1111]
b. Does the CAE regularly attend and participate in Board meetings that
relate to the Board’s oversight for auditing, financial reporting,
governance and control OR does the CAE meet privately with the Board
at least annually? [PA 1111-1]
c. Is the CAE apprised of business and operational developments? [PA
1111-1 #1]
d. Does the CAE raise high-level risk, systems, procedures or control
issues at an early stage? [PA 1111-1 #1]
7. Determine conformance with Attribute Standard 1120, “Individual
Objectivity”:
a. Do Internal Auditors have an impartial, unbiased attitude and avoid any
conflict of interest? [STD 1120]
b. Do Internal Auditors NOT have competing professional or personal
interests that make it difficult to fulfill duties impartially? [INT 1120]
c. Are there NOT any appearances of impropriety that can undermine
confidence in Internal Audit and the profession? [INT 1120]
d. Are Internal Auditors not placed in situations that could impair their
ability to make objective professional judgments? [PA 1120-1 #1]
e. Does the CAE organize staff assignments that prevent potential and
actual conflict of interest and bias, periodically obtaining information
from the staff concerning potential conflict of interest, and rotating
Internal Audit staff assignments periodically? [PA 1120-1 #2]
f. Are Internal Audit work results reviewed before audit communications are
released to provide reasonable assurance that the work was performed
objectively? [PA 1120-1 #3]
g. Does the Internal Auditor avoid designing, installing, or drafting
procedures for operating systems? [PA 1120-1 #4]
h. If the Internal Auditor performs non-audit work occasionally, is there full
disclosure in the reporting process? [PA 1120-1 #5]
i. If the Internal Auditor performs non-audit work occasionally, is there
careful consideration by management and the Internal Auditor to avoid
adversely affecting the Internal Auditor’s objectivity? [PA 1120-1 #5]
8. Determine conformance with Attribute Standard 1130, “Impairment to
Independence or Objectivity”:
a. If independence or objectivity is impaired in fact or appearance, are the
details of the impairment disclosed to appropriate parties? [STD 1130]
b. Are Internal Auditors required to disclose:
• personal conflict of interest
• scope limitations
• resource limitations? [INT 1130]
c. Are Internal Auditors given unrestricted access to:
• records
• personnel
• properties? [INT 1130]
d. Do Internal Auditors report to the CAE any situations in which an actual
or potential impairment to independence or objectivity may reasonably
be inferred? [PA 1130-1 #1]
e. Do Internal Auditors report to the CAE if they have questions about
whether a situation constitutes an impairment to objectivity or
independence? [PA 1130-1 #1]
f. Are scope limitations evaluated to determine if they preclude Internal
Audit from accomplishing its objectives and plans? [PA 1130-1 #2]
g. Are scope limitations and the potential effects communicated in writing
to the Board? [PA 1130-1 #3]
h. Do Internal Auditors decline fees, gifts or entertainment from
employees, members, vendors or business associates that may create
the appearance that the Auditor’s objectivity has been impaired? [PA
1130-1 #4]
i. Do Internal Auditors report immediately the offer of all material fees or
gifts to their supervisors? [PA 1130-1 #4]
j. Are persons who are transferred to, or temporarily engaged by, Internal
Audit not assigned to audit activities they previously performed or for
which they had management responsibility until at least 1 year has
elapsed? [PA 1130.A1-1]
k. Do Internal Auditors refrain from accepting responsibility for non-audit
functions or duties that are subject to periodic Internal Audit
assessments? [PA 1130.A2-1 #1]
9. Determine conformance with Attribute Standard 1130.A1, “Assessing
Operations for Which Internal Auditors Were Previously
Responsible”:
a. Does Internal Audit refrain from assessing specific operations for which
they were previously responsible? [STD 1130.A1-1]
b. Does Internal Audit NOT provide assurance services for an activity for
which the auditor had responsibility within the previous year? [1130.A1-1]
10. Determine conformance with Attribute Standard 1130.A2, “Internal
Audit’s Responsibility for Other (Non-audit) Functions”
a. Are assurance audits for which the CAE has responsibility overseen by
a party outside of Internal Audit? [STD 1130.A2]
b. When Internal Audit accepts operational responsibilities and that
operation is part of the Internal Audit plan, does the CAE use a
contracted third party to complete audits of those areas reporting to the
CAE? [PA 1130.A2-1 #4]
c. Are Internal Audit’s operational responsibilities disclosed in the related
audit report of those areas reporting to the CAE and in Internal Audit’s
standard Board communication? [PA 1130.A2-1 #5]
11. Determine conformance with Attribute Standard 1200, “Proficiency
and Due Professional Care”:
a. Are audits performed with proficiency and due professional care? [STD
1200]
b. Does the CAE ensure that auditors assigned to each audit collectively
possess the necessary knowledge, skills and other competencies to
conduct the audit appropriately? [PA 1200-1, #1]
c. Do Internal Auditors conform with the Code of Ethics, the Credit Union’s
code of conduct and codes of conduct for other professional
designations held by the Internal Auditor? [PA 1200-1, #2]
12. Determine conformance with Attribute Standard 1210, “Proficiency”:
a. Do Internal Auditors possess the knowledge, skills and other
competencies needed to perform their individual responsibilities? [STD
1210]
b. Does Internal Audit collectively possess or obtain the knowledge, skills
and other competencies needed to perform its responsibilities? [STD
1210]
c. Do Internal Auditors demonstrate their proficiency by obtaining
appropriate professional certifications and qualifications? [INT 1210]
d. Are Internal Auditors proficient in applying internal audit standards,
procedures, and techniques in performing audits? [PA 1210-1 #1]
e. Are Internal Auditors proficient in accounting principles and techniques if
internal auditors work extensively with financial records and reports?
[PA 1210-1 #1]
f. Do Internal Auditors have an understanding of management principles
to recognize and evaluate the materiality and significance of deviations
from good business practice? [PA 1210-1 #1]
g. Do Internal Auditors have an appreciation of the fundamentals of
business subjects such as accounting, economics, commercial law,
finance, quantitative methods, risk management, and fraud? [PA 1210-1
#1]
h. Are Internal Auditors skilled in dealing with people, understanding
human relations and maintaining satisfactory relationships with audit
clients? [PA 1210-1 #1]
i. Are Internal Auditors skilled in oral and written communications and able
to clearly and effectively convey audit objectives, evaluations,
conclusions and recommendations? [PA 1210-1 #1]
j. Has the CAE established suitable criteria of education and experience
for filling internal audit positions? [PA 1210-1 #2]
k. Has the CAE obtained reasonable assurance as to each prospective
auditor’s qualifications and proficiency? [PA 1210-1 #2]
l. Is there an annual analysis of Internal Audit’s knowledge, skills and
other competencies? [PA 1210-1 #3]
13. Determine conformance with Attribute Standard 1210.A1 “Obtaining
External Service Providers to Support or Complement Internal Audit”
a. Does the CAE obtain competent advice and assistance if the Internal
Auditors lack the knowledge, skills or other competencies needed to
perform all or part of an audit? [STD 1210.A1]
b. When the CAE uses the work of an external service provider, does the
CAE perform appropriate vendor due diligence? [PA 1210.A1-1 #s4,5]
c. Does vendor due diligence include assessing the relationship of the
vendor to the Credit Union and to Internal Audit to ensure independence
and objectivity? [PA 1210.A1-1 #6]
d. If the vendor is the Credit Union’s CPA firm and the nature of the service
is extended audit services, does the CAE determine that work
performed does not impair the CPA firm’s independence? [PA 1210.A1-1 #8]
e. Does the CAE obtain proposals, engagement letters or contracts with
sufficient information regarding the scope of the vendor’s work? [PA
1210.A1-1 #9]
14. Determine conformance with Attribute Standard 1210.A2 “Fraud
Knowledge”
a. Do Internal Auditors have sufficient knowledge to evaluate the risk of
fraud and the manner in which fraud is managed by the Credit Union?
[STD 1210.A2]
15. Determine conformance with Attribute Standard 1210.A3 “Technology
Knowledge”
a. Do Internal Auditors have sufficient knowledge of key information
technology risks and controls? [STD 1210.A3]
b. Do Internal Auditors have available technology-based audit techniques
to perform their assigned work? [STD 1210.A3]
16. Determine conformance with Attribute Standard 1220, “Due
Professional Care”:
a. Do Internal Auditors apply the care and skill expected of a reasonably
prudent and competent internal auditor? [STD 1220]
b. Are Internal Auditors alert to the possibility of
• fraud
• intentional wrongdoing
• errors and omissions
• inefficiency
• waste
• ineffectiveness
• irregularities
• conflicts of interest? [PA 1220-1 #1]
c. Do Internal Auditors identify inadequate controls and recommend
improvements to promote conformance with procedures? [PA 1220-1
#1]
d. Do Internal Auditors conduct examinations and verifications to a
reasonable extent? [PA 1220-1 #2]
e. Do Internal Auditors NOT give absolute assurance that noncompliance
or irregularities do not exist? [PA 1220-1 #2]
17. Determine conformance with Attribute Standard 1220.A1 “Due
Professional Care Considerations”:
a. Do Internal Auditors consider
• the extent of work needed to achieve audit objectives
• the complexity, materiality or significance of matters to which audit
procedures are applied? [STD 1220.A1]
b. Do Internal Auditors consider the adequacy and effectiveness of
governance, risk management and control processes? [STD 1220.A1]
c. Do Internal Auditors consider the probability of significant errors, fraud
or noncompliance? [STD 1220.A1]
d. Do Internal Auditors consider the cost of the audit in relation to potential
benefits? [STD 1220.A1]
18. Determine Conformance with Attribute Standard 1220.A2
“Technology Based Audit”:
a. Do Internal Auditors consider the use of technology-based audit and
other data analysis techniques? [STD 1220.A2]
19. Determine Conformance with Attribute Standard 1220.A3 “Significant
Risks”
a. Are Internal Auditors alert to significant risks that might affect objectives,
operations or resources? [STD 1220.A3]
20. Determine conformance with Attribute Standard 1230, “Continuing
Professional Development”:
a. Do Internal Auditors enhance their knowledge, skills and other
competencies through continuing professional development? [STD
1230]
b. Have Internal Auditors stayed informed about improvements and current
developments in internal audit standards, procedures, techniques and
guidance? [PA 1230-1 #1]
c. Have Internal auditors pursued continuing professional education
(related to the Credit Union’s activities and credit union industry) to
maintain proficiency with regard to the governance, risk and control
processes unique to the Credit Union? [PA 1230-1 #3]
d. Have Internal Auditors with professional certifications obtained sufficient
CPE to satisfy recertification requirements? [PA 1230-1 #5]
21. Determine conformance with Attribute Standards 1300 “Quality
Assurance and Improvement Program”:
a. Has the CAE developed and maintained a quality assurance and
improvement program (QA&IP) that covers all aspects of Internal Audit?
[STD 1300]
b. Is the QA&IP designed to enable an evaluation of Internal Audit’s
conformance with the Definition of Internal Auditing and the Standards
and an evaluation of whether internal auditors apply the Code of Ethics?
[INT 1300]
c. Does the QA&IP assess the efficiency and effectiveness of Internal
Audit and identify opportunities for improvement? [INT 1300]
d. Has the CAE implemented processes designed to provide reasonable
assurance to the various stakeholders that Internal Audit is adding value
and improving the Credit Union’s operations? [PA 1300-1 #2]
e. Is the QA&IP sufficiently comprehensive to encompass all aspects of
Internal Audit operation and management? [PA 1300-1 #3]
f. Is the QA&IP Process performed by or under the direct supervision of
the CAE? [PA 1300-1 #3]
22. Determine conformance with Attribute Standard 1310, “Requirements
of the QA&IP”
a. Does the QA&IP include both internal and external assessments? [STD
1310]
b. Is there an ongoing and periodic assessment of the entire work
performed by Internal Audit? [PA 1310-1 #1]
c. Are assessments composed of
• rigorous, comprehensive processes
• continuous supervision and testing of Internal Audit work
• periodic validations of conformance with the Definition, the Code and
the Standards? [PA 1310-1 #1]
d. Are there ongoing measurements and analyses of performance metrics
(e.g. plan accomplishment, cycle time, recommendations accepted,
customer satisfaction)? [PA 1310-1 #1]
e. If assessment results indicate areas for improvement by Internal Audit,
does the CAE implement the improvements through the QA&IP? [PA
1310-1 #1]
f. Do assessments evaluate and conclude on Internal Audit quality and
lead to recommendations for appropriate improvements? [PA 1310-1
#2]
g. Does the QA&IP include an evaluation of
• adequacy of the Internal Audit charter, goals, objectives, policies
and procedures
• contribution to the Credit Union’s governance, risk management,
and control processes
• effectiveness of continuous improvement activities and adoption of
best practices
• the extent to which Internal Audit adds value and improves the
Credit Union’s operations? [PA 1310-1 #2]
h. Do QA&IP efforts include follow-up on recommendations involving
appropriate and timely modification of resources, technology,
processes, and procedures? [PA 1310-1 #3]
i. Does the CAE report to senior management and the Board on the quality
program efforts and results at least annually? [PA 1310-1 #4]
23. Determine conformance with Attribute Standard 1311, “Internal
Assessments”:
a. Do internal assessments include
• ongoing performance monitoring
• periodic self-assessments or assessment by other persons in the
Credit Union with sufficient knowledge of Internal Audit practices?
[STD 1311]
b. Is ongoing monitoring an integral part of the day-to-day supervision,
review and measurement of Internal Audit? [INT 1311]
c. Is ongoing monitoring incorporated into the routine policies and
practices used to manage Internal Audit? [INT 1311]
d. Are periodic assessments conducted to evaluate conformance with the
Definition of Internal Auditing, the Code of Ethics, and the Standards?
[INT 1311]
e. Do persons conducting the self-assessment understand all the elements
of the International Professional Practices Framework? [INT 1311]
f. Does ongoing assessment include
• audit supervision
• checklists and procedures are being followed
• feedback from audit customers and other stakeholders
• selective peer reviews of workpapers by staff not involved in the
respective audits
• project, budgets, timekeeping systems, audit plan completion, cost
recoveries
• analysis of other performance metrics (e.g. cycle time,
recommendations accepted)? [PA 1311-1 #1]
g. Are conclusions developed as to the quality of ongoing performance and
is follow up action taken to ensure appropriate improvements are
implemented? [PA 1311-1 #2]
h. Has the CAE established a results reporting structure that maintains
appropriate credibility and objectivity? [PA 1311-1 #7]
i. Does the CAE report results of internal assessments, action plans, and
successful implementation to senior management and the Board at least
annually? [PA 1311-1 #8]
24. Determine conformance with Attribute Standard 1312, “External
Assessments”:
a. Are external assessments conducted at least once every 5 years by a
qualified, independent assessor or assessment team from outside the
Credit Union? [STD 1312]
b. Does the CAE discuss with the Board
• the form and frequency of external assessments
• the qualifications and independence of the external
assessor/assessment team, including any potential conflict of
interest? [STD 1312]
c. Is the external assessment in the form of a full-external assessment or a
self-assessment with independent validation? [STD 1312]
d. Did the assessor/assessment team demonstrate competence in
• internal auditing professional practice
• external assessment process? [INT]
e. Did the assessor/assessment team not have a real or apparent conflict
of interest and was not part of, or under the control of, the Credit Union?
[INT]
f. Do the external assessments cover the entire spectrum of audit and
consulting work and the QA&IP program? [PA 1312-1 #1]
g. Is the engagement NOT a reciprocal external assessment between the
Credit Union and another organization? [PA 1312-3 #1]
h. Do external assessments include benchmarking, identification and
reporting of leading practices? [PA 1312-1 #1]
i. Does the scope clearly state the expected deliverables of the external
assessment? [PA 1312-1 #1]
j. Is there an expressed opinion as to the entire spectrum of audit work
performed, conformance with the Framework; and recommendations for
improvement? [PA 1312-1 #2]
k. Upon completion of the review, is a formal communication given to
senior management and the Board? [PA 1312-1 #3]
l. Are external assessment reviewers free from any obligation to, or
interest in the Credit Union or Credit Union personnel? [PA 1312-1 #5]
m. Are external reviewers honest and candid within the constraints of
confidentiality; objective, impartial? [PA 1312-1 #6]
n. Are external reviewers competent, CIAs, who possess current, in-depth
knowledge of the Standards? [PA 1312-1 #7]
o. Are external reviewers well-versed in internal audit best practices and
have at least 3 years internal audit experience or related consulting at
the management level? [PA 1312-1 #7]
p. Does the CAE involve senior management and the Board in determining
the approach and selection of an external assessment provider? [PA
1312-1 #9]
q. Does the external assessment scope include the following internal
auditing elements
• conformance with the Framework, internal audit charter, plans,
policies, procedures and practices
• expectations expressed by the Board, senior management and
operational managers
• Internal Audit’s integration into the Credit Union’s governance
process and the relationship among the key governance groups
• Internal Audit tools and techniques
• mix of knowledge, experience and disciplines within Internal Audit
staff and staff focus on process improvement
• determination as to whether or not Internal Audit adds value and
improves the Credit Union’s operations? [PA 1312-1 #10]
r. Are the preliminary review results discussed with the CAE during, and at
the conclusion of the assessment? Are copies sent directly to
appropriate members of senior management and the Board? [PA 1312-1 #11]
s. Are final results communicated with the person who authorized the
review for the Credit Union? [PA 1312-1 #11]
t. Does the communication include
• an opinion on Internal Audit’s conformance with the Framework
based on a structured rating process
• an assessment and evaluation of best practices use
• recommendations for improvement
• response from the CAE that includes an action plan and
implementation dates? [PA 1312-1 #12]
u. Does the CAE communicate the assessment results, including specifics
of remedial actions for significant issues and subsequent information as
to the planned action accomplishments? [PA 1312-1 #13]
v. Does the CAE communicate the results with the various stakeholders of
the activity, such as senior management, the Board and external auditors? [PA
1312-1 #13]
25. For Self-Assessment with Independent Validation, determine
conformance with PA 1312-2
a. Was there a comprehensive and fully documented self-assessment
process, which emulates an external assessment process, at least with
respect to evaluation of conformance with the Framework? [PA 1312-2
#1]
b. Was there an independent, on-site validation by a qualified, independent
reviewer? [PA 1312-2 #1]
c. Was the same guidance and criteria set forth in PA 1312-1 followed for
the Self-Assessment with Independent Validation? [PA 1312-2 #3]
d. Did a team under the CAE’s direction perform and fully document the
self-assessment process? [PA 1312-2 #4]
e. Was a draft report similar to that for an external assessment, prepared
including the CAE’s judgment on Standards conformance? [PA 1312-2
#4]
f. Did the qualified, independent reviewer perform sufficient tests of the
self-assessment to validate the results and express the indicated level
of conformance? [PA 1312-2 #5]
g. Did the external reviewer, upon completion of a rigorous review of the
self-assessment evaluation, review the draft report and attempt to
reconcile any unresolved issues? [PA 1312-2 #6]
h. Did the external reviewer modify the report as needed, or prepare a
separate independent validation report? [PA 1312-1 #6]
i. Was the final report signed by the self-assessment team and the
external reviewer and issued by the CAE to senior management and the
Board? [PA 1312-2 #7]
26. Determine conformance with Attribute Standard 1320, “Reporting on
the Quality Program”:
a. Does the CAE communicate the results of the QA&IP to senior
management and the Board? [STD 1320]
b. Is the form, content and frequency of communicating the results of the
QA&IP established through discussion with senior management and the
Board? [INT]
c. Are the results of external and periodic internal assessments
communicated upon completion of the assessments, and ongoing
monitoring results communicated at least annually? [INT]
d. Do the results include the assessor’s evaluation with respect to the
degree of conformance? [INT]
27. Determine conformance with Attribute Standard 1321, “Use of
Conforms with the International Standards for the Professional
Practice of Internal Auditing”:
a. Does the CAE state that Internal Audit conforms with the Standards only
if results of the QA&IP support the statement? [STD 1321]
b. Does the CAE use the conformance phrase only if an external
assessment has been completed within 5 years, and ongoing and
periodic assessments have been conducted? [PA 1321-1 #2]
c. Does the CAE use the phrase only if assessments and monitoring
concluded that Internal Audit was in conformance? [PA 1321-1 #2]
d. Does the CAE disclose instances of nonconformance that impact
Internal Audit’s overall operation scope, including failure to obtain an
external assessment within 5 years, to senior management and the
Board? [PA 1321-1 #3]
e. Before the CAE uses the conformance phrase, are instances of nonconformance adequately remedied, documented, and reported to the
relevant reviewer to obtain concurrence? [PA 1321-1 #4]
28. Determine conformance with Attribute Standard 1322, “Disclosure of
Non-Conformance”:
a. Does the CAE disclose nonconformance and the impact to senior
management and the Board when the nonconformance impacts the
overall scope of operation of Internal Audit? [STD 1322]
29. Determine conformance with Performance Standard 2000, “Managing
Internal Audit”:
a. Does the CAE effectively manage Internal Audit to ensure it adds value
to the Credit Union? [STD 2000]
b. Do the results of Internal Audit’s work achieve the purpose and
responsibility included in the Internal Audit Charter? [INT]
c. Does Internal Audit provide objective and relevant assurance? [INT]
d. Does Internal Audit contribute to the effectiveness and efficiency of
governance, risk management and control processes? [INT]
30. Determine conformance with Performance Standard 2010, “Planning”:
a. Does the CAE establish a risk-based plan to determine Internal Audit
priorities, consistent with the Credit Union’s goals? [STD 2010]
b. Does the CAE take into account the Credit Union’s risk management
framework including using management’s risk appetite level for the
different CU activities? [INT]
c. If a framework does not exist, does the CAE use judgment of risks after
consideration of input from senior management and the board? [INT]
d. Does the CAE review and adjust the plan in response to changes in the
Credit Union’s business, risks, operations, programs, systems, and
controls? [INT]
31. Determine conformance with Performance Standard 2010.A1 “Risk
Assessment”
a. Is Internal Audit’s audit plan based on a documented risk assessment,
undertaken at least annually? [STD 2010.A1]
b. Did the CAE consider senior management and the Board’s input in
Internal Audit’s risk assessment? [STD 2010.A1]
c. Does the audit universe include components from the Credit Union’s
strategic plan? [PA 2010-1 #2]
d. Are key audit objectives to provide management and the Board with
assurance and information to help them accomplish the Credit Union’s
objectives, including an assessment of the effectiveness of
management’s risk management activities? [PA 2010-1 #3]
e. Is the audit universe updated at least annually to reflect the most current
strategies, Credit Union direction, operations, programs, systems, and
controls? [PA 2010-1 #4]
f. Are audit work schedules based on a risk assessment so that resources
are prioritized? [PA 2010-1 #5]
g. In audit planning, does Internal Audit consider the significant risks of the
activity and the controls to mitigate the risk to an acceptable level? [PA
2010-2 #5]
h. Does the Internal Audit Charter require a focus on high risk areas? [PA
2010-2 #10]
i. Does Internal Audit identify unnecessary, redundant, excessive or
complex controls that inefficiently reduce risk? [PA 2010-2 #10]
j. Is the approach to risk identification systematic and clearly
documented? [PA 2010-2 #11]
k. Is there a periodic selection of lower risk level audits in the plan to give
them coverage and confirm their risks have not changed? [PA 2010-2
#14]
l. Does the Internal Audit plan focus on
• unacceptable current risks where action is required
• control systems on which the Credit Union is most reliant
• areas where there is great difference between inherent and residual
risk
• areas where the inherent risk is very high? [PA 2010-02 #15]
32. Determine conformance with Performance Standard 2010.A2
“Expectations”
a. Did the CAE identify and consider the expectations of senior
management, the Board and other stakeholders for Internal Audit
opinions and other conclusions? [STD 2010.A2]
33. Determine conformance with Performance Standard 2020,
“Communication & Approval”:
a. Does the CAE communicate Internal Audit’s plans and resource
requirements/limitations, including significant interim changes, to senior
management and the Board for review and approval? [STD 2020]
b. Does the CAE communicate the impact of resource limitations? [STD
2020]
c. Does the CAE submit annually to senior management and the Board for
review and approval a summary of the Internal Audit plan, work
schedule, staffing plan, and financial budget? [PA 2020-1 #1]
d. Does the summary inform senior management and the Board of the
scope of Internal Audit work and any limitations placed on that scope
[PA 2020-1 #1]
e. Does the CAE submit all significant interim changes for approval and
information? [PA 2020-1 #1]
f. Do the approved work schedule, staffing plan, financial budget, and
interim changes contain sufficient information to enable senior
management and the Board to determine whether Internal Audit’s
objectives and plans support those of the Credit Union and the Board
and are consistent with the Internal Audit Charter? [PA 2020-1 #2]
34. Determine conformance with Performance Standard 2030, “Resource
Management”:
a. Does the CAE ensure Internal Audit resources are appropriate,
sufficient and effectively deployed to achieve the approved plan? [STD
2030]
b. Are the skills, capabilities and technical knowledge of Internal Audit staff
appropriate for the planned activities? [PA 2030-1 #2]
c. Does the CAE conduct a periodic skills assessment to determine
specific skills required to perform Internal Audit activities? [PA 2030-1
#2]
d. Are Internal Audit resources sufficient to execute the audit activities in
the breadth, depth, and timeliness expected by senior management and
the Board, as stated in the Internal Audit Charter? [PA 2030-1 #3]
e. Has the CAE considered succession planning, staff evaluations and
development programs and other HR disciplines? [PA 2030-1 #5]
f. Does the CAE maintain ongoing communications and dialog with senior
mgmt. and the Board on the adequacy of Internal Audit resources? [PA
2030-1 #6]
g. Has the CAE developed appropriate metrics, goals and objectives to
monitor the overall resource adequacy? [PA 2030-#6]
35. Determine conformance with Performance Standard 2040, “Policies &
Procedures”:
a. Has the CAE established policies and procedures to guide Internal
Audit? [STD 2040]
b. Are the policies and procedures appropriate for Internal Audit’s size,
structure, and complexity of its work? [STD 2040]
36. Determine conformance with Performance Standard 2050,
“Coordination”:
a. Does the CAE share information and coordinate activities with other
assurance and consulting services providers to ensure proper coverage
and minimize duplication of efforts? [STD 2050]
b. If the Credit Union uses the work of external auditors to provide
assurance related to activities within the scope of internal auditing, does
the CAE understand the work of the external auditors? [PA 2050-1 #2].
c. If the external auditor relies on Internal Audit’s work in performing their
work, does the CAE provide sufficient information to enable the external
auditors to understand Internal Audit’s techniques, methods and
terminology? [PA 2050-1 #3]
d. Are Internal Audit’s final communications, management’s responses and
subsequent follow-up made available to external auditors? [PA 2050-1
#6]
e. Does Internal Audit have access to the external auditors’ materials and
management letters? [PA 2050-1 #6]
f. Does the CAE regularly evaluate the coordination between internal and
external auditors? [PA 2050-1 #7]
g. Does Internal Audit consider areas of inadequate coverage when
developing the audit plan? [PA 2050-2 #9]
h. If the CAE believes that the assurance coverage is inadequate or
ineffective, does the CAE advise senior management and the Board?
[PA 2050-2 #13]
i. Does the Internal Audit charter and/or engagement letter specify that
Internal Audit has access to the work of providers? [PA 2050-3 #3]
j. Does Internal Audit document audit expectations in a contract or
agreement? [PA 2050-3 #4]
k. Do minimum expectations include
• nature and ownership of deliverables
• methods/techniques
• nature of procedures and data/information to be used
• progress reports/supervision? [PA 2050-3]
l. Does Internal Audit evaluate the provider’s
• independence and objectivity
• competency and qualifications
• elements of practice
• adequacy of execution
• sufficiency of audit evidence? [PA 2050-3 #6-#10]
m. Does Internal Audit incorporate the provider’s results in the overall
report of assurance to the Board? [PA 2050-3 #11]
n. Does Internal Audit follow-up the adequacy, effectiveness, and
timeliness of actions taken by management on recommendations? [PA
2020-3 #12]
37. Determine conformance with Performance Standard 2060, “Reporting
to Senior Management and the Board”:
a. Does the CAE report periodically to senior management and the Board
on Internal Audit’s purpose, authority, responsibility and performance
relative to its plan? [STD 2060]
b. Does reporting include significant risk exposures and control issues,
including
• fraud risks
• governance issues and
• other matters needed or requested by senior management and the
Board? [STD 2060]
c. Does the frequency and content of reporting depend on the importance
of the information to be communicated and the urgency of the related
actions to be taken by senior management or the Board? [INT]
38. Determine conformance with Performance Standard 2070 “External
Service Provider and CU Responsibility for Internal Auditing”:
a. When an external service provider serves as Internal Audit, does the
provider make the Credit Union aware that the Credit Union has the
responsibility for maintaining an effective internal audit activity? [STD
2070]
b. Is the Credit Union’s responsibility demonstrated through the QA&IP?
[INT]
39. Determine conformance with Performance Standard 2100, “Nature of
Work”:
a. Does Internal Audit evaluate and contribute to the improvement of
governance, risk management and control processes using a systematic
and disciplined approach? [STD 2100]
40. Determine conformance with Performance Standard 2110,
“Governance”:
a. Does Internal Audit assess and make appropriate recommendations for
improving the governance process? [STD 2100]
b. Does the CAE work with the Board and management to determine how
governance should be defined for audit purposes? [PA 2110-1 #6]
c. Does the CAE consider the relationship between governance, risk and
controls in planning assessments of governance processes? [PA 2110-2
#6]
d. Does Internal Audit provide assessments of the design and operating
effectiveness of the Credit Union’s governance processes? [PA 2110-03
#1]
e. Are governance processes considered in the risk assessment? [PA
2110-3 #3]
f. Does Internal Audit consider
• the results of specific governance process audits
• governance issues arising from non-governance audits
• results of other internal/external assurance providers
• adverse incidents indicating improvement opportunities? [PA 2110-3
#5]
g. Is Internal Audit sensitive to the potential nature and ramifications of the
results, and does it ensure appropriate communications with the Board and
executive management? [PA 2110-3 #6]
41. Determine conformance with Performance Standard 2110.A1 “Ethics
Evaluation”:
a. Does Internal Audit evaluate the design, implementation, and
effectiveness of the credit union’s ethics-related objectives, programs
and activities? [STD 2110.A1]
42. Determine conformance with Performance Standard 2110.A2 “IT
Governance”:
a. Does Internal Audit assess whether the Credit Union’s IT governance
supports the Credit Union’s strategies and objectives? [STD 2110.A2]
43. Determine conformance with Performance Standard 2120, “Risk
Management”:
a. Does Internal Audit evaluate the effectiveness and contribute to the
improvement of risk management processes? [STD 2120]
b. Does Internal Audit assess whether
• the Credit Union’s objectives support and align with the Credit
Union’s mission
• significant risks are identified and assessed
• appropriate risk responses are selected that align risks with the
Credit Union’s risk appetite
• relevant information is captured and communicated in a timely
manner across the Credit Union? [INT 2120]
c. If the Credit Union does not have a formal risk assessment process,
does the CAE formally discuss with management and the Board their
obligations to understand, manage, and monitor Credit Union risks? [PA
2120-1 #3]
d. Has the CAE obtained an understanding of senior management and the
Board’s expectations of Internal Audit in the Credit Union’s risk
management process? [PA 2120-1 #4]
e. Is this understanding codified in Internal Audit and Board charters? [PA
2120-1#4]
f. Are Internal Audit’s responsibilities coordinated between all groups and
individuals within the Credit Union’s risk management process? [PA
2120-1 #4]
g. If Internal Audit has taken on management’s responsibility for the risk
management process, have that role and the potential threat to
independence been discussed and approved by the Board? [PA 2120-1
#5]
h. Has Internal Audit determined that the methodology chosen is
sufficiently comprehensive and appropriate for the nature of the Credit
Union’s activities? [PA 2120-1 #7]
i. Has Internal Audit obtained sufficient and appropriate evidence to
determine that the key objectives of the risk management processes are
being met to form an opinion on the adequacy of the risk management
processes? [PA 2120-1 #8]
j. Has the CAE considered the risks related to Internal Audit and the
achievement of audit objectives? [PA 2120-2 #1]
k. Has Internal Audit ensured that it is managing its own risks? [PA 2120-2
#2]
l. Is the use of Internal Audit in assisting the Credit Union to identify and
evaluate significant exposures to risk clearly defined for projects other
than internal audits? [PA 2120-2 #7]
44. Determine conformance with Performance Standard 2120.A1,
“Evaluating Risk Exposures”:
a. Does Internal Audit evaluate risk exposures relating to the Credit
Union’s governance, operations and information systems regarding the
• achievement of Credit Union strategic objectives
• reliability and integrity of financial and operational information
• effectiveness and efficiency of operations and programs
• safeguarding of assets
• compliance with laws, regulations, policies, procedures and
contracts? [STD 2120.A1]
45. Determine conformance with Performance Standard 2120.A2, “Fraud
Risk”:
a. Does Internal Audit evaluate the potential for fraud and how the Credit
Union manages fraud risk? [STD 2120.A2]
46. Determine conformance with Performance Standard 2130, “Assessing
the Adequacy of Control Processes”:
a. Does Internal Audit assist the Credit Union in maintaining effective
controls by evaluating their effectiveness and efficiency and by
promoting continuous improvement? [STD 2130]
b. Does the CAE provide assurance about the effectiveness of the risk
management and control processes in select activities and functions of
the Credit Union? [PA 2130-1 #2]
c. Does the CAE form an overall opinion about the adequacy and
effectiveness of the control processes? [PA 2130-1 #3]
d. Is the CAE’s overall opinion based on sufficient audit evidence obtained
through completed audits, and reliance on the work of other assurance
providers? [PA 2130-1 #3]
e. Does the CAE communicate the overall opinion to senior management
and the Board? [PA 2130-1 #3]
f. Does the audit plan obtain sufficient evidence to evaluate the
effectiveness of the control processes? [PA 2130-1 # 4]
g. Does the audit plan obtain sufficient evidence about all major operating
units and business functions, and a review of the major control
processes operating across the Credit Union? [PA 2130-1 #4]
h. Does the audit plan give special consideration to those operations most
affected by recent or unexpected changes? [PA 2130-1 #5]
i. Does the audit plan have sufficient breadth of coverage to enable the
expression of an opinion about the Credit Union’s risk management and
control processes? [PA 2130-1 #7]
j. Does the CAE inform senior management and the Board of any gaps in
audit coverage that would prevent the expression of an opinion on all
aspects of the risk management and control processes? [PA 2130-1 #7]
k. In evaluating the overall effectiveness, does the CAE consider whether
• significant discrepancies or weaknesses were discovered
• corrections or improvements were made
• the discoveries and their potential consequences lead to a
conclusion that a pervasive condition exists resulting in an
unacceptable level of risk? [PA 2130-1 #9]
47. Determine conformance with Performance Standard 2130.A1
“Controls Response to Risk”:
a. Does Internal Audit evaluate the adequacy and effectiveness of controls
in responding to risks within the Credit Union’s governance, operations
and information systems regarding the
• achievement of the Credit Union’s strategic objectives
• reliability and integrity of financial and operational information
• effectiveness and efficiency of operations and programs
• safeguarding of assets
• compliance with laws, regulations, policies, procedures and
contracts? [STD 2130.A1]
b. Has Internal Audit determined whether senior management and the
Board have a clear understanding that information reliability and integrity
is a management responsibility? [PA 2130.A1 #1]
c. Does Internal Audit possess, or have access to, competent audit
resources to evaluate information reliability and integrity and associated
risk exposures? [PA 2130.A1-1 #2]
d. Does the CAE determine whether information reliability and integrity
breaches and conditions that might represent a Credit Union threat will
promptly be made known to senior management, the Board, and Internal
Audit? [PA 2130.A1-1 # 3]
e. Does Internal Audit assess the effectiveness of preventive, detective,
and mitigation measures against past attacks, and future attempts or
incidents deemed likely to occur? [PA 2130.A1-1 #4]
f. Does Internal Audit assess the Credit Union’s information reliability and
integrity practices, and recommend enhancements to, or implementation
of new controls and safeguards? [PA 2130.A1-1 #5]
g. Does Internal Audit assess the adequacy of management’s identification
of risks related to its privacy objectives and the adequacy of the controls
established to mitigate those risks to an acceptable level? [PA 2130.A1-2 #4]
h. Does Internal Audit identify the types and appropriateness of
personal/private information gathered by the Credit Union, the collection
methodology, and is the Credit Union’s use of the information in
accordance with its intended use and applicable legislation? [PA
2130.A1-2 #5]
i. Does Internal Audit have the appropriate knowledge and competence to
conduct an assessment of the Credit Union’s privacy framework risk and
controls? [PA 2130.A1-2 #6]
48. Determine conformance with Performance Standard 2200,
“Engagement Planning”:
a. Does Internal Audit develop and document a plan for each audit,
including the audit scope, timing, and resource allocations? [STD 2200]
b. Does Internal Audit plan and conduct the audit with supervisory review
and approval? [PA 2200-1 #1]
c. Does the Audit Plan
• state the objectives of the audit
• identify technical requirements, objectives, risks, processes and
transactions to be examined
• state nature and extent of testing required
• document procedures for collecting, analyzing, interpreting and
documenting information during the audit
• get modified, as appropriate, during the audit with the approval of the
CAE? [PA 2200-1 #1]
d. Does the CAE require a level of formality and documentation that is
appropriate to the Credit Union? [PA2200-1, #2].
e. Does Internal Audit determine
• period covered
• estimated completion date
• final communication format? [PA 2200-1 #3]
f. Does Internal Audit inform management, conduct meetings with
management responsible for the audited activity, summarize and
distribute discussion and conclusions from the meetings? [PA 2200-1
#4]
g. Does the CAE determine how, when and to whom the audit results will
be communicated? [PA 2200-1 #5]
h. Does Internal Audit communicate to management subsequent changes
that affect timing or reporting of audit results? [PA 2200-1 #5]
i. Is the scope definition based on the more significant risks to the Credit
Union? [PA 2200-2 #3]
j. Are both manual and automated controls assessed and does Internal
Audit assess whether there is an appropriate combination of controls?
[PA 2200-2 #4]
k. Does the scope include all controls required to provide reasonable
assurance that risks are effectively managed (key controls)? [PA 2200-2
#5]
l. Does Internal Audit discuss with management whether non-key controls
are required? [PA 2200-2 #5]
m. Does Internal Audit include in the scope of at least 1 audit an
assessment of the design of the key controls as a whole (across all the
related Internal Audit audits) and whether it is sufficient to manage risks
within Credit Union tolerances? [PA 2200-2 #10]
49. Determine conformance with Performance Standard 2201, “Planning
Considerations”:
a. In planning the audit, does Internal Audit consider
• Credit Union objectives and controls over the area’s performance
• significant risks to the activity and risk mitigation
• adequacy and effectiveness of the activity’s governance, risk
management, and control processes compared to a relevant
framework or model
• opportunities for making significant improvements to the activity’s
governance, risk management, and control processes? [STD 2201]
50. Determine conformance with Performance Standard 2201.A1, “Third-Party
Planning Considerations”:
a. When planning an audit for third parties, does Internal Audit establish
written understanding of objectives, scope, respective responsibilities,
and restrictions on results distribution? [STD 2201.A1]
51. Determine conformance with Performance Standard 2210,
“Engagement Objectives”:
a. Are objectives established for each audit? [STD 2210]
b. Do the objectives proceed and align to those initially identified during the
risk assessment process from which the internal audit plan is derived?
[PA 2210-1 #1]
c. For unplanned audits, are objectives established prior to the start of the
audit, and designed to address the specific issues that prompted the
audit? [PA 2210-1 #1]
d. After identifying the risks, does Internal Audit determine the procedures
to be performed and the scope of the procedures? [PA 2210-1 #3]
e. Are audit procedures performed in appropriate scope the means to
derive conclusions related to the audit objectives? [PA 2210-1 #3]
52. Determine conformance with Performance Standard 2210.A1,
“Engagement Risk Assessment”:
a. Does Internal Audit conduct a preliminary risk assessment? [STD
2210.A1]
b. Do audit objectives reflect the results of the risk assessment? [STD
2210.A1]
c. Does Internal Audit review management’s risk assessment process? [PA
2210.A1-1 #1]
d. Does Internal Audit obtain or update background information about the
activities to be reviewed to determine impact on the audit objectives and
scope? [PA 2210.A1-1 #2]
e. Does Internal Audit conduct a survey to become familiar with the
activities, risks and controls to identify audit emphasis, and to invite
comments and suggestions from audit clients? [PA 2210.A1.1 #3]
f. Does Internal Audit summarize
• significant audit issues
• objectives and procedures
• methodologies
• critical control points and deficiencies, and/or excess controls? [PA
2210.A1-1 #4]
53. Determine conformance with Performance Standard 2210.A2, “Errors,
Fraud and Non-compliance”:
a. Does Internal Audit consider the probability of significant errors, fraud,
and noncompliance when developing audit objectives? [STD 2210.A2]
54. Determine conformance with Performance Standard 2210.A3,
“Objective and Goals Criteria”:
a. Does Internal Audit ascertain the extent to which management and/or
the board has established adequate criteria to determine whether
objectives and goals have been accomplished? [STD 2210.A3]
b. If adequate, does Internal Audit use the criteria in their evaluation? [STD
2210.A3]
c. If inadequate, does Internal Audit work with management and/or the
board to develop appropriate evaluation criteria? [STD 2210.A3]
55. Determine conformance with Performance Standard 2220,
“Engagement Scope”:
a. Is the audit scope sufficient to achieve the audit objectives? [STD 2220]
56. Determine conformance with Performance Standard 2220.A1, “Scope
Completeness”:
a. Does the audit scope include consideration of relevant systems, records,
personnel and physical properties, including those under control of third
parties? [STD 2220.A1]
57. Determine conformance with Performance Standard 2220.A2,
“Consulting Opportunities”:
a. If significant consulting opportunities arise during an assurance audit, is
there a specific written understanding of the objectives, scope,
respective responsibilities and other expectations? [STD 2220.A2]
58. Determine conformance with Performance Standard 2230,
“Engagement Resource Allocation”:
a. Has Internal Audit determined appropriate and sufficient resources to
achieve audit objectives based on an evaluation of the nature and
complexity of each audit, time constraints and available resources?
[STD 2230]
b. Has Internal Audit considered the following when determining the
appropriateness and sufficiency of resources? [PA 2230-1]
• Internal Audit staff number and experience
• Internal Audit staff knowledge, skills and other competencies when
selecting Internal Auditors for the audit
• external resource availability where additional knowledge and
competencies are required
• Internal Audit training needs as each audit assignment serves as a
basis for meeting Internal Audit’s developmental needs
59. Determine conformance with Performance Standard 2240,
“Engagement Work Program”:
a. Has Internal Audit developed and documented work programs that
achieve the audit objectives? [STD 2240]
b. Is the process of collecting, analyzing, interpreting and documenting
information supervised to provide reasonable assurance that audit
objectives are met and that the internal auditor’s objectivity is
maintained? [PA 2240-1 #2]
60. Determine conformance with Performance Standard 2240.A1,
“Engagement Procedures”:
a. Do work programs include procedures for identifying, analyzing,
evaluating and documenting audit information? [STD 2240.A1]
b. Is the work program approved prior to implementation and any
adjustments approved promptly? [STD 2240.A1]
61. Determine conformance with Performance Standard 2300,
“Performing the Engagement”:
a. Does Internal Audit identify, analyze, evaluate and document sufficient
information to achieve the audit objectives? [STD 2300]
b. Does Internal Audit consider concerns relating to protection of
personally identifiable information (PII) gathered during audits? [PA
2300-1 #1]
c. Does Internal Audit understand and comply with all laws regarding the
use of PII? [PA 2300-1 #4]
d. Are there procedures for safeguarding PII? [PA 2300-1 #5]
62. Determine conformance with Performance Standard 2310, “Identifying
Information”:
a. Does Internal Audit identify sufficient, reliable, relevant and useful
information to achieve audit objectives? [STD 2310]
b. Is information factual, adequate and convincing so that a prudent
informed person would reach the same conclusions as Internal Audit?
[INT 2310]
c. Is information the best attainable through the use of appropriate audit
techniques? [INT 2310]
d. Does the information support audit observations and recommendations
and is the information consistent with audit objectives? [INT 2310]
e. Does the information help the Credit Union meet its goals? [INT 2310]
63. Determine conformance with Performance Standard 2320, “Analysis &
Evaluation”:
a. Does Internal Audit base conclusions and audit results on appropriate
analyses and evaluations? [STD 2320]
b. When analytical audit procedures identify unexpected results or
relationships, does Internal Audit evaluate those results or relationships?
[PA 2320-1 #6]
c. Does the evaluation include determining whether the difference from
expectations could be a result of fraud, error or a change in conditions?
[PA 2320-1 #6]
d. Does Internal Audit satisfy itself that any explanations consider both the
change direction and difference amount? [PA 2320-1 #6]
e. Does Internal Audit reporting include the underlying reasons that caused
an issue in order to add insights that improve the longer-term
effectiveness and efficiency of business processes? [PA 2320-2 #2]
f. Does Internal Audit have the competency to identify the need for root
cause analysis and facilitate, review, and/or conduct a root cause
analysis? [PA 2320-2 #2]
g. Are the resources spent on root cause analysis commensurate with the
impact of the issue or potential future issues and risk? [PA 2320-2 #5]
64. Determine conformance with Performance Standard 2330,
“Documenting Information”:
a. Does Internal Audit document relevant information to support
conclusions and audit results? [STD 2330]
b. Does Internal Audit prepare working papers? [PA 2330-1 #1]
c. Do working papers document
• the information obtained
• the analysis made
• support for the conclusions and audit results? [PA 2330-1 #1]
d. Does Internal Audit management review the working papers? [PA 2330-1
#1]
e. Do working papers
• aid in the planning, performance, and audit reviews
• provide principal support for audit results? [PA 2330-1]
f. Do working papers
• document whether audit objectives were achieved
• support accuracy and completeness of the work performed
• provide basis for QA&IP
• facilitate third-party reviews? [PA 2330-1 # 2]
g. Do audit working papers document all aspects of the audit process from
planning to communicating the results? [PA 2330-1 #3]
h. Has the CAE established working paper policies for the various types of
audits performed? [PA 2330-1 #4]
65. Determine conformance with Performance Standard 2330.A1 “Control
of Engagement Records”:
a. Does the CAE control access to audit records? [STD 2330.A1]
b. Does the CAE obtain senior management approval and/or legal counsel
prior to releasing records to external parties? [STD 2330.A1]
c. Does Internal Audit provide access to authorized personnel only? [PA
2330.A1-1 #1]
d. Does the Board review policies relating to audit record access, access
request handling, and procedures for when an audit warrants an
investigation? [PA 2330.A1-1 #2]
e. Do Internal Audit policies explain
• who in the Credit Union is responsible for ensuring control and
security of Internal Audit records
• which internal and external parties can be granted audit record
access
• how requests for records access need to be handled? [PA 2330.A1-1 #3]
f. Does the CAE approve access requests by Credit Union officials and
external auditors? [PA 2330.A1-1 #4,5]
g. In a legal proceeding, does the CAE work closely with legal counsel in
deciding what to provide when there is a request for audit records in
relation to legal proceedings? [PA 2330.A1-1 #7]
h. Do Internal Audit policies
• cover what to include in engagement records
• specify content and format
• specify how Internal Audit handles resolved review notes? [PA
2330.A1-2 #4]
i. Do Internal Audit policies specify how long internal audit records are to
be retained? [PA 2330.A1-2 #4]
j. Are the Credit Union’s needs and legal requirements considered when
specifying retention requirements? [PA 2330.A1-2 #4]
k. Is the CAE aware of changing industry practices and changing legal
precedents? [PA 2330.A1-2 #5]
l. When developing policies, does the CAE consider who may seek
access to Internal Audit records? [PA 2330.A1-2 #5]
m. When furnishing engagement records, does the CAE provide only
specific documents directed by legal counsel or policies? [PA 2330.A1-2
#8]
n. When furnishing engagement records, does the CAE release documents
in an unchangeable form? [PA 2330.A1-2 #8]
o. When furnishing engagement records, does the CAE
• label each document as confidential
• place a notation that secondary distribution is not permitted without
permission? [PA 2330.A1-2 #8]
66. Determine conformance with Performance Standard 2330.A2
“Retention of Records”
a. Has the CAE developed audit record retention requirements? [STD
2330.A2]
b. Are the retention requirements consistent with the Credit Union’s
guidelines and any pertinent regulatory requirements? [STD 2330.A2]
c. Are the retention requirements in a written policy? [PA 2330.A2-1 # 2]
d. Does the policy include record retention related to external service
provider audits? [PA 2330.A2-1 #3]
67. Determine conformance with Performance Standard 2340,
“Engagement Supervision”:
a. Are audits properly supervised to ensure
• objectives are achieved
• quality is assured
• staff is developed? [STD 2340]
b. Is evidence of supervision documented and retained? [INT]
c. Are there appropriate instructions during audit planning and audit
program approval? [PA 2340-1 #1]
d. Does supervision include ensuring that the approved audit program is
completed unless changes are justified and authorized? [PA 2340-1 #1]
e. Does supervision include determining that audit workpapers adequately
support audit observations, conclusions and recommendations? [PA
2340-1 #1]
f. Does supervision include ensuring communications are accurate,
objective, clear, concise, constructive and timely? [PA 2340-1 #1]
g. Does supervision include ensuring the audit objectives are met? [PA
2340-1 #1]
h. Does the CAE take responsibility for all Internal Audit audits whether
performed by or for Internal Audit? [PA 2340-1 #2]
i. Does the CAE take responsibility for all significant professional
judgments made throughout the audit? [PA 2340-1 #2]
j. Are policies and procedures designed to minimize the risk that Internal
Audit or others performing work for Internal Audit make professional
judgments or take other actions inconsistent with the CAE’s professional
judgment such that the audit is impacted adversely? [PA 2340-1 #2]
k. Are policies and procedures designed to resolve differences in
professional judgment between the CAE and Internal Audit staff over
significant audit issues? [PA 2340-1 #2]
l. When clearing review notes, is care taken to ensure working papers
provide adequate evidence that questions raised are resolved?
[PA 2340-1 #4]
68. Determine conformance with Performance Standard 2400,
“Communicating Results”:
a. Does Internal Audit communicate the audit results? [STD 2400]
b. Does Internal Audit consider legal issues when communicating
noncompliance with laws, regulations and other issues? [PA 2400-1 #1]
69. Determine conformance with Performance Standard 2410, “Criteria for
Communicating”:
a. Do communications include the audit’s
• objectives
• scope
• conclusions
• recommendations
• action plans? [STD 2410]
70. Determine conformance with Performance Standard 2410.A1 “Opinion
and/or Conclusions”
a. Do final communications of audit results contain Internal Audit’s opinion
and/or conclusions? [STD 2410.A1]
b. Does the opinion or conclusion take account of the expectations of
senior management, the Board, and other stakeholders? [STD 2410.A1]
c. Is the opinion or conclusion supported by information that is
• sufficient
• reliable
• relevant
• useful? [STD 2410.A1]
d. Does Internal Audit communicate observations necessary to support or
prevent misunderstanding of Internal Audit’s conclusions and
recommendations? [PA 2410-1 #6]
e. Are observations and recommendations based on
• criteria used in making an evaluation or verification
• condition found in the course of examination
• cause for difference between expected and actual conditions
• effect of risk or exposure to the Credit Union? [PA 2410-1 #7]
f. Does Internal Audit evaluate the effect of the observations and
recommendations on the activities reviewed? [PA 2410-1 #8]
g. Are audit conclusions clearly identified in the audit report? [PA 2410-1
#8]
h. Are recommendations based on Internal Audit’s observations and
conclusions? [PA 2410-1 #9]
i. Do recommendations call for action to correct existing conditions or
improve operations? [PA 2410-1 #9]
j. Does Internal Audit obtain agreement from management on the results
of the audit and plans of action to improve operations? [PA 2410-1 #12]
k. If Internal Audit and the audit client disagree about the audit results, do
the communications state both positions and the reasons for the
disagreement? [PA 2410-1 #12]
l. Are interim reports used to communicate
• information that requires immediate attention
• change in audit scope
• audit progress when audits extend over a long period of time? [PA
2410-1 #14]
m. Is a signed report (manually or electronically) issued after the audit
completion? [PA 2410-#15]
n. Does the CAE determine which Internal Auditor is authorized to sign the
report? [PA 2410-#15]
o. If reports are distributed electronically, is a signed version retained on
file by Internal Audit? [PA 2410-#15]
71. Determine conformance with Performance Standard 2410.A2
“Acknowledging Satisfactory Performance”
a. Does Internal Audit acknowledge satisfactory performance in audit
communications? [STD 2410.A2]
72. Determine conformance with Performance Standard 2410.A3
“Distribution Limitations”
a. When releasing audit results to third parties, does the communication
include limitations on distribution and use of results? [STD 2410.A3]
b. Is privileged, proprietary or sensitive information disclosed in a separate
report because it is not appropriate for disclosure to all report recipients?
[PA 2410-1 #13]
c. Are reports distributed to the Board if the conditions involve senior
management? [PA 2410-1 #13]
73. Determine conformance with Performance Standard 2420, “Quality of
Communications”:
a. Are communications
• accurate
• objective
• clear
• concise
• constructive
• complete
• timely? [STD 2420]
b. Are communications
• free from errors and distortions
• faithful to the underlying facts? [INT]
c. Are communications
• fair
• impartial
• unbiased
• the results of a fair-minded assessment of all relevant facts and
circumstances? [INT]
d. Are communications
• easily understood
• logical
• to the point? [INT]
e. Do communications
• avoid unnecessary technical language or elaboration
• provide all significant and relevant information?
• avoid superfluous detail, redundancy, wordiness? [INT]
f. Are communications
• helpful to the audit client and the Credit Union?
• opportune and expedient? [INT]
g. Do communications
• lead to improvements where needed?
• lack nothing that is essential to the target audience? [INT]
h. Were data and evidence gathered, evaluated and summarized with care
and precision? [PA 2420-1 #1]
i. Were observations, conclusions and recommendations derived and
expressed without prejudice, partisanship, personal interest and the
undue influence of others? [PA 2420-1 #2]
j. Is all significant and relevant information provided in context? [PA 2420-1 #3]
k. Is each element meaningful and succinct? [PA 2420-1 #4]
l. Are the tone and content
• well-meaning
• useful
• positive
• focused on the Credit Union’s objectives? [PA 2420-1 #5]
m. Is the communication consistent with the Credit Union’s style and
culture? [PA 2420-1 #6]
n. Is the timing of the results presentation planned to avoid undue delay?
[PA 2420-1 #7]
74. Determine conformance with Performance Standard 2421, “Errors &
Omissions”:
a. If a final communication contains a significant error or omission, does
the CAE communicate corrected information to all parties who received
the original communication? [STD 2421]
75. Determine conformance with Performance Standard 2430, “Use of
‘Conducted in Conformance with the International Standards for the
Professional Practice of Internal Auditing’”:
a. Does Internal Audit report that its audits are “conducted in conformance
with the International Standards for the Professional Practice of Internal
Auditing” only if the results of the QA&IP support the statement? [STD
2430]
76. Determine conformance with Performance Standard 2431,
“Engagement Disclosure of Nonconformance”:
a. When nonconformance with the Definition of Internal Auditing, the Code
of Ethics or the Standards impacts a specific audit, does the
communication of the results disclose
• the principle or rule with which conformance was not achieved
• reasons for nonconformance
• impact of nonconformance on the audit
• impact of nonconformance on the communicated audit results? [STD
2431]
77. Determine conformance with Performance Standard 2440,
“Disseminating Results”:
a. Does the CAE communicate results to the appropriate parties? [STD
2440]
b. Does the CAE review and approve the final audit communication before
issuance and decide to whom and how it will be disseminated? [INT]
c. When the CAE delegates the review and approval, does the CAE retain
overall responsibility? [INT]
d. Does Internal Audit discuss conclusions and recommendations with
appropriate levels of management, or provide a report draft before the
CAE issues the final audit communications? [PA 2440-1 #1,2]
78. Determine conformance with Performance Standard 2440.A1 “Report
Addressee”
a. Does the CAE communicate the final results to parties who can ensure
that the results are given due consideration? [STD 2440.A1]
b. Does the CAE distribute the final audit communication to the
management of the audited area, and to those persons in the Credit
Union who can take corrective action or ensure corrective action is taken
? [PA 2440-1 #4]
79. Determine conformance with Performance Standard 2440.A2
“Considerations Prior to Release”
a. Prior to releasing results to third parties does the CAE
• assess the potential risk to the Credit Union
• consult with senior management and/or legal counsel
• control dissemination by restricting use of the results? [STD
2440.A2]
b. If internal whistleblowing is elected, does Internal Audit evaluate
alternate ways of communicating risk to persons outside the normal
chain of command? [PA 2440-2 #7]
c. Is Internal Audit aware of the laws and regulations of the various
jurisdictions in which the Credit Union operates? [PA 2440-2 #9]
d. Does Internal Audit carefully evaluate all evidence and the
reasonableness of conclusions and decide whether further actions are
needed to protect the Credit Union’s and members’ interest? [PA 2440-2
#11]
e. Does Internal Audit consider the duty of confidentiality to respect the
value and ownership of information and avoid disclosing it without
appropriate authority unless there is a legal or professional obligation to
do so? [PA 2440-2 #11]
f. Is the decision to communicate outside the normal chain of command
based on a well-informed opinion that the wrongdoing is supported by
substantial, credible evidence and that a legal or regulatory imperative,
or a professional or ethical obligation, requires further action? [PA 2440-2 #12]
80. Determine conformance with Performance Standard 2450, “Overall
Opinions”:
a. When an overall opinion is issued, does it take into account the
expectations of senior management, the Board and other stakeholders?
[STD 2450]
b. Is the overall opinion supported by sufficient, reliable, relevant and
useful information? [STD 2450]
c. Does the communication identify
• scope and scope limitations
• consideration of all related projects including reliance on other
assurance providers
• the risk or control framework or other criteria used as a basis for the
overall opinion
• the overall opinion, judgment or conclusion reached
• reasons for an unfavorable opinion? [INT]
81. Determine conformance with Performance Standard 2500, “Monitoring
Progress”:
a. Does the CAE maintain a system to monitor the disposition of results
communicated to management? [STD 2500]
b. Do procedures include
• timeframe within which management’s response is required
• evaluation of management’s response
• verification of the response if appropriate
• performance of a follow-up engagement if appropriate? [PA 2500-1 #1]
c. Do procedures include a communications process that escalates
unsatisfactory responses/actions, including the assumption of risk, to the
appropriate levels of senior management or the board? [PA 2500-1 #1]
d. If reported observations and recommendations are significant enough to
require immediate action by management or the Board, does Internal
Audit monitor actions taken until the observation is corrected or the
recommendation implemented? [PA 2500-1 #2]
82. Determine conformance with Performance Standard 2500.A1, “Follow-Up Process”:
a. Does the CAE establish a follow-up process to monitor and ensure that
management actions have been effectively implemented or that senior
management has accepted the risk of not taking action? [STD 2500.A1]
b. Does Internal Audit determine whether management has taken action or
implemented the recommendation? [PA 2500.A1-1 #1]
c. Does Internal Audit determine whether the desired results were
achieved or if senior management or the Board has assumed the risk of
not taking action or implementing a recommendation? [PA 2500.A1-1
#1]
d. Does Internal Audit evaluate the adequacy, effectiveness and timeliness
of actions taken by management on reported observations and
recommendations, including those made by external auditors and
others? [PA 2500.A1-1 #2]
e. Does the Internal Audit Charter define responsibility for follow-up? [PA
2500.A1-1 #3]
f. Does the CAE determine the nature, timing and extent of follow-up
considering
• significance of the reported observation or recommendation
• degree of effort and cost needed to correct the reported condition
• impact that may result should the corrective action fail
• complexity of the corrective action
• time period involved? [PA 2500.A1-1 #3]
g. Does the CAE schedule follow-up activities as part of audit work
schedules? [PA 2500.A1-1 #4]
h. Is follow-up scheduling based on the risk and exposure involved, the
degree of difficulty and the significance of timing in implementing
corrective action? [PA 2500.A1-1 #4]
i. Does Internal Audit determine whether actions taken on observations
and recommendations remedy the underlying conditions? [PA 2500.A1-1
#6]
j. Are follow-up activities documented? [PA 2500.A1-1 #6]
83. Determine conformance with Performance Standard 2600,
“Communicating the Acceptance of Risks”:
a. When the CAE concludes that management has accepted a level of risk
that may be unacceptable to the CU, does the CAE discuss the matter
with senior management? [STD 2600]
b. If the CAE determines that the matter has not been resolved, does the
CAE communicate the matter to the board? [STD 2600]
Copyright © 2002 by the Association of Credit Union Internal Auditors, Inc. No part of this publication may be reproduced,
stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without the prior written permission of the publisher. Printed in the United States of America.