Performance Standards

Performance
Standard 2000

Managing the Internal Audit Activity
The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

Performance
Standard 2010

Planning
The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
 

Implementation Standard 2010.A1
(Assurance Engagements)

 

 

The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

 

Implementation
Standard 2010.C1

(Consulting Engagements)

 

The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Those engagements that have been accepted should be included in the plan.

Performance
Standard 2020

Communication and Approval
The chief audit executive should communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

Performance
Standard 2030

Resource Management
The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Performance
Standard 2040

Policies and Procedures
The chief audit executive should establish policies and procedures to guide the internal audit activity.

Performance
Standard 2050

Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

Performance
Standard 2060

Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

Performance
Standard 2100

Nature of Work
The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

Performance
Standard 2110

Risk Management
The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

 

Implementation 
Standard 2110.A1
(Assurance Engagements)

 

 

The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

  Implementation 
Standard 2110.A2
(Assurance Engagements)
 

The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the

  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations.
  • Safeguarding of assets.
  • Compliance with laws, regulations, and contracts.
 

Implementation 
Standard 2110.C1
(Consulting Engagements)

 

  During consulting engagements, internal auditors should address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
 

Implementation 
Standard 2110.C2
(Consulting Engagements)

 

Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

Performance
Standard 2120

Control
The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

  Implementation 
Standard 2120.A1
(Assurance Engagements)
 

Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:

  • Reliability and integrity of financial and operational information. 
  • Effectiveness and efficiency of operations.
  • Safeguarding of assets.
  • Compliance with laws, regulations, and contracts.
 

Implementation
Standard 2120.A2
(Assurance Engagements)

 

 

Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

 

Implementation 
Standard 2120.A3
(Assurance Engagements)

 

 

Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

  Implementation 
Standard 2120.A4
(Assurance Engagements)
 

Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

 

 

Implementation 
Standard 2120.C1
(Consulting Engagements)

 

  During consulting engagements, internal auditors should address controls consistent with the engagement's objectives and be alert to the existence of any significant control weaknesses.
 

Implementation 
Standard 2120.C2
(Consulting Engagements)

 

Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

Performance
Standard 2130

Governance

The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

  • Promoting appropriate ethics and values within the organization.
  • Ensuring effective organizational performance management and accountability.
  • Effectively communicating risk and control information to appropriate areas of the organization.
  • Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
 

Implementation 
Standard 2130.A1
(Assurance Engagements)

 

 

The internal audit activity should evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs and activities.

 

Implementation 
Standard 2130.C1
(Consulting Engagements)

 

Consulting engagement objectives should be consistent with the overall values and goals of the organization.

Performance
Standard 2200

Engagement Planning
Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.

Performance
Standard 2201

Planning Considerations
In planning the engagement, internal auditors should consider:

  • The objectives of the activity being reviewed and the means by which the activity controls its performance. 
  • The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. 
  • The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model. 
  • The opportunities for making significant improvements to the activity's risk management and control systems.

Implementation
Standard 2201.A1
(Assurance Engagements)

When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.
 

Implementation 
Standard 2201.C1
(Consulting Engagements)

 

Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.

Performance
Standard 2210

Engagement Objectives
Objectives should be established for each engagement.

 

Implementation 
Standard 2210.A1
(Assurance Engagements)

 

 

Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of the risk assessment.

 

Implementation 
Standard 2210.A2
(Assurance Engagements)

 

 

The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.

 

Implementation 
Standard 2210.C1
(Consulting Engagements)

 

Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.

Performance
Standard 2220

Engagement Scope
The established scope should be sufficient to satisfy the objectives of the engagement. 

 

Implementation 
Standard 2220.A1
(Assurance Engagements)

 

 

The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

Implementation
Standard 2220.A2
(Assurance Engagements)

If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.
 

Implementation 
Standard 2220.C1
(Consulting Engagements)

 

In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.

Performance
Standard 2230

Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

Performance
Standard 2240

Engagement Work Program
Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

  Implementation 
Standard 2240.A1
(Assurance Engagements)
 

Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.

 

Implementation 
Standard 2240.C1
(Consulting Engagements)

 

Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

Performance
Standard 2300

Performing the Engagement
Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

Performance
Standard 2310

Identifying Information
Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.

Performance
Standard 2320

Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

Performance
Standard 2330

Recording Information
Internal auditors should record relevant information to support the conclusions and engagement results.

  Implementation 
Standard 2330.A1
(Assurance Engagements)
 

The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

  Implementation 
Standard 2330.A2
(Assurance Engagements)
 

The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

 

Implementation 
Standard 2330.C1
(Consulting Engagements)

 

The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

Performance
Standard 2340

Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

Performance
Standard 2400

Communicating Results
Internal auditors should communicate the engagement results.

Performance
Standard 2410

Criteria for Communicating
Communications should include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.

 

Implementation 
Standard 2410.A1
(Assurance Engagements)

 

 

Final communication of engagement results should, where appropriate, contain the internal auditor's overall opinion and/or conclusions.

 

Implementation 
Standard 2410.A2
(Assurance Engagements)

 

 

Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.

Implementation
Standard 2410.A3
(Assurance Engagements)

When releasing engagement results to parties outside the organization, the communication should include limitations on distribution and use of the results.
 

Implementation 
Standard 2410.C1
(Consulting Engagements)

 

Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

Performance
Standard 2420

Quality of Communications
Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

Performance
Standard 2421

Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication.

 
Performance
Standard 2430

Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:

  • Standard(s) with which full compliance was not achieved, 
  • Reason(s) for noncompliance, and 
  • Impact of noncompliance on the engagement.

Performance
Standard 2440

Disseminating Results
The chief audit executive should disseminate results to the appropriate parties.

 

Implementation 
Standard 2440.A1
(Assurance Engagements)

 

 

The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

  Implementation 
Standard 2440.A2
(Assurance Engagements)
 

If not otherwise mandated by legal, statutory or regulatory requirements, prior to releasing results to parties outside the organization, the chief audit executive should:

  • Assess the potential risk to the organization.
  • Consult with senior management and/or legal counsel as appropriate.
  • Control dissemination by restricting the use of the results.
 

Implementation 
Standard 2440.C1
(Consulting Engagements)

 

  The chief audit executive is responsible for communicating the final results of consulting engagements to clients.
 
 

Implementation 
Standard 2440.C2
(Consulting Engagements)

 

During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.

Performance
Standard 2500

Monitoring Progress
The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

 

Implementation 
Standard 2500.A1
(Assurance Engagements)

 

 

The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

 

Implementation 
Standard 2500.C1
(Consulting Engagements)

 

The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

Performance
Standard 2600

Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

 
© Asociatia Auditorilor Interni din Romania - AAIR