State Internal Audit Advisory Board
Internal Auditing Standards and Requirements in the State of Illinois Review Course
Based on 2017 IIA Standards

IIA Performance Standard 2300 – Performing the Engagement

2300 – Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.

2310 – Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

Interpretation:
Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.

2320 – Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

2330 – Documenting Information
Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions.

2330.A1 – The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2 – The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2330.C1 – The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2340 – Engagement Supervision

Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

Interpretation:
The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.

SIAAB Requirements:

In accordance with the IIA’s International Professional Practice Framework (IPPF), internal auditors should prepare working papers that document the information obtained, the analyses made, and the support for the engagements results and conclusions. Internal audit management reviews the prepared working papers. Engagement working papers generally:

  • Aid in the planning, performance, and review of engagements;
  • Provide the principal support for engagement results;
  • Document whether engagement objectives were achieved;
  • Support the accuracy and completeness of the work performed;
  • Provide a basis for the internal audit activity’s quality assurance and improvement program; and
  • Facilitate third-party reviews.

The organization, design, and content of engagement working papers depend on the engagement’s nature and objectives and the organization’s needs. Engagement working papers document all aspects of the engagement process from planning to communicating results. Internal auditors need to consider concerns relating to the protection of personally identifiable information gathered during audit engagements as advances in information technology and communications continue to present privacy risk and threats. It is important that internal auditors understand and comply with all laws regarding the use of personal information in their jurisdiction and in those jurisdictions where their organizations conduct business.

The internal audit activity determines the media used to document and store working papers. The chief audit executive establishes working paper policies for the various types of engagements performed.

Standardized engagement working papers, such as questionnaires and audit programs, may improve the engagement’s efficiency and facilitate the delegation of engagement work. Engagement working papers may be categorized as permanent or carry-forward engagement files that contain information of continuing importance.

Engagement records or working papers are the property of the organization. The internal audit activity controls engagement working papers and provides access to authorized personnel only. Internal audit policies explain who in the organization is responsible for ensuring the control and security of the activity’s records, which internal or external parities can be granted access to engagement records, and how requests for access to those records need to be handled. These policies will vary depending on the nature of the organization and access privileges established by law.

Management and other members of the organization may request access to all or specific engagement working papers. Such access may be necessary to substantiate or explain engagement observations and recommendations or for other business purposes. The chief audit executive approves these requests as well as access to engagement working papers by external auditors. There are circumstances where parties outside the organization, other than external auditors, request access to engagement working papers and reports. Prior to releasing the documentation, the chief audit executive obtains the approval of senior management and/or legal counsel, as appropriate.

The chief audit executive or designee provides appropriate engagement supervision that begins with planning and continues throughout the engagement which includes:

  • Ensuring designated auditors collectively possess the required knowledge, skills, and other competencies to perform the engagement;
  • Providing appropriate instructions during the planning of the engagement and approving the engagement program;
  • Ensuring the approved engagement program is completed unless changes are justified and authorized;
  • Determining engagement working papers adequately support engagement observations, conclusions, and recommendations;
  • Ensuring engagement communications are accurate, objective, clear, concise, constructive, and timely;
  • Ensuring engagement objectives are met; and
  • Providing opportunities for developing internal auditors’ knowledge, skills, and other competencies.

The chief audit executive is responsible for all internal audit engagements, whether performed by or for the internal audit activity, and all significant professional judgments made throughout the engagement. The chief audit executive adopts policies and procedures designed to:

  • Minimize the risk that internal auditors or others performing work for the internal audit activity make professional judgments or take other actions that are inconsistent with the chief audit executive’s professional judgment such that the engagement is impacted adversely; and
  • Resolve differences in professional judgment between the chief audit executive and internal audit staff over significant issues relating to the engagement. Such means may include discussion of pertinent facts, further inquiry or research, and documentation and disposition of the differing viewpoints in engagement working papers. In instances of a difference in professional judgment over an ethical issue, suitable means may include referral of the issue to those individuals in the organization having responsibility over ethical matters.

All engagement working papers are reviewed to ensure they support engagement communications and necessary audit procedures are performed. Evidence of supervisory review consists of the reviewer initialing and dating each working paper after it is reviewed. Other techniques that provide evidence of supervisory review include completing an engagement working paper review checklist; preparing a memorandum specifying the nature, extent, and results of the review; or evaluating and accepting reviews within the working paper software.

Reviewers can make a written record (i.e., review notes) of questions arising from the review process. When clearing review notes, care needs to be taken to ensure working papers provide adequate evidence that questions raised during the review are resolved.

From: The IIA’s International Professional Practices Framework Copyright 2017 by The Institute of Internal Auditors, Inc., 1035 Greenwood Blvd, Suite 401, Lake Mary, FL 32746. Reprinted with permission

Please close this window to return to Ability LMS to take the quiz for this lesson.