CHAPTER 14 – Communicating Assurance Engagement Outcomes

and Performing Follow up Procedures

Objectives

• Understand why it is appropriate and necessary to communicate assurance engagement outcomes

• Identify the different forms of assurance engagement communications

• Identify the steps involved in creating an effective assurance engagement communications

• Understand the distribution process for the effectively communicating assurance engagement outcomes

• Understand what is involved in effective monitoring of, and follow-up on assurance engagement outcomes

Perform Observation Evaluation and Escalation Process

• Determine the COSO Objective Category Operations Financial reporting Compliance

• Classification Inadequately/Ineffectively

• Impact and Likelihood of the Observations• Assessment

Insignificant Significant Material Observation assessment template Assisting documentation Observation summary

Observation Assessment Template• Conditions(facts)- What is found through testing?• Criteria- What should exist?• Cause- What allowed the condition to exist?• Effect- What could go wrong?• Compensating Controls-Other controls in place to mitigate the observation.• Conclusion- Detailed analysis• Detailed Recommendation- What does the IA function recommend?• Managements Solution- What will management do to fix the existing

condition or prevent the problem from occurring again?• Observation Evaluation- The assessment• Evaluation performed by: Who performed the Evaluation?• Working paper Reference

Conducting Interim and Preliminary Communications

Interim Engagement Communication

• Communication is key to assurance engagement

• Usually between IA’s and members of audit subject area

• Purpose is to discuss observations throughout engagement

• Information from this communication is eventually used in management’s action plan

Final Engagement Communication• Preliminary facts and conclusions must be confirmed

before being finalized

• An exit interview is usually conducted in a formal meeting to resolve any last issues

• Final meeting involves feedback and a proposed course of action

• Results much be communicated to appropriate parties

Develop Final Engagement Communications

Final Communication Should Include:

• Purpose and Scope of the Engagement

• Time Frame Covered by the Engagement

• Observations and Recommendations

• Conclusions and Ratings (if applicable)

• Management’s Action Plan (if applicable)

Rating System• Relatively common

• Effective Controls = Positive Observation

• Ineffective Controls = Negative Observation

• Systems range from numerical to descriptive ratings

• Disadvantage: relationship tension between IA’s and area audited

Distribute Formal Communications• After all observations have been identified and assessed through observation

evaluation and escalation processes individually and in the aggregate they must be communicated according to the results of that process

• Communications must be reviewed and approved by the CAE or designee before they can be distributed

• Then the CAE distributes the final engagement communication to management of the audited activity and members who can ensure the results are given due consideration and take corrective action

• Assurance engagement communications are FORMAL or INFORMAL depending n the outcome as determined by the observation evaluation and escalation process

Formal Communications• Recipients of formal assurance engagement communications are senior management, the

audit committee, the organizations independent outside auditor, and/or auditee management

• Use when controls evaluated during an assurance engagement are:- insignificantly compromised (although key controls are compromised)- significantly compromised - materially compromised

• Format used to be communicated through hard copies and word documents but now are moving towards power point presentations– format is less important than covering all of the elements of a formal communication

• Should Include - The purpose and scope of the audit - The time frame of the audit- The observations and recommendations (results) of the audit, if any - The conclusion (opinion/rating) of the internal audit function - Managements response (action plan) to the recommendations

Informal Communications• Considered appropriate only when, during the observation evaluation and

escalation process, all observations were assessed to be insignificant with no key controls compromised

• Will cover insignificant observations related to secondary controls that may be compromised and will only

• Distributed only to management of the area that was the target of the engagement informally via e-mail, face-to-face, meetings, or conference calls

• To satisfy the Standards relative to communicating assurance engagement outcomes must still communicate to senior management , audit committee, and independent outside auditor that NO observations were identified related to key controls

Quality of Communications• Standard 2420 states that communications must be:1. Accurate- free from errors and distortions and faithful to the underlying facts 2. Objective- fair, impartial, and unbiased; are the result of a fair-minded and balanced

assessment of all relevant facts and circumstances 3. Clear- easily understood and logical providing all significant and relevant

information; avoid using unnecessary technical language 4. Concise- to the point- avoid unnecessary elaboration, superfluous detail

redundancies and wordiness 5. Constructive- helpful to the engagement client and the organization and lead to

improvements where needed 6. Complete- lack nothing essential to target audience; include all significant and

relevant information and observations to support recommendations and conclusions

7. Timely- opportune and expedient, depending on significance of the issue, allowing management to take appropriate corrective action

Practice advisory 2420-1: Quality of Communications additional guidance

• Internal Auditors should:1. Gather, evaluate, and summarize data and evidence with care and precision 2. Derive and express observations, conclusions, and recommendations without

prejudice, partisanship, personal interests, and undue influence of others 3. Improve clarity by avoiding unnecessary technical language and providing all

significant and relevant information in context 4. Develop communications with the objective of making each element meaningful

but succinct 5. Adopt a useful, positive, and well-meaning content and tone that focuses on the

organizations objectives 6. Ensure communication is consistent with the organizations style and culture7. Plan the timing of the presentation of engagement results to avoid undue delay

Errors and Omissions • At times there will be an unintentional misstatement or omission of significant

information in the final engagement communication • According to the Standards 2421: Errors and Omissions “If a final communication

contains a significant error or omission, the CAE must communicate corrected information to all parties who received the original communication”

Perform Monitoring and Follow-up

• As stated in the Standards, the internal auditor is to “establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action”

Perform Monitoring and Follow-up• The internal auditor’s job isn’t done when the engagement

results are communicated.• During the engagement, the internal auditor identifies

observations and management must make the choice to:1. Implement changes to remediate the observation 2. Accept the risk associated with making no changes to the

control • Management’s decision determines the course of the

monitoring and follow-up procedures.

Implementation

• Management – implements suggested changes

• Internal auditor – monitors the progress of changes – Regularly follow-ups to assess efficiency and effectiveness

of changes– Ensures that changes are made in accordance with the

schedule defined in the final engagement communication – Document findings for working papers, and additional

follow-up

Acceptance

• Management – Accepts the risk

• Chief Audit Executive– Evaluates management’s decision

If it is believed that management has accepted a risk beyond the tolerance, the CAE must: – Discuss with management – If not resolved, must report it to the Board of Directors for

resolution

Assurance Engagement Outcome

• Specific focus of Chapter 14• Consulting engagement communications are

discussed in Chapter 15

Questions?