(Some dictionary definitions from Collins and Oxford)
Internal auditors in the Canadian Government are to utilise the IIA Standards for the Professional Practice of Internal Auditing in carrying out their internal auditing responsibilities.
(TB Policy on Internal Audit, Appendix B)
"Assurance services are objective examinations of evidence for the purpose of providing an independent assessment of...
(TB Policy, Section 2 and Appendix A)
"Assurance services - An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements."
(IIA Standards for the Professional Practice of Internal Auditing)
Assurance provided by the internal auditor, through audit engagements, provides management confidence on the soundness of management processes within the organization. They will also guide management in determining where the organization is most exposed to risk,...
(TB Policy, Section 2)
2100 - Nature of Work - The IA activity evaluates and contributes to the improvement of risk management, control and governance systems.
2110 - Risk Management - The IA activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
2120.A1 - Based on the results of the risk assessment, the IA activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
(IIA Performance Standards)
1220.A2 - The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
(IIA Attribute Standards)
(TB Policy, Appendix B)
2200 - Engagement Planning - Internal auditors should develop and record a plan for each engagement.
2201 - Planning Consideration - In planning the engagement, internal auditors should consider:
2210 - Engagement Objectives - The engagement's objectives should address the risks, controls, and governance processes associated with the activities under review.
2220 - Engagement Scope - The established scope should be sufficient to satisfy the objectives of the engagement.
2240 - Engagement Work Program - Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.
2240.A1 - Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to the commencement of work, and any adjustments approved accordingly.
2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.
"In an audit engagement, in order for meaningful conclusions to be reached, they need to be made in relation to a set of suitable criteria."
"Criteria are benchmarks against which the subject matter can be assessed."
"The internal auditor should always attempt to identify criteria that yield useful information to departmental or agency management."
"Preference is to be given to the use of generally accepted criteria when they are consistent with the objective of the audit engagement."
"In the federal government environment, generally accepted criteria could be those established by:
"When there are no generally accepted criteria consistent with the objective of the audit engagement, and criteria from other sources are identified, then the internal auditor should obtain from departmental or agency management an acknowledgement that the criteria are suitable for the engagement."
(TB Policy, Appendix A)
2300 - Performing the Engagement - Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
2310 - Identifying Information - Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.
2320 - Analysis and Evaluation - Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.
2330 - Recording Information - Internal auditors should record relevant information to support the conclusions and engagement results.
"...assurance is provided by designing procedures so that in the internal auditor's professional judgement, the risk of an inappropriate conclusion is...low...through procedures such as inspection, observation, enquiry, confirmation, computation, analysis and discussion."
(adaptation from TB Policy on Internal Audit, Appendix B)
assurance
= not absolute.
= low risk of inappropriate conclusion.
= judgement
i.e. consistency that others would arrive at the same conclusion(s) based on the criteria, testing methods and evidence.
The IA function has the capacity to accomplish its responsibilities, by having sufficient resources and being staffed with competent people, effectively deployed, who work to professional standards, utilize good communication practices, and adhere to public service and professional ethics, values and codes of conduct.
The IA function has the breadth of knowledge to accomplish its responsibilities, by utilizing work teams that collectively possess or have access to sufficient expertise in the subject matter being audited.
1200 - Proficiency and Due Professional Care - Engagements should be performed with proficiency and due professional care.
1210 - Proficiency - Internal auditors should possess the knowledge, skills and other competencies needed to perform their individual responsibilities. The IA activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
1210.A1 - The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.
1220 - Due Professional Care - Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 - The internal auditor should exercise due professional care by considering the:
2400 - Communicating Results - Internal auditors should communicate the engagement results promptly.
2410 - Criteria for Communicating - Communications should include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.
2410.A1 - The final communication of results should, where appropriate, contain the internal auditor's overall opinion.
2500 - Monitoring Progress - The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
2600 - Management's Acceptance of Risks - When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.