CHAPTER 14 Communicating Assurance Engagement Outcomes and Performing Follow-up Procedures
Objectives
Understand why it is appropriate and necessary to communicate assurance engagement outcomes
Identify the different forms of assurance engagement communications
Identify the steps involved in creating effective assurance engagement communications
Understand the distribution process for effectively communicating assurance engagement outcomes
Understand what is involved in effective monitoring of, and follow-up on, assurance engagement outcomes
Perform Observation Evaluation and Escalation Process

Determine the COSO Objective Category


Operations
Financial reporting
Compliance
Classification
Inadequately/Ineffectively
Impact and Likelihood of the Observations
Assessment
Insignificant
Significant
Material
Observation assessment template
Assisting documentation
Observation summary
Observation Assessment Template
Conditions (facts) - What is found through testing?
Criteria - What should exist?
Cause - What allowed the condition to exist?
Effect - What could go wrong?
Compensating Controls - Other controls in place to mitigate the observation.
Conclusion - Detailed analysis
Detailed Recommendation - What does the IA function recommend?
Management's Solution - What will management do to fix the existing condition or prevent the problem from occurring again?
Observation Evaluation - The assessment
Evaluation performed by: Who performed the evaluation?
Working paper reference
Conducting Interim and Preliminary Communications
Interim Engagement Communication
Communication is key to the assurance engagement
Usually between IAs and members of the audit subject area
Purpose is to discuss observations throughout the engagement
Information from this communication is eventually used in management's action plan
Final Engagement Communication
Preliminary facts and conclusions must be confirmed before being finalized
An exit interview is usually conducted in a formal meeting to resolve any last issues
Final meeting involves feedback and a proposed course of action
Results must be communicated to appropriate parties
Develop Final Engagement Communications
Final Communication Should Include:
Purpose and Scope of the Engagement
Time Frame Covered by the Engagement
Observations and Recommendations
Conclusions and Ratings (if applicable)
Management's Action Plan (if applicable)


Rating System
Relatively common
Effective Controls = Positive Observation
Ineffective Controls = Negative Observation
Systems range from numerical to descriptive ratings
Disadvantage: relationship tension between IAs and area audited
Distribute Formal Communications
After all observations have been identified and assessed through the observation evaluation and escalation process, individually and in the aggregate, they must be communicated according to the results of that process
Communications must be reviewed and approved by the CAE or designee before they can be distributed
Then the CAE distributes the final engagement communication to management of the audited activity and members who can ensure the results are given due consideration and take corrective action
Assurance engagement communications are FORMAL or INFORMAL depending on the outcome as determined by the observation evaluation and escalation process
Formal Communications
Recipients of formal assurance engagement communications are senior management, the audit committee, the organization's independent outside auditor, and/or auditee management
Use when controls evaluated during an assurance engagement are:
- insignificantly compromised (although key controls are compromised)
- significantly compromised
- materially compromised
Formal communications used to be delivered as hard copies and Word documents but are now moving towards PowerPoint presentations; format is less important than covering all of the elements of a formal communication
Should Include
- The purpose and scope of the audit
- The time frame of the audit
- The observations and recommendations (results) of the audit, if any
- The conclusion (opinion/rating) of the internal audit function
- Management's response (action plan) to the recommendations
Informal Communications
Considered appropriate only when, during the observation
evaluation and escalation process, all observations were assessed
to be insignificant with no key controls compromised
Will cover insignificant observations related to secondary controls
that may be compromised and will only
Distributed only to management of the area that was the target of
the engagement informally via e-mail, face-to-face, meetings, or
conference calls
To satisfy the Standards relative to communicating assurance
engagement outcomes, it must still be communicated to senior
management, the audit committee, and the independent outside auditor
that NO observations were identified related to key controls
Quality of Communications
Standard 2420 states that communications must be:
1. Accurate- free from errors and distortions and faithful to the underlying
facts
2. Objective- fair, impartial, and unbiased; are the result of a fair-minded
and balanced assessment of all relevant facts and circumstances
3. Clear- easily understood and logical providing all significant and
relevant information; avoid using unnecessary technical language
4. Concise- to the point; avoid unnecessary elaboration, superfluous detail,
redundancies and wordiness
5. Constructive- helpful to the engagement client and the organization
and lead to improvements where needed
6. Complete- lack nothing essential to target audience; include all
significant and relevant information and observations to support
recommendations and conclusions
7. Timely- opportune and expedient, depending on significance of the
issue, allowing management to take appropriate corrective action
Practice Advisory 2420-1: Quality of Communications, additional guidance
Internal Auditors should:
1. Gather, evaluate, and summarize data and evidence with care and
precision
2. Derive and express observations, conclusions, and recommendations
without prejudice, partisanship, personal interests, and undue influence
of others
3. Improve clarity by avoiding unnecessary technical language and
providing all significant and relevant information in context
4. Develop communications with the objective of making each element
meaningful but succinct
5. Adopt a useful, positive, and well-meaning content and tone that
focuses on the organization's objectives
6. Ensure communication is consistent with the organization's style and
culture
7. Plan the timing of the presentation of engagement results to avoid
undue delay
Errors and Omissions
At times there will be an unintentional misstatement or omission
of significant information in the final engagement communication
According to Standard 2421: Errors and Omissions, if a final
communication contains a significant error or omission, the CAE
must communicate corrected information to all parties who
received the original communication
Perform Monitoring and Follow-up
As stated in the Standards, the
internal auditor is to establish a
follow-up process to monitor and
ensure that management actions
have been effectively implemented
or that senior management has
accepted the risk of not taking
action
Perform Monitoring and Follow-up
The internal auditor's job isn't done when the
engagement results are communicated.
During the engagement, the internal auditor
identifies observations and management must
make the choice to:
1. Implement changes to remediate the
observation
2. Accept the risk associated with making no
changes to the control
Management's decision determines the course of
the monitoring and follow-up procedures.
Implementation
Management implements suggested changes
Internal auditor monitors the progress of changes
Regularly follows up to assess efficiency and effectiveness of changes
Ensures that changes are made in accordance with the schedule defined in the final engagement communication
Documents findings for working papers and additional follow-up
Acceptance
Management accepts the risk
Chief Audit Executive evaluates management's decision
If it is believed that management has accepted a risk beyond the tolerance, the CAE must:
Discuss with management
If not resolved, must report it to the Board of Directors for resolution
Assurance Engagement Outcome
Specific focus of Chapter 14
Consulting engagement communications are discussed in Chapter 15
Questions?