Content and purpose of the audit file, and the impact of the DPA
Performance Standard 2330 - the CAE must control access to engagement records and must obtain senior management approval and/or legal counsel prior to release to external parties
The Practice Advisory says IA should:
- records include reports, supporting documentation, review notes and correspondence; they are the property of the organisation
- may educate management & the board about access to records by external parties
- policies explain who is responsible for control and who can be granted access
- manage requests for access to substantive observations and recommendations; the CAE approves
- CAE may grant access to working papers by the external auditors
- CAE obtains legal advice, with senior management approval
IPPF + DPA principles
IPPF + DPA act principles
2040 Policies and Procedures
The chief audit executive must establish policies and procedures to guide the internal audit activity.
The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.
2330.A2 (retention of engagement records): The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organisation's guidelines and any pertinent regulatory or other requirements.
In the UK the DPA principles are relevant
The DPA is also relevant to arrangements with external providers
Why - part of the wider benefits of good privacy practice & external-provider arrangements:
- protects the organisation's public image & brand
- ensures confidentiality
- protects valuable data on customers & staff
- achieves competitive advantage
- complies with privacy laws
- enhances credibility / promotes confidence and goodwill
The DPA applies to manual and electronic records
- requires those who handle personal information to comply with the principles, and gives individuals rights over their data
- applies to all systems processing personal data
8 principles of DPA
The act contains eight “Data Protection Principles”. These specify that personal data must be:
1. Processed fairly and lawfully.
2. Obtained for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept any longer than necessary.
6. Processed in accordance with the “data subject’s” (the individual’s) rights.
7. Kept secure (appropriate technical and organisational measures against unauthorised processing, loss or destruction).
8. Not transferred to a country outside the EEA without adequate protection in place.
Justification and Coverage
- define standards and methods of work
- let auditors know what is expected of them
- baseline for expected standards of performance
- governance - charter, strategy
- conduct of work - risk-based audit, systems audit, CRSA
- which means there is a quality-assurance baseline that can be referred to
- administration - time recording, professional membership
content of documentation
this should include:
- a clear system for numbering & storing, e.g. by location, reference no. or function, covering all relevant audits, risk areas, subjects & locations, e.g. organisational charts, job descriptions, authority limits, TORs, flowcharts, policy documents, manuals, meeting notes
- Standard docs include:
- pre-audit checklist
- risk and control matrices
- test summaries
- action plans
- administration - time recording, CPD, professional membership
Importance and range of audit working papers (manual and electronic)
- set out the objectives of the work being undertaken; explain the control system as ascertained and the risks evaluated
- contain a hierarchy - audit no., auditor, date and supervisory review
- are numbered to help cross-referencing
- are set out logically and simply to facilitate review
- show what work was carried out to support the opinion reached
- show the checks that will affect the report - may be background or findings in the review
- demonstrate compliance with the IPPF
- support all decisions & recommendations during and after the engagement
- aid the development, planning and performance review of engagements
- archive and record matters
- INFORMATION RECORDED MUST BE ADEQUATE FOR THE PURPOSE INTENDED
IPPF 2340 Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.