Audit documentation

  • Created by: mumuna
  • Created on: 26-05-13 15:06

content and purpose of audit file and impact of DP

Performance std 2330 - CAE must control access to engagement records and must obtain SM approval or legal advisor prior to release to external parties

Practice advisory says IA should

  • records include reports, supporting doc, review notes and correspondence; property of org
  • may educate mgmt & board about access to records by external parties
  • policies explain those responsible for control and those that can be granted access
  • manage requests for access to substantive observations and recommendations - CAE approves
  • CAE may grant access to w/p by EA
  • CAE obtains legal advice with SM approval

IPPF + DPA act principles

2040 Policies and Procedures

The chief audit executive must establish policies and procedures to guide the internal audit activity.

Interpretation:
The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.

2330.A2
The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organisation's guidelines and any pertinent regulatory or other requirements.

In UK, DPA principles are relevant


DPA a

DPA Act is relevant to arrangements for external providers

Why - part of wider benefits of good privacy & external providers

  • protects org public image & brand
  • ensure confidentiality
  • protect valuable data on customers & staff
  • achieve competitive advantage
  • comply with privacy laws
  • enhance credibility/promote confidence and goodwill

DPA ACT applicable to manual and electronic records

  • requires those who handle personal information to comply and give individuals rights over their data
  • applied to all systems processing personal data

8 principles of DPA

The act contains eight “Data Protection Principles”. These specify that personal data must be:

1. Processed fairly and lawfully.

2. Obtained for specified and lawful purposes.

3. Adequate, relevant and not excessive.

4. Accurate and up to date.

5. Not kept any longer than necessary.

6. Processed in accordance with the “data subject’s” (the individual’s) rights.

7. Securely kept.

8. Not transferred to any other country without adequate protection in situ.


Justification and Coverage

Reasons include

  • Defines standard and method of work
  • lets auditors know what is expected
  • baseline for expected stds of performance

Coverage

  • governance, charter, strategy
  • conduction - risk based audit, system audit, CRSA
  • which means there is quality assurance that can be referred to
  • Administration of time recording, professional membership

content of documentation

this should include:

  • clear system for numbering & storing e.g. location, reference no. or function, all relevant audits, risk areas, subject & location e.g. organisational charts, job descriptions, authority limits, TORs, flowcharts, policy docs, manual, meeting notes
  • Standard docs include:
  • pre-audit checklist
  • workplans
  • TORs
  • CSQs
  • risk and control matrices
  • test summaries
  • action plans
  • administration - time recording and CPD, professional membership

importance and range of audit w/p, manual and elect

content

  • set out objectives - of work being undertaken - explain central system as ascertained and risk evaluated
  • contains hierarchy - audit no., auditor, date and supervision review
  • Being no. to help cross referencing
  • Set in logical and simily to facilitate review
  • show what was carried out to support opinion reached
  • show checks that will impact report - may be background or findings in the review

WHY

  • demonstrate compliance with IPPF
  • support all decisions & recommendations during and after engagement
  • aid development, planning, performance review of engagements
  • archive and record matters
  • INFO RECORDED MUST BE ADEQUATE FOR PURPOSE INTENDED

IPPF 2340 ENGAGEMENT SUPERVISION

2340 Engagement Supervision

Engagements must be properly supervised to ensure objectives are achieved, quality is assured and staff is developed.

