Condition (facts) - Factual evidence and description of controls as they exist (what is). What was found through testing.
Criteria - Standards, measures, expectations, policy, or procedures used in making the evaluation (what should exist).
Cause - What allowed or caused the condition to exist (the why).
Effect - Risk or exposure encountered because the condition is not consistent with the criteria (what could go wrong, both past and possible future impact). Considers both the impact (financial, reputational, safety, etc.) and the likelihood.
Compensating controls - Other controls in place to mitigate the observation. Includes monitoring.
Conclusion - Detailed analysis, assessment, and justification for evaluation classifications and final conclusions.
Detailed recommendation - What the internal audit function recommends. This recommendation must reconcile with management's solution as discussed during the preliminary communication process.Management solution - What management will do to fix the existing condition or prevent the problem from happening again.
Observation evaluation: COSO category, Classification, Assessment.
Evaluation performed by: Internal audit function, Business unit management, Independent outside auditor, Working paper reference.
Informal communication is considered appropriate only when, during the observation evaluation and escalation process, all observations were assessed to be insignificant with no key control activities compromised.
The informal communication will cover insignificant observations related to secondary control activities that might be compromised and will only be distributed to management representatives of the area that was the target of the audit.
Formal communications are assurance engagement communications for which the intended recipient is
senior management, the audit committee, the organization's independent outside auditor, and/or management to whom the key individuals within the area that is the subject of the audit report.
Formal communications are indicated when the controls evaluated during an assurance engagement are assessed to be:
insignificantly compromised with key control activities affected,
significantly compromised, or
Every assurance engagement, no matter if there are observations to report or not, must result in a final, formal communication for the internal audit function to fully discharge its responsibilities as outlined in the Standards.
According to the International Professional Practices Framework (IPPF), an engagement final communication should include, at minimum, which of the following?
I. Background information.
II. Purpose of the engagement.
III. Engagement scope.
IV. Results of the engagement.
a. I, II, and III.
b. I, III, and V.
c. II, III, and IV.
d. II, IV, and V.