Planning
Fieldwork
Reporting
Project Closure
Follow up
100

This document summarizes the control environment, risk assessment, control activities, and monitoring for the audit entity in a risk-based audit.

What is the Audit Entity Profile (AEP)?

100

In risk-based audits, this process must be completed before providing positive assurance on the design of key controls.

What is the Walkthrough process?

100

Risk-based audit reports must be issued within this number of days after fieldwork completion.

What is 45 calendar days?

100

In risk-based audits, all workpapers must be completed, reviewed, and signed off before this event.

What is report issuance?

100

In case of an “Unsatisfactory” audit, a follow-up audit is required within this many months of the final report being issued.

12 months

200

In advisory reviews, this document formalizes the objectives, scope, and goals agreed with management and must be approved by the Audit Director. It must be conducted for each Advisory Review.

What is the Engagement Memorandum?

200

In advisory reviews, this document establishes the basis for all audit procedures and must allow for re-performance of the work.

What is the Advisory Summary Sheet?

200

Each audit issue in a risk-based audit report must be discussed with this group before inclusion in the draft.

What is management?

200

This meeting must be documented as part of project closure in both risk-based audits and advisory reviews.

What is the exit conference/meeting?

200

In risk-based audits, all outstanding actions must be tracked in this system.

What is the Issues Database?

300

During the planning phase, this meeting ensures engagement among operational, financial, and IT auditors, and data analytics resources.

What is the pre-planning meeting?

300

This type of information must be protected, redacted, or anonymized in audit documentation to comply with data privacy requirements.

What is Personal Identifiable Information (PII)?

300

Advisory reports must be approved by this person before issuance.

Who is the Audit Director?

300

This must be issued to key auditees to assess satisfaction and expectations within 30 days of the final report’s issuance.

What is the client satisfaction survey?

300

In advisory reviews, recommendations are entered as these, with due dates set a year from memo issuance.

What are Management Action Plans (MAPs)?

400

The audit scope period can end no more than this number of days prior to notification of the audit being sent to the auditees.

What is 30 days?

400

If an observation in an advisory review has a SOX implication, it must be reported according to this.

What is separate SOX guidance?

400

The distribution list for advisory review reports must always include this individual.

Who is the Chief Auditor?

400

This session is required for the advisory project team to discuss performance and continuous improvement.

What is the de-brief session?

400

For high-risk issues in risk-based audits, this type of testing is required to ensure completion of action plans.

What is full scope testing (walkthrough, substantive, or control testing)?

500

This is required at least two weeks prior to walkthroughs to notify the main auditee of the forthcoming engagement.

What is the Audit Notification?

500

The assessment of operational effectiveness in risk-based audits is based on these three elements.

What are testing methods, sample selection, and audit evidence?

500

In advisory reviews, the Chief Auditor must be copied on the report distribution list, regardless of the number of recommendations, but if there are more than this number of high-priority recommendations, the Audit Committee must also be notified.

What is 3 high-priority recommendations?

500

The lessons learned process must be completed within this number of days of the final report’s issuance.

What is 30 days?

500

Closure of recommendations in advisory reviews is based on this type of confirmation from the action owner.

What is written confirmation?