audit program guide - acuia.org self...


Post on 19-Jan-2020


_____________________ CREDIT UNION QUALITY ASSURANCE SELF-REVIEW

ASSESSMENT QUESTIONNAIRE

DEFINITIONS

1. “Chief Audit Executive” (CAE): The individual who is ultimately responsible for carrying out the internal audit activity.

2. “Internal Audit”: The internal auditor, internal audit activity or the collective group of internal audit personnel, depending upon context.

3. “Board”: The Supervisory Committee, Audit Committee, or other body that ultimately governs the internal audit activity.

INSTRUCTIONS

1. Survey selected auditees to obtain their views on authority and qualifications of the auditors, adequacy of coverage, usefulness of reports, etc. Make adjustments to Internal Audit practices as necessary.

2. Meet with the member of management to whom the CAE administratively reports to gain insight into expectations of and the direction provided to Internal Audit. Make adjustments to Internal Audit practices as necessary.

3. Complete the Self-Assessment Workpaper Review Checklist for a selection of audits. Make adjustments to Internal Audit practices as necessary.

4. Complete assessment questionnaire. Questions are structured so that a “yes” response indicates conformance with the Standards and Practice Advisories. For items with “no” answers, either adjust Internal Audit practices as necessary or be prepared to discuss compensating factors to the QAR reviewer.

Page 1 of 38document.docx

ASSESSMENT QUESTIONNAIRE

The specific Standard (STD), Interpretation (INT) or Practice Advisory (PA) applicable to each item is indicated in brackets.


1. Attribute Standard 1000, “Purpose, Authority, and Responsibility” Yes No N/A

a. Is the purpose, authority and responsibility of Internal Audit formally defined in an internal audit charter? [STD 1000]

b. Is the purpose, authority and responsibility consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards? [STD 1000]

c. Does the CAE periodically review the charter and present it to senior management and the Board for approval? [STD 1000]

d. Is the nature of assurance and consulting services defined in the charter? [STD 1000.A1]

e. If assurances are provided to third parties, is the nature of these assurances defined in the charter? [STD 1000.A1]

f. Does the charter establish Internal Audit’s position in the CU and the nature of the CAE’s functional reporting relationship with the Board? [INT 1000]

g. Does the charter authorize access to records, personnel and physical properties relevant to audit performance? [INT 1000]

h. Does the charter define the scope of Internal Audit activities? [INT 1000]

i. Does final approval of the charter reside with the Board? [INT 1000]

j. Does the CAE periodically assess whether Internal Audit’s purpose, authority and responsibility, as defined in the charter, continue to enable Internal Audit to accomplish its objectives? [PA 1000-1 #2]

2. Determine compliance with Attribute Standard 1010 “Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the Internal Audit Charter”:

Yes No N/A

a. Does the charter recognize the mandatory nature of the Definition of Internal Auditing, the Code of Ethics and the Standards? [STD 1010]

b. Does the CAE discuss the Definition, the Code and the Standards with senior management and the Board? [STD 1010]

3. Determine conformance with Attribute Standard 1100 “Independence and Objectivity”:

Yes No N/A

a. Is Internal Audit independent and objective in performing their work? [STD 1100]

b. Is Internal Audit free from conditions that threaten Internal Audit’s ability to carry out Internal Audit’s responsibilities in an unbiased manner? [INT 1100]


c. Does the CAE have direct and unrestricted access to senior management and the Board? [INT 1100]

d. Is there an unbiased mental attitude that allows Internal Audit to perform audits in such a manner that they believe in their work product and that no quality compromises are made? [INT 1100]

e. Does Internal Audit not subordinate its judgment on audit matters to others? [STD 1100]

f. Are threats to independence and objectivity managed at the individual auditor, audit, functional and Credit Union levels? [INT 1100]

4. Determine conformance with Attribute Standard 1110, “Organizational Independence”:

Yes No N/A

a. Does the CAE report to a level within the Credit Union that allows Internal Audit to fulfill its responsibilities? [STD 1110]

b. Does the CAE confirm to the Board, at least annually, the organizational independence of Internal Audit? [STD 1110]

c. Does the Board approve the charter and risk based audit plan? [INT 1110]

d. Does the CAE communicate with the Board on Internal Audit’s performance relative to the audit plan? [INT 1110]

e. Does the Board approve decisions regarding the appointment and removal of the CAE? [INT 1110]

f. Does the Board make appropriate inquiries of management and the CAE to determine whether there is inappropriate scope or resource limitations? [INT 1110]

g. Does support from senior management and the Board assist Internal Audit in gaining the cooperation of audit clients and performing their work free from interference? [PA 1110-1 #1]

h. If the CAE does not report to the Board, does the CAE report to an individual in the Credit Union with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of audit communications and appropriate action on audit recommendations? [PA 1110-1 #2]

5. Determine conformance with Attribute Standard 1110.A1 “Free from Interference”:

Yes No N/A

a. Is Internal Audit free from interference in determining the scope of internal auditing, performing work and communicating results? [STD 1110.A1]

6. Determine conformance with Attribute Standard 1111 “Direct Interaction With the Board”:

Yes No N/A


a. Does the CAE communicate and interact directly with the Board? [STD 1111]

b. Does the CAE regularly attend and participate in Board meetings that relate to the Board’s oversight for auditing, financial reporting, governance and control OR does the CAE meet privately with the Board at least annually? [PA 1111-1]

c. Is the CAE apprised of business and operational developments? [PA 1111-1 #1]

d. Does the CAE raise high-level risk, systems, procedures or control issues at an early stage? [PA 1111-1 #1]

7. Determine conformance with Attribute Standard 1120, “Individual Objectivity”:

Yes No N/A

a. Do Internal Auditors have an impartial, unbiased attitude and avoid any conflict of interest? [STD 1120]

b. Do Internal Auditors NOT have competing professional or personal interests that make it difficult to fulfill duties impartially? [INT 1120]

c. Are there NOT any appearances of impropriety that can undermine confidence in Internal Audit and the profession? [INT 1120]

d. Are Internal Auditors not placed in situations that could impair their ability to make objective professional judgments? [PA 1120-1 #1]

e. Does the CAE organize staff assignments that prevent potential and actual conflict of interest and bias, periodically obtaining information from the staff concerning potential conflict of interest, and rotating Internal Audit staff assignments periodically? [PA 1120-1 #2]

f. Are Internal Audit work results reviewed before audit communications are released to provide reasonable assurance that the work was performed objectively? [PA 1120-1 #3]

g. Does the Internal Auditor avoid designing, installing, or drafting procedures for operating systems? [PA 1120-1 #4]

h. If the Internal Auditor performs non-audit work occasionally, is there full disclosure in the reporting process? [PA 1120-1 #5]

i. If the Internal Auditor performs non-audit work occasionally, is there careful consideration by management and the Internal Auditor to avoid adversely affecting the Internal Auditor’s objectivity? [PA 1120-1 #5]

8. Determine conformance with Attribute Standard 1130, “Impairment to Independence or Objectivity”:

Yes No N/A

a. If independence or objectivity is impaired in fact or appearance, are the details of the impairment disclosed to appropriate parties? [STD 1130]


b. Are Internal Auditors required to disclose personal conflict of interest, scope limitations and resource limitations? [INT 1130]

c. Are Internal Auditors given unrestricted access to records, personnel and properties? [INT 1130]

d. Do Internal Auditors report to the CAE any situations in which an actual or potential impairment to independence or objectivity may reasonably be inferred? [PA 1130-1 #1]

e. Do Internal Auditors report to the CAE if they have questions about whether a situation constitutes an impairment to objectivity or independence? [PA 1130-1 #1]

f. Are scope limitations evaluated to determine if they preclude Internal Audit from accomplishing its objectives and plans? [PA 1130-1 #2]

g. Are scope limitations and the potential effects communicated in writing to the Board? [PA 1130-1 #3]

h. Do Internal Auditors decline fees, gifts or entertainment from employees, members, vendors or business associates that may create the appearance that the Auditor’s objectivity has been impaired? [PA 1130-1 #4]

i. Do Internal Auditors report immediately the offer of all material fees or gifts to their supervisors? [PA 1130-1 #4]

j. Are persons who are transferred to, or temporarily engaged by, Internal Audit not assigned to audit activities they previously performed or for which they had management responsibility until at least 1 year has elapsed? [PA 1130.A1-1]

k. Do Internal Auditors refrain from accepting responsibility for non-audit functions or duties that are subject to periodic Internal Audit assessments? [PA 1130.A2-1 #1]

9. Determine conformance with Attribute Standard 1130.A1, “Assessing Operations for Which Internal Auditors Were Previously Responsible”:

Yes No N/A

a. Does Internal Audit refrain from assessing specific operations for which they were previously responsible? [STD 1130.A1-1]

b. Does Internal Audit NOT provide assurance services for an activity for which the auditor had responsibility within the previous year? [1130.A1-1]

10. Determine conformance with Attribute Standard 1130.A2, “Internal Audit’s Responsibility for Other (Non-audit) Functions”

Yes No N/A


a. Are assurance audits for which the CAE has responsibility overseen by a party outside of Internal Audit? [STD 1130.A2]

b. When Internal Audit accepts operational responsibilities and that operation is part of the Internal Audit plan, does the CAE use a contracted third party to complete audits of those areas reporting to the CAE? [PA 1130.A2-1 #4]

c. Are Internal Audit’s operational responsibilities disclosed in the related audit report of those areas reporting to the CAE and in Internal Audit’s standard Board communication? [PA 1130.A2-1 #5]

11. Determine conformance with Attribute Standard 1200, “Proficiency and Due Professional Care”:

Yes No N/A

a. Are audits performed with proficiency and due professional care? [STD 1200]

b. Does the CAE ensure that auditors assigned to each audit collectively possess the necessary knowledge, skills and other competencies to conduct the audit appropriately? [PA 1200-1 #1]

c. Do Internal Auditors conform with the Code of Ethics, the Credit Union’s code of conduct and codes of conduct for other professional designations held by the Internal Auditor? [PA 1200-1 #2]

12. Determine conformance with Attribute Standard 1210, “Proficiency”: Yes No N/A

a. Do Internal Auditors possess the knowledge, skills and other competencies needed to perform their individual responsibilities? [STD 1210]

b. Does Internal Audit collectively possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities? [STD 1210]

c. Do Internal Auditors demonstrate their proficiency by obtaining appropriate professional certifications and qualifications? [INT 1210]

d. Are Internal Auditors proficient in applying internal audit standards, procedures, and techniques in performing audits? [PA 1210-1 #1]

e. Are Internal Auditors proficient in accounting principles and techniques if internal auditors work extensively with financial records and reports? [PA 1210-1 #1]

f. Do Internal Auditors have an understanding of management principles to recognize and evaluate the materiality and significance of deviations from good business practice? [PA 1210-1 #1]

g. Do Internal Auditors have an appreciation of the fundamentals of business subjects such as accounting, economics, commercial law, finance, quantitative methods, risk management, and fraud? [PA 1210-1 #1]


h. Are Internal Auditors skilled in dealing with people, understanding human relations and maintaining satisfactory relationships with audit clients? [PA 1210-1 #1]

i. Are Internal Auditors skilled in oral and written communications and able to clearly and effectively convey audit objectives, evaluations, conclusions and recommendations? [PA 1210-1 #1]

j. Has the CAE established suitable criteria of education and experience for filling internal audit positions? [PA 1210-1 #2]

k. Has the CAE obtained reasonable assurance as to each prospective auditor’s qualifications and proficiency? [PA 1210-1 #2]

l. Is there an annual analysis of Internal Audit’s knowledge, skills and other competencies? [PA 1210-1 #3]

13. Determine conformance with Attribute Standard 1210.A1 “Obtaining External Service Providers to Support or Complement Internal Audit”

Yes No N/A

a. Does the CAE obtain competent advice and assistance if the Internal Auditors lack the knowledge, skills or other competencies needed to perform all or part of an audit? [STD 1210.A1]

b. When the CAE uses the work of an external service provider, does the CAE perform appropriate vendor due diligence? [PA 1210.A1-1 #s4,5]

c. Does vendor due diligence include assessing the relationship of the vendor to the Credit Union and to Internal Audit to ensure independence and objectivity? [PA 1210.A1-1 #6]

d. If the vendor is the Credit Union’s CPA firm and the nature of the service is extended audit services, does the CAE determine that work performed does not impair the CPA firm’s independence? [PA 1210.A1-1 #8]

e. Does the CAE obtain proposals, engagement letters or contracts with sufficient information regarding the scope of the vendor’s work? [PA 1210.A1-1 #9]

14. Determine conformance with Attribute Standard 1210.A2 “Fraud Knowledge”

Yes No N/A

a. Do Internal Auditors have sufficient knowledge to evaluate the risk of fraud and the manner in which fraud is managed by the Credit Union? [STD 1210.A2]

15. Determine conformance with Attribute Standard 1210.A3 “Technology Knowledge”

Yes No N/A

a. Do Internal Auditors have sufficient knowledge of key information technology risks and controls? [STD 1210.A3]

b. Do Internal Auditors have available technology-based audit techniques to perform their assigned work? [STD 1210.A3]


16. Determine conformance with Attribute Standard 1220, “Due Professional Care”:

Yes No N/A

a. Do Internal Auditors apply the care and skill expected of a reasonably prudent and competent internal auditor? [STD 1220]

b. Are Internal Auditors alert to the possibility of fraud, intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, irregularities and conflicts of interest? [PA 1220-1 #1]

c. Do Internal Auditors identify inadequate controls and recommend improvements to promote conformance with procedures? [PA 1220-1 #1]

d. Do Internal Auditors conduct examinations and verifications to a reasonable extent? [PA 1220-1 #2]

e. Do Internal Auditors NOT give absolute assurance that noncompliance or irregularities do not exist? [PA 1220-1 #2]

17. Determine conformance with Attribute Standard 1220.A1 “Due Professional Care Considerations”:

Yes No N/A

a. Do Internal Auditors consider the extent of work needed to achieve audit objectives and the complexity, materiality or significance of matters to which audit procedures are applied? [STD 1220.A1]

b. Do Internal Auditors consider the adequacy and effectiveness of governance, risk management and control processes? [STD 1220.A1]

c. Do Internal Auditors consider the probability of significant errors, fraud or noncompliance? [STD 1220.A1]

d. Do Internal Auditors consider the cost of the audit in relation to potential benefits? [STD 1220.A1]

18. Determine Conformance with Attribute Standard 1220.A2 “Technology Based Audit”:

Yes No N/A

a. Do Internal Auditors consider the use of technology-based audit and other data analysis techniques? [STD 1220.A2]

19. Determine Conformance with Attribute Standard 1220.A3 “Significant Risks”

Yes No N/A


a. Are Internal Auditors alert to significant risks that might affect objectives, operations or resources? [Standard 1220.A3]

20. Determine conformance with Attribute Standard 1230, “Continuing Professional Development”:

Yes No N/A

a. Do Internal Auditors enhance their knowledge, skills and other competencies through continuing professional development? [STD 1230]

b. Have Internal Auditors stayed informed about improvements and current developments in internal audit standards, procedures, techniques and guidance? [PA 1230-1 #1]

c. Have Internal Auditors pursued continuing professional education (related to the Credit Union’s activities and credit union industry) to maintain proficiency with regard to the governance, risk and control processes unique to the Credit Union? [PA 1230-1 #3]

d. Have Internal Auditors with professional certifications obtained sufficient CPE to satisfy recertification requirements? [PA 1230-1 #5]

21. Determine conformance with Attribute Standards 1300 “Quality Assurance and Improvement Program”:

Yes No N/A

a. Has the CAE developed and maintained a quality assurance and improvement program (QA&IP) that covers all aspects of Internal Audit? [STD 1300]

b. Is the QA&IP designed to enable an evaluation of Internal Audit’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics? [INT 1300]

c. Does the QA&IP assess the efficiency and effectiveness of Internal Audit and identify opportunities for improvement? [INT 1300]

d. Has the CAE implemented processes designed to provide reasonable assurance to the various stakeholders that Internal Audit is adding value and improving the Credit Union’s operations? [PA 1300-1 #2]

e. Is the QA&IP sufficiently comprehensive to encompass all aspects of Internal Audit operation and management? [PA 1300-1 #3]

f. Is the QA&IP Process performed by or under the direct supervision of the CAE? [PA 1300-1 #3]

22. Determine conformance with Attribute Standard 1310, “Requirements of the QA&IP”

Yes No N/A

a. Does the QA&IP include both internal and external assessments? [STD 1310]

b. Is there an ongoing and periodic assessment of the entire work performed by Internal Audit? [PA 1310-1 #1]


c. Are assessments composed of rigorous, comprehensive processes; continuous supervision and testing of Internal Audit work; and periodic validations of conformance with the Definition, the Code and the Standards? [PA 1310-1 #1]

d. Are there ongoing measurements and analyses of performance metrics (e.g. plan accomplishment, cycle time, recommendations accepted, customer satisfaction)? [PA 1310-1 #1]

e. If assessment results indicate areas for improvement by Internal Audit, does the CAE implement the improvements through the QA&IP? [PA 1310-1 #1]

f. Do assessments evaluate and conclude on Internal Audit quality and lead to recommendations for appropriate improvements? [PA 1310-1 #2]

g. Does the QA&IP include an evaluation of: adequacy of the Internal Audit charter, goals, objectives, policies and procedures; contribution to the Credit Union’s governance, risk management, and control processes; effectiveness of continuous improvement activities and adoption of best practices; the extent to which Internal Audit adds value and improves the Credit Union’s operations? [PA 1310-1 #2]

h. Do QA&IP efforts include follow-up on recommendations involving appropriate and timely modification of resources, technology, processes, and procedures? [PA 1310-1 #3]

i. Does the CAE report to senior management and the Board on the quality program efforts and results at least annually? [PA 1310-1 #4]

23. Determine conformance with Attribute Standard 1311, “Internal Assessments”:

Yes No N/A

a. Do internal assessments include ongoing performance monitoring and periodic self-assessments or assessment by other persons in the Credit Union with sufficient knowledge of Internal Audit practices? [STD 1311]

b. Is ongoing monitoring an integral part of the day-to-day supervision, review and measurement of Internal Audit? [INT 1311]

c. Is ongoing monitoring incorporated into the routine policies and practices used to manage Internal Audit? [INT 1311]

d. Are periodic assessments conducted to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards? [INT 1311]


e. Do persons conducting the self-assessment understand all the elements of the International Professional Practices Framework? [INT 1311]

f. Does ongoing assessment include: audit supervision; checklists and procedures are being followed; feedback from audit customers and other stakeholders; selective peer reviews of workpapers by staff not involved in the respective audits; project, budgets, timekeeping systems, audit plan completion, cost recoveries; analysis of other performance metrics (e.g. cycle time, recommendations accepted)? [PA 1311-1 #1]

g. Are conclusions developed as to the quality of ongoing performance and is follow up action taken to ensure appropriate improvements are implemented? [PA 1311-1 #2]

h. Has the CAE established a results reporting structure that maintains appropriate credibility and objectivity? [PA 1311-1 #7]

i. Does the CAE report results of internal assessments, action plans, and successful implementation to senior management and the Board at least annually? [PA 1311-1 #8]

24. Determine conformance with Attribute Standard 1312, “External Assessments”:

Yes No N/A

a. Are external assessments conducted at least once every 5 years by a qualified, independent assessor or assessment team from outside the Credit Union? [STD 1312]

b. Does the CAE discuss with the Board the form and frequency of external assessments and the qualifications and independence of the external assessor/assessment team, including any potential conflict of interest? [STD 1312]

c. Is the external assessment in the form of a full-external assessment or a self-assessment with independent validation? [STD 1312]

d. Did the assessor/assessment team demonstrate competence in internal auditing professional practice and the external assessment process? [INT]

e. Did the assessor/assessment team not have a real or apparent conflict of interest and was not part of, or under the control of, the Credit Union? [INT]

f. Do the external assessments cover the entire spectrum of audit and consulting work and the QA&IP program? [PA 1312-1 #1]

g. Is the engagement NOT a reciprocal external assessment between the Credit Union and another organization? [PA 1312-3 #1]


h. Do external assessments include benchmarking, identification and reporting of leading practices? [PA 1312-1 #1]

i. Does the scope clearly state the expected deliverables of the external assessment? [PA 1312-1 #1]

j. Is there an expressed opinion as to the entire spectrum of audit work performed, conformance with the Framework; and recommendations for improvement? [PA 1312-1 #2]

k. Upon completion of the review, is a formal communication given to senior management and the Board? [PA 1312-1 #3]

l. Are external assessment reviewers free from any obligation to, or interest in the Credit Union or Credit Union personnel? [PA 1312-1 #5]

m. Are external reviewers honest and candid within the constraints of confidentiality; objective, impartial? [PA 1312-1 #6]

n. Are external reviewers competent, CIAs, who possess current, in-depth knowledge of the Standards? [PA 1312-1 #7]

o. Are external reviewers well-versed in internal audit best practices and have at least 3 years internal audit experience or related consulting at the management level? [PA 1312-1 #7]

p. Does the CAE involve senior management and the Board in determining the approach and selection of an external assessment provider? [PA 1312-1 #9]

q. Does the external assessment scope include the following internal auditing elements: conformance with the Framework, internal audit charter, plans, policies, procedures and practices; expectations expressed by the Board, senior management and operational managers; Internal Audit’s integration into the Credit Union’s governance process and the relationship among the key governance groups; Internal Audit tools and techniques; mix of knowledge, experience and disciplines within Internal Audit staff and staff focus on process improvement; determination as to whether or not Internal Audit adds value and improves the Credit Union’s operations? [PA 1312-1 #10]

r. Are the preliminary review results discussed with the CAE during, and at the conclusion of the assessment? Are copies sent directly to appropriate members of senior management and the Board? [PA 1312-1 #11]

s. Are final results communicated with the person who authorized the review for the Credit Union? [PA 1312-1 #11]


t. Does the communication include: an opinion on Internal Audit’s conformance with the Framework based on a structured rating process; an assessment and evaluation of best practices use; recommendations for improvement; response from the CAE that includes an action plan and implementation dates? [PA 1312-1 #12]

u. Does the CAE communicate the assessment results, including specifics of remedial actions for significant issues and subsequent information as to the planned action accomplishments? [PA 1312-1 #13]

v. Does the CAE communicate the results with the various stakeholders of the activity, such as senior management, the Board and external auditors? [PA 1312-1 #13]

25. For Self-Assessment with Independent Validation, determine conformance with PA 1312-2

Yes No N/A

a. Was there a comprehensive and fully documented self-assessment process, which emulates an external assessment process, at least with respect to evaluation of conformance with the Framework? [PA 1312-2 #1]

b. Was there an independent, on-site validation by a qualified, independent reviewer? [PA 1312-2 #1]

c. Was the same guidance and criteria set forth in PA 1312-1 followed for the Self-Assessment with Independent Validation? [PA 1312-2 #3]

d. Did a team under the CAE’s direction perform and fully document the self-assessment process? [PA 1312-2 #4]

e. Was a draft report similar to that for an external assessment, prepared including the CAE’s judgment on Standards conformance? [PA 1312-2 #4]

f. Did the qualified, independent reviewer perform sufficient tests of the self-assessment to validate the results and express the indicated level of conformance? [PA 1312-2 #5]

g. Did the external reviewer, upon completion of a rigorous review of the self-assessment evaluation, review the draft report and attempt to reconcile any unresolved issues? [PA 1312-2 #6]

h. Did the external reviewer modify the report as needed, or prepare a separate independent validation report? [PA 1312-1 #6]

i. Was the final report signed by the self-assessment team and the external reviewer and issued by the CAE to senior management and the Board? [PA 1312-2 #7]

26. Determine conformance with Attribute Standard 1320, “Reporting on the Quality Program”:

Yes No N/A


a. Does the CAE communicate the results of the QA&IP to senior management and the Board? [STD 1320]

b. Is the form, content and frequency of communicating the results of the QA&IP established through discussion with senior management and the Board? [INT]

c. Are the results of external and periodic internal assessments communicated upon completion of the assessments, and ongoing monitoring results communicated at least annually? [INT]

d. Do the results include the assessor’s evaluation with respect to the degree of conformance? [INT]

28. Determine conformance with Attribute Standard 1321, “Use of Conforms with the International Standards for the Professional Practice of Internal Auditing”:

Yes No N/A

a. Does the CAE state that Internal Audit conforms with the Standards only if results of the QA&IP support the statement? [STD 1321]

b. Does the CAE use the conformance phrase only if an external assessment has been completed within 5 years, and ongoing and periodic assessments have been conducted? [PA 1321-1 #2]

c. Does the CAE use the phrase only if assessments and monitoring concluded that Internal Audit was in conformance? [PA 1321-1 #2]

d. Does the CAE disclose instances of nonconformance that impact Internal Audit’s overall operation scope, including failure to obtain an external assessment within 5 years, to senior management and the Board? [PA 1321-1 #3]

e. Before the CAE uses the conformance phrase, are instances of non-conformance adequately remedied, documented, and reported to the relevant reviewer to obtain concurrence? [PA 1321-1 #4]

29. Determine conformance with Attribute Standard 1322, “Disclosure of Non-Conformance”:

Yes No N/A

a. Does the CAE disclose nonconformance and the impact to senior management and the Board when the nonconformance impacts the overall scope of operation of Internal Audit? [STD 1322]

30. Determine conformance with Performance Standard 2000, “Managing Internal Audit”:

Yes No N/A

a. Does the CAE effectively manage Internal Audit to ensure it adds value to the Credit Union? [STD 2000]

b. Do the results of Internal Audit’s work achieve the purpose and responsibility included in the Internal Audit Charter? [INT]

c. Does Internal Audit provide objective and relevant assurance? [INT]


d. Does Internal Audit contribute to the effectiveness and efficiency of governance, risk management and control processes? [INT]

31. Determine conformance with Performance Standard 2010, “Planning”: Yes No N/A

a. Does the CAE establish a risk-based plan to determine Internal Audit priorities, consistent with the Credit Union’s goals? [STD 2010]

b. Does the CAE take into account the Credit Union’s risk management framework including using management’s risk appetite level for the different CU activities? [INT]

c. If a framework does not exist, does the CAE use judgment of risks after consideration of input from senior management and the board? [INT]

d. Does the CAE review and adjust the plan in response to changes in the Credit Union’s business, risks, operations, programs, systems, and controls? [INT]

32. Determine conformance with Performance Standard 2010.A1 “Risk Assessment”

Yes No N/A

a. Is Internal Audit’s audit plan based on a documented risk assessment, undertaken at least annually? [STD 2010.A1]

b. Did the CAE consider senior management and the Board’s input in Internal Audit’s risk assessment? [STD 2010.A1]

c. Does the audit universe include components from the Credit Union’s strategic plan? [PA 2010-1 #2]

d. Are key audit objectives to provide management and the Board with assurance and information to help them accomplish the Credit Union’s objectives, including an assessment of the effectiveness of management’s risk management activities? [PA 2010-1 #3]

e. Is the audit universe updated at least annually to reflect the most current strategies, Credit Union direction, operations, programs, systems, and controls? [PA 2010-1 #4]

f. Are audit work schedules based on a risk assessment so that resources are prioritized? [PA 2010-1 #5]

g. In audit planning, does Internal Audit consider the significant risks of the activity and the controls to mitigate the risk to an acceptable level? [PA 2010-2 #5]

h. Does the Internal Audit Charter require a focus on high risk areas? [PA 2010-2 #10]

i. Does Internal Audit identify unnecessary, redundant, excessive or complex controls that inefficiently reduce risk? [PA 2010-2 #10]

j. Is the approach to risk identification systematic and clearly documented? [PA 2010-2 #11]

k. Is there a periodic selection of lower risk level audits in the plan to give them coverage and confirm their risks have not changed? [PA 2010-2 #14]

l. Does the Internal Audit plan focus on: unacceptable current risks where action is required; control systems on which the Credit Union is most reliant; areas where there is great difference between inherent and residual risk; areas where the inherent risk is very high? [PA 2010-02 #15]

33. Determine conformance with Performance Standard 2010.A2 “Expectations”

Yes No N/A

a. Did the CAE identify and consider the expectations of senior management, the Board and other stakeholders for Internal Audit opinions and other conclusions? [STD 2010.A2]

34. Determine conformance with Performance Standard 2020, “Communication & Approval”:

Yes No N/A

a. Does the CAE communicate Internal Audit’s plans and resource requirements/limitations, including significant interim changes, to senior management and the Board for review and approval? [STD 2020]

b. Does the CAE communicate the impact of resource limitations? [STD 2020]

c. Does the CAE submit annually to senior management and the Board for review and approval a summary of the Internal Audit plan, work schedule, staffing plan, and financial budget? [PA 2020-1 #1]

d. Does the summary inform senior management and the Board of the scope of Internal Audit work and any limitations placed on that scope? [PA 2020-1 #1]

e. Does the CAE submit all significant interim changes for approval and information? [PA 2020-1 #1]

f. Do the approved work schedule, staffing plan, financial budget, and interim changes contain sufficient information to enable senior management and the Board to determine whether Internal Audit’s objectives and plans support those of the Credit Union and the Board and are consistent with the Internal Audit Charter? [PA 2020-1 #2]

35. Determine conformance with Performance Standard 2030, “Resource Management”:

Yes No N/A

a. Does the CAE ensure Internal Audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan? [STD 2030]

b. Are the skills, capabilities and technical knowledge of Internal Audit staff appropriate for the planned activities? [PA 2030-1 #2]

c. Does the CAE conduct a periodic skills assessment to determine specific skills required to perform Internal Audit activities? [PA 2030-1 #2]

d. Are Internal Audit resources sufficient to execute the audit activities in the breadth, depth, and timeliness expected by senior management and the Board, as stated in the Internal Audit Charter? [PA 2030-1 #3]

e. Has the CAE considered succession planning, staff evaluations and development programs and other HR disciplines? [PA 2030-1 #5]

f. Does the CAE maintain ongoing communications and dialog with senior management and the Board on the adequacy of Internal Audit resources? [PA 2030-1 #6]

g. Has the CAE developed appropriate metrics, goals and objectives to monitor the overall resource adequacy? [PA 2030-#6]

36. Determine conformance with Performance Standard 2040, “Policies & Procedures”:

Yes No N/A

a. Has the CAE established policies and procedures to guide Internal Audit? [STD 2040]

b. Are the policies and procedures appropriate for Internal Audit’s size, structure, and complexity of its work? [STD 2040]

37. Determine conformance with Performance Standard 2050, “Coordination”:

Yes No N/A

a. Does the CAE share information and coordinate activities with other assurance and consulting services providers to ensure proper coverage and minimize duplication of efforts? [STD 2050]

b. If the Credit Union uses the work of external auditors to provide assurance related to activities within the scope of internal auditing, does the CAE understand the work of the external auditors? [PA 2050-1 #2]

c. If the external auditor relies on Internal Audit’s work in performing their work, does the CAE provide sufficient information to enable the external auditors to understand Internal Audit’s techniques, methods and terminology? [PA 2050-1 #3]

d. Are Internal Audit’s final communications, management’s responses and subsequent follow-up made available to external auditors? [PA 2050-1 #6]

e. Does Internal Audit have access to the external auditors’ materials and management letters? [PA 2050-1 #6]

f. Does the CAE regularly evaluate the coordination between internal and external auditors? [PA 2050-1 #7]

g. Does Internal Audit consider areas of inadequate coverage when developing the audit plan? [PA 2050-2 #9]

h. If the CAE believes that the assurance coverage is inadequate or ineffective, does the CAE advise senior management and the Board? [PA 2050-2 #13]

i. Does the Internal Audit charter and/or engagement letter specify that Internal Audit has access to the work of providers? [PA 2050-3 #3]

j. Does Internal Audit document audit expectations in a contract or agreement? [PA 2050-3 #4]

k. Do minimum expectations include: nature and ownership of deliverables; methods/techniques; nature of procedures and data/information to be used; progress reports/supervision? [PA 2050-3]

l. Does Internal Audit evaluate the provider’s: independence and objectivity; competency and qualifications; elements of practice; adequacy of execution; sufficiency of audit evidence? [PA 2050-3 #6-#10]

m. Does Internal Audit incorporate the provider’s results in the overall report of assurance to the Board? [PA 2050-3 #11]

n. Does Internal Audit follow up on the adequacy, effectiveness, and timeliness of actions taken by management on recommendations? [PA 2020-3 #12]

38. Determine conformance with Performance Standard 2060, “Reporting to Senior Management and the Board”:

Yes No N/A

a. Does the CAE report periodically to senior management and the Board on Internal Audit’s purpose, authority, responsibility and performance relative to its plan? [STD 2060]

b. Does reporting include significant risk exposures and control issues, including fraud risks, governance issues and other matters needed or requested by senior management and the Board? [STD 2060]

c. Does the frequency and content of reporting depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the Board? [INT]

39. Determine conformance with Performance Standard 2070 “External Service Provider and CU Responsibility for Internal Auditing”:

Yes No N/A

a. When an external service provider serves as Internal Audit, does the provider make the Credit Union aware that the Credit Union has the responsibility for maintaining an effective internal audit activity? [STD 2070]

b. Is the Credit Union’s responsibility demonstrated through the QA&IP? [INT]

40. Determine conformance with Performance Standard 2100, “Nature of Work”:

Yes No N/A

a. Does Internal Audit evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach? [STD 2100]

41. Determine conformance with Performance Standard 2110, “Governance”:

Yes No N/A

a. Does Internal Audit assess and make appropriate recommendations for improving the governance process? [STD 2100]

b. Does the CAE work with the Board and management to determine how governance should be defined for audit purposes? [PA 2110-1 #6]

c. Does the CAE consider the relationship between governance, risk and controls in planning assessments of governance processes? [PA 2110-2 #6]

d. Does Internal Audit provide assessments of the design and operating effectiveness of the Credit Union’s governance processes? [PA 2110-03 #1]

e. Are governance processes considered in the risk assessment? [PA 2110-3 #3]

f. Does Internal Audit consider: the results of specific governance process audits; governance issues arising from non-governance audits; results of other internal/external assurance providers; adverse incidents indicating improvement opportunities? [PA 2110-3 #5]

g. Is Internal Audit sensitive to the potential nature and ramifications of the results, and does it ensure appropriate communications with the Board and executive management? [PA 2110-3 #6]

42. Determine conformance with Performance Standard 2110.A1 “Ethics Evaluation”:

Yes No N/A

a. Does Internal Audit evaluate the design, implementation, and effectiveness of the credit union’s ethics-related objectives, programs and activities? [STD 2110.A1]

43. Determine conformance with Performance Standard 2110.A2 “IT Governance”:

Yes No N/A

a. Does Internal Audit assess whether the Credit Union’s IT governance supports the Credit Union’s strategies and objectives? [STD 2110.A2]

44. Determine conformance with Performance Standard 2120, “Risk Management”:

Yes No N/A

a. Does Internal Audit evaluate the effectiveness and contribute to the improvement of risk management processes? [STD 2120]

b. Does Internal Audit assess whether: the Credit Union’s objectives support and align with the Credit Union’s mission; significant risks are identified and assessed; appropriate risk responses are selected that align risks with the Credit Union’s risk appetite; relevant information is captured and communicated in a timely manner across the Credit Union? [INT 2120]

c. If the Credit Union does not have a formal risk assessment process, does the CAE formally discuss with management and the Board their obligations to understand, manage, and monitor Credit Union risks? [PA 2120-1 #3]

d. Has the CAE obtained an understanding of senior management and the Board’s expectations of Internal Audit in the Credit Union’s risk management process? [PA 2120-1 #4]

e. Is this understanding codified in Internal Audit and Board charters? [PA 2120-1 #4]

f. Are Internal Audit’s responsibilities coordinated between all groups and individuals within the Credit Union’s risk management process? [PA 2120-1 #4]

g. If Internal Audit has taken on management’s responsibility for the risk management process, has that role and the potential threat to independence been discussed and approved by the Board? [PA 2120-1 #5]

h. Has Internal Audit determined that the methodology chosen is sufficiently comprehensive and appropriate for the nature of the Credit Union’s activities? [PA 2120-1 #7]

i. Has Internal Audit obtained sufficient and appropriate evidence to determine that the key objectives of the risk management processes are being met to form an opinion on the adequacy of the risk management processes? [PA 2120-1 #8]

j. Has the CAE considered the risks related to Internal Audit and the achievement of audit objectives? [PA 2120-2 #1]

k. Has Internal Audit ensured that it is managing its own risks? [PA 2120-2 #2]

l. Is the use of Internal Audit in assisting the Credit Union to identify and evaluate significant exposures to risk clearly defined for projects other than internal audits? [PA 2120-2 #7]

45. Determine conformance with Performance Standard 2120.A1, “Evaluating Risk Exposures”:

Yes No N/A

a. Does Internal Audit evaluate risk exposures relating to the Credit Union’s governance, operations and information systems regarding: the achievement of Credit Union strategic objectives; reliability and integrity of financial and operational information; effectiveness and efficiency of operations and programs; safeguarding of assets; compliance with laws, regulations, policies, procedures and contracts? [STD 2120.A1]

46. Determine conformance with Performance Standard 2120.A2, “Fraud Risk”:

Yes No N/A

a. Does Internal Audit evaluate the potential for fraud and how the Credit Union manages fraud risk? [STD 2120.A2]

47. Determine conformance with Performance Standard 2130, “Assessing the Adequacy of Control Processes”:

Yes No N/A

a. Does Internal Audit assist the Credit Union in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement? [STD 2130]

b. Does the CAE provide assurance about the effectiveness of the risk management and control processes in select activities and functions of the Credit Union? [PA 2130-1 #2]

c. Does the CAE form an overall opinion about the adequacy and effectiveness of the control processes? [PA 2130-1 #3]

d. Is the CAE’s overall opinion based on sufficient audit evidence obtained through completed audits, and reliance on the work of other assurance providers? [PA 2130-1 #3]

e. Does the CAE communicate the overall opinion to senior management and the Board? [PA 2130-1 #3]

f. Does the audit plan obtain sufficient evidence to evaluate the effectiveness of the control processes? [PA 2130-1 #4]

g. Does the audit plan obtain sufficient evidence about all major operating units and business functions, and a review of the major control processes operating across the Credit Union? [PA 2130-1 #4]

h. Does the audit plan give special consideration to those operations most affected by recent or unexpected changes? [PA 2130-1 #5]

i. Does the audit plan have sufficient breadth of coverage to enable the expression of an opinion about the Credit Union’s risk management and control processes? [PA 2130-1 #7]

j. Does the CAE inform senior management and the Board of any gaps in audit coverage that would prevent the expression of an opinion on all aspects of the risk management and control processes? [PA 2130-1 #7]

k. In evaluating the overall effectiveness, does the CAE consider whether: significant discrepancies or weaknesses were discovered; corrections or improvements were made; the discoveries and their potential consequences lead to a conclusion that a pervasive condition exists resulting in an unacceptable level of risk? [PA 2130-1 #9]

48. Determine conformance with Performance Standard 2130.A1 “Controls Response to Risk”:

Yes No N/A

a. Does Internal Audit evaluate the adequacy and effectiveness of controls in responding to risks within the Credit Union’s governance, operations and information systems regarding: the achievement of the Credit Union’s strategic objectives; reliability and integrity of financial and operational information; effectiveness and efficiency of operations and programs; safeguarding of assets; compliance with laws, regulations, policies, procedures and contracts? [STD 2130.A1]

b. Has Internal Audit determined whether senior management and the Board have a clear understanding that information reliability and integrity is a management responsibility? [PA 2130.A1 #1]

c. Does Internal Audit possess, or have access to, competent audit resources to evaluate information reliability and integrity and associated risk exposures? [PA 2130.A1-1 #2]

d. Does the CAE determine whether information reliability and integrity breaches and conditions that might represent a Credit Union threat will promptly be made known to senior management, the Board, and Internal Audit? [PA 2130.A1-1 #3]

e. Does Internal Audit assess the effectiveness of preventive, detective, and mitigation measures against past attacks, and future attempts or incidents deemed likely to occur? [PA 2130.A1-1 #4]

f. Does Internal Audit assess the Credit Union’s information reliability and integrity practices, and recommend enhancements to, or implementation of, new controls and safeguards? [PA 2130.A1-1 #5]

g. Does Internal Audit assess the adequacy of management’s identification of risks related to its privacy objectives and the adequacy of the controls established to mitigate those risks to an acceptable level? [PA 2130.A1-2 #4]

h. Does Internal Audit identify the types and appropriateness of personal/private information gathered by the Credit Union, the collection methodology, and whether the Credit Union’s use of the information is in accordance with its intended use and applicable legislation? [PA 2130.A1-2 #5]

i. Does Internal Audit have the appropriate knowledge and competence to conduct an assessment of the Credit Union’s privacy framework risk and controls? [PA 2130.A1-2 #6]

49. Determine conformance with Performance Standard 2200, “Engagement Planning”:

Yes No N/A

a. Does Internal Audit develop and document a plan for each audit, including the audit scope, timing, and resource allocations? [STD 2200]

b. Does Internal Audit plan and conduct the audit with supervisory review and approval? [PA 2200-1 #1]

c. Does the Audit Plan: state the objectives of the audit; identify technical requirements, objectives, risks, processes and transactions to be examined; state nature and extent of testing required; document procedures for collecting, analyzing, interpreting and documenting information during the audit; get modified, as appropriate, during the audit with the approval of the CAE? [PA 2200-1 #1]

d. Does the CAE require a level of formality and documentation that is appropriate to the Credit Union? [PA 2200-1 #2]

e. Does Internal Audit determine: period covered; estimated completion date; final communication format? [PA 2200-1 #3]

f. Does Internal Audit inform management, conduct meetings with management responsible for the audited activity, summarize and distribute discussion and conclusions from the meetings? [PA 2200-1 #4]

g. Does the CAE determine how, when and to whom the audit results will be communicated? [PA 2200-1 #5]

h. Does Internal Audit communicate to management subsequent changes that affect timing or reporting of audit results? [PA 2200-1 #5]

i. Is the scope definition based on the more significant risks to the Credit Union? [PA 2200-2 #3]

j. Are both manual and automated controls assessed and does Internal Audit assess whether there is an appropriate combination of controls? [PA 2200-2 #4]

k. Does the scope include all controls required to provide reasonable assurance that risks are effectively managed (key controls)? [PA 2200-2 #5]

l. Does Internal Audit discuss with management whether non-key controls are required? [PA 2200-2 #5]

m. Does Internal Audit include in the scope of at least 1 audit an assessment of the design of the key controls as a whole (across all the related Internal Audit audits) and whether it is sufficient to manage risks within Credit Union tolerances? [PA 2200-2 #10]

50. Determine conformance with Performance Standard 2201, “Planning Considerations”:

Yes No N/A

a. In planning the audit, does Internal Audit consider: Credit Union objectives and controls over the area’s performance; significant risks to the activity and risk mitigation; adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model; opportunities for making significant improvements to the activity’s governance, risk management, and control processes? [STD 2201]

51. Determine conformance with Performance Standard 2201.A1, “Third-Party Planning Considerations”:

Yes No N/A

a. When planning an audit for third parties, does Internal Audit establish written understanding of objectives, scope, respective responsibilities, and restrictions on results distribution? [STD 2201.A1]

52. Determine conformance with Performance Standard 2210, “Engagement Objectives”:

Yes No N/A

a. Are objectives established for each audit? [STD 2210]

b. Do the objectives proceed and align to those initially identified during the risk assessment process from which the internal audit plan is derived? [PA 2210-1 #1]

c. For unplanned audits, are objectives established prior to the start of the audit, and designed to address the specific issues that prompted the audit? [PA 2210-1 #1]

d. After identifying the risks, does Internal Audit determine the procedures to be performed and the scope of the procedures? [PA 2210-1 #3]

e. Are audit procedures performed in appropriate scope the means to derive conclusions related to the audit objectives? [PA 2210-1 #3]

53. Determine conformance with Performance Standard 2210.A1, “Engagement Risk Assessment”:

Yes No N/A

a. Does Internal Audit conduct a preliminary risk assessment? [STD 2210.A1]

b. Do audit objectives reflect the results of the risk assessment? [STD 2210.A1]

c. Does Internal Audit review management’s risk assessment process? [PA 2210.A1-1 #1]

d. Does Internal Audit obtain or update background information about the activities to be reviewed to determine impact on the audit objectives and scope? [PA 2210.A1-1 #2]

e. Does Internal Audit conduct a survey to become familiar with the activities, risks and controls to identify audit emphasis, and to invite comments and suggestions from audit clients? [PA 2210.A1.1 #3]

f. Does Internal Audit summarize: significant audit issues; objectives and procedures; methodologies; critical control points and deficiencies, and/or excess controls? [PA 2210.A1-1 #4]

54. Determine conformance with Performance Standard 2210.A2, “Errors, Fraud and Non-compliance”:

Yes No N/A

a. Does Internal Audit consider the probability of significant errors, fraud, and noncompliance when developing audit objectives? [STD 2210.A2]

55. Determine conformance with Performance Standard 2210.A3, “Objective and Goals Criteria”:

Yes No N/A

a. Does Internal Audit ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished? [STD 2210.A3]

b. If adequate, does Internal Audit use the criteria in their evaluation? [STD 2210.A3]

c. If inadequate, does Internal Audit work with management and/or the board to develop appropriate evaluation criteria? [STD 2210.A3]

56. Determine conformance with Performance Standard 2220, “Engagement Scope”:

Yes No N/A

a. Is the audit scope sufficient to achieve the audit objectives? [STD 2220]

57. Determine conformance with Performance Standard 2220.A1, “Scope Completeness”:

Yes No N/A

a. Does the audit scope include consideration of relevant systems, records, personnel and physical properties, including those under control of third parties? [STD 2220.A1]

58. Determine conformance with Performance Standard 2220.A2, “Consulting Opportunities”:

Yes No N/A

a. If significant consulting opportunities arise during an assurance audit, is there a specific written understanding of the objectives, scope, respective responsibilities and other expectations? [STD 2220.A2]

59. Determine conformance with Performance Standard 2230, “Engagement Resource Allocation”:

Yes No N/A

a. Has Internal Audit determined appropriate and sufficient resources to achieve audit objectives based on an evaluation of the nature and complexity of each audit, time constraints and available resources? [STD 2230]

b. Has Internal Audit considered the following when determining the appropriateness and sufficiency of resources: Internal Audit staff number and experience; Internal Audit staff knowledge, skills and other competencies when selecting Internal Auditors for the audit; external resource availability where additional knowledge and competencies are required; Internal Audit training needs, as each audit assignment serves as a basis for meeting Internal Audit’s developmental needs? [PA 2230-1]

60. Determine conformance with Performance Standard 2240, “Engagement Work Program”:

Yes No N/A

a. Has Internal Audit developed and documented work programs that achieve the audit objectives? [STD 2240]

b. Is the process of collecting, analyzing, interpreting and documenting information supervised to provide reasonable assurance that audit objectives are met and that the internal auditor’s objectivity is maintained? [PA 2240-1 #2]

61. Determine conformance with Performance Standard 2240.A1, “Engagement Procedures”:

Yes No N/A

a. Do work programs include procedures for identifying, analyzing, evaluating and documenting audit information? [STD 2240.A1]

b. Is the work program approved prior to implementation and any adjustments approved promptly? [STD 2240.A1]

62. Determine conformance with Performance Standard 2300, “Performing the Engagement”:

Yes No N/A

a. Does Internal Audit identify, analyze, evaluate and document sufficient information to achieve the audit objectives? [STD 2300]

b. Does Internal Audit consider concerns relating to protection of personally identifiable information (PII) gathered during audits? [PA 2300-1 #1]

c. Does Internal Audit understand and comply with all laws regarding the use of PII? [PA 2300-1 #4]

d. Are there procedures for safeguarding PII? [PA 2300-1 #5]

63. Determine conformance with Performance Standard 2310, “Identifying Information”:

Yes No N/A

a. Does Internal Audit identify sufficient, reliable, relevant and useful information to achieve audit objectives? [STD 2310]

b. Is information factual, adequate and convincing so that a prudent informed person would reach the same conclusions as Internal Audit? [INT 2310]

c. Is information the best attainable through the use of appropriate audit techniques? [INT 2310]

d. Does the information support audit observations and recommendations and is the information consistent with audit objectives? [INT 2310]

e. Does the information help the Credit Union meet its goals? [INT 2310]

64. Determine conformance with Performance Standard 2320, “Analysis & Evaluation”:

Yes No N/A

a. Does Internal Audit base conclusions and audit results on appropriate analyses and evaluations? [STD 2320]

b. When analytical audit procedures identify unexpected results or relationships, does Internal Audit evaluate those results or relationships? [PA 2320-1 #6]

c. Does the evaluation include determining whether the difference from expectations could be a result of fraud, error or a change in conditions? [PA 2320-1 #6]

d. Does Internal Audit satisfy itself that any explanations consider both the change direction and difference amount? [PA 2320-1 #6]

e. Does Internal Audit reporting include the underlying reasons that caused an issue in order to add insights that improve the longer-term effectiveness and efficiency of business processes? [PA 2320-2 #2]

f. Does Internal Audit have the competency to identify the need for root cause analysis and facilitate, review, and/or conduct a root cause analysis? [PA 2320-2 #2]

g. Are the resources spent on root cause analysis commensurate with the impact of the issue or potential future issues and risk? [PA 2320-2 #5]

65. Determine conformance with Performance Standard 2330, “Documenting Information”:

Yes No N/A

a. Does Internal Audit document relevant information to support conclusions and audit results? [STD 2330]

b. Does Internal Audit prepare working papers? [PA 2330-1 #1]

c. Do working papers document: the information obtained; the analysis made; support for the conclusions and audit results? [PA 2330-1 #1]

d. Does Internal Audit management review the working papers? [PA 2330-1 #1]

e. Do working papers: aid in the planning, performance, and audit reviews; provide principal support for audit results? [PA 2330-1]

f. Do working papers: document whether audit objectives were achieved; support accuracy and completeness of the work performed; provide basis for QA&IP; facilitate third-party reviews? [PA 2330-1 #2]

g. Do audit working papers document all aspects of the audit process from planning to communicating the results? [PA 2330-1 #3]

h. Has the CAE established working paper policies for the various types of audits performed? [PA 2330-1 #4]

66. Determine conformance with Performance Standard 2330.A1 “Control of Engagement Records”:

Yes No N/A

a. Does the CAE control access to audit records? [STD 2330.A1]

b. Does the CAE obtain senior management approval and/or legal counsel prior to releasing records to external parties? [STD 2330.A1]

c. Does Internal Audit provide access to authorized personnel only? [PA 2330.A1-1 #1]

d. Does the Board review policies relating to audit record access, access request handling, and procedures for when an audit warrants an investigation? [PA 2330.A1-1 #2]

e. Do Internal Audit policies explain: who in the Credit Union is responsible for ensuring control and security of Internal Audit records; which internal and external parties can be granted audit record access; how requests for records access need to be handled? [PA 2330.A1-1 #3]

f. Does the CAE approve access requests by Credit Union officials and external auditors? [PA 2330.A1-1 #4,5]

g. In a legal proceeding, does the CAE work closely with legal counsel in deciding what to provide when there is a request for audit records in relation to legal proceedings? [PA 2330.A1-1 #7]

h. Do Internal Audit policies: cover what to include in engagement records; specify content and format; specify how Internal Audit handles resolved review notes? [PA 2330.A1-2 #4]

i. Do Internal Audit policies specify how long internal audit records are to be retained? [PA 2330.A1-2 #4]

j. Are the Credit Union’s needs and legal requirements considered when specifying retention requirements? [PA 2330.A1-2 #4]

k. Is the CAE aware of changing industry practices and changing legal precedents? [PA 2330.A1-2 #5]

l. When developing policies, does the CAE consider who may seek access to Internal Audit records? [PA 2330.A1-2 #5]

m. When furnishing engagement records, does the CAE provide only specific documents directed by legal counsel or policies? [PA 2330.A1-2 #8]

n. When furnishing engagement records, does the CAE release documents in an unchangeable form? [PA 2330.A1-2 #8]

o. When furnishing engagement records, does the CAE: label each document as confidential; place a notation that secondary distribution is not permitted without permission? [PA 2330.A1-2 #8]

67. Determine conformance with Performance Standard 2330.A2 “Retention of Records”

Yes No N/A

a. Has the CAE developed audit record retention requirements? [STD 2330.A2]

b. Are the retention requirements consistent with the Credit Union’s guidelines and any pertinent regulatory requirements? [STD 2330.A2]

c. Are the retention requirements in a written policy? [PA 2330.A2-1 #2]

d. Does the policy include record retention related to external service provider audits? [PA 2330.A2-1 #3]

68. Determine conformance with Performance Standard 2340, “Engagement Supervision”:

Yes No N/A


a. Are audits properly supervised to ensure: objectives are achieved; quality is assured; staff is developed? [STD 2340]

b. Is evidence of supervision documented and retained? [INT]

c. Are there appropriate instructions during audit planning and audit program approval? [PA 2340-1 #1]

d. Does supervision include ensuring that the approved audit program is completed unless changes are justified and authorized? [PA 2340-1 #1]

e. Does supervision include determining that audit workpapers adequately support audit observations, conclusions and recommendations? [PA 2340-1 #1]

f. Does supervision include ensuring communications are accurate, objective, clear, concise, constructive and timely? [PA 2340-1 #1]

g. Does supervision include ensuring the audit objectives are met? [PA 2340-1 #1]

h. Does the CAE take responsibility for all Internal Audit audits whether performed by or for Internal Audit? [PA 2340-1 #2]

i. Does the CAE take responsibility for all significant professional judgments made throughout the audit? [PA 2340-1 #2]

j. Are policies and procedures designed to minimize the risk that Internal Audit or others performing work for Internal Audit make professional judgments or take other actions inconsistent with the CAE’s professional judgment such that the audit is impacted adversely? [PA 2340-1 #2]

k. Are policies and procedures designed to resolve differences in professional judgment between the CAE and Internal Audit staff over significant audit issues? [PA 2340-1 #2]

l. When clearing review notes, is care taken to ensure working papers provide adequate evidence that questions raised are resolved? [PA 2340-1 #4]

69. Determine conformance with Performance Standard 2400, “Communicating Results”:

Yes No N/A

a. Does Internal Audit communicate the audit results? [STD 2400]

b. Does Internal Audit consider legal issues when communicating noncompliance with laws, regulations and other issues? [PA 2400-1 #1]

70. Determine conformance with Performance Standard 2410, “Criteria for Communicating”:

Yes No N/A


a. Do communications include the audit’s: objectives; scope; conclusions; recommendations; action plans? [STD 2410]

71. Determine conformance with Performance Standard 2410.A1 “Opinion and/or Conclusions”

Yes No N/A

a. Do final communications of audit results contain Internal Audit’s opinion and/or conclusions? [STD 2410.A1]

b. Does the opinion or conclusion take account of the expectations of senior management, the Board, and other stakeholders? [STD 2410.A1]

c. Is the opinion or conclusion supported by information that is: sufficient; reliable; relevant; useful? [STD 2410.A1]

d. Does Internal Audit communicate observations necessary to support or prevent misunderstanding of Internal Audit’s conclusions and recommendations? [PA 2410-1 #6]

e. Are observations and recommendations based on: criteria used in making an evaluation or verification; condition found in the course of examination; cause for difference between expected and actual conditions; effect of risk or exposure to the Credit Union? [PA 2410-1 #7]

f. Does Internal Audit evaluate the effect of the observations and recommendations on the activities reviewed? [PA 2410-1 #8]

g. Are audit conclusions clearly identified in the audit report? [PA 2410-1 #8]

h. Are recommendations based on Internal Audit’s observations and conclusions? [PA 2410-1 #9]

i. Do recommendations call for action to correct existing conditions or improve operations? [PA 2410-1 #9]

j. Does Internal Audit obtain agreement from management on the results of the audit and plans of action to improve operations? [PA 2410-1 #12]

k. If Internal Audit and the audit client disagree about the audit results, do the communications state both positions and the reasons for the disagreement? [PA 2410-1 #12]


l. Are interim reports used to communicate: information that requires immediate attention; change in audit scope; audit progress when audits extend over a long period of time? [PA 2410-1 #14]

m. Is a signed report (manually or electronically) issued after the audit completion? [PA 2410-#15]

n. Does the CAE determine which Internal Auditor is authorized to sign the report? [PA 2410-#15]

o. If reports are distributed electronically, is a signed version retained on file by Internal Audit? [PA 2410-#15]

72. Determine conformance with Performance Standard 2410.A2 “Acknowledging Satisfactory Performance”

Yes No N/A

a. Does Internal Audit acknowledge satisfactory performance in audit communications? [STD 2410.A2]

73. Determine conformance with Performance Standard 2410.A3 “Distribution Limitations”

Yes No N/A

a. When releasing audit results to third parties, does the communication include limitations on distribution and use of results? [STD 2410.A3]

b. Is privileged, proprietary or sensitive information disclosed in a separate report because it is not appropriate for disclosure to all report recipients? [PA 2410-1 #13]

c. Are reports distributed to the Board if the conditions involve senior management? [PA 2410-1 #13]

74. Determine conformance with Performance Standard 2420, “Quality of Communications”:

Yes No N/A

a. Are communications: accurate; objective; clear; concise; constructive; complete; timely? [STD 2420]

b. Are communications: free from errors and distortions; faithful to the underlying facts? [INT]


c. Are communications: fair; impartial; unbiased; the results of a fair-minded assessment of all relevant facts and circumstances? [INT]

d. Are communications: easily understood; logical; to the point? [INT]

e. Do communications: avoid unnecessary technical language or elaboration; provide all significant and relevant information; avoid superfluous detail, redundancy, wordiness? [INT]

f. Are communications: helpful to the audit client and the Credit Union; opportune and expedient? [INT]

g. Do communications: lead to improvements where needed; lack nothing that is essential to the target audience? [INT]

h. Were data and evidence gathered, evaluated and summarized with care and precision? [PA 2420-1 #1]

i. Were observations, conclusions and recommendations derived and expressed without prejudice, partisanship, personal interest and the undue influence of others? [PA 2420-1 #2]

j. Is all significant and relevant information provided in context? [PA 2420-1 #3]

k. Is each element meaningful and succinct? [PA 2420-1 #4]

l. Are the tone and content: well-meaning; useful; positive; focused on the Credit Union’s objectives? [PA 2420-1 #5]

m. Is the communication consistent with the Credit Union’s style and culture? [PA 2420-1 #6]

n. Is the timing of the results presentation planned to avoid undue delay? [PA 2420-1 #7]

75. Determine conformance with Performance Standard 2421, “Errors & Omissions”:

Yes No N/A

a. If a final communication contains a significant error or omission, does the CAE communicate corrected information to all parties who received the original communication? [STD 2421]


76. Determine conformance with Performance Standard 2430, “Use of Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”:

Yes No N/A

a. Does Internal Audit report that its audits are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing” only if the results of the QA&IP support the statement? [STD 2430]

77. Determine conformance with Performance Standard 2431, “Engagement Disclosure of Nonconformance”:

Yes No N/A

a. When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific audit, does the communication of the results disclose the: principle or rule with which conformance was not achieved; reasons for nonconformance; impact of nonconformance on the audit; impact of nonconformance on the communicated audit results? [STD 2431]

78. Determine conformance with Performance Standard 2440, “Disseminating Results”:

Yes No N/A

a. Does the CAE communicate results to the appropriate parties? [STD 2440]

b. Does the CAE review and approve the final audit communication before issuance and decide to whom and how it will be disseminated? [INT]

c. When the CAE delegates the review and approval, does the CAE retain overall responsibility? [INT]

d. Does Internal Audit discuss conclusions and recommendations with appropriate levels of management, or provide a report draft before the CAE issues the final audit communications? [PA 2440-1 #1,2]

79. Determine conformance with Performance Standard 2440.A1 “Report Addressee”

Yes No N/A

a. Does the CAE communicate the final results to parties who can ensure that the results are given due consideration? [STD 2440.A1]

b. Does the CAE distribute the final audit communication to the management of the audited area, and to those persons in the Credit Union who can take corrective action or ensure corrective action is taken? [PA 2440-1 #4]

80. Determine conformance with Performance Standard 2440.A2 “Considerations Prior to Release”

Yes No N/A


a. Prior to releasing results to third parties does the CAE: assess the potential risk to the Credit Union; consult with senior management and/or legal counsel; control dissemination by restricting use of the results? [STD 2440.A2]

b. If internal whistleblowing is elected, does Internal Audit evaluate alternate ways of communicating risk to persons outside the normal chain of command? [PA 2440-2 #7]

c. Is Internal Audit aware of the laws and regulations of the various jurisdictions in which the Credit Union operates? [PA 2440-2 #9]

d. Does Internal Audit carefully evaluate all evidence and the reasonableness of conclusions and decide whether further actions are needed to protect the Credit Union’s and members’ interest? [PA 2440-2 #11]

e. Does Internal Audit consider the duty of confidentiality to respect the value and ownership of information and avoid disclosing it without appropriate authority unless there is a legal or professional obligation to do so? [PA 2440-2 #11]

f. Is the decision to communicate outside the normal chain of command based on a well-informed opinion that the wrongdoing is supported by substantial, credible evidence and that a legal or regulatory imperative, or a professional or ethical obligation, requires further action? [PA 2440-2 #12]

81. Determine conformance with Performance Standard 2450, “Overall Opinions”:

Yes No N/A

a. When an overall opinion is issued, does it take into account the expectations of senior management, the Board and other stakeholders? [STD 2450]

b. Is the overall opinion supported by sufficient, reliable, relevant and useful information? [STD 2450]

c. Does the communication identify: scope and scope limitations; consideration of all related projects including reliance on other assurance providers; the risk or control framework or other criteria used as a basis for the overall opinion; the overall opinion, judgment or conclusion reached; reasons for an unfavorable opinion? [INT]

82. Determine conformance with Performance Standard 2500, “Monitoring Progress”:

Yes No N/A

a. Does the CAE maintain a system to monitor the disposition of results communicated to management? [STD 2500]


b. Do procedures include: timeframe within which management’s response is required; evaluation of management’s response; verification of the response if appropriate; performance of a follow-up engagement if appropriate? [PA 2500-1 #1]

c. Do procedures include a communications process that escalates unsatisfactory responses/actions, including the assumption of risk, to the appropriate levels of senior management or the board? [PA 2500-1 #1]

d. If reported observations and recommendations are significant enough to require immediate action by management or the Board, does Internal Audit monitor actions taken until the observation is corrected or the recommendation implemented? [PA 2500-1 #2]

83. Determine conformance with Performance Standard 2500.A1, “Follow-Up Process”:

Yes No N/A

a. Does the CAE establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action? [STD 2500.A1]

b. Does Internal Audit determine whether management has taken action or implemented the recommendation? [PA 2500.A1-1 #1]

c. Does Internal Audit determine whether the desired results were achieved or if senior management or the Board has assumed the risk of not taking action or implementing a recommendation? [PA 2500.A1-1 #1]

d. Does Internal Audit evaluate the adequacy, effectiveness and timeliness of actions taken by management on reported observations and recommendations, including those made by external auditors and others? [PA 2500.A1-1 #2]

e. Does the Internal Audit Charter define responsibility for follow-up? [PA 2500.A1-1 #3]

f. Does the CAE determine the nature, timing and extent of follow-up considering: significance of the reported observation or recommendation; degree of effort and cost needed to correct the reported condition; impact that may result should the corrective action fail; complexity of the corrective action; time period involved? [PA 2500.A1-1 #3]

g. Does the CAE schedule follow-up activities as part of audit work schedules? [PA 2500.A1-1 #4]

h. Is follow-up scheduling based on the risk and exposure involved, the degree of difficulty and the significance of timing in implementing corrective action? [PA 2500.A1-1 #4]


i. Does Internal Audit determine whether actions taken on observations and recommendations remedy the underlying conditions? [PA 2500.A1-1 #6]

j. Are follow-up activities documented? [PA 2500.A1-1 #6]

84. Determine conformance with Performance Standard 2600, “Communicating the Acceptance of Risks”:

Yes No N/A

a. When the CAE concludes that management has accepted a level of risk that may be unacceptable to the CU, does the CAE discuss the matter with senior management? [STD 2600]

b. If the CAE determines that the matter has not been resolved, does the CAE communicate the matter to the board? [STD 2600]

Copyright 2002 by the Association of Credit Union Internal Auditors, Inc. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.
