F.3 Establishing Engagement Objectives and Audit Criteria

  1. Each internal audit engagement should describe the engagement objective(s) and the audit criteria to be used to carry out the assessment.

Engagement Objectives

  1. Objectives must be established for each engagement and reflect the results of the preliminary risk assessment conducted during the planning phase of the engagement.

  2. In establishing the objectives, the audit directors must consider:

    • the preliminary assessment of the risks relevant to the activity under review; and

    • the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

Audit Criteria

  1. Audit criteria must be established for each internal audit engagement undertaken and be sufficient to evaluate some or all aspects of governance, risk management and internal controls, where appropriate.

  2. Audit criteria are to be reasonable and attainable standards of performance and control against which compliance; the adequacy of systems and practices; and the economy, efficiency, and cost-effectiveness of operations can be evaluated and assessed. Audit criteria provide a basis for developing audit observations and formulating conclusions.

  3. Criteria suitable for audit purposes must be appropriate to the nature of the audit. The failure to identify and obtain acceptance by the internal audit client of criteria suitable to the audit may result in inappropriate, or highly contested, conclusions being drawn by the internal auditor.

  4. Good audit criteria statements should be relevant, reliable, neutral, and complete.

  5. In identifying relevant and reliable criteria, the lead auditor can usually rely upon strategic plans, business plans and objectives, budgets, policies and procedures, acts and regulations, guidelines, standards, estimates, and recognized subject matter experts. In the absence of such criteria, the lead auditor can draw upon a wide variety of potential sources for audit criteria, e.g., professional associations’ standards, recognized industry standards and norms, accepted good practice, generic management control frameworks, and the audit client’s own standards.

  6. The lead internal audit director must review and discuss the proposed audit criteria with the internal client, particularly when there are no generally accepted criteria, to obtain an acknowledgment that the criteria are suitable for the audit. If agreement on the audit criteria cannot be reached, this should be reflected in the planning documentation, with an explanation as to why the lead auditor believes the criteria remain appropriate. If necessary to the successful completion of the audit, the Chief Audit Executive may seek approval of the criteria by the Audit Committee.

  7. The Chief Audit Executive needs to approve the audit criteria, as defined in the Internal Audit Plan Summary, by signing off the Team Mate step as reviewed.

Last modified:
2018-03-22