Vdi 2230 Standard


Dhara Lyford

Aug 5, 2024, 12:30:52 PM
to dickprobtabe
The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.

The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.


The frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board. The frequency and content of reporting depends on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board.


When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.


2120.C3 - When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.


2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:


2201.A1 - When planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.


2210.A1 - Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.


2210.A3 - Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.


2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.


2220.C1 - In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.


Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quantity of resources needed to accomplish the engagement with due professional care.


2240.A1 - Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.


2330.A1 - The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.


2330.A2 - The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.


2330.C1 - The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.


Opinions at the engagement level may be ratings, conclusions, or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk, or business unit. The formulation of such opinions requires consideration of the engagement results and their significance.


Indicating that engagements are "conducted in conformance with the International Standards for the Professional Practice of Internal Auditing" is appropriate only if supported by the results of the quality assurance and improvement program.


The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility.


2440.C2 - During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board.


When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organization; and the expectations of senior management, the board, and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant, and useful information.


2500.A1 - The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.


When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.


The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.


Save Time and Trouble!

With a Redline you no longer have to spend time trying to determine what has changed in the new standard! Redlines save you time and ensure you see what the changes are to the standard.


Domestic orders are delivered via United Parcel Service (UPS) or United States Postal Service (USPS). Transit times average 3 to 5 business days. Please be aware that UPS will not deliver packages to Post Office Boxes.


International orders are delivered via courier post services which can be either a postal service, courier service, or a combination of both. Standard Service is untraceable. Please allow 4-7 weeks for delivery.


Please be aware that carriers will not deliver packages to Post Office Boxes. Because of the variability of customs processes and procedures in different countries, ASTM International cannot guarantee transit times to international destinations. Customs duty and taxes are the responsibility of the consignee.


IMPORTANT- READ THESE TERMS CAREFULLY BEFORE ENTERING THIS ASTM PRODUCT.

By purchasing a subscription and clicking through this agreement, you are entering into a contract, and acknowledge that you have read this License Agreement, that you understand it and agree to be bound by its terms. If you do not agree to the terms of this License Agreement, promptly exit this page without entering the ASTM Product.


1. Ownership:

This Product is copyrighted, both as a compilation and as individual standards, articles and/or documents ("Documents") by ASTM ("ASTM"), 100 Barr Harbor Drive, West Conshohocken, PA 19428-2959 USA, except as may be explicitly noted in the text of the individual Documents. All rights reserved. You (Licensee) have no ownership or other rights in the ASTM Product or in the Documents. This is not a sale; all right, title and interest in the ASTM Product or Documents (in both electronic file and hard copy) belong to ASTM. You may not remove or obscure the copyright notice or other notice contained in the ASTM Product or Documents.


(ii) Single-Site:

one geographic location or to multiple sites within one city that are part of a single organization unit administered centrally; for example, different campuses of the same university within the same city administered centrally.


(iii) Multi-Site:

an organization or company with independently administered multiple locations within one city; or an organization or company located in more than one city, state or country, with central administration for all locations.


B. Authorized Users:

any individual who has subscribed to this Product; if a Site License, also includes registered students, faculty or staff member, or employee of the Licensee, at the Single or Multiple Site.


3. Limited License.

ASTM grants Licensee a limited, revocable, nonexclusive, non-transferable license to access, by means of one or more authorized IP addresses, and according to the terms of this Agreement, to make the uses permitted and described below, each ASTM Product to which Licensee has subscribed.


(b) the right to download, store or print single copies of individual Documents, or portions of such Documents, solely for Licensee's own use. That is, Licensee may access and download an electronic file of a Document (or portion of a Document) for temporary storage on one computer for purposes of viewing, and/or printing one copy of a Document for individual use. Neither the electronic file nor the single hard copy print may be reproduced in any way. In addition, the electronic file may not be distributed elsewhere over computer networks or otherwise. That is, the electronic file cannot be emailed, downloaded to disk, copied to another hard drive or otherwise shared. The single hard copy print may only be distributed to others for their internal use within your organization; it may not be copied. The individual Document downloaded may not otherwise be sold or resold, rented, leased, lent or sub-licensed.
