Implementation Guide 2060

Standard 2060 Reporting to Senior Management and the Board

The chief audit executive must report periodically to senior management and the board on
the internal audit activitys purpose, authority, responsibility, and performance relative to its
plan and on its conformance with the Code of Ethics and the Standards. Reporting must also
include significant risk and control issues, including fraud risks, governance issues, and other
matters that require the attention of senior management and/or the board.
Interpretation:
The frequency and content of reporting are determined collaboratively by the chief audit
executive, senior management, and the board. The frequency and content of reporting
depends on the importance of the information to be communicated and the urgency of the
related actions to be taken by senior management and/or the board.
The chief audit executives reporting and communication to senior management and the
board must include information about:

The audit charter.

Independence of the internal audit activity.
The audit plan and progress against the plan.
Resource requirements.
Results of audit activities.
Conformance with the Code of Ethics and the Standards, and action plans to
address any significant conformance issues.
Managements response to risk that, in the chief audit executives judgment, may
be unacceptable to the organization.
These and other chief audit executive communication requirements are referenced
throughout the Standards.
Revised Standards, Effective 1 January 2017

1
 Implementation Guide 2060 / Reporting to Senior Management and the Board

Getting Started
Communicating effectively with senior management and the board is an essential responsibility
of the chief audit executive (CAE), and this standard brings together the CAEs primary
reporting requirements referenced throughout the Standards. In implementing the standards
related to communication, the CAE will usually want to understand the reporting-related
expectations of senior management and the board, which may be stated in the audit
committee charter. The three parties typically discuss and collaboratively determine the
frequency and form of internal audit reporting and the reporting schedule that is most
appropriate for the organization, as well as the importance and urgency of various types of
audit information. It also may be helpful to agree in advance on protocols for the CAE to report
important and urgent risk or control events and the related actions to be taken by senior
management and the board.

Additionally, the CAE may find it helpful to establish or review:

The internal audit charter, including the internal audit activitys purpose, authority,
responsibility.
The internal audit plan and key performance indicators to measure the internal audit
activitys progress toward accomplishing the plan.
The quality assurance and improvement program, which gauges the internal audit
activitys conformance with the Mandatory Guidance of the International Professional
Practices Framework (IPPF).
Processes for identifying significant risk and control issues.

Considerations for Implementation

While Standard 2060 allows flexibility in the frequency and content of reporting, it notes that
these factors will depend on the importance of the information and the urgency with which
senior management and/or the board might need to act on the communications. Additionally,
some standards have specific requirements regarding frequency. For instance, items that must
be communicated at least annually include the internal audit activitys organizational

2
 Implementation Guide 2060 / Reporting to Senior Management and the Board

independence (Standard 1110) and the results of ongoing monitoring of the internal audit
activitys performance (Standard 1320).

To maintain and track consistent and effective communication with senior management and
the board, the CAE may consider using a checklist of all reporting requirements referenced
throughout the Standards, which would the following topics:

The internal audit charter.

Organizational independence of the internal audit activity.
Internal audit plans, resource requirements, and performance.
Results of audit engagements.
Quality assurance and improvement program.
Conformance with the Code of Ethics and Standards.
Significant risk and control issues, and managements acceptance of risk.

Such a checklist may include a schedule of communications and reminders about any
approval requirements. Establishing a standing item on the board meeting agenda secures an
opportunity for the CAE to communicate regularly.

The Internal Audit Charter

According to Standard 1000 Purpose, Authority, and Responsibility, the internal audit
activitys purpose, authority, and responsibility must be formally defined in the internal audit
charter. The CAE is responsible for periodically reviewing the charter and presenting it to
senior management and the board for approval. The Mission of Internal Audit and the
mandatory elements of the IPPF, which are acknowledged in the internal audit charter, should
also be discussed, according to Standard 1010 Recognizing Mandatory Guidance in the
Internal Audit Charter.

Organizational Independence of the Internal Audit Activity

The organizational independence of the internal audit activity must be confirmed to the board
annually, according to Standard 1110 Organizational Independence. In addition, any
interference in determining the scope of internal auditing, performing work, or communicating

3
 Implementation Guide 2060 / Reporting to Senior Management and the Board

results as well as the implications of such interference must be disclosed to the board,
according to Standard 1110.A1. An independent reporting relationship is essential to facilitate
the CAEs ability to communicate directly with the board, as required in Standard 1111
Direct Interaction With the Board.

Internal Audit Plans, Resource Requirements, and Performance

Standard 2020 Communication and Approval and the related Implementation Guidance
specifies the details of communicating the internal audit activitys plans and resource
requirements. Standard 2060 adds the requirement to report the internal audit activitys
performance relative to its plan. This is an opportunity for the CAE to illustrate the value
enhanced and protected by the internal audit activity and the implementation of its
recommendations. To quantify the level of performance, many CAEs use key performance
indicators such as the percentage of the audit plan completed, percentage of audit
recommendations that have been accepted or implemented, status of managements
corrective actions, or average time taken to issue reports. In addition, updates on any special
requests made by the board and/or senior management may be discussed during board
meetings.

Results of Audit Engagements

The 2400 series of standards covers the requirements for communicating the results of audit
engagements, including the information that engagement communications must contain, the
quality of that information, and the protocol in the case of errors and omissions or
nonconformance with the Code of Ethics or Standards that affects a specific engagement.
Standard 2440 Disseminating Results discusses the CAEs responsibilities related to the
final engagement communication, and Standard 2450 Overall Opinions describes the criteria
for issuing an overall opinion.

Quality Assurance and Improvement Program

The 1300 series of standards cover the CAEs responsibility for developing and maintaining a
quality assurance and improvement program that includes internal and external assessments.

4
 Implementation Guide 2060 / Reporting to Senior Management and the Board

Standard 1320 Reporting on the Quality Assurance and Improvement Program lists the
requirements of the CAEs communication to senior management and the board, including that
this reporting must occur as the assessments are completed. However, the results of ongoing
monitoring of the internal audit activitys performance, which is part of the internal assessment
process, must be reported at least annually.

With regard to the external assessment of the internal audit activity, which must be conducted
at least once every five years, Standard 1312 External Assessments requires the CAE to
discuss with the board the qualifications and independence of the external assessor or
assessment team, including any potential conflict of interest. The CAE should encourage
board oversight in the external assessment to reduce perceived or potential conflicts of
interest.

Conformance With the Code of Ethics and Standards

Standard 1320 Reporting on the Quality Assurance and Improvement Program and its
Implementation Guidance also describe the details of reporting on the internal audit activitys
conformance with the Code of Ethics and Standards. Standard 1322 Disclosure of
Nonconformance states, When nonconformance with the Code of Ethics or the Standards
impacts the overall scope or operation of the internal audit activity, the chief audit executive
must disclose the nonconformance and the impact to senior management and the board.
Standard 1322 also describes considerations for reporting nonconformance. Standard 2431
Engagement Disclosure of Nonconformance stipulates the information that must be disclosed
when nonconformance impacts a specific engagement. In addition, Standard 2060 calls for the
CAE to communicate action plans to address any significant issues related to conformance.

Significant Risk and Control Issues and Managements Acceptance of Risk

A primary purpose of CAE reporting is to provide assurance and advice to senior management
and the board regarding the organizations governance (Standard 2110), risk management
(Standard 2120), and controls (Standard 2130). An in-depth understanding of these processes
can be obtained by implementing the 2100 series of standards. Standard 2060 identifies the

5
 Implementation Guide 2060 / Reporting to Senior Management and the Board

CAEs responsibility to report significant risk and control issues that could adversely affect the
organization and its ability to achieve its objectives. Significant issues are those that would
require the attention of senior management and the board, which may include conflicts of
interest, control weaknesses, errors, fraud, illegal acts, ineffectiveness, and inefficiency.

If the CAE believes that senior management has accepted a level of risk that the organization
would consider unacceptable, the CAE should first discuss the matter with senior
management. If the CAE and senior management cannot resolve the matter, Standard 2600
directs the CAE to communicate the matter to the board. If such issues are too urgent to wait
until a scheduled board meeting (e.g., a major fraud), the CAE would be well advised to make
arrangements to communicate sooner.

Considerations for Demonstrating Conformance

CAE discussions with senior management and the board regarding the contents of the
charter, the internal audit activitys performance relative to the audit plan, and significant risk
exposures or control issues may be documented in agendas and minutes of meetings with
the board and senior management. Discussions amongst these parties may also be
documented in reports and presentations with attached distribution lists. Minutes from ad hoc
meetings and documentation of reports and other communications sent electronically may also
demonstrate conformance with Standard 2060. Board and senior management survey results
and CAE performance evaluations may contain feedback that indicates the quality and
effectiveness of the CAEs communication related to this standard. The CAE may also
maintain a communications checklist that documents the frequency of reporting and approval
requirements.

6
 Implementation Guide 2060 / Reporting to Senior Management and the Board

About The IIA

The Institute of Internal Auditors (The IIA) is the internal audit professions most widely recognized advocate, educator,
and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more than 180,000
members from more than 170 countries and territories. The associations global headquarters are in Lake Mary, Fla.
For more information, visit www.globaliia.org or www.theiia.org.

About Implementation Guidance

Implementation Guidance, as part of The IIAs International Professional Practices Framework (IPPF), provides
recommended (non-mandatory) guidance for the internal audit profession. It is designed to assist both internal auditors
and internal audit activities to enhance their ability to achieve conformance with the International Standards for the
Professional Practice of Internal Auditing (Standards).

Implementation Guides assist internal auditors in applying the Standards. They collectively address internal audit's
approach, methodologies, and consideration, but do not detail processes or procedures.

For other authoritative guidance materials provided by The IIA, please visit our website at
www.globaliia.org/standards-guidance or www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to
provide definitive answers to specific individual circumstances and, as such, is only intended to be used as a guide.
The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA
accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright 2016 The Institute of Internal Auditors. For permission to reproduce, please contact [email protected].