managed appropriately, and relate the findings to the risk tolerances management has
                   established in support of its business goals and objectives.

                   Internal auditors should consult with management throughout the engagement process and
                   obtain management’s recognition of any observations (including the severity) and any action
                   plans, before issuing any reports. Standard series 2400 can be used to guide the CAE’s
                   communication with senior management and the board.
                   Additional requirements are described in Standards 2110 – Governance, 2120 – Risk
                   Management, 2130 – Control, and 2330 – Documenting Information.



































































                   23 — theiia.org