When performing an assessment, it is important to remain flexible and adjust the execution plan as new information is uncovered. This adaptive approach ensures that the assessment remains relevant and effective in identifying issues and areas for improvement. Rigidly adhering to the original plan, regardless of new findings, can result in missed opportunities to address critical risks and controls. Adjusting procedures as appropriate based on new information enhances the overall quality and effectiveness of the assessment.
References:
ISO 19011:2018 - Guidelines for auditing management systems
COSO Internal Control – Integrated Framework
Questions 5
Which one of these is most associated with a "measure of how well we are meeting obligations"?
Compliance is most associated with a "measure of how well we are meeting obligations." Compliance involves adhering to laws, regulations, policies, and standards that apply to an organization. It ensures that the organization is fulfilling its legal, regulatory, and ethical obligations, thereby avoiding penalties, legal issues, and reputational damage. Compliance programs include policies, procedures, training, monitoring, and audits to ensure that all obligations are consistently met.
References:
ISO 19600:2014 - Compliance management systems - Guidelines
NIST SP 800-37 Rev. 2 - Risk Management Framework for Information Systems and Organizations
Questions 6
A NEGATIVE assurance opinion or statement is
Options:
A.
An affirmative statement that subject matter conforms to the suitable criteria and is free from meaningful misunderstanding
B.
A statement that the assessment didn’t observe anything that makes us doubt whether subject matter conforms to the suitable criteria and is free from meaningful misunderstanding.
C.
A statement that the assessment encountered some limitations in what can be concluded and outside of those limitations a positive or negative statement can be offered.
A NEGATIVE assurance opinion or statement indicates that, based on the procedures performed and evidence obtained, the assurance provider did not identify any reasons to believe that the subject matter does not conform to the applicable criteria. This form of opinion does not provide absolute assurance but rather limited assurance, suggesting that nothing came to the auditor's attention that causes them to believe the subject matter is not fairly stated.
References:
AICPA Auditing Standards
IIA Standards for the Professional Practice of Internal Auditing
Questions 7
What level of assurance is required for an assessment?
Options:
A.
Medium
B.
High
C.
Low
D.
An assessment may target any level of assurance. The key is to define this level prior to setting the purpose and parameters.
The level of assurance required for an assessment can vary depending on the purpose, scope, and objectives of the assessment. It is crucial to define the desired level of assurance (low, medium, or high) before beginning the assessment to ensure that the approach, methodology, and resources allocated are appropriate. This helps in setting clear expectations and aligning the assessment process with the organization's risk tolerance and regulatory requirements.
References:
ISO 19011:2018 - Guidelines for auditing management systems
COSO Enterprise Risk Management – Integrating with Strategy and Performance