During engagement planning, an internal auditor assessed risks related to achieving business objectives in the area under review. Next, the auditor will identify criteria for evaluating controls. What is the proper action for the auditor to take if such criteria has not been established by management or the board?
If criteria for evaluating controls have not been established by management or the board, the auditor must identify appropriate criteria through discussion with management and the board. This ensures that the criteria are relevant and aligned with the organization's objectives and risk tolerance.
Implementation Standard 2210.A3 "... If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.