From the
INTERAGENCY POLICY STATEMENT ON THE INTERNAL AUDIT FUNCTION AND ITS OUTSOURCING :
Management, staffing, and audit quality. In managing the internal audit function, the manager of internal audit is responsible for control risk assessments, audit plans, audit programs, and audit reports.
> A control risk assessment (or risk assessment methodology) documents the internal auditor's understanding of the institution's significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.
> An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.
> An internal audit program describes the objectives of the audit work and lists the procedures that will be performed during each internal audit review.
> An audit report generally presents the purpose, scope, and results of the audit, including findings, conclusions, and recommendations. Workpapers that document the work performed and support the audit report should be maintained.