Practice of Internal

Auditing
Part II Planning the Engagement
A Establish Engagement Objectives and Scope
B Conduct Engagement Risk Assessment
C Prepare Engagement Procedures and Work
Program
D Determine Staff and Resources for the
Engagement
E Construct an Audit Staff Schedule for Effective
Use of Time
 Engagement Audit Process
 Engagement planning (e.g. interviews with the audit client, walk through
the processes/systems, research into risks etc.)
 Creation of the audit program (including audit objectives and tests)
 Fieldwork (e.g. interviews, observations, analyses etc.)
 Internal audit manager review
 Draft report
 Client review and discussions
 Final report
Engagement Planning
- Performance Standard 2200

Internal auditors must develop and document a

plan for each engagement, including the
engagement’s objectives, scope, timing, and
resource allocations.

The plan must consider the organization’s

strategies, objectives, and risks relevant to the
engagement.
Engagement Objectives
- Performance Standard 2210

Assurance engagements Consulting engagements

 2210. A1 – Internal auditor must  2210. C1 – Consulting
conduct a preliminary assessment engagement objectives must
of the risks relevant to the activity address governance, risk
under review. Engagement
objectives must reflect the results of
management, and control
this assessment. processes to the extent agreed

upon with the client.
2210. A2 – Internal auditors must
consider the probability of  2210. C2 – Consulting
significant errors, fraud, engagement objectives must
noncompliance, and other be consistent with the
exposures when developing the
organization’s values,
engagement objectives.
strategies, and objectives.
 2210. A3 – Adequate criteria are
needed to evaluate governance, risk
management, and controls.
Engagement Objectives
Type of audit: Operating Engagement
objective: objective:

 IIA Glossary defines it as – Marketing Increase product Identify and

“broad statements Department recognition in evaluate controls in
China market place to increase
developed by internal product recognition
auditors that define in China.
intended engagement
accomplishments.” Accounts Pay invoices on a Evaluate accurate
 payable timely basis after and timely payment
Engagement objectives help department verifying receipt of invoices based
define audit’s deliverables – of services or on mitigation of
its measurable, verifiable products. risk, adequacy of
controls, and
work products. compliance with
company policies
 Engagement objectives vs. and procedures.
Operational objectives –
examples:
Engagement Scope
- Performance Standard 2220 1/2
The established scope must be sufficient to achieve the objectives of the
engagement.

Assurance engagements Consulting engagements

 2220. A1 – The scope of the  2220. C1 – In performing consulting
engagement must include engagements, internal auditors must
consideration of relevant systems, ensure that the scope of the
records, personnel, and physical engagement is sufficient to address the
properties, including those under the agreed-upon objectives. If internal
auditor develop reservations about the
control of third parties.
scope during the engagement, these
 2220. A2 – If significant consulting reservations must be discussed with the
opportunities arise during an client to determine whether to continue
assurance engagement, a specific with the engagements.
written understanding as to the  2220. C2 – During consulting
objectives, scope, respective engagements, internal auditors must
responsibilities, and other address controls consistent with the
expectations should be reached and engagement objectives and be alert to
the results of the consulting significant control issues.
engagement communicated in
accordance with consulting
standards.
Engagement Scope
- Performance Standard 2220 2/2

Scope establishes the boundaries of the internal

audit.

It defines what the internal auditor will do by

specifying – which activities will be reviewed, and
which activities will be excluded from the
engagement.

Type of audit: Accounts

Referring to example II) payable department
from “Engagement Scope: All payments of
Objectives”:- invoices from Jan 1, 20XX to
Dec 31, 20XX
Engagement Criteria

Criteria should be consistent with audit engagement

objectives, and ultimately yield useful information to the
client.

Examples:
• Acts and regulations
• Policies and procedures; Standards or guidelines
• Client management roles and responsibilities
• Industry best practice
• Guidance provided by recognized bodies of experts
Part II Planning the Engagement
A Establish Engagement Objectives and Scope
B Conduct Engagement Risk Assessment
C Prepare Engagement Procedures and Work
Program
D Determine Staff and Resources for the
Engagement
E Construct an Audit Staff Schedule for Effective
Use of Time
 Risk-based approach

• Focus the audit on the most important areas based

on risk assessment results.
• The engagement planning leverages information
from the entity-level risk assessment.
• The engagement is focused on risk.
Conduct
Use of a risk control matrix
Engagement • Contains all the pertinent data about each critical
Risk Assessment control in a process, including control description,
risks mitigated, test procedures, frequency of
occurrence, etc. Some form of an RCM is required for
SOX Compliance.
• Helps to ensure
• Risk at the engagement level is adequately
accounted for;
• Significant risks identified are addressed in
fieldwork.
Conduct Engagement Risk Assessment
Example of Risk Control Matrix
Part II Planning the Engagement
A Establish Engagement Objectives and Scope
B Conduct Engagement Risk Assessment
C Prepare Engagement Procedures and Work
Program
D Determine Staff and Resources for the
Engagement
E Construct an Audit Staff Schedule for Effective
Use of Time
Engagement Work Program
- Performance Standard 2240 1/3
Internal auditors must develop and document work programs that
achieve the engagement objectives.

Assurance engagements Consulting engagements

 2240. A1 – Work programs  2240. C1 – Work programs for
must include the procedures consulting engagements may
for identifying, analyzing, vary in form and content
evaluating, and documenting depending upon the nature of
information during the the engagement.
engagement. The work
program must be approved
prior to its implementation, and
any adjustments approved
promptly.
Engagement Work Program
- Performance Standard 2240 2/3
IIA Glossary defines it as – “a document that lists the procedures to
be followed during an engagement, designed to achieve the
engagement plan.”

Key considerations before developing a work program:-

The risk Judgments

The
register or and
appropriate
risk matrix How Whether the conclusions
The scope of sample size
and how it engagement necessary made during
the for testing
applies to the objectives will resources are the
engagement and
development be achieved available engagement’s
methodologie
of the work planning
s to be used.
program phase.
Engagement Work Program
- Performance Standard 2240 3/3
What are included in a Why do we need a work
work program? program?
  Its primary purpose is to help ensure
In simple words,
that audit work is properly planned
 A work program specifies how and documented.
the audit is to be performed,  Provides an outline of work to be
who is going to perform and performed and facilitates an
what the steps are to be understanding of the audited unit.
followed.  Furnishes evidence that the work is
 It is a set of instructions for adequately planned.
proper execution of audit.  Provides a record for management
review.
 Provides assurances that all risks have
received adequate consideration.
 Assist in controlling work and
assignment responsibilities.
 Gives order and coherence to the
audit.
Engagement Procedures (Audit
Tests)
Engagement procedures refer to detailed steps, instructions, or
guidelines for auditors for the collection and accumulation of a particular
type of audit evidence.
 There is no definitive list of internal audit procedures for matching
procedures to engagement objectives.
 Auditors need to discriminate between procedures that may be relevant
and those are unimportant.
 One approach is to ensure that procedures are designed to test that
controls achieve key attributes.
 Attributes include – accuracy, existence, completeness, ownership, cut-off
and presentation.
 Example – “obtain physical inventory sheets, verify the accuracy of
inventory extension by multiplying the quantity with cost /price figures.
Note any exceptions.”
 Procedures usually begin with action words, such as – review, verify,
analyze, confirm, identify, and inquire etc.
Part II Planning the Engagement
A Establish Engagement Objectives and Scope
B Conduct Engagement Risk Assessment
C Prepare Engagement Procedures and Work
Program
D Determine Staff and Resources for the
Engagement
E Construct an Audit Staff Schedule for Effective
Use of Time
Engagement Resource Allocation
- Performance Standard 2230 1/3

Internal auditors must determine appropriate and sufficient

resources to achieve engagement objectives based on an
evaluation of the nature and complexity of each engagement, time
constraints, and available resources.

Before determining how best to allocate engagement resources,

internal auditors should understand the nature and complexity of
the engagement through discussions with key stakeholders,
including management in the area to be audited.
Engagement Resource Allocation
- Performance Standard 2230 2/3
It is important to assign the appropriate personnel to the
engagement based on their availability, knowledge, skills, and
experiences.

If the specialized skills of the available internal auditors are not

sufficient to perform the engagement, internal auditors typically
consider whether additional training is an option, or whether closer
supervision would be appropriate.

In situations where the existing internal audit staff lacks the

expertise or knowledge to perform the engagement, internal
auditors may consider supplementing existing resources with other
options (e.g. using guest auditors, employing a subject matter
expert, or co-sourcing).
Engagement Resource Allocation
- Performance Standard 2230 3/3
 They should be aware of the number of hours budgeted for the engagement, as
well as any time, language, logistical, or other constraints for any relevant party.

 During the audit, the actual time spent performing the engagement should be
tracked against the budget time, significant overrun may be documented as a
lesson learned for future planning purposes.

 Documents that may demonstrate conformance with Standard 2230 may include
–
 Approved engagement work program
 Internal auditing activity’s planning notes
 Timesheets or tracking documentation used to monitor budgeted hours
against actual hours
 A post-audit client survey on the quality of internal audit resources and
timeliness of the audit report.
Part II Planning the Engagement
A Establish Engagement Objectives and Scope
B Conduct Engagement Risk Assessment
C Prepare Engagement Procedures and Work
Program
D Determine Staff and Resources for the
Engagement
E Construct an Audit Staff Schedule for Effective
Use of Time
Construct an Audit Staff Schedule
for Effective Use of Time 1/3
 A staff schedule is an important tool for managing the
activity’s resources efficiently.
 Gantt chart, a project scheduling technique can be used
for audit staff scheduling.
 Gantt chart divides each project into sequential activities with
estimated start and completion times.
 It helps plan tasks that need to be completed; and provides a
basis for scheduling when tasks will be executed.
 It also provides a quick look of the project status and
progress, allows for the assessment of key resources against
the plan, and also allows for the assessment of the project’s
performance against the plan.
Construct an Audit Staff Schedule
for Effective Use of Time 2/3
 Example:

 Notes:
1) Each task has three time estimates: the optimistic time estimate (O), the most likely or normal
time estimate (M), and the pessimistic time estimate (P).
2) The expected time (TE) is estimated using the beta probability distribution for the time
estimates, using the formula (O + 4M + P) ÷ 6.
Construct an Audit Staff Schedule
for Effective Use of Time 3/3
 A Gantt The Gantt chart also shows the task milestones and the task
relationships between predecessor and successor tasks.
References
 The IIA’s CIA Learning System, 2: Internal Audit Practice
 Wiley CIAexcel Exam Review 2018, Part 2: Internal Audit Practice.
 The IPPF’s Implementation Guidance – 2017
 Gleim Part 2 CIA Review 2020 Edition
 https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards-
Glossary.aspx
 https://linfordco.com/blog/audit-procedures-testing/
 https://en.wikipedia.org/wiki/Gantt_chart
 ASQ Green Belt Handbook
Q & A