Cia Review: Part 2 Study Unit 4: Engagement Planning

CIA REVIEW: PART 2 4.
1 Engagement Objectives, Scope, and Criteria

4.2 Planning and Risk Assessment
Study Unit 4 4.3 Risk Based Audit Plan
4.4 Internal Audit Resource Requirements
Engagement Planning 4.5 Staff and Resources
Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact copyright@gleim.com. 1 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact copyright@gleim.com. 2
CIA 2, SU 4 CIA 2, SU 4
Engagements
• An engagement is a specific internal audit assignment,
task, or review activity, such as an internal audit, control
self assessment review, fraud examination, or consultancy
(The IIA Glossary).
Engagement Objectives,
Scope, and Criteria • Performance Standard 2200: Engagement Planning
o Internal auditors must develop and document a plan for
each engagement, including the engagements
4.1 objectives, scope, timing, and resource allocations. The
plan must consider the organizations strategies,
objectives, and risks relevant to the engagement.
Engagement Objectives Engagement Scope
• IG 2210, Engagement Objectives • Performance Standard 2220: Engagement Scope
o Objectives assist in determining the procedures to o The established scope must be sufficient to achieve the
perform and the priorities for testing risks and controls. objectives of the engagement.
o Objectives ordinarily are based on identified key risks
relevant to the subject matter.
o Preliminary objectives of engagements are based on • Implementation Standard 2220.A1
• The plan of engagements o The scope of the engagement must include
• Prior results consideration of relevant systems, records, personnel,
• Stakeholder feedback and physical properties, including those under the
• The auditees mission and objectives control of third parties.
o Risk assessment exercises should be performed related
to the auditees governance, risk management, and
controls.
Criteria Multiple-Choice Question

• Criteria are needed to measure the effectiveness of internal Which of the following is an appropriate objective in an engagement to review a personnel
department? Determining whether
control.
• Management and internal audit also have different
A. Hourly employees are being paid only for hours actually worked as indicated by time cards or
responsibilities regarding this process. similar reports.
B. An equitable training program exists that provides all employees with approximately the same
amount of training each year.
• Implementation Standard 2210.A3
C. Reference checks of prospective employees are being performed.
o Adequate criteria are needed to evaluate governance, risk
management, and controls. Internal auditors must ascertain D. Recruitment is being delegated to the various departments that have personnel needs.
the extent to which management and/or the board has
established adequate criteria to determine whether
objectives and goals have been accomplished. If adequate,
internal auditors must use such criteria in their evaluation. If
inadequate, internal auditors must identify appropriate
evaluation criteria through discussion with management
and/or the board.
Multiple-Choice Answer
Which of the following is an appropriate objective in an engagement to review a personnel
department? Determining whether
A. Hourly employees are being paid only for hours actually worked as indicated by time cards or
similar reports.
B. An equitable training program exists that provides all employees with approximately the same
amount of training each year. Planning and Risk
C. Reference checks of prospective employees are being performed.
D. Recruitment is being delegated to the various departments that have personnel needs. Assessment
An effective personnel function is necessary for hiring, training, and monitoring human
resources. One purpose of this function is to recruit, select, hire, train, supervise, and
evaluate individuals who are suitable in light of job requirements, job descriptions, and job
4.2
specifications (the abilities needed for particular jobs). In a review of this function, an
appropriate objective is to determine whether the selection process is being properly
performed. Thus, a potential employees references should be checked to determine whether
(s)he is truthful and has the desired qualifications.
Planning Considerations Engagement Planning

• Performance Standard 2201: Planning Considerations • IG 2200, Engagement Planning
o In planning the engagement, internal auditors must consider: o Planning requires internal auditors to understand the internal
audit plan of engagements.
• The strategies and objectives of the activity being
o Setting objectives is crucial to planning.
reviewed and the means by which the activity controls its
performance. o Setting risk based objectives permits definition of the scope
of the engagement.
• The significant risks to the activitys objectives, resources, o Other considerations during engagement planning:
and operations and the means by which the potential • Resources required and their most effective and efficient
impact of risk is kept to an acceptable level. use
• The adequacy and effectiveness of the activitys • Retention of documents and decisions about
governance, risk management, and control processes requirements and formats
compared to a relevant framework or model. • Beginning preparation of the engagement program, with
• The opportunities for making significant improvements to attention to budgets, forms of final communications, and
the activitys governance, risk management, and control logistical concerns
processes. • The CAE determines how, when, and to whom results are
communicated.
Identify Key Risks and
Controls Risk
• During planning, internal auditors must identify key business • Risk is the possibility that an event will occur having an
risks and controls, especially the clients inherent risks. impact on the achievement of objectives.
• This risk assessment should include both the impact (effect) • It is measured in terms of impact and likelihood (The IIA
of the risk and its likelihood. Glossary).
• Implementation Standard 2210.A1

o Internal auditors must conduct a preliminary assessment
of the risks relevant to the activity under review.
Engagement objectives must reflect the results of this
assessment.
Risk Assessment Multiple-Choice Question

• After completing the preliminary survey, the internal auditors To determine the extent of testing to be performed during field work, preparing the engagement
perform a preliminary risk assessment. work program should be the next step after completing the
• Internal auditors consider managements assessment of risks; its

reliability; the process for addressing risk and control matters; the A. Preliminary survey.
reporting about, and the responses to, events exceeding the risk B. Survey of company policies.
appetite; and risks in related activities.
C. Assignment of audit staff.
• Internal auditors obtain background information about the
activities reviewed to determine their effect on the objectives D. Time budgets for specific audit tasks.
and scope.
• A survey is usually performed to become familiar with the clients
activities, risks, and controls; identify areas of emphasis; and
invite comments from the client.
• A summary of results is prepared that includes significant issues;
objectives and procedures; critical control points, deficiencies, or
excess controls; methods, such as those that are technology
based; and reasons for modifying objectives or not continuing the
engagement.
To determine the extent of testing to be performed during field work, preparing the engagement
work program should be the next step after completing the
A. Preliminary survey.
B. Survey of company policies.
C. Assignment of audit staff.
Risk-Based Audit Plan

D. Time budgets for specific audit tasks.
Planning includes performing, if appropriate, a survey to (1) become familiar with

the activities, risks, and controls to be reviewed to identify areas for engagement
4.3
emphasis and (2) invite comments and suggestions from engagement clients.
Writing the work program is the next step.
Priorities Based on the Risk Performance and

Assessment Interpretation
• Internal auditors should use market, product, and industry • Performance Standard 2010: Planning
knowledge to identify new internal audit engagement
opportunities. o The chief audit executive must establish a risk based
• The work plan of any internal audit activity must reflect the plan to determine the priorities of the internal audit
organizations assessment of many diverse risks. activity, consistent with the organizations goals.
• The audit plan must be logically related to identified risks of the
organization.
• Interpretation of Standard 2010
• Making this connection between identified risks and how they
relate to strategic and operational goals is the primary advantage o To develop the risk based plan, the chief audit executive
of risk based audit planning. consults with senior management and the board and
• Planning also involves considering what services stakeholders obtains an understanding of the organizations
want. strategies, key business objectives, associated risks, and
• Planning for consulting services involves considering what risk management processes. The chief audit executive
benefits these engagements may offer. must review and adjust the plan, as necessary, in
response to changes in the organizations business, risks,
operations, programs, systems, and controls.
Implementation The Risk-Based Audit Plan
• Implementation Standard 2010.A1 • Developing the internal audit activitys audit plan often
o The internal audit activitys plan of engagements must be based on
a documented risk assessment, undertaken at least annually. The follows developing or updating the audit universe.
input of senior management and the board must be considered in
this process. • The internal audit activitys audit plan is based on the audit
universe, input from senior management and the board,
• Implementation Standard 2010.A2 and assessed risk and exposures.
o The chief audit executive must identify and consider the
expectations of senior management, the board, and other • Key audit objectives are to provide assurance and
stakeholders for internal audit opinions and other conclusions. information to senior management and the board.
• Work schedules are based on an assessment of risk priority
• Implementation Standard 2010.C1
o The chief audit executive should consider accepting proposed
and exposure.
consulting engagements based on the engagements potential to • An internal audit usually is prepared for an annual period.
improve management of risks, add value, and improve the
organizations operations. Accepted engagements must be included But it might be for a rolling 12 month cycle or two or more
in the plan.
years with annual evaluation.
The Risk-Based Audit Plan The Risk-Based Audit Plan

• The plan of engagements must consider the organizations • Risk management process continued
risk management process. o The internal auditor considers the significant risks of the
o Risk management (RM) is critical to sound governance activity and the means by which management mitigates the
of all organizational activities. Consistent RM should be risks.
fully integrated into management at all levels. o Inherent and residual risks should be identified and assessed.
o Effective RM assists in identifying key controls related to Mitigating controls, contingency plans, and monitoring
significant inherent risks. Enterprise risk management activities should be linked to events or risks. Risk registers
(ERM) is a common term. It has been defined as a should be systematic, complete, and accurate. Risks and
process, effected by the board, management, and activities should be documented.
others, applied in setting strategy across the entity.
o The internal auditor also coordinates with other assurance
o Inherent risk and residual risk (also known as current providers and considers planned reliance on their work.
risk) are basic concepts.
o The internal audit activity needs to identify high inherent and
o Key controls reduce an otherwise unacceptable risk to a
residual risks and key control systems, and management
tolerable level. Controls are processes that address risks. needs to be notified about unacceptable residual risk.
The Risk-Based Audit Plan AICPA Audit Risk Model
• Risk management process continued • Internal auditors must establish a framework for assessing risk.
o Risk registers may document risks below the strategic level. • The American Institute of Certified Public Accountants (AICPA) is
o Lower risk audits need to be included in the audit plan to give the private sector body that establishes standards for external
them coverage and confirm that their risks have not changed. audits of financial statements in the United States.
o An internal audit plan normally focuses on unacceptable • The audit risk model used by the AICPA is
current risks requiring management action, control systems o Audit risk = Risk of material misstatement × Detection risk
on which the organization is most reliant, areas where the
o Audit risk = (Inherent risk × Control risk) × Detection risk
difference between inherent risk and residual risk is great,
and areas where inherent risk is very high. • This model is used by an independent auditor engaged to report
o When planning individual audits, the internal auditor on whether financial statements are fairly represented, in all
identifies and assesses risks relevant to the area under material respects, in accordance with the applicable financial
review. reporting framework.
Audit Risk and Its Components Audit Risk and Its Components
• Audit risk is the risk that an auditor expresses an • Control risk is the risk that internal control will not timely
inappropriate opinion on materially misstated financial prevent, or detect and correct, a material misstatement of
statements. an assertion.
o Control risk is the risk that the system of internal control
o Audit risk is the risk that the auditor will provide senior
designed and implemented by management will fail to
management and the board with flawed or incomplete achieve managements goals and objectives for the
information about governance, risk management, and account or activity under review.
control.
• Detection risk is the risk that the audit procedures intended
• Inherent risk is the susceptibility of an assertion about a to reduce audit risk to an acceptably low level will not
transaction class, balance, or disclosure to a material detect a material misstatement.
misstatement before considering relevant controls. o Detection risk is the risk that the auditor will fail to
o Inherent risk is the risk arising from the nature of the discover conditions relevant to the established audit
account or activity under review. objectives for the account or activity under review.
Auditor Response to Assessed Rank and Validate Risk
Risk Priorities
• Of the three components, only detection risk is under the • Risk modeling is an effective method used to rank and
auditors direct control. validate risk priorities when prioritizing engagements in the
• The internal auditor must first determine the levels of audit plan.
inherent and control risk for the account or activity under • Risk is the possibility that an event will occur having an
review. Detection risk is then adjusted to achieve an overall impact on the achievement of objectives.
acceptable level of audit risk. • Risk is measured in terms of impact and likelihood.
• All three components may be assessed in quantitative (e.g.,
scale of 1% to 100%, with 100% being maximum risk) or
nonquantitative (e.g., high, medium, low) terms.
Example Multiple-Choice Question

• A chief audit executive is reviewing the following enterprise wide risk map: When a risk assessment process has been used to construct an audit engagement schedule, which
of the following should receive attention first?
A. The external auditors have requested assistance for their upcoming annual audit.
B. A new accounts payable system is currently undergoing testing by the information technology
department.
• In establishing the appropriate priorities for the deployment of limited internal audit resources, the
CAE undertakes the following analysis:
C. Management has requested an investigation of possible lapping in receivables.
o Risk D clearly takes precedence over Risk C because D has a higher likelihood. D. The existing accounts payable system has not been audited over the past year.
o Risk C also clearly has a higher priority than Risk A because C has a higher likelihood and the
same impact.
• Choosing the higher priority between Risk B and Risk A is a matter of professional judgment based on
the organizational risk assessment and the stated priorities of senior management and the board.
o If the more likely threat is considered the greater risk, Risk B will rank higher in the internal audit
work plan.
o Likewise, if the threat with the greater possible impact causes senior management and the board
more concern, the internal audit activity will place a higher priority on Risk A.
Multiple-Choice Answer Multiple-Choice Question
When a risk assessment process has been used to construct an audit engagement schedule, which Risk is measured in terms of significance and likelihood. Excessive cash disbursements due to
of the following should receive attention first? duplicate payments to vendors are events that most likely are placed in which area of a risk map?
A. The external auditors have requested assistance for their upcoming annual audit. A. Low significance, low likelihood.
B. A new accounts payable system is currently undergoing testing by the information technology B. Low significance, high likelihood.
department.
C. High significance, medium likelihood.
C. Management has requested an investigation of possible lapping in receivables.
D. High significance, low likelihood.
D. The existing accounts payable system has not been audited over the past year.
Prioritizing is needed to make decisions about applying resources to engagements

based on the relative significance of their risk and exposure estimates. Most risk
models use risk factors to establish engagement priorities. Internal auditors
traditionally regard fraud as significant even if the immediate exposure is not.
Thus, managements request to investigate a possible fraud in the accounts
receivable unit must take precedence.
Risk is measured in terms of significance and likelihood. Excessive cash disbursements due to
duplicate payments to vendors are events that most likely are placed in which area of a risk map?
A. Low significance, low likelihood.

B. Low significance, high likelihood.
C. High significance, medium likelihood. Internal Audit Resource
Requirements
D. High significance, low likelihood.
Duplicate payments to vendors are considered high significance because they

result in a material loss of cash if undetected. The likelihood is medium because
4.4
they are a common irregularity. However, there is most often a good chance (not
guaranteed) that a vendor will detect the error and correct it.
Managing Internal Audit
Standard and Interpretation Resources
• Performance Standard 2030: Resource Management • The CAE is primarily responsible for the sufficiency and
o The chief audit executive must ensure that internal audit management of resources, including communication of
resources are appropriate, sufficient, and effectively needs and status to senior management and the board.
deployed to achieve the approved plan. These parties ultimately must ensure the adequacy of
resources.
• Interpretation of Standard 2030 • The competencies of the internal audit staff should be
o Appropriate refers to the mix of knowledge, skills, and appropriate for the planned activities. The CAE may conduct
other competencies needed to perform the plan. a documented skills assessment based on the needs
Sufficient refers to the quantity of resources needed to identified in the risk assessment and audit plan.
accomplish the plan. Resources are effectively deployed
when they are used in a way that optimizes the
achievement of the approved plan.
Managing Internal Audit Managing Internal Audit

Resources Resources
• Resources need to be sufficient for audit activities to be • The CAE considers succession planning, staff evaluation and
performed in accordance with the expectations of senior development, and other human resource disciplines.
management and the board. Resource planning considers • The CAEs ongoing communications with senior
the audit universe, relevant risk levels, the internal audit management and the board include periodic summaries of
plan, coverage expectations, and an estimate of resource status and adequacy, e.g., the effect of temporary
unanticipated activities. vacancies and comparison of resources with the audit plan.
• Resources must be effectively deployed by assigning • When selecting the appropriate audit staff, the CAE must
consider these factors:
qualified auditors and developing an appropriate resourcing
o Complexity of the engagement
approach and organizational structure.
o Experience levels of the auditors
o Training needs of the auditors
o Available resources
Outsourcing the Internal Audit
Activity Multiple-Choice Question
• An organizations governing body may decide that an external The advantage attributed to the establishment of internal auditing field offices for work at foreign
service provider is the most effective means of obtaining internal locations is best described as
audit services.
A. The possibility of increased objectivity of personnel assigned to a field office.
• Performance Standard 2070: External Service Provider and B. A reduction of travel time and related travel expense.
Organizational Responsibility for Internal Auditing C. The increased ease of maintaining uniform organization wide standards.
o When an external service provider serves as the internal audit
D. More contact with senior personnel leading to an increase in control.
activity, the provider must make the organization aware that
the organization has the responsibility for maintaining an
effective internal audit activity.
• Interpretation of Standard 2070

o This responsibility is demonstrated through the quality
assurance and improvement program which assesses
conformance with the Code of Ethics and the Standards.
The advantage attributed to the establishment of internal auditing field offices for work at foreign
locations is best described as
A. The possibility of increased objectivity of personnel assigned to a field office.

B. A reduction of travel time and related travel expense.
C. The increased ease of maintaining uniform organization wide standards.
Staff and Resources

D. More contact with senior personnel leading to an increase in control.
The advantages of field offices compared with sending internal auditors from the
home office include (1) reduced travel time and expense, (2) improved service in 4.5
the operating locations served by the field offices, (3) better morale of internal
auditors as a result of increased authority, and (4) the possibility of employing
persons who do not wish to travel.
Resources at the Engagement
Level Audit Staff Schedules
• Performance Standard 2230: Engagement Resource • Audit staff schedules should be prepared to achieve
Allocation effective use of time.
o Internal auditors must determine appropriate and o Audit teams are selected based on their knowledge,
sufficient resources to achieve engagement objectives skills, and other competencies to meet engagement
based on evaluation of the nature and complexity of
each engagement, time constraints, and available objectives efficiently and effectively.
resources. o All engagements should be under budgetary control.
Project budgets and schedules should be developed for
• Engagement resource allocation is based on evaluation of each engagement.
o The number and experience of staff; o Budget adjustments need to be justified and approved
o The knowledge, skills, and competencies of the staff;

at a level higher than the engagement supervisor.
o Training needs; and o Monitoring time budgets and schedules allows the CAE
o Whether external resources are required.

to control projects and avoid overruns.
Multiple-Choice Question Multiple-Choice Answer

Any program for selecting and developing the human resources of the internal audit activity will fail Any program for selecting and developing the human resources of the internal audit activity will fail
unless compensation is adequate at all levels of responsibility. Policies concerning compensation unless compensation is adequate at all levels of responsibility. Policies concerning compensation
should should
A. Link internal auditors compensation to the pay for comparable positions in the controllers A. Link internal auditors compensation to the pay for comparable positions in the controllers
department. department.
B. Provide for cost of living, longevity, and merit increases annually. B. Provide for cost of living, longevity, and merit increases annually.
C. Be informal and as flexible as possible to allow the chief audit executive to respond to unusual C. Be informal and as flexible as possible to allow the chief audit executive to respond to unusual
situations. situations.
D. Be clearly stated and based on evaluations of position requirements and individual D. Be clearly stated and based on evaluations of position requirements and individual
performance. performance.
Internal auditing job descriptions are important because, among other things, they may
be used to justify adequate salaries. As part of an overall personnel management and
development program, they should be used together with periodic, formal performance
appraisals as a basis for compensation adjustments and promotions.

Cia Review: Part 2 Study Unit 4: Engagement Planning

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cia Review: Part 2 Study Unit 4: Engagement Planning

Uploaded by

Copyright:

Available Formats

CIA REVIEW: PART 2 4.

1 Engagement Objectives, Scope, and Criteria

Criteria Multiple-Choice Question

Planning Considerations Engagement Planning

• Implementation Standard 2210.A1

Risk Assessment Multiple-Choice Question

• Internal auditors consider managements assessment of risks; its

Risk-Based Audit Plan

Planning includes performing, if appropriate, a survey to (1) become familiar with

Priorities Based on the Risk Performance and

The Risk-Based Audit Plan The Risk-Based Audit Plan

Example Multiple-Choice Question

Prioritizing is needed to make decisions about applying resources to engagements

A. Low significance, low likelihood.

Duplicate payments to vendors are considered high significance because they

Managing Internal Audit Managing Internal Audit

• Interpretation of Standard 2070

A. The possibility of increased objectivity of personnel assigned to a field office.

Staff and Resources

o The knowledge, skills, and competencies of the staff;

o Whether external resources are required.

Multiple-Choice Question Multiple-Choice Answer

You might also like

Cia Review: Part 2 Study Unit 4: Engagement Planning

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cia Review: Part 2 Study Unit 4: Engagement Planning

Uploaded by

Copyright:

Available Formats

CIA REVIEW: PART 2 4.

1 Engagement Objectives, Scope, and Criteria

Criteria Multiple-Choice Question

Planning Considerations Engagement Planning

• Implementation Standard 2210.A1

Risk Assessment Multiple-Choice Question

• Internal auditors consider managements assessment of risks; its

Risk-Based Audit Plan

Planning includes performing, if appropriate, a survey to (1) become familiar with

Priorities Based on the Risk Performance and

The Risk-Based Audit Plan The Risk-Based Audit Plan

Example Multiple-Choice Question

Prioritizing is needed to make decisions about applying resources to engagements

A. Low significance, low likelihood.

Duplicate payments to vendors are considered high significance because they

Managing Internal Audit Managing Internal Audit

• Interpretation of Standard 2070

A. The possibility of increased objectivity of personnel assigned to a field office.

Staff and Resources

o The knowledge, skills, and competencies of the staff;

o Whether external resources are required.

Multiple-Choice Question Multiple-Choice Answer

You might also like

• Internal auditors consider managements assessment of risks; its