Professional Documents
Culture Documents
The internal auditing process may be divided into four major categories:
1. Engagement Planning
2. Performing the Engagement
3. Communicating the Result
4. Monitoring Progress
I. ENGAGEMENT PLANNING
In any internal audit activity, planning plays a critical role in the achievement of its
objectives. Planning on the nature and scope of audit work to be performed ensures
effective and efficient use of audit resources. The standards also provide that internal
auditors must develop and document a plan for each engagement including its
objectives, scope, timing and resources allocations.
Objectives/Purpose
Nature of Planning
Planning Considerations
● The objectives of the activity being reviewed and the means by which the
activity controls its performance;
● The significant risks to the activity, its objectives, resources and operations and
the means by which the potential impact of risk is kept to an acceptable level
● The adequacy and effectiveness of the activity's risk management and control
processes compared to a relevant control framework or model
● The opportunities for making significant improvements to the activity's risk
management and control processes.
Planning Responsibility
● The chief audit executive is the primary responsible for developing a risk based
audit plan
● The CAE consults with senior management and board, and must consider their
expectations
● Communication of audit activity plans and resource requirements
Terms of Engagement:
Engagement Letter
● The internal auditor informs the auditee the terms of the engagement through a
formal communication called an engagement letter.
● Internal auditor provides for the term of reference to be sent to the auditee which
the latter needs to conform including:
a. the scope of work to be performed
b. objectives of the audit
c. criteria to be used and;
d. the auditor assigned and other relevant information
● The need to have an opening meeting may be of use
Opening Meeting
● Internal auditor clarifies the details of the program, and the activity or the
organization to be audited.
● Explains the auditee responsibilities in the process.
Audit Criteria
● Should be relevant, reliable, neutral and complete.
● Reasonable and attainable standards of performance and controls against which
compliance, the adequacy of systems and practices and the economy,
efficiency and cost effectiveness of operations can be evaluated and assessed
● Basis for developing audit observations and formulating audit conclusions
● An understanding between the internal auditor and auditee must be reached
regarding the appropriate and suitable criteria to be used.
● It must be reviewed and discussed to acquire an acknowledgement that the
criteria are suitable to the audit.
● Failure to identify and obtain auditee acceptance of audit-appropriate criteria
may result in an inappropriate and contestable conclusion.
● If there is no agreement, it must be reflected in the planning documentation with
an explanation.
- The success of the audit engagement ultimately depends on how well the
internal audit understands the auditee.
Survey
● Risk is the uncertainty of any events occurring that could have an impact on the
attainment of the objectives.
● Risk assessment refers to the consideration of probable material effects of
uncertain events in achieving company objectives.
Inherent risks
- The risk to the auditee, in the absence of any actions or controls management
might take to reduce or otherwise manage identified risks.
Audit Risk
a. Inherent Risk
b. Control Risk
c. Detection Risk
4. Analytical Procedures.
The internal auditor needs to obtain an understanding on the design of the auditee
internal control structure as it may impact the fairness of the auditee financial
statement.
The Internal Auditor may apply the following:
● Inquiry with appropriate management;
● Inspection of documents and records produced by the accounting and internal
control system
● Observation of the auditee activity and operations, and
● Perform a walk through test, where the auditor trace a few transactions through
the accounting system.
The nature, timing and extent of the performance of procedures will depend upon the
auditor assessment of the presence of control risk.
After gaining understanding, the internal auditor should document the design and
operations of the internal control.
(a) narrative description
(b) questionnaire
(c) flowchart,
7. Resource Allocation
- This step in planning ensures that the resources are properly allocated.
The following may be considered in allocating resources:
● The number and experience level of the internal auditing staff required
● Knowledge, skills and other competencies of the internal auditing staff
● Training needs of the internal auditors
● Consideration of the use of external resources
Initial Meeting - the auditor discusses the unit or system to be reviewed, the available
resources, and other relevant information.
● Introduction of the team and client’s personnel
● Communication standards
● Targeted timeline
● Reconfirm the scope of the engagement
Continuous communication - the auditor discusses any significant findings with the
owners of the processes. At the same time the owners of the processes will discuss
the compensatory controls as well as supporting documents.
Exit Meeting - upon completion of the fieldwork, the auditor will meet the client to
discuss the preliminary findings and proposed recommendations.
Preliminary Audit Report - The auditor will prepare the draft of the internal audit report
outlining the entities audited, the scope of work, the recommendations and its time
frame for implementation.
Management Response - The management will then prepare a response to the audit
findings in the audit report. This will include the action taken based on the internal audit
report and the timeline for its implementation.
Final Report - When the management response is integrated in the draft audit report,
the report becomes final which the auditor will present to the audit committee.
Follow-up Review - The auditor will keep an updated log of issues to be followed-up
from the previous audit. Client and auditor will analyze and understand the process
being implemented, including the deadline for the implementation of the proposed and
agreed upon recommendations.
Follow-up Report - It will be issued to the management and a copy sent to the audit
committee describing the issue followed up on, the management's control
implementation, the assessment and appropriateness of the control and a listing of
unresolved findings, including their deadline.
Please see attached file of our group's presentation regarding the Engagement Process and
Planning. Please see the files attached for our group's presentation on the topic Engagement
Process and Planning. Thank you and stay safe.