Engagement Process and Planning

The conduct of an examination requires a systematic, disciplined approach in order to

evaluate and improve the effectiveness of risk management, control and governance
processes. Organization may come up and identify different steps in order to obtain a
systematic and disciplined approach.

The internal auditing process may be divided into four major categories:

1. Engagement Planning
2. Performing the Engagement
3. Communicating the Result
4. Monitoring Progress

I. ENGAGEMENT PLANNING

If you fail to plan, you plan to fail.

In any internal audit activity, planning plays a critical role in the achievement of its
objectives. Planning on the nature and scope of audit work to be performed ensures
effective and efficient use of audit resources. The standards also provide that internal
auditors must develop and document a plan for each engagement including its
objectives, scope, timing and resources allocations.

Objectives/Purpose

1. Establish the objectives and scope of the engagement;

2. Determine the priorities in order to establish a cost effective means of
achieving its objective
3. Assist in the direction and control of audit work
4. Ensure that attention is devoted to critical aspect of audit work
5. Ensure that work is completed in accordance with pre-determined targets.
a. Same agenda
b. Skills and time are utilized
c. Compliance with IIA

Nature of Planning

● In any internal audit activity, planning is a continuous process.

● Modifications can be made but with the approval of those persons in charge of
governance
 ● It depends on the nature and complexity of the engagement.

Planning Considerations

● The objectives of the activity being reviewed and the means by which the
activity controls its performance;
● The significant risks to the activity, its objectives, resources and operations and
the means by which the potential impact of risk is kept to an acceptable level
● The adequacy and effectiveness of the activity's risk management and control
processes compared to a relevant control framework or model
● The opportunities for making significant improvements to the activity's risk
management and control processes.

Planning Responsibility

● The chief audit executive is the primary responsible for developing a risk based
audit plan
● The CAE consults with senior management and board, and must consider their
expectations
● Communication of audit activity plans and resource requirements

Terms of Engagement:

Engagement Letter

● The internal auditor informs the auditee the terms of the engagement through a
formal communication called an engagement letter.
● Internal auditor provides for the term of reference to be sent to the auditee which
the latter needs to conform including:
a. the scope of work to be performed
b. objectives of the audit
c. criteria to be used and;
d. the auditor assigned and other relevant information
● The need to have an opening meeting may be of use

Opening Meeting

● Internal auditor clarifies the details of the program, and the activity or the
organization to be audited.
● Explains the auditee responsibilities in the process.

Audit Criteria
 ● Should be relevant, reliable, neutral and complete.
● Reasonable and attainable standards of performance and controls against which
compliance, the adequacy of systems and practices and the economy,
efficiency and cost effectiveness of operations can be evaluated and assessed
● Basis for developing audit observations and formulating audit conclusions
● An understanding between the internal auditor and auditee must be reached
regarding the appropriate and suitable criteria to be used.
● It must be reviewed and discussed to acquire an acknowledgement that the
criteria are suitable to the audit.
● Failure to identify and obtain auditee acceptance of audit-appropriate criteria
may result in an inappropriate and contestable conclusion.
● If there is no agreement, it must be reflected in the planning documentation with
an explanation.

Key Planning Activities:

1. Determine engagement objectives and scope.

- It defines what needs to be accomplished.

Factors to consider in planning the engagement objectives and scope:

1. Business objectives categories

2. Deliverables the internal audit are expected to produce
3. Boundaries of the engagement

2. Understand the Auditee.

- The success of the audit engagement ultimately depends on how well the
internal audit understands the auditee.

Getting to know the auditee may involve the following:

● Objective and Goals

● Policies, plans, procedures, laws and regulations that bear impact on auditee
operations and reports
● Organization information
● Budget information, operating results and financial data
● Authoritative and technical literature appropriate to the activity

How the internal auditor obtain knowledge or understanding auditee business:

 ● Inquiry with client management and personnel
● Observation and tour of company's facility
● Review of prior year audited working papers
● Study and review of published articles regarding the client and of the
industry it belongs
● Review of correspondences, files to determine potential significant audit
issue
● Survey

Survey

● Is a process of gathering information without detailed verification, on the activity

being examined.
● Is an effective tool for applying internal audit activity’s resources where they can
be used most effectively
● To identify areas of engagement emphasis and to invite comments and
suggestions

3. Identify and Assess Risk

● Risk is the uncertainty of any events occurring that could have an impact on the
attainment of the objectives.
● Risk assessment refers to the consideration of probable material effects of
uncertain events in achieving company objectives.

Inherent risks

- The risk to the auditee, in the absence of any actions or controls management
might take to reduce or otherwise manage identified risks.

Audit Risk

- Risk of providing incorrect audit conclusions

Components of Audit Risk

a. Inherent Risk
b. Control Risk
c. Detection Risk

4. Analytical Procedures.

● Analysis of significant ratios and trends

 ● Applied as the risk assessment procedures at the planning and overall review
stages of the engagement
● During the planning stage, it may reveal process activities that warrant closer
attention and more detailed testing
● It provides the internal auditor with an efficient and effective means of making an
assessment of information collected in an audit

5. Evaluate adequacy of internal control

- Internal control are a set of processes designed to provide reasonable assurance
on the achievement of the objectives:
a. effectiveness and efficiency of operation;
b. reliability and accuracy of financial reporting
c. compliance with laws and regulations.

The internal auditor needs to obtain an understanding on the design of the auditee
internal control structure as it may impact the fairness of the auditee financial
statement.
The Internal Auditor may apply the following:
● Inquiry with appropriate management;
● Inspection of documents and records produced by the accounting and internal
control system
● Observation of the auditee activity and operations, and
● Perform a walk through test, where the auditor trace a few transactions through
the accounting system.

The nature, timing and extent of the performance of procedures will depend upon the
auditor assessment of the presence of control risk.
After gaining understanding, the internal auditor should document the design and
operations of the internal control.
(a) narrative description
(b) questionnaire
(c) flowchart,

6. Develop a Work Program (Audit Program)

● A work program otherwise known as an audit program is an audit approach
designed by the auditor that will provide the most meaningful with a less cost
conduct of examination.
 ● It is considered as the end stage of audit planning wherein it establishes the
procedures for identifying, analyzing, evaluating and recording information
during the engagement.
● A work program should be aligned to the Engagement objectives.

Purpose of Audit Program

● A guide for conducting and coordinating the audit work to be done
● A framework for assigning audit work
● A framework for effectively supervising work and assessing the cost and quality
of the work performed
● A vehicle to document the exercise of due care requirements and compliance
with standards.

7. Resource Allocation
- This step in planning ensures that the resources are properly allocated.
The following may be considered in allocating resources:
● The number and experience level of the internal auditing staff required
● Knowledge, skills and other competencies of the internal auditing staff
● Training needs of the internal auditors
● Consideration of the use of external resources

II. PERFORMING THE ENGAGEMENT

Initial Meeting - the auditor discusses the unit or system to be reviewed, the available
resources, and other relevant information.
● Introduction of the team and client’s personnel
● Communication standards
● Targeted timeline
● Reconfirm the scope of the engagement

Transaction Testing - transactions will be tested using various techniques.

Assessment if controls are operating effectively.

Continuous communication - the auditor discusses any significant findings with the
owners of the processes. At the same time the owners of the processes will discuss
the compensatory controls as well as supporting documents.
Exit Meeting - upon completion of the fieldwork, the auditor will meet the client to
discuss the preliminary findings and proposed recommendations.

III. COMMUNICATING THE RESULT

Preliminary Audit Report - The auditor will prepare the draft of the internal audit report
outlining the entities audited, the scope of work, the recommendations and its time
frame for implementation.

Management Response - The management will then prepare a response to the audit
findings in the audit report. This will include the action taken based on the internal audit
report and the timeline for its implementation.

Final Report - When the management response is integrated in the draft audit report,
the report becomes final which the auditor will present to the audit committee.

IV. MONITORING THE PROGRESS

Follow-up Review - The auditor will keep an updated log of issues to be followed-up
from the previous audit. Client and auditor will analyze and understand the process
being implemented, including the deadline for the implementation of the proposed and
agreed upon recommendations.

Follow-up Report - It will be issued to the management and a copy sent to the audit
committee describing the issue followed up on, the management's control
implementation, the assessment and appropriateness of the control and a listing of
unresolved findings, including their deadline.

Good day Sir Allan,

Please see attached file of our group's presentation regarding the Engagement Process and
Planning. Please see the files attached for our group's presentation on the topic Engagement
Process and Planning. Thank you and stay safe.