INTERNAL AUDIT ENGAGEMENTS (2022-2023)

Engagement Value Enabler 9: Audit Report as possible words, while still conveying clear, accurate,
complete and factual messages.
Engagement reporting - it is a reporting that is based on
verbal discussions, conference calls, meetings,
presentations, email communications, full size audit
reports, or executive summaries.
IPPF’S REQUIREMENTS
2400 – Communicating Results
2410 – Criteria for Communicating
2420 – Quality of Communications
2421 – Errors and Omissions
2430 – Use of “Conducted in Conformance with the
International Standards for the Professional Practice of
Internal Auditing”
2431 – Engagement Disclosures of Non conformance
2440 – Disseminating Results

STANDARDISATION
It is a best practise to standardise the following
elements of the audit engagement reporting:
 design, structure, format and presentation of the
cover page The key elements of this template are:
 design, structure, format and presentation of the
 The description of the transactional control or the
executive summary page
management activity and its objective
 design, structure, format and presentation of the
 Control weakness, exception or risk
pages of the body of the report,
 Criticality of the weakness
 describing the individual audit issues
 (Root) causes of the weakness
 distribution list
 Impact of the control weakness or risk
 engagement-dependent
 Recommendation for mitigating the weakness or
 writing style
risk
 the use of tools such as risk maps and key-control
 Management’s response to the issue, risk and
matrixes
recommendation
 the process for filling the content during the audit
 Agreed management action to mitigate the
engagement
weakness or risk
 the supervisory and approval process
PROCESS FOR THE FINAL AUDIT ENGAGEMENT Why split the recommendation and the management
REPORTING action?

Developing a best practice content of the audit
engagement report can be done in 7 steps:
STEP 1: WHAT IS THE STRUCTURE OF THE
REPORT BODY?
Exception reporting
The most comprehensive documentation which
remain internal documentation that is not shared
outside the audit function.
Two methods available for sharing this work:
o Describing all the work and the results
o Describing only those results that need
action.
Template structure
This is where engagement team and auditor is
to report the results of the audit engagement in as few
This separation enables the audit function to
express its opinion on the required level of risk
mitigation, while at the same time management can
deviate from the recommendation.
 Person responsible for the mitigation
 Due date of the mitigation
The appropriate due date depends on:
o the resource availability
o the priorities
o the urgency
o the difficulty of the measure.
STEP 2: WHAT AUDIT RESULTS ARE INCLUDED IN THE
REPORT BODY?
Determining which results from the audit
fieldwork end up in the body of the audit engagement
report is difficult for many new and some experienced

pg. 1

auditors. Though this does not have to be difficult at all,
when the following guidelines are consistently applied:
Based on the exception reporting, only include the
identified control weaknesses.
 Exception reporting
The audit fieldwork that confirm the proper
design and operating effectiveness of controls do not
need to be included in the body of the audit report.
 Control weaknesses
The results of the audit tests that identify
weaknesses in the design adequacy or operating
effectiveness of the control must be included in the
body of the audit report, while the exceptions may
relate to transactional objectives or management
activity objectives.
Assess the significance of the weaknesses.
 Review the possibilities for consolidating audit
issues.
Some control weaknesses may relate to the
same objective, result in the same risks, and need the
same mitigations. In such cases the engagement team
must assess whether all these related issues should be
reported separately, or whether they can be merged
into one larger topic.
 Determine the potential for the accumulation of
risks.
Individual issues may each have a low risk
impact, but accumulated they might have a moderate
or high risk impact. This situation may arise when
related, or non-related, control weaknesses have a
snowball or multiplying effect.
 Develop the storyline.
The individual audit issues to be reported in the
body of the engagement report must be illuminating,
meaningful and tell a story of the substance of the
subject matter.
STEP 3: WHAT IS THE STRUCTURE OF THE EXECUTIVE
SUMMARY?
The three key elements of the executive summary are:
1. The audit engagement objective and scope
2. The results of the audit engagement
3. The audit opinion
The storyline must be: assurance, scope,
objectives, risks, root causes, risk mitigations and
conclusion
Limited space
The best practice size for that is only one page.
It is because that is the maximum time an executive has
(or wants to make) available for taking in the results of
an audit engagement.
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
Audit engagement objective
It describes the type of internal audit work that
was performed, on what management activity it was
executed, and to what management objectives (for the
underlying activity of the subject matter) the assurance
is provided.
Audit engagement scope
It describes what was audited, where was
audited, who was audited and what period was audited.
Results of the audit engagement
The engagement results describe two main elements.
The executive reader of the audit engagement report
should understand:
 The audit rating: what is the quality of the internal
controls, risk management and governance over
each of the main sub-processes of the subject
matter.
 The key risks and mitigation: what risks have been
identified that may prevent the achievement of the
subject matter’s objectives. What has caused these
risks to arise, why were they not identified earlier
or why were they insufficiently mitigated. What are
the risk mitigating actions that will be undertaken
by management and by when these will be
effective.
Audit rating
It provides detailed insight into the audit results
in each of the subject matter’s main sub-processes. This
helps the engagement team single out the areas that
performed well in the audit, or where significant
weaknesses, risks or issues were identified.
Audit rating matrix
It is a simple to complex, depending on how
much information the CAE wants to have included. The
following figures serve as examples of what such an
audit rating matrix can look like.
Audit rating matrix
These ratings can be done with colour coding
(e.g., red, yellow, green) or with words. Following are
the rating definitions:
 Poor, weak (red warning light) - The quality of the
risk management and internal controls is very low
for the sub-process reviewed.
 Inadequate, unsatisfactory (yellow warning light)-
The quality of the risk management and internal
controls is insufficient for the processes reviewed.
 Adequate, satisfactory (green light )- The quality
of the risk management and internal controls is
satisfactory for the processes reviewed.
 Good, strong(dark green light) - The quality of the
risk management and internal controls is good for
the processes reviewed.
pg. 2
 INTERNAL AUDIT ENGAGEMENTS (2022-2023)

Root causes literature, so that the auditors must learn on-the-job,

This statement can refer to either one level:
explaining the audit rating matrix or explaining the
significant risks.
Most of the time, such root cause statements link
the audit results to:
 the qualities of the process owner and
his/her team managing the subject matter,
 the availability of the tools and systems,
 the risk and control awareness of
management,
 the focus, priority setting and style of
management,
 the culture and pressures,
 the inherent risk profile,
 the risk appetite of the process owner, and
so forth.
and gain the experience by doing. In many audit
functions, the leadership of the CAE and the
engagement supervisors is required to achieve a high
level and consistent standard of quality for the audit
engagement reports.
STEP 5: HOW TO WORD THE AUDIT OPINION?
KEY ELEMENTS OF THE AUDIT OPINION
 “In the Opinion Of ”
 Link to Audit Objective
 Link to Significant Risks
 Link to Business
 Link to Higher Organization
A few simple guidelines can be used for developing the
audit opinion:

Audit opinion  Use the words “in the opinion of internal

It is presented after the objective, scope
and results have been presented, the audit function
concludes on the audit work from a more holistic
point of view.
STEP 4: WHAT AUDIT RESULTS ARE INCLUDED IN
THE EXECUTIVE SUMMARY?
Linking the executive summary to the report body
audit”
 Link the audit opinion to the audit objective
 Link the audit opinion to the significant risks
 Link the audit opinion to the audit rating
 Link the audit opinion to the business
 Link the audit opinion to the higher organizational
units
 Put it to the test

STEP 6: HOW TO RESOLVE DISAGREEMENTS?

KEY ELEMENTS OF RESOLVING DISAGREEMENTS
 Cause of Disagreement
 Disagreement is healthy
The following guidelines are consistently  Identified Risks
applied, developing the executive summary should be  Risk Impact
easy:  Root Causes
 Risk Mitigation
1. Select the issues, risks or weaknesses to be  Due Dates
included in the executive summary  Audit Opinion
2. Condense the selected issues, risks or  Distribution List
weaknesses
3. Develop the storyline Triggering Disagreement
They should investigate the reasons for
Result management not objecting to any of the findings or the
Results can be measured in: all the moderate and high wording in the audit report. Such reasons could be:
risk issues, and the low risk issues that have an  Cultural
accumulated risk, have been selected for the executive  Intimidation
summary which audit issues are streamlined and  Disinterest
condensed in such a way that they reveal the key
problems in the internal controls, risk management and Disagreement is healthy
governance processes of the subject matter.  Disagreements lead to discussions, and
discussions lead to (re-) validation of the topic.
Training on the job  Disagreements must cause the engagement team
to rethink their findings, assessments and wording.
These judgemental processes are not taught at
seminars and are seldom described in the internal audit
pg. 3
 INTERNAL AUDIT ENGAGEMENTS (2022-2023)

 Disagreements are a measure of quality Auditees with actions - must receive a written
control, as they must bring the audit confirmation of what they need to do and by when.
engagement team to reassess the results of their
work. Layers between the process owner till the board –
must also be shared with the management levels below
Identified Risks the board, in the direct hierarchy till the level of the
process owner is reached.
 An event that may cause a shortfall on the 2nd lines of defense – must provide them the full audit
achievement of an objective. report, or only those sections of the audit report that
 Based on the transactional exceptions resulting contain the issues relevant to those functions.
from the audit testing of a sample of the
population. Others:
 Caused by a wrong design of a control or by an Internal – Special stakeholders, such as project
insufficiently effective operation of the control. managers, regional or other matrix managers.
Risk Impact External – Consultants who are involved in the projects.
NOTE: Reporting to third parties is normally subjected
 The engagement team needs to come to an
to enhanced quality, format, formality, diligence and
assessment about the severity or significance
sensitivity requirements.
(likelihood and impact) of the risks.
 Assessment may be subject to judgemental and
subjective.
Root Causes
 The root causes are the underlying real reasons
why the risks were not prevented or the exceptions
slipped through the transactional controls.
 Multiple (3, 4 or 5) times asking the question
“Why?” usually gets the auditor to the root
cause.

Risk Mitigation

It is a measurement that is fact based, it is

difficult to eliminate the subjective part. As such, this
leaves room for disagreements between the audit
engagement team and the process owner.

Audit Opinion

 It is a special section in the audit report. The title

already indicates that this represents the subjective
and judgemental view of the audit function.
 It is must be based on facts to support its
conclusion on the audit engagement, however, the
wording of this text is allowed to be judgemental
and subjective.

Distribution List

Disagreement on the distribution list seldom

arises. The list always consists of two parts:
 The standard list
 The list tailoredto the subject matter

STEP 7: WHO NEEDS TO RECEIVE THE REPORT?

KEY RECIPIENTS OF FINAL AUDIT ENGAGEMENT
REPORT:
Process Owner or manager - must receive a full copy of
the audit report.
pg. 4

Engagement Value Enabler 10: Performance
Management
Performance Management - ensures that the audit
engagements deliver the added value consistent with
the strategic objectives of the internal audit function.
The performance at the audit engagement level,
management is concerned with;
People: assigning people with the necessary skills,
competencies, and experience to complete the audit
engagement objectives.
Price: controlling the cost of audit engagements and
auditor productivity.
Product: meeting key customers' expectations in terms
of audit engagement work quality and impact.
Process: making the best use of automation tools to
achieve the desired level of engagement efficiency and
effectiveness.
Standardization
Performance management can be standardized in two
aspects:
Process: applying a best practice performance
management process.
Content: applying the appropriate performance
management content.
The performance management of the audit
engagement needs to address the following questions
in four steps:
Step 1: What are the audit engagement performance
targets?
Step 2: How to achieve the audit engagement
performance targets?
Step 3: What are the audit engagement detection risks?
Step 4: How to mitigate the audit engagement
detection risks?
STEP 1: WHAT ARE THE AUDIT ENGAGEMENT
PERFORMANCE TARGETS?
The CAE must determine performance targets
for each audit engagement, as part of the planning
process. And their target engagement are;
 Target added value of the audit engagement for
the board and management
 Work quality targets
 Process and project control targets
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
Target added value of the audit engagement for the
board and management
It is the time when CAE are depending on the
audit engagement. It will undoubtedly be depending on
the annual risk assessments and the level of the
concerns raised by the board of directors/management
prompted the inclusion of the subject matter in the
annual audit plan.
Work quality targets
These can be measured using a standard
engagement performance template and evaluated at
the end of the audit engagement. It can be backed up
by a self-assessment of the engagement process
completed by the audit engagement team, as well as a
quality survey completed by local management and the
process owner.
Process and Project control Targets
These process and project control targets can
be measured based on a standard engagement
performance template, to be assessed at the
completion of the audit engagement.
The Importance of Target Setting
These process is to express clear performance
targets for each audit engagement and provide them
with guidance for the criteria based on which they will
be assessed.
STEP 2: HOW TO ACHIEVE THE PERFORMANCE
TARGETS?
The CAE has a number of tools and levers
available to ensure that the audit engagements achieve
their targets:
 Supervision
 Standardisation
 Quality assurance
 Allocating auditors with the appropriate skills,
competencies and experience
 Understanding the subject matter and its risk
profile
 Risk focus of the work programme
 Coordination with management and the process
owner.
The professional judgement of the CAE
determines which tools to mobilize for reaching the
engagement objectives.
ADDED VALUE TARGETS
The target added value of the audit
engagement for the board and management can be
achieved as follows:
 Addressing their major business concerns and risks
for the subject matter
pg. 5

 The identification and mitigation of the subject
matter’s significant business risks
 The identification of significant control
improvements to the subject matter’s risk
management, internal control, governance and
compliance processes.
Process and project control targets
The process and project performance targets
relate to the audit function’s internal target setting and
can be achieved as follows:
 Cost target: the allowable cost of the audit
engagement, measured in monetary terms.
 Productivity target: the allowable time spend on
the audit engagement, measured in the number of
audit person-days.
 Cycle-time target: the allowable cycle time from
the start of the engagement planning till the
publication of the audit report, measured in
calendar days.
Engagement team activities for achieving the cycle time
target are:
For planning: Setting a specific number of days to be
used for the audit planning.
For fieldwork: Standardizing the working paper formats
and setting minimum requirements to have an open line
of communication with the auditors in the field, so that
any questions on the audit approach or audit work
programme can be cleared immediately.
For report writing: Using a standard audit report
template with exception reporting, ensuring that the
audit report is short and lean. The objective must be to
write the full audit report before leaving the field.
For report review: Minimizing the number of editors
and reviewers within the audit engagement to follow-
up on the questions and collect additional data. Using
workflow management which audit automation tools
enable the sharing of the working papers, results, and
issues, as the fieldwork is ongoing.
For report agreement: sharing the audit results during
the field work, obtaining the inputs and discuss the
results and interpretations, as well as the risk
mitigations, with the process owners and local
management, as soon as the issues are identified and to
be agree on the full audit report with the process owner
before leaving the field.
STEP 3: WHAT ARE THE ENGAGEMENT DETECTION
RISKS?
SIX KEY ELEMENTS OF AUDIT ENGAGEMENT
DETECTION RISKS
 Audit Engagement Risk Focus
 Understanding the Subject Matter
 Engagement Supervision
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
 Coordination with management process owner
 Auditors Experience
 Audit Engagement Quality Control
ENGAGEMENT RISK ASSESSMENT MODEL
Audit Engagement Risk =
Subject Matter Inherent Risk x Subject Matter Control
Risk x Audit Engagement Detection Risk
Note: In computing the Audit Engagement Risk we must
keep in mind the product of three types of risks;
1. Inherent risk of the subject matter
2. Control Risk of the Subject matter
3. Detection risk of the Audit Engagement
DETECTION RISK - the probability of an error in the
Audit Engagement Planning and Execution, caused by
the low effectiveness of the audit function control
processes. For instance, the planning process of the
audit engagement lead to failures and risk; the audit
engagement team does not have a proper supervision
of process.
ELEMENTS THAT INFLUENCE THE LEVEL OF THE
DETECTION OF RISK
 The LEVEL OF QUALITY of Audit Engagement team
and the CAE;
 The LEVEL OF FORMALISATION AND THE
EXTENSIVENESS of the Audit Engagement
processes and quality control procedures;
 The LEVEL OF COMMUNICATION AND
COORDINATION WITH MANAGEMENT for
determining the Audit Engagement plan, scope,
focus, and the interpretation of the audit results.
DETERMINING RISK LEVELS
Consider that the Audit Engagement processes
have a HIGH detection risk when;
 There are no supervision and quality control
processes in place.
 Working with inexperienced audit managers.
 The Audit engagement planning is generic.
 Not tailored to the subject matter.
 There is limited and no communication and
coordination with management and the process
owner regarding the audit engagement focus and
priorities.
Consider that the Audit Engagement processes have a
LOW detection risk when;
 The Audit engagement team understands the
subject matter very well.
pg. 6

 Supervision and quality control process are
formalised and effective.
 Audit supervisors are qualified and experienced.
 The Audit engagement plan is tailor-made to the
risk profile of the subject matter.
 It is based on extensive coordination with
management and the process owner.
PURPOSE OF AUDIT ENGAGEMENT DETECTION RISK
INDICATORS
 Summarizes the main risk indicators for the
detection risk.
 The risk indicators themselves are easy to
understand and can be easily identified.
 Enable the audit engagement team and the CAE to
quickly grasp the risks that the audit processes
pose to the success of the audit engagement, i.e.
the achievement of the audit assurance contained
in the audit engagement objective.
STEP 4: HOW TO MITIGATE THE ENGAGEMENT
DETECTION RISKS?
Performing more substantive tests and allocating the
most experienced people to an audit, the level of
detection risk can be decreased. Classification testing,
completeness testing, occurrence testing, and
valuation testing are a few examples of the tests that
can be carried out.
Trade-off between inherent risk, control risk and
detection risk
In the audit engagement risk model
- factors such as subject matter's inherent risk
and control risk and the audit function's detection risk
which play a role in determining whether or not an
audit is deemed appropriate to engage with by the
auditing service provider.
When the subject matter's inherent risk is high, and
the control risk is also high
- it means the risk to auditors is high.
When the subject matter's inherent risk is low, and the
audit engagement team can accept a high detection
risk
- it means that it needs less elaborate audit
engagement procedures to ensure a proper focus of the
audit engagement.
Audit Engagement Detection Risk Indicators Model
provides guidance for keeping the detection risk at an
acceptable level
- it means audit engagement team understands
the risk profile of the subject matter, they need to
manage the detection risks within the audit process to
compensate for the subject's inherent and control risks.
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
Audit engagement processes and procedures must be
so good that the audit work captures all the subject
matter's areas with a risk of significant deviations from
achieving their strategies and objectives
- it means low detection risk means that the
auditing team cannot rely on the subjects' control and
risk management processes to capture and manage
these risks.
Risk appetite
- it is used for managing and mitigating the risks
relating to not achieving the audit objective. What
constitutes an acceptable level of residual audit
engagement detection risk (after risk mitigation)
depends on the risk appetite of the CAE and the board.
Mitigating the impact of the subject matter’s inherent
risks
The audit function needs to accept the
complexities, management style, and degree of clarity
of strategies and business objectives for what it is. They
need to mitigate the inherent risk through the audit
engagement processes and procedures.
Mitigating the impact of the subject matter’s control
risks
 Audit engagement teams need to be aware of the
control risk and insubordinate risk that they are
putting their clients at risk this relates to the risk
that the management control and risk systems will
not prevent deviations from their business
objectives.
 Increase the duration and depth of the audit
engagement, in the event that the subject matter
has a high business priority or there is a complete
absence of internal controls.
Inherent and control risks of the company/subject
matter can be reduced by the audit function
If the subject matter has a level zero or one
maturity, there could be significant scope for
improvement. The best practice audit function would
see it as within their scope to help management
optimise their business structures and control processes.
Audit Engagement Detection Risk Mitigations Model
The following measures lend themselves for
reducing the dismissal risk associated with external
auditing:.
 Improving the risk focus of the audit engagement.
 Increasing the understanding of the subject matter.
 Detailed supervision over the audit engagement
planning and execution.
 Increasing the level of communication and
coordination with management and the process
owner for determining the audit engagement
priorities.
 Increasing the level of proficiency of the audit
engagement team.
pg. 7
 INTERNAL AUDIT ENGAGEMENTS (2022-2023)

 Formalizing and expanding the audit engagement

processes, procedures, quality assurance and
improvement processes.

Performance management as value enabler

Analyzing the audit detection risks enables the
CAE to identify the levers for controlling the added
value of the audit engagement. The subsequent
adjustments to refocus the engagement staffing,
scoping, work programs, testing and reporting must
ensure that this added value is indeed achieved.

PREPARED BY:
LEADER:
SALAMENA, Sheena Camille

MEMBERS:
BOMBITA, Dainalyn
DELA ROSA, Clifford
LOPEZ, Giselle
NEMENIO, Ma. Pauline
SULASCO, Jonnabel
TATING, Joel

pg. 8