Module 2: Engagement Planning Phase

● Engagement Planning Activities

o Determine engagement objectives and scope

o Understand the auditee, including audit objectives and assertions

o Identify and assess risks

▪ Business risks that threaten the achievement of the auditee’s

objectives and, ultimately, the organization's objectives

o Identify key controls

o Evaluate the adequacy of control design

o Create a test plan

▪ Effectiveness of internal control

o Develop a work program

▪ A work program specifically outlines the audit procedures required to

accomplish the engagement objectives.

▪ Internal auditors sign off on the procedures to indicate that the work
has been completed.

o Allocate resources to the engagement

▪ The last step

▪ This involves determining the audit expertise needed, estimating the

time it will take to complete engagement, assigning appropriate
internal auditors to the engagement, and scheduling the work so that it
is completed timely.

● Risk assessments

o A risk assessment is the process of identifying, measuring, and analyzing

risks relevant to a program or process. This assessment is systematic,
iterative, and subject to both quantitative and qualitative inputs and factors.
Furthermore, it is also dependent on the timeframe of the review.
 ▪ Risk assessment vs. Risk management

● Risk assessment (meso-level) - within the risk management

● Risk management (macro-level) - large in scope, includes risk

assessment; distinct from risk assessment because risk
management requires strategy to mitigate risks.

● Control Frameworks