
Planning audit engagements

Paul Davis
Internal Audit Manager
Friends Life

May 2014

Introductions

That’s enough about me . .


Contents

1. Objectives
2. IIA guidelines on audit engagement planning
3. Practical examples
4. Useful hints and tips

. . . . I will be asking for your input . . .

Objectives
Why plan your audit engagement?

Over to you . . . .

- Identify the risks that you want to provide assurance over


- Determine your scope
- Obtain the right resources
- Set your time line
- Communicate with key stakeholders
- Manage expectations
- Manage your (personal) risk

Deliver your audit to time, cost and quality

Manage your audit like a project . . . this session aims to give you some skills to do
just that – from a planning perspective . . .
IIA Guidelines on audit engagement planning
Outlined in the IIA's "Definition of Internal Auditing, Code of Ethics, International
Standards", which form part of the "International Professional Practices Framework" (IPPF).
What do the standards say we must do?
- Develop and document a plan including objectives, scope, timing and resources (2200).
- Consider the objectives of the area in scope, how risks to achieving these objectives
are identified and controlled to an acceptable level, the adequacy of governance and
risk management in comparison to a relevant framework or model, and opportunities to
improve the area's governance, risk management and control processes (2201).
- Establish engagement objectives reflecting the results of our preliminary risk
assessment, our consideration of fraud, error and non-compliance with laws,
regulations and policy, and the identification or development of appropriate criteria to
evaluate governance, risk management and controls (2210).
- Define an engagement scope that supports the achievement of the engagement objectives
and includes consideration of relevant systems, records, personnel and physical
properties (including those controlled by third parties) (2220).
- Determine appropriate and sufficient resources to achieve the engagement objectives,
based upon an evaluation of the nature and complexity of the engagement (2230).
- Develop and document work programmes to achieve the engagement objectives; these
must include procedures for identifying, analysing, evaluating and documenting
information during the engagement (2240).
IIA Guidelines - other considerations
- Engagements delivered for parties outside the organisation have special considerations,
including a written understanding of objectives, scope and respective responsibilities,
and restrictions on distribution of the results of the engagement and access to
engagement records (2201.A1).
- Consulting engagements also have to clearly define respective responsibilities
(2201.C1), be consistent with the organisation's values, strategy and objectives
(2210.C2), have a scope sufficient to address the agreed-upon objectives (2220.C1),
and may have work programmes that vary in form and content depending upon the nature
of the engagement (2240.C1).

- Importantly, the standards don't define how we go about meeting these requirements.
Practical planning examples – setting scope
So, how do you go about planning?
What's your starting point?
- The annual audit plan?
- An emerging issue (performance or delivery failure in a specific area)?
- An event impacting the entire organisation (merger or integration of a new operation,
legal or regulatory announcements)?

How do you define your scope? I.e. what is the remit of your audit?
- At a process level (end-to-end – e.g. payment processing)
- Organisation perspective (team or department basis, e.g. contact centre or sales force)
- Thematic review (e.g. Info Sec, legal / regulatory matters, customer complaints)
- Systems level (e.g. application reviews – such as the General Ledger)
Any scope will normally have a mix of people, processes and systems.
Always consider the interaction of scope with the risks under review.
Practical planning examples – identifying objectives & risks
Where do you go for information to identify objectives and risks?
Strategy and plans for your organisation overall, or at a departmental / project level.
Management information or reporting packs.
Risk and issue registers.
Risk Management Systems.
Outcomes of Controls Self Assessment (e.g. as required by Combined Code) or similar.
Management themselves.
Risk Management (second line) staff.
External sources (industry / regulatory bodies, standards, peers or even consultants).

Consider if there is clear linkage between objectives, risks and controls (i.e. do
management use a framework or model that is appropriate, e.g. COBIT for IT).
Understand the mechanisms for applying governance and oversight (e.g. Business
performance reviews, steering committees, executive oversight/ challenge, etc).

This information guides us in setting audit engagement objectives . . .

Practical planning examples – audit engagement objectives
We need to perform a preliminary assessment of risks – therefore need to be clear on
scope of review and risks to the audit area’s objectives.
How do you perform risk assessment?
Compare management’s view on risk with your own experience or expectations, use
external information – or both?
As part of this exercise, we must consider the probability of significant error, fraud or
non-compliance with legislation, regulation or policy.
This enables us to determine which risks we will focus on during our engagement.

Key aspect of planning is to determine the criteria by which we will evaluate governance,
risk management and controls.
-Ascertain the extent to which management and / or the board has established criteria. If
we believe they are adequate, we must use these criteria in our evaluation of GRC.
- If we believe the criteria are not adequate, we must work with management and / or the
board to develop appropriate evaluation criteria.
Examples . . . COSO, Combined Code, ITIL and COBIT . . .
. . . Risk Management Policy (risk identification, evaluation, mitigation, appetite, etc.)
Others? . . . .
Practical planning examples – Documentation / evidence
We need to demonstrate that we’ve followed due process in planning audit engagements.
How do you document this information?
- Planning notes
- Placing documents on audit file
- Preparing summary planning document
- Terms of reference (for use internally and externally)
We prepare a Planning Oversight Document summarising:
- Prior audits (including numbers and categories of actions, delays in closures) – not only
internal audit but other assurance providers (2nd line, external reviews, external audit)
- Background information
- Key roles / responsibilities, organisational structure and executive level ownership
- Products / services delivered – and what systems / applications are used to do this
- Applicable laws, regulations or policies
- Key committees / oversight mechanisms
- Significant processes / controls for managing performance and risk
- Relevant performance MI
- Initial control environment assessment (strengths and weaknesses)
- High level: Governance structure, key stakeholder involvement, controls culture
- Local management: Experience, accessibility, risk & control expertise
- IT control environment: complexity, reliance, EUCs (end-user computing, e.g.
spreadsheets), ITGCs (IT general controls), etc.
Practical planning examples – Documentation / evidence
Planning Oversight Document continued. . .
- Risks, issues and other factors for consideration
- Key risks – an assessment of significance and any mitigating factors and
concluding as to whether to be included as a risk in scope of the audit
engagement
- Audit delivery risk – timescales, subject matter, nature of assurance, outsourced
service providers, etc.
- Other factors - considering team knowledge / experience / availability, key
stakeholder availability, deadlines for reporting and purpose / users of report
- Team composition – including any 3rd party (co-source) service providers
- Internal approvals
- We document our planning considerations in a Terms of Reference - the external
communication of our scope, engagement objectives (rationale for the audit and
risks to be assessed), key stakeholders, timescales, team, etc.
- We then seek and obtain approval for the ToR both internally and externally (with key
stakeholders) - this typically involves at least one review cycle. . .

Practical planning examples – Engagement Work Programme
Risk Assessment & Control Evaluation (RACE) template – columns, grouped as in the
spreadsheet:
Risk
- Risk ref
- Risk description (linked back to corporate-level risks)
Control environment
- Expected control environment (describe the expected control environment here)
- Actual control environment (describe the design of the actual control environment here)
Control environment assessment
- Audit work performed / testing (describe the testing we performed here, including the
evaluation of the controls' design)
- Conclusion (our conclusion on the design and operating effectiveness of the control
environment in place to address the risk identified)
Relevant evidence / documents required (in working paper file \03 Audits\01 2014
Audits\Embassy Transition - phase 2 - 14.FL-UK.A06\NGPe CS Audit\B. Fieldwork)
- List evidence reviewed and where it is stored
Rows are grouped by scope area (e.g. Scope Area A: Risk 1, Risk 2, . . .).

We use the RACE template to develop and document our work programme – once we
have an agreed Terms of Reference.
Once we have an (internally) agreed RACE, we develop a detailed plan (typically using
Excel) to determine the timing and duration of audit activities, allocate tasks, set the
budget, etc.