CHAPTER 7 Internal Auditing Process

Learning Objectives
After going through this chapter, you should be able to:
• Describe audit planning methodology
• Explain risk-based auditing process

Related Standards
Standard   Content
2010       Planning
2020       Communication and Approval
2030       Resource Management
2050       Coordination
2200       Engagement Planning
             2210 – Engagement Objectives
             2220 – Engagement Scope
             2230 – Engagement Resource Allocation
             2240 – Engagement Work Program
2300       Performing the Engagement
             2310 – Identifying Information
             2320 – Analysis and Evaluation
             2330 – Documenting Information
             2340 – Engagement Supervision
2400       Communicating Results
             2410 – Criteria for Communication
             2420 – Quality of Communication
             2440 – Disseminating Results
             2450 – Overall Opinions
2500       Monitoring Progress

Overall Framework of Audit Process
1. Strategic Audit Planning
2. Engagement Planning
3. Performing the Engagement
4. Evaluation/Conclusion
5. Communication (reporting)
6. Follow Up

Importance of Strategic Planning
• To ensure that the governance, risk and control issues are properly addressed during the implementation of the audit itself
• Ensure effective conduct and audit
• Incorporation of IA strategies

Steps in Developing Strategic Plan
1. Understand the relevant industry and the organisation’s objectives.
2. Consider the International Professional Practices Framework (IPPF).
3. Understand stakeholder expectations.
4. Update the internal audit vision and mission.
5. Define the critical success factors.
6. Perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis.
7. Identify key initiatives.

Overall view on an Internal Audit Strategic Plan

Audit Universe and Audit Area
• List of auditable areas – list of all areas in an organization that are possible to be audited
• Audit universe – population; audit area – sample selected
• Three methodologies in selecting audit area from the audit universe:
  • Risk assessment
  • Audit cycle
  • Feedback from top management

Audit Plan Methodologies
Risk assessment
• For a company that has a risk management process, it is practical for the internal audit team/department to use the risk assessment committee as a guide and compare it with the team's own assessment.
• If the company has no risk management process, the internal auditor needs to prepare their own risk assessment in selecting the areas to be audited.
Audit cycle
• The method of auditing each auditable area within a certain period.
• A company that implements a risk-based audit process usually combines risk assessment with the audit cycle.
Feedback from top management
• The internal auditor should get feedback from top management on areas of concern or on departments they deem to be crucial.
• However, bear in mind that there is always a possibility that top management may not share their actual concerns and may choose to inform the audit team that everything is in order.

Risks and Control Assessment
1) Likelihood Assessment of Risk - Example
A  Almost Certain
B  Likely
C  Probable
D  Unlikely
E  Rare
More specific guidance might be provided for this, for example:
E: Once in 10 years
D: Once a year
C: Several times a year
B: Every day
A: Several times a

Risks and Control Assessment
2) Consequence Assessment - Example
1  Negligible
2  Minor
3  Moderate
4  Major
5  Catastrophic
Often a table of threshold events is used.
5: The impact would stop the area from reaching its key objectives
4: The impact would threaten the area’s key objectives
3: The impact would not threaten the area’s key objectives, but would subject it to significant review or change the area’s function
2: The impact would threaten a minor aspect of the area’s operations but it would not affect the overall performance of the area
1: The impact poses no threat and routine procedures deal with it

Risk Scoring - Example
Rows: likelihood (A to E). Columns: consequence (1 to 5).

     1            2            3            4            5
A    Significant  Significant  High         High         High
B    Moderate     Significant  Significant  High         High
C    Moderate     Moderate     Significant  High         High
D    Low          Moderate     Moderate     Significant  High
E    Low          Low          Moderate     Significant  High

Risk-based Planning and Auditing
• Form a risk assessment to determine the priorities for assurance
• Form organisational plans to consider the timing for each assurance activity
• Form consultation to determine activity of other assurance providers
• Identify un-addressed assurance priorities
• Determine the degree of reliance to be given to other providers

What is Risk-Based Audit?
• Selection of areas to be audited is based on the risk assessment prepared by:
  • Those involved in the risk management process (e.g. Risk Management Department), or
  • Internal auditors (for companies without a risk management process)
  • Or, a combination of both
• The audit plan will be formulated based on the level of risk in each of the auditable areas
• High risk areas may need to be audited more frequently compared to low risk areas
• Refer to figures 6.2 & 6.3, pg 80/81, for an illustration of risk assessment

Risk-based Auditing Process
• Involves 4 main steps:
1. Engagement planning
  • Scope
  • Objectives
  • Timing
  • Resource allocation
  • Work program
2. Performing engagement
  • Identifying information
  • Analysis & evaluation
  • Recording information
  • Engagement supervision
3. Communication & results
  • Criteria
  • Quality
  • Disclosure
  • Disseminating
4. Monitoring

Differences between Traditional and Risk-based Audit
• Traditional approach
  • focuses on the internal auditor’s risk
  • is concerned with whether the internal controls are in place and functioning effectively
  • audit is designed to detect shortcomings or pitfalls
• Risk-based approach
  • focuses not only on the internal auditor’s risk but also the auditee’s business risks
  • auditor has to really understand how the business is operated and the challenges and exposure the company is facing

Advantages of Risk-based Audit
• Mitigate the perception that the internal auditors are not the right persons to advise the auditee
• Save time, costs and resources
• Truly know about the company or processes
• More focus on critical areas

Risk Assessment
• Risk – any event, incident or action which may materially impair a company’s success potential (e.g. reputation, assets, capital, profitability, performance or liquidity (cash)).
• Enterprise Risk Management (ERM) – a structured and disciplined approach aligning strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the risks a company faces as it creates value.
• ERM should involve:
  • Identification of business risk (high risk/low risk)
  • Measurement of the risk (look at probability & impact)
  • The control or the way the risk is managed in line with the company’s policies and procedures (make sure proper internal control is in place to minimize risk)
  • Constant monitoring and communicating of risks associated with any activity (to avoid unknown risks of even greater consequence)

Preliminary Work During Engagement Planning
• Preliminary work is important for risk-based audit
• IA must ensure that the company has embedded a structured and systematic risk management framework to handle risk effectively
• All the information from the auditee’s ERM report will eventually be translated into the auditor’s audit programme and schedule
• Preliminary survey
• Entry meeting
• Physical site-visit
• Review of documents
• Document all relevant information
• Analytical procedures
• Document the controls

Considerations when Preparing the Engagement Plan
• The objectives of the activity being reviewed and the means by which the activity controls its performance;
• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
• The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model; and
• The opportunities for making significant improvements to the activity’s governance, risk management, and control processes.

Setting up the Objectives
• Understanding of the auditee.
• Preliminary assessment of the risks relevant to the activity under review.
• Probability of significant errors, fraud, non-compliance, and other exposures when developing the engagement objectives.
• Criteria that can adequately evaluate governance, risk management, and controls.

Performing Engagement – Field Work (Start to audit)
• The first phase of the audit field work is to determine the risks and the location to perform audit
• Steps are divided as follows:
  i) understanding the business process flow
  ii) identifying the prescribed internal controls
  iii) assessing the controls
  iv) developing the audit procedures
  v) audit testing
  vi) audit report
  vii) engagement supervision

Information Gathering Process
Activities | Detail examples
Interviewing or conducting inquiry | Discuss with payroll manager on payroll calculation.
Verifying or vouching | Review the payroll payment instruction letter sent to the bank.
Observation | Observe employee clock in attendance.
Re-performance/Recalculation | Recalculate amount of tax deduction.
Questionnaires | Issue survey on employee satisfaction.
Analytical procedures | Calculate ratio on total monthly tax deduction for 12 months.
Computer assisted audit tools and techniques (CAATTs) | Using audit software to reconcile payroll file and employee master file.
Physical inspection | Test drive the company car used by the chief executive officer to ensure that it is in good condition.
Review of published reports or minutes | Review minutes of meeting to identify decision on bonuses for the year.
Confirmation | Send letters to employees who took company car loan to confirm the loan balance due.

Audit Sampling
• Process of applying audit procedures to less than an entire population to draw conclusions about the overall total population
• Manual or CAATs
• Sampling risk vs. non-sampling risk
• Statistical sampling vs. non-statistical sampling

Statistical Sampling
Types of statistical sampling techniques
• Random sampling: The IA simply selects the sample randomly, without a formula, from the population, such as from the total number of staff.
• Systematic sampling: The IA chooses a few samples for certain periods. For example, if the total population or total number of staff is 2000, he/she will select the sample based on level, which means that for each level, certain staff are selected.
Steps in sampling
• Planning the sample
• Selecting the sample
• Testing the sample
• Evaluating the sample results

Audit Evidence
Types of audit evidence
• Observed processes e.g. observations of activities
• Documentary evidence e.g. invoices, control logs, transactions
• Representations e.g. interviews, policies, procedures
• Analysis e.g. data comparison
• Benchmarking with other departments or organizations
Methods used to gather evidence:
• Observations, interviews, questionnaires, confirmation, monitoring, re-inspection
All audit evidence and audit procedures will be documented in the working papers

Analysing audit evidence
• Sufficiency
• Reliability
• Relevancy

Documentation - Working papers
Purpose
• Tools for efficient conduct and supervision
• Support audit conclusion and report
• Review and quality control
• Form of evidence

Evaluation and Conclusion Process
• Review and evaluate audit evidence
• Formulating audit opinion
• Formulating recommendations

Evaluation and Conclusion Process
PS2320 – Analysis and Evaluation – IA should base conclusions and engagement results on appropriate analyses and evaluations

Practice Advisory 2320-1: Analysis and Evaluation
Analysis can be conducted by performing analytical procedures.
Analytical audit procedures are useful in identifying, among other things:
• Differences that are not expected.
• The absence of differences when they are expected.
• Potential errors.
• Potential irregularities or illegal acts.
• Other unusual or nonrecurring transactions or events

Evaluate Evidence Gathered and Reach Conclusion
• Corroborating evidence
• E.g. whether control activities are adequately designed & operating effectively, requires significant degree of professional judgment.
• IA team MUST ultimately reach logical conclusions (informed decisions) based on the evidence gathered.

Evaluate Evidence Gathered and Reach Conclusion
• Review all materials prepared and determine key results
• Determine the criteria to evaluate the results, risk and specific controls
• Evaluate the results with respect to the risks and good internal control standards

Audit Reporting
• Standard 2400 – communicating results
• Risk-based audit report should highlight:
  • the risk profile
  • the controls established and degree of compliance with the controls
  • analysis of the root causes of not complying with the established controls
  • the recommendations from internal auditors
  • management comments and status of rectification measures taken by management

Process of Preparing an Audit Communication
1. Preparation of the initial draft of the report.
2. Review and edit by members of the audit team.
3. Preparation of the revised audit report.
4. Review and edit by the manager of audit assignment.
5. Preparation of the second revision of the report.
6. Review and edit by the head of internal audit department.
7. Preparation of the third revision of the report.
8. Combined review and edit by the audit team leader, manager, and director.
9. Preparation of the “discussion draft” of the report for review by auditee management.
10. Review by management and response provided on audit findings.
11. Preparation of the final draft of the audit report for distribution.

Criteria of Quality Communication
Quality:
• Timely
• Accurate
• Complete
• Objective
• Constructive
• Clear
• Concise

Follow Up Activities
Factors to consider in determining the nature, timing and extent of the follow up procedures:
• The significance of the reported observation or recommendation.
• The degree of effort and cost needed to correct the reported condition.
• The time period involved.
• The impact that may result should the corrective action fail.
• The complexity of the corrective action.

END CHAPTER 7
