Course Outcome

AUDB433 At the end of this course, students should be able to:

INTERNAL AUDITING CO2: Able to apply the internal audit process (procedural and practical
aspects) during an audit engagement (Engagement Process) in
accordance with the relevant standards and able demonstrate a good
understanding on the importance of technology in the internal audit
4. ENGAGEMENT PLANNING work. (C4)

1 2

Introduction The IPPF Performance Standards

Standard Content
2010 Planning
2020 Communication and Approval
2030 Resource Management
• The overall framework of an internal audit process is generically 2050 Coordination
2200 Engagement Planning
suitable for any type of audits conducted by internal auditors (for 2210 – Engagement Objectives
example, the operation of an information technology audit). 2220 – Engagement Scope
2230 – Engagement Resource Allocation
• The process commences from the planning stage and finishes at the 2240 – Engagement Work Program
2300 Performing the Engagement
completion of follow-up procedures 2310 – Identifying Information
2320 – Analysis and Evaluation
2330 – Documenting Information
2340 – Engagement Supervision
2400 Communicating Results
2410 – Criteria for Communication
2420 – Quality of Communication
2440 – Disseminating Results
2450 – Overall Opinions
2500 Monitoring Progress

3 4

Overall Framework of Internal Audit Process:

Strategic Audit Planning
Strategic Audit Planning

Engagement Planning IMPORTANCE OF STRATEGIC PLANNING

To ensure that the G, R and C issues are properly addressed
Performing the Engagement during the implementation of the audit itself

Evaluation/Conclusion Ensure effective conduct and audit

Communication (reporting)
Incorporation of IA strategies
Follow Up
5 6
 Overall view on an Internal Audit Strategic Plan
Steps in Developing Strategic Plan

Understan Consider Perform a

d the the strengths,
The
relevant Internation Update the Define the weaknesses,
Understand
industry al internal critical opportunitie Identify key
stakeholder
and the Professiona audit vision success s, and initiatives
expectation
organisatio l Practices and mission. factors. threats
s.
n’s Framework (SWOT)
objectives. (IPPF). analysis.

7 8

The IPPF Requirement on Planning Risk-Based Planning and Auditing

2010 – Planning • Form a risk assessment to determine the priorities for assurance
• Form organisational plans to consider the timing for each assurance
• The chief audit executive must establish a risk-based plan to activity
determine the priorities of the internal audit activity, consistent with • Form consultation to determine activity of other assurance providers
the organisation’s goal • Identify un-addressed assurance priorities
• Determine the degree of reliance to be given to other provider
• Build an internal audit plan to address residual priorities

9 10

Engagement Plan Considerations when preparing the Engagement Plan

The IIA, in its IPPF Standard 2200 stipulated that; The objectives of the activity being reviewed and the means
by which the activity controls its performance;

Internal auditors must develop and document a plan for each The significant risks to the activity, its objectives, resources,
engagement, including the engagement’s objectives, scope, timing, and and operations and the means by which the potential impact
resource allocations. of risk is kept to an acceptable level;
The adequacy and effectiveness of the activity’s governance,
risk management, and control processes compared to a
relevant framework or model; and
The opportunities for making significant improvements to the
activity’s governance, risk management, and control
processes.
11 12
 Risks and Control Assessment
Setting up the objectives
Understanding of the auditee.
LIKELIHOOD ASSESSMENT OF RISK -EXAMPLE
• More specific guidance might be A Almost Certain
Preliminary assessment of the risks relevant to the activity provided for this, for example
under review.
• E: Once in 10 years B Likely
Probability of significant errors, fraud, non-compliance, and
other exposures when developing the engagement objectives.
• D: Once a year
• C: Several times a year C Probable
Criteria that can adequately evaluate governance, risk • B: Every day
management, and controls. D Unlikely
• A: Several times a day
Consulting engagement, address G,RM, C processes to the E Rare
extent agreed upon with the client.

13 14

Risks and Control Assessment

Risk Scoring Matrix - Example
CONSEQUENCE ASSESSMENT - EXAMPLE
• Often a table of threshold events is used. 1 2 3 4 5

• 5:The impact would stop the area from reaching its 1 Negligible
key objectives A
Significant Significant High High High
• 4: The impact would threaten the area’s key
objectives 2 Minor B
Moderate Significant Significant High High
• 3: The impact would not threaten the area’s key
objectives, but subject it to significant review or 3 Moderate C
change the area’s function Moderate Moderate Significant High High

• 2: The impact would threaten a minor aspect of the 4 Major D

area’s operations but it would not effect the overall Low Moderate Moderate Significant High
performance of the area
• 1: The impact poses no threat and routine 5 Catastrophic E
Low Low Moderate Significant High
procedures deal with it

15 16

Creating a Test Plan Develop a Work Program

• Creating a test plan involves determining the nature, timing & extent
of the procedures needed to gather required evidence.
• Test plans include tests of control activities, direct tests of
performance gauges.
• A plan for testing control activities already placed in operation should
be designed to gathered sufficient competent evidence – determine
whether control activities auditee has already determined are
adequately designed are also operating effectively.
17
Practice Advisory 2240-1, “Internal auditors must develop and document
work programs that achieve the engagement objectives. The work program
includes methodologies to be used, such as technology-based audit and
sampling techniques.”
Extremely pertinent planning device.
Specifically outlines audit procedures required to accomplish engagement objectives.
Over the course of engagement, IAs sign off on the procedures to indicate – work has been
completed.
In turn, enables engagement team supervisors to review work done & monitor the work that
remains to be done.
At the end, completed program serves as a record of the work completed & documents who
completed the work & when it is completed.
18
 Allocate Resources to the Engagement Documentation and Communication
Standard 2230 – Engagement Resource Allocation states that
“Internal auditors must determine appropriate and sufficient
• The engagement plan needs to be clearly documented and approved
resources to achieve engagement objectives based on an at the appropriate levels. Documentation is in fact required
evaluation of the nature and complexity of each engagement, time throughout the overall audit process. The well documented plan
constraints, and available resources.” should be made available to the staff involved in the engagement to
ensure that everyone understands the objectives, scope, test plan,
This involves determining; resource allocation and the expected output.
• Audit expertise needed
• Estimating the time taken to complete engagement
• Assigning appropriate IAs to engagement
• Scheduling the work so that it is completed on time.
19 20

Performing the Engagement The Audit Fieldwork - Data Collection/audit evidence

• IPPF 2300 – Performing the Engagement
• Internal auditors must identify, analyze, evaluate, and document sufficient
information to achieve the engagement’s objectives.
Audit
• IPPF 2310 – Identifying Information Internal auditors must identify sufficient, Audit
reliable, relevant, and useful information to achieve the engagement’s objectives. Evidence
Requirement supervision
Interpretation:
• Sufficient information is factual, adequate, and convincing so that a prudent,
informed person would reach the same conclusions as the auditor. Reliable Data Collection
information is the best attainable information through the use of appropriate –identifying
engagement techniques. Relevant information supports engagement
observations and recommendations and is consistent with the objectives for the information
engagement. Useful information helps the organization meet its goals.
21 22

Audit Evidence Requirement Activities of the information gathering process

Activities Detail examples
Interviewing or conducting inquiry Discuss with payroll manager on payroll calculation.
Types of
Verifying or vouching Review the payroll payment instruction letter sent to the bank.
evidence
Observation Observe employee clock in attendance.
Re-performance/Recalculation Recalculate amount of tax deduction.
Availability Questionnaires Issue survey on employee satisfaction.
Analytical procedures Calculate ratio on total monthly tax deduction for 12 months.

Computer assisted audit tools and Using audit software to reconcile payroll file and employee master
Selection techniques (CAATTs) file.
Physical inspection Test drive the company car used by the chief executive officer to
ensure that it is in good condition
Review of published reports or Review minutes of meeting to identify decision on bonuses for the
Nature minutes year.
Confirmation Send letters to employees who took company car loan to confirm
23 the loan balance due. 24
Analysing audit evidence Documentation

Practice Advisory 2330-1:

Sufficiency Recording Information
Working papers that document the
Reliability engagement should be prepared by
the internal auditor and
reviewed by management of the
internal audit activity.
Relevancy

25 26

Documentation - Working papers Content

Purpose • Planning
• Risk assessment
• The examination and evaluation of the adequacy and effectiveness of
the system of internal control
• The engagement procedures performed, the information obtained,
Tools for efficient Support audit and the conclusions reached
Review and Form of • Review
conduct Conclusion
Quality Control evidence • Communication
And supervision And report
• Follow-up

27 28

Evaluation and Conclusion Process Evaluation and Conclusion Process

PS2320 – Analysis and Evaluation – IA should base conclusions
Review and evaluate audit evidence and engagement results on appropriate analyses and evaluations

Practice Advisory 2320-1:Analysis and Evaluation

Analysis can be conducted by performing Analytical procedures. Analytical
Formulating audit opinion audit procedures are useful in identifying, among other things:
• Differences that are not expected.
• The absence of differences when they are expected.
• Potential errors.
Formulating recommendations • Potential irregularities or illegal acts.
• Other unusual or nonrecurring transactions or events
29 30
Evaluate Evidence Gathered and Reach Conclusion Evaluate Evidence Gathered and Reach Conclusion

Review all materials prepared and

Corroborating evidence determine key results

E.g. whether control activities are adequately designed & Determine the criteria to evaluate the
operating effectively, requires significant degree of results, risk and specific controls
professional judgment.

IA team MUST ultimately reach logical conclusions Evaluate the results with respect to the
(informed decisions) based on the evidence gathered. risks and good internal control standards
31 32

Process of Preparing an Audit Communication

Communicating the Results
Preparation of the initial draft of the
report.
Review and edit by members
IPPF 2400 Internal auditors must communicate the results of Preparation of the revised audit
of the audit team.

engagements. report.
Review and edit by the
manager of audit assignment
Preparation of the second revision
of the report.
Review and edit by the head of
internal auditdepartment
Preparation of the third revision of
the report.
Combined review and edit by
the audit team leader,
manager, and director.
Preparation of the “discussion draft”
of the report for review by auditee
management.
Review by management and
response provided on audit
findings.
Preparation of the final draft of the
audit report for distribution.

33 34

Criteria of Quality Communication Follow Up Activities

• Factors to consider in determining the nature, timing and extend of
the follow up procedures;

The significance of the reported

observation or recommendation.

The degree of effort and cost

The time period involved. needed to correct the reported
condition.
The complexity of the The impact that may result should
corrective action. the corrective action fail.

35 36
Questions and Answers

37