In order to continue enjoying our site, we ask that you confirm your identity as a human. Thank you very much for your cooperation. The Standard states: Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement. The organisation’s Internal Audit Manual (IAM) should provide suitable working guidance in respect of the expected internal process to be followed by the team when planning any audit. The IAM should also provide any standard documentation templates which the team are expected to utilise when performing their work. In practice what processes are key to demonstrating that the Chief Internal Auditor (CIA) has considered the organisation’s strategies, objectives and risks when planning an engagement’s scope and resources? The CIA will already have performed or overseen the performance of the Audit Needs Assessment (ANA) and resulting Internal Audit Strategy (IAS); this provides the starting point. Thereafter, when planning an individual assignment:
Planning of audit assignments, their scope and resources directed to them is incredibly important; failure to give this stage suitable consideration could devalue the entire audit process, impact negatively upon relationships with auditees, jeopardise the quality of the end product, value derived from our input and ultimately the assurance we are able to provide back to Executive and Board. Clearly documenting the planned audit scope, testing, resources and timeframes provides a benchmark against which to monitor the execution of our work, demonstrate we have discharged our responsibilities and reflect upon to improve our service moving forward. Core Evidence Demonstrating Compliance
The CIA should ensure that risk assessment is clearly evident throughout Strategic and Assignment Planning. Whilst the Strategy provides the justification for the prioritisation of the audit, the Brief provides the specific scope and objectives of the review immediately prior commencement to ensure that it is focused upon current risks as they present themselves at that moment, recognising that the environment may have moved on since the development of the Strategy. Ideally, the Brief should follow a consistent agreed upon format, following any guidance within the IAM; capturing both audit and management’s view of the risk and control environment. Formal acceptance of the Brief and any amendment to scope will help minimise the risk of any expectation gap. The Brief provides the auditor with the ‘plan’ against which audit quality and resources will be subsequently monitored.
Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations. —IIA Standard 2200 We arrive now at detailed engagement planning, where long-term plans get translated into actual audits. An audit engagement is described as: A specific internal audit assignment, task, or review activity, such as an internal audit, Control Self-Assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.1 Each engagement should be planned and a work program that can be used to guide the auditor through the work needed to complete the engagement should be prepared. An engagement work program is described as: A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.2 IIA standards help set the scene for this all-important aspect of risk-based audit planning: In planning the engagement, internal auditors should consider: The objectives of the activity being reviewed and the means by which the activity controls its performance. The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. The adequacy and effectiveness of the activity's risk management and control systems compared to a relevant control framework or model. The opportunities ... |