
Internal Audit Engagement Process


CHAPTER 3:

INTERNAL AUDIT
ENGAGEMENT PROCESS
CHAPTER CONTENT
3.1. Types of Internal audit engagements
3.2. Planning the internal audit engagement
3.1. TYPES OF INTERNAL AUDIT ENGAGEMENTS

3.1.1. Assurance engagements


3.1.2. Consulting engagements
3.1.3. The difference between assurance engagement and consulting engagement
3.1.1. ASSURANCE ENGAGEMENTS
a. Definition

Implementation Standards defined Assurance services as “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements”.

b. Classification of Assurance engagements:

- Financial assurance services (financial auditing)

- Compliance assurance services (compliance auditing)

- Operational assurance services (Operational auditing)

- IT assurance services (IT auditing)


1. Compliance auditing is the review of financial and operating controls to assess conformance with
established laws, regulations, policies, plans, procedures, contracts and other requirements.
2. Operational auditing is the review of a function or process to appraise the efficiency and economy of
operations and the effectiveness with which those functions achieve these objectives. Operational auditing is
closely aligned with the organization’s mission, vision, and objectives.
+ Effectiveness means that the right things are done;
+ Efficiency means that things are done in the right way;
+ Economy refers to cost-effectiveness.
Operational auditing areas include product quality, customer service, revenue maximization, expense minimization, fraud
prevention, asset safeguarding, corporate social responsibility, safety and planning.
• Two typical types of operational auditing engagement:
1. Process (functional) engagements (follow a process across organizational lines,
service units, and geographical locations);
2. Program-results engagements are intended to obtain information about the costs,
outputs, benefits, and effects of a program.
• Measures used to assess the effectiveness and efficiency include:
- The productivity ratio measures output relative to input.
- The productivity index measures production potential.
- The resource usage rate measures resource use relative to available resources.
- The operating ratio measures the operational efficiency of an organization.
• Performance auditing

a. A performance audit may provide assurance about the organization’s key performance
indicators.

b. The internal auditor assesses an organization’s ability to measure its performance, recognize
deficiencies, and take corrective actions.

c. A measure used to assess performance is a balanced scorecard (through SWOT analysis)
(Strengths and weaknesses refer to internal factors; Opportunities and threats arise from
external factors).
BALANCED SCORECARD
SAMPLE INTERNAL AUDIT BALANCED SCORECARD
COMBINATION OF ENGAGEMENTS:
ENVIRONMENTAL, SOCIAL, GOVERNANCE ISSUES
3.1.2. CONSULTING ENGAGEMENTS
a. Definition

Implementation Standards defined Consulting services as “Advisory and related service activities, the nature and scope
of which are agreed with the client, are intended to add value and improve an organization’s governance, risk
management, and control processes without the internal auditor assuming management responsibility. Examples
include counsel, advice, facilitation, and training”.

b. Classification:

- Advisory Consulting Engagements

- Educational Consulting Engagements

- Facilitative Consulting Engagements

- Blended Engagements
EXAMPLE OF BLENDED ENGAGEMENT
- Internal auditors may provide consulting services relating to operations for which they had
previous responsibilities. In this case, the CAE confirms that the board understands and approves
the concept of providing consulting services before offering consulting services.
- Independence and objectivity may be impaired if assurance services are provided within 1 year
after a formal consulting engagement. Steps can be taken to minimize the effects of impairment by
1. Assigning different auditors to perform each of the services,
2. Establishing independent management and supervision,
3. Defining separate accountability for the result of the project, and
4. Disclosing the presumed impairment.
QUESTIONS

1. Which of the following actions would be a violation of auditor independence and why?
a. Continuing on an audit assignment at a division for which the auditor will soon be
responsible as the result of a promotion.
b. Reducing the audit scope due to budget restrictions.
c. Participating on a task performance which recommends standards for control of a new
distribution system.
d. Reviewing a purchasing agent’s contract drafts prior to their execution.
2. In which of the following does an internal auditor potentially lack objectivity?
a. An internal auditor reviews procedures for a new information technology system
connection to a major customer before it is implemented.
b. A former purchasing assistant performs a review of internal control over purchasing 6
months after being transferred to the internal auditing department.
c. An internal auditor recommends standards of control and performance measures for a
contract with a services organization for the processing of payroll and employee
benefits.
d. A payroll accounting employee assists an internal auditor in verifying the physical
inventory.
OVERVIEW OF INTERNAL AUDIT ENGAGEMENT PROCESS
The assurance engagement process

Planning
- Determine engagement objectives and scope
- Understand the auditee
- Identify and assess risks
- Identify key controls
- Evaluate adequacy of control design
- Create a test plan
- Develop a work program
- Allocate resources to the engagements

Testing
- Testing and gathering evidence
- Evaluate evidence gathered and reach conclusions
- Develop observations and formulate recommendations

Communicating
- Perform observation evaluation
- Interim and final engagement communication
- Monitoring and follow-up

3.2. PLANNING THE INTERNAL AUDIT ENGAGEMENT
(FOR AN ASSURANCE ENGAGEMENT)
3.2.1. Determine engagement objectives and scope

Establishing engagement objectives


• Establishing objectives at the beginning of an engagement is a critical step. Without the
establishment of formal engagement objectives, the internal audit team may not be
aligned with the reasons for the engagement and, consequently, may conduct inadequate
or unnecessary tasks.
• For example, ■ Evaluate the design adequacy of… ■ Determine the operating
effectiveness of… ■ Assess compliance with… ■ Determine the effectiveness and
efficiency of… ■ Evaluate the accuracy of… ■ Assess the achievement of… ■ Determine
the performance of…
Scope of the engagement

• Scope statements must specifically state what is or is not included within an engagement.
Such scope statements may include:
- Boundaries of the process: at what point in the process the engagement will begin (for
example, the initial inputs from transactions or other processes) and where it will end (for
example, reports, financial statements, or outputs to other processes).
- Time frame: An engagement may cover a calendar year, the previous 12 months, a specific
point in time (for example, as of December 31), or some other time frame.
Expected outcomes and deliverables

1. Potential outcomes of the tests to be performed during the engagement:
• Financial statement errors or misclassifications within financial accounts, balances, or disclosures.
• Control deficiencies indicating specific controls that are not achieving the desired effect, that is, mitigating
the corresponding risks to the desired level.
• Shortfalls in objective achievement due to control deficiencies or inadequate performance.
• Inefficiencies due to resources not being deployed in an optimal manner.
• Out-of-compliance situations when laws, regulations, or policies are not complied with consistently.
2. Auditee expectations regarding engagement communications help the internal auditor ensure
that all necessary information is gathered during the engagement.
3.2.2. Understand the auditee

- Determining Auditee Objectives
- Gathering Information: analysis of data and entity-level controls can help provide additional
insights into a process.
- Types and Sources of Relevant Information: depend on the information regarding how the
process works such as: Policies relating to the process; Procedures manuals; Organizational
charts; Process maps or flowcharts depicting the overall flow of the process; Narrative
descriptions of key tasks or portions of the process…
- Gather Information About: Inputs — Processing — Output
- Analytical Procedures
- Entity-Level Controls Analysis: Understanding – Deficiencies – Focus risks in an audit – Audit
tests
7. Documenting the Process Flow: The most common ways of documenting process flows are
flowcharts (high-level or detailed) and narrative memoranda.
8. Identifying Key Performance Indicators: it is helpful for the internal auditor to also
understand how process-level management monitors performance, for example, key
performance indicators (KPIs).
9. Evaluating Process-Level Fraud Risks: Identify potential fraud scenarios; Understand
potential fraud impact; Determine whether to test for specific fraud risks.
3.2.3. Identify and assess risks

1. Identifying Process-Level Risk Scenarios: the aim is to identify the risk scenarios that are inherent
in the process. Risk scenarios are potential real-life events that may adversely impact the
achievement of objectives.
2. Defining Process-Level Risks
3. Evaluating the Impact and Likelihood of Risks
4. Understanding Management’s tolerable risk: (tolerable risk is the acceptable levels of risk
size and variation relative to the achievement of objectives, which must align with the
organization’s risk appetite).
The risk-based audit plan:
1. Developing or updating the audit universe
a. The audit universe (all auditable risk areas) may include the organization’s strategic
plan. The audit universe should be assessed at least annually.
b. The audit universe includes all business units, processes, or operations that can be
evaluated and defined. They include accounts, divisions, functions, procedures, products,
services, systems, controls, etc.
2. The following factors affect the internal audit plan:
a. Inherent risks and residual risks should be identified and assessed;
b. The risk register should be systematic, complete and accurate.
- A risk register identifies and analyses risks. It describes (a) each risk, its impact and
likelihood and the risk score (impact * likelihood); (b) responses.
3.2.4. Identify key controls

1. Key Control: An activity designed to reduce risk associated with a critical business objective. For
example, Approving, Calculating, Examining, Matching, Monitoring, Segregating, Supervising.
(Key controls are determined by answering the following question: If not performed as designed, which of
these controls would likely result in the inability to achieve the process-level objectives?)
2. Link the process level controls to the process-level risks - risk and control matrix.
Example for risk and control matrix for cash disbursement
3.2.5. Evaluate adequacy of control design

• The key to this step is determining whether the key controls are designed adequately to
reduce the individual process risks to an acceptable level.
• The internal auditor’s judgment about the adequacy of control design is one of the following:
■ The indicated key controls are designed adequately to manage this risk to an acceptable level.
■ The indicated key controls are not designed adequately to manage this risk to an
acceptable level (describe design gap).
3.2.6. Create a test plan

• A test plan should be designed to gather sufficient appropriate evidence to support an
evaluation of how effectively the key controls are operating.
• Based on the understanding gained from the previous engagement planning steps, the
internal auditor is now prepared to: 1) determine which controls are important enough
to test, 2) develop an approach for testing those controls, and 3) document judgments
supporting the chosen audit tests.
3.2.7. Develop a work program

• This work program may take different forms, such as: a standard template or checklist
that the lead internal auditor prepares to document the completion of the planning steps,
a memorandum summarizing the tasks completed.
3.2.8. Allocate resources to the engagements

• Budgeting: 1. Engagement Resources: Internal auditors, Other people (internal/external),
Travel, Technology, Other
• Timing
• Other costs.
REVIEW QUESTIONS
• Types of controls:
1. Entity-level control: a control that operates across an entire entity and, as such, is not
bound by an individual process (deals with the organizational environment and has a pervasive
effect on the achievement of objectives).
2. Process-level control: an activity that operates within a specific process for the
purpose of achieving process-level objectives. Examples: control related to CE; controls over
management override; company’s risk management process; controls over period end
financial reporting process…
3. Transaction-level control:
Examples: reconciliation of key controls; physical verifications of assets; monitoring of
specific transactions; authorizations; documentation; IT application controls;
segregations…
