Part 2 Notes
Policies and procedures are an important tool for the CAE in confirming that the IA dept. follows a systematic & disciplined
approach to internal audit operations, and that IA is meeting the expectations laid out by the Standards and senior
management. They should be reviewed periodically, and any changes may be communicated in writing, at IA staff
meetings & through training.
Policies                                   | Procedures
Overall purpose of IA dept.                | Preparing risk-based audit plan
Adhering to the guidance provided by IPPF  | Planning audit engagements
Independence                               | Performing audit engagements
Confidentiality                            | Documenting audit engagements
Ethics                                     | Reporting results
Record retention                           | Monitoring & follow-up processes
First, the CAE will get a deeper understanding of the board pre-approved resources, including:
The CAE will then address whether there are any issues regarding the quality/quantity of IA resources by:
The CAE should develop a program for selecting and developing the human resources of the IA dept.
The CAE will develop a schedule for engagements as part of the audit plan and will consider
Management & Employees
As they are very close to business activities, they can provide valuable insight into the risks facing the
organization. Techniques include (i) interviews (ii) focus groups (iii) questionnaires/surveys
Regulatory Mandates
Arise from self-regulating bodies and professional societies, e.g., privacy law.
First, the audit dept. will look for any RM framework in use in the organization. If there is no framework,
management can develop a new one or use a third-party framework such as COSO. If the auditor designs
any part of the framework, he cannot give objective assurance about that framework or that part.
The IA dept. uses engagement risk assessment tools such as an Assurance Map, which helps identify all
internal/external risks and the assurance providers who cover those risks. It also helps in developing the
audit plan and in prioritizing engagements. Steps included in an assurance map are:
Focus on providing assurance related to risk, control and governance in regard to the efficiency &
effectiveness of operations.
Objective – the specific objective will depend on the org. or dept. under audit, but 3 key considerations are
made in evaluating the overall effectiveness of governance, risk and controls associated with a business
process:
Risks – risk related to operational effectiveness includes a business process that fails to achieve
the organization's objective. Risk related to operational efficiency includes achieving goals in a manner
that is more costly to the organization than the value it adds. Suboptimization (departmental silo
mentality) can affect both efficiency and effectiveness.
Security Engagements
Objective – focus on risk, governance and control related to the safeguarding of assets and the integrity &
reliability of information.
Stakeholders – include all stakeholders responsible for the security of their areas, e.g., security guards or
IT professionals. The board & senior management are also stakeholders, to whom the CAE will report
security issues.
Stakeholders – board & senior management, audit committee, other stakeholders (regulators etc.)
Risk – restructuring, mergers & acquisitions, new products & systems, regulatory compliance, fraud risk
Compliance Engagements
Evaluating the adequacy & effectiveness of controls that keep the organization in compliance with
applicable laws, regulations, contracts, etc.
Risk – many risks, including environmental compliance risk, health & safety risk, etc.
Performance Audit
Objective – to assure that management has adequate monitoring & controlling activities to assess the
performance of the organization as a whole, a specific unit, and a specific job or individual.
Risk – measuring the wrong KPIs, measuring too many KPIs instead of the key ones, receiving information too late to use.
Privacy Engagements
Objective – to assess (i) possible privacy breaches (ii) record retention issues (iii) privacy assessments
performed by other assurance providers
Stakeholders – board & audit committee, senior management, employees & others (e.g., courts)
Risk – reputational damage to the org. or individuals, sanctions imposed, bad practices, legal liability
Privacy
Auditors can advise the board/management to (i) help them keep updated on the latest trends and
values regarding privacy and (ii) help in selecting the most appropriate privacy framework & the most cost-
effective investment in privacy.
Due Diligence
A method to understand what should be done vs. what is being done but is not adding any value for the end
customer. System owners perform a walkthrough for the auditor. The auditor then makes a flowchart of the
process to see where more value & business improvements can be made.
Training on internal controls (e.g., COSO) makes the client more comfortable with the audit of internal controls, and
in this way the client can provide more timely/accurate information to auditors.
Internal audit is more involved with the activity in question rather than just offering knowledge to
individuals. Examples include benchmarking, facilitating the risk assessment process, management control
self-assessment, and facilitating a task force charged with redesigning controls or procedures.
Benchmarking
A process where management and employee teams continuously become aware of the factors affecting
achievement of the organization's objectives, enabling them to make appropriate adjustments. Internal auditors
will be involved in the process & will report to senior management and board committees. CSA
integrates business objectives & risks with control processes.
To ensure full coverage and avoid duplication of work. The CAE is still responsible for his own work's conclusions.
Communication is informal in small and formal in large organizations. The CAE should have a clear understanding of the
scope, objectives and results of other assurance providers' work. The CAE will discuss an annual report covering:
(i) the assurance framework
(ii) how it is employed
(iii) results of assurance engagements, to be shared with the board & executive management
Their independence, objectivity, competency, due professional care, scope, objectives, and results of actual
work performed
Prior to communicating the plan to the board, the CAE will determine the resources (people, technology,
funds) needed. Consulting engagements and the resources they require should also be included in the
plan. A portion of current resources is reserved for any unplanned changes to the audit plan. Before
presenting the plan to the board, the CAE meets with individual senior executives to take their input in order to:
Address their concerns
Incorporate their feedback
Obtain their support
Gather more information about the timing of proposed engagements and staff availability
Once approved, the CAE should communicate the plan to senior management so that it can be included in the
overall budget, and so on.
Internal audit charter (purpose, authority & responsibility of the IA dept.; the CAE will periodically review
it and have it approved by the board)
Organizational independence of the IA dept. (any interference in engagement scope, reporting or
performance of work, along with the magnitude of the interference, will be reported to the board)
QAIP reporting (internal & external assessments)
IA dept. plans, resource requirements & performance relative to its plans
Results of audit engagements (engagement communications, protocols in case of error or
omission or non-conformance with the code of ethics)
Conformance or non-conformance of the IA dept. with the code of ethics & Standards and disclosure of
the reasons for non-conformance
Significant risk & control issues and management's acceptance of risks
Engagement reporting can be presented in 3 ways: (i) providing a summary of audit work by area (ii) discussing only
major issues (iii) distributing copies of all audit reports
KPI reporting
KPIs should be aligned with the org.'s strategic objectives and goals. The CAE can periodically benchmark with
peer organizations. KPIs allow the CAE to:
The CAE will report on the QAIP to the board regarding internal assessments (at least annually) and may recommend
any improvement or an external assessment (at least every 5 years). The external assessment discussion
must cover the external assessor's qualifications, independence and any potential conflict of interest.
SECTION-2 (PLANNING THE ENGAGEMENT)
Engagement Objective
The audit engagement objective should be aligned with the related organizational objective and should reflect
the preliminary risk assessment of the activity/process under review.
Information can also be obtained by interviewing stakeholders to better understand the
design, operation and environment of the activity/process under review.
i. Operational – how the entity strives to efficiently & effectively manage its business operations
ii. Reporting – objectives related to developing reliable financial & non-financial reports
iii. Compliance – objectives related to the entity's compliance with applicable laws & regulations
Engagement Criteria
Adequate criteria are needed to evaluate governance, risk and control. Criteria can be internal,
external or industry best practices. If there are no adequate criteria, then the auditor must identify adequate
criteria to use after discussion with management.
Engagement Scope
The engagement scope must be sufficient to achieve the engagement objective. Scope must include
consideration of relevant systems, records, personnel and physical properties, including those with 3rd parties.
Scope sets the boundaries for which activities are to be reviewed and which are not. Objectives and
procedures collectively define scope. Key considerations for setting scope include:
Objectives and operations of the department under review and how the dept. controls its
performance.
Risks to the department's objectives, resources and operations and how it keeps these risks at an
acceptable level.
Opportunities to make improvements to the dept.'s governance, risk management and control
processes.
Adequacy and effectiveness of the dept.'s governance, risk management and control processes
compared to the relevant framework.
A risk & control matrix is a useful tool for ensuring that auditors account for risks at the engagement
level and that all risks identified are addressed in subsequent fieldwork.
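The following is an added example, not part of these notes or of any IIA material, of how a risk & control matrix can be represented and checked mechanically: every engagement-level risk should map to at least one control, and at least one control per risk should be scheduled for testing in fieldwork. The data classes, the `coverage_gaps` check and the payroll sample risks and controls are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example (not from the notes): a minimal risk & control matrix (RCM)
# with a coverage check. Risk ids, control ids and descriptions are constructed.


@dataclass
class Control:
    control_id: str
    description: str
    key: bool = True            # key control vs. secondary control
    test_planned: bool = False  # is a test of this control in the fieldwork program?


@dataclass
class Risk:
    risk_id: str
    description: str
    objective: str              # engagement objective the risk threatens
    controls: List[Control] = field(default_factory=list)


def build_matrix(risks: List[Risk]) -> List[Tuple[str, Optional[str], bool]]:
    """Flatten risks into RCM rows of (risk_id, control_id, test_planned).
    A risk with no control still gets a row, so the gap is visible in the matrix."""
    rows = []
    for r in risks:
        if not r.controls:
            rows.append((r.risk_id, None, False))
        for c in r.controls:
            rows.append((r.risk_id, c.control_id, c.test_planned))
    return rows


def coverage_gaps(risks: List[Risk]) -> dict:
    """Two kinds of gap the RCM is meant to expose:
    - no_control: an identified risk with no control mapped to it
    - untested:   a risk whose controls exist but none is scheduled for testing"""
    no_control = [r.risk_id for r in risks if not r.controls]
    untested = [r.risk_id for r in risks
                if r.controls and not any(c.test_planned for c in r.controls)]
    return {"no_control": no_control, "untested": untested}


# Constructed sample for a fictional payroll-process engagement
SAMPLE_RISKS = [
    Risk("R1", "Fictitious employees are paid", "Payments are valid",
         [Control("C1", "HR approves new hires before payroll setup", test_planned=True)]),
    Risk("R2", "Pay rates changed without authority", "Payments are accurate",
         [Control("C2", "Rate changes require manager sign-off")]),
    Risk("R3", "Payroll data disclosed to unauthorized staff", "Data is confidential"),
]

if __name__ == "__main__":
    for row in build_matrix(SAMPLE_RISKS):
        print(row)
    print(coverage_gaps(SAMPLE_RISKS))
```

Run on the sample, the matrix shows R3 with no control at all and R2 with a control that no fieldwork step will test; both would be raised before fieldwork starts rather than discovered when the report is drafted.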
Risk-Based Auditing: it requires auditors to first understand the entity & its environment in order to
identify risk. Understanding the entity involves documenting:
This information can be gathered in many ways, including the initial client meeting, preliminary survey,
interviews, observation, inspection of processes, analytical procedures, prior audit
reports and benchmarking.
The result of the risk assessment categorizes the audit engagement into significant and non-significant risk
areas.
In determining the level of audit staff for an engagement, the audit leader should consider:
To best allocate resources to an engagement, the auditor should understand the engagement
objectives, scope, nature and complexity.
Documents include workpapers, findings, reports, replies, auditor comments and related information.
A positive confirmation asks the recipient to reply whether the information is correct or not, while a negative
confirmation asks for a reply only if the information is incorrect.
Familiarity with the audit area
Overview of what to expect in the area
Prior auditors' approach to the assignment
Identify repeat problem areas
Status of promises to correct any deficiency
Whether strengths identified previously still exist
Walkthrough
A step-by-step demonstration to the auditor of a process/task. It helps auditors better understand a
process flow. It also helps to show the root cause of a control failure.
Observation
Observation can take any form, including a walkthrough. Observation is generally weak evidence; to
gain force in an audit report it needs to be backed up by other evidence & analysis that confirms what
the auditor has seen.
Interviews
A structured discussion where 1 person is asked questions about his job or activity. An audit interview
occupies a middle ground between a polite conversation and an interrogation. During the engagement
planning process, interviews are conducted to:
Clarify information about an area
Collect additional necessary information
Provide an observation about activities of the organization being audited
Secure the perspective of the management responsible for the activity being audited
Checklist
A checklist is a visual tool to collect, analyze and track data. They are developed at the planning stage, at the end of the
preliminary survey. A checklist can be used as a (i) reminder (ii) tracking tool (iii) method of getting
information from a respondent
They can help to support important admin tasks such as travel arrangements
They help to establish consistency throughout the audit team
They help to ensure that the audit team has addressed & collected information from all important areas
Questionnaires
IA can use questionnaires in the preliminary survey & control self-assessment. Their format can be simple
Yes/No, a grading scale (in numbers or words), or limited/unlimited-length narrative.
They are best used for gathering information about (i) multiple branches having the same SOPs,
objectives and risks (ii) regulatory compliance matters
ICQs differ from an open-ended questionnaire because the ICQ starts with a known answer. ICQs are
easy to administer & they help in further evaluation after an initial risk is identified, but they do not
provide in-depth investigation.
An ICQ can be completed by the auditor or by the process owner. Observation is better than enquiry but not
better than testing.
Evidence Considerations
Auditors need to consider matters related to evidence such as the source, reliability, confidentiality of and
access to audit evidence.
Source: external evidence obtained directly is more reliable than internal evidence. The strength or weakness of
evidence depends on its persuasiveness. It is persuasive if it results in a well-founded conclusion or
advice. To be persuasive, evidence must be sufficient, reliable, relevant, and useful.
Availability: the auditor needs to consider the time it will take for the evidence to be made available for testing.
Confidentiality: the auditor needs to take care not to distribute data to unauthorized individuals and to
take special care while extracting data from a system so that it is not corrupted.
Access: auditors must have free access to evidence whenever it is required during the engagement.
Sufficient: there should be enough evidence that a prudent person would reach the same conclusion as
the auditor.
Reliable: evidence must come from a credible source, whether the auditor obtained it directly or
indirectly.
Relevant: evidence must be relevant to the matter at hand. Non-pertinent evidence can increase audit
risk.
Useful: information is useful if it is available in a timely manner and relevant to the organization.
Processes examined in an engagement are documented in a process map. Forms include
flowcharts, narratives, block diagrams, spaghetti maps and RACI diagrams.
(ii) Narratives: show a step-by-step picture of a process in a single document without using symbols/keys.
The purpose is to identify key controls & under- or over-controlled areas. They can provide more detailed
information than a flowchart.
(iii) Block diagrams: representation of a process using boxes and connecting lines to show their
association. Quick to construct and simpler than a flowchart. Appropriate for high-level
representation and not for detailed analysis.
(iv) Spaghetti maps: limited in scope to a particular area. They are used to track people,
process and paperwork; different line colors can be used to show different flows.
(v) RACI chart: it lists the various stakeholders of a process or area in rows and the R, A, C, I designations in columns; a
checkmark is placed on the chart to indicate whether a party has one or more of these designations.
Responsible: this person will perform the process or activity.
Accountable: this person will be accountable for the success or failure of the activity.
Consulted: this person will have a say in the various decisions
that have to be made regarding the activity.
Informed: this stakeholder needs to be kept informed of matters, but would not
have any say in the decisions being made.
Evaluating the effectiveness of a control means assessing the control in the context of the risk to objectives. To evaluate
the control, the auditor should consider:
Whether any weakness was discovered from the audit work performed or information gathered?
If yes, then whether it has been corrected or improved?
Does this weakness lead to the conclusion that a pervasive condition exists, leading to an
unacceptable level of business risk?
The mere existence of a weakness or risk doesn't necessarily mean it leads to business risk. Factors to consider
in determining whether it will lead to business risk include:
Opinion: an opinion may relate to an individual engagement (micro level) or to the overall GRC of the
organization (macro level).
Types of opinion: (i) positive assurance (ii) negative/limited assurance (iii) qualified opinion
Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured and staff
are developed. The extent of supervision depends on the auditors' experience/skills and the engagement's complexity.
The CAE can use IA policies & procedures to:
The engagement supervisor is responsible for approving the work program and other aspects of the planning
process. He will also review work papers and evaluate whether the information, testing and results are
sufficient, reliable, relevant and useful, and will review engagement communications to ensure they are
timely, accurate, complete, concise, clear and objective.
Coordination: in the initial meeting the supervisor meets with the audit team to ensure all aspects of the program are
covered and work is not duplicated. Coordination can be challenging in large/complex audits, audits of multiple
sites including remote sites, and global organization audits with different cultures and business practices.
In the initial meeting the following are also discussed:
(i) Assignments (ii) Agreement on procedures (iii) Commitments (iv) Open issues
Working paper review: the CAE or supervisor can review working papers to ensure that:
He may use a checklist when reviewing working paper quality. Working papers will then be initialed and
dated by the supervisor. If he has a question regarding the working papers, he may make a written record
("review notes") for the auditor to consider.
A performance review provides an opportunity for the auditor to define professional objectives, cooperate with the
audit manager to design an action plan, and periodically discuss problems with the plan.
Annual Review: it considers job competencies and may vary from organization to organization. The Global
Competency Framework includes four areas of competencies which can be used during an annual
review. Each of these competencies may be rated as general awareness, applied or expert.
Schedule the interview in advance and be specific about the time it will take and the agenda
Start with a discussion of what will be covered. Negative news should be delivered without an
accusatory tone of voice.
Be straightforward during the discussion. The objective of the reviewer is to develop the auditor.
Summarize the review at the end and gain commitment from the auditor to whatever actions have
been agreed upon.
Once these standards are met, the auditor will consider how results will be communicated. Workpapers will
indicate which results will be communicated verbally and which in writing.
The 2400 series can be documented in the internal audit policies & procedures manual, which contains:
The final communication must include conclusions, recommendations and action plans. An opinion should also be
provided where possible. The opinion must take into account the expectations of senior management, the board &
other stakeholders.
Report elements include the objective of the engagement, scope, audit methods, results and other optional
sections including background information, summaries, client accomplishments, and the client's view or
perspective regarding the engagement conclusions or recommendations.
Accurate: communications must be free from error and faithful to the underlying facts. Auditors must
present all the facts known to them & precise wording should be used. If an error occurs, the CAE must
communicate the corrected information as per Standard 2421.
Complete: communications must contain all significant information that is essential to
the target audience.
Constructive: Communication must be helpful to the client and organization and lead to improvements
where needed.
Clear: communications must be easily understood and logical, avoiding any unnecessary technical
language. Clarity is enhanced when auditors communicate important observations & logically support the
recommendations and conclusions for a particular engagement.
Objective: Communications are fair, unbiased and are the results of a balanced assessment of all
relevant facts and circumstances.
3. Interim Reporting: may be verbal or written, transmitted formally or informally. May be used to:
Communicate information that requires immediate attention
Report any change in the objective or scope of the engagement
Keep management informed if the engagement extends over a long period of time
Inform management of matters not related to the engagement
Interim reporting has advantages such as:
The engagement process becomes more efficient as auditors can clarify issues before unnecessary
work is done
The engagement process becomes more effective as information is uncovered and understood before
evaluations are made & recommendations formulated.
The auditor-client relationship is strengthened.
Interim reports can be a path to higher quality & increased detail in the final report, and they also reduce the
time needed to create the final report.
Auditors should maintain their objectivity when drawing conclusions. Auditors should consider:
The CAE may delegate this authority to any appropriate person, but the responsibility rests with the CAE. In deciding to
whom and how to communicate the final results, the CAE will consider the following:
The CAE will need to consult with a legal advisor before communicating outside the organization, as
sensitive information may have ramifications. He will also consider whether the party receiving the results
has any business need for them or any responsibility for the management action plan. The CAE may
develop a distribution list covering who will receive all communications and who will receive only
communications related to their specific area.
If the CAE discovers an error or omission at a later stage in a final communication, he must communicate it in the
best way to all parties who received the original communication. The CAE will need to understand which
errors or omissions are significant to the board/management. He will need to determine significance from the
following questions:
Drafting: when drafting the report, it is important to keep the needs of the audience in mind. Depending on the audience,
one or more than one version of the report may be made. If there are different versions, the overall
substance (recommendations, opinion, management responses) of the report will not change.
Basic principles of drafting include creating an outline & then two or three draft reports.
The outline may include headings with brief summaries and the order in which they appear. The first draft will focus on
getting the information down. The second and third drafts will focus on cleaning up the writing, making
it clear and concise.
Reviewing: the audit client or audit supervisor can read and comment on the draft report. The reviewer will
consider whether the information in the report is factual and complete and whether the conclusions are supported by
evidence. It is important to emphasize the completion timeline and urgency of the management
action plan.
Approving: the CAE or a person designated by the CAE will approve or sign all final communications and decide to whom
they should be communicated, but the CAE remains responsible for all final communications. He may
designate:
Distribution: the CAE is responsible for distributing the report to those who will be responsible for taking
corrective action, to the board, to external auditors, and to others who are affected by or interested in the report. If
substantive corrections have to be made to the report, the CAE will have to ensure that it is distributed to all
recipients, highlighting the changes made in the final report.
The same people attend the exit meeting who attended the entrance meeting, as they have knowledge of the
operations and the power to take decisions in the related area. Objectives of the exit meeting include:
If the CAE determines that management has accepted a level of risk that is unacceptable to the
organization, he must discuss it with the management responsible for the area under review, then
communicate it to senior management, and if the matter is still not resolved he should discuss it with the
board. If the organization has a formal risk management framework and formally accepts risks, then the
CAE/auditors should understand this. But the CAE is not responsible for resolving residual risk. Residual risk
may be found from assurance/consulting engagements and from actions taken on previous audit results. High-
significance risks include those:
The CAE should know to whom high-risk issues are typically communicated in the organization. The CAE must be able
to identify unacceptably risky areas, must have access to senior management and the board, and
must have strong management & communication skills.
The CAE uses judgment as to whom and when such matters will be reported based on:
The CAE is responsible for monitoring the disposition of results communicated. The monitoring process must
capture the relevant observation, corrective action and current status. The CAE may develop or purchase a tool
to track, monitor and report such information. Tracked & captured information includes:
8. Monitoring & follow-up: the CAE must establish a follow-up process to monitor & ensure that
management actions have been implemented or that management has accepted the risk of not
taking action. Factors to consider when determining appropriate follow-up procedures are:
Significance of the reported observation/recommendation
Degree of effort, time and cost needed for corrective action
Complexity of the corrective action
Impact if corrective action fails
An observation is not considered remediated until re-testing is performed to confirm that the implemented
controls are operating effectively and risk has been reduced to an acceptable level.
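As an added example (not from these notes or any IIA tool), the follow-up process above can be modelled as a small tracker in which a reported management action does not close an observation; only a passed re-test does, a failed re-test reopens it, and a formally accepted risk is tracked separately from a closed item. The status names, the significance ranking used to order the follow-up queue, and the sample observations are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List

# Added example (not from the notes): a follow-up tracker in which an observation
# reaches "closed" only after a successful re-test. Status names, significance
# levels and the sample observations are constructed for illustration.

OPEN = "open"                        # corrective action not yet implemented
ACTION_REPORTED = "action reported"  # management reports implementation; not yet verified
CLOSED = "closed"                    # re-test confirmed the control operates effectively
RISK_ACCEPTED = "risk accepted"      # management chose not to act and accepted the risk


@dataclass
class Observation:
    obs_id: str
    significance: str   # "high", "medium" or "low"
    action_owner: str
    due: date
    status: str = OPEN
    retested: bool = False
    retest_passed: bool = False


def new_observation(obs_id: str, significance: str, action_owner: str, due_iso: str) -> Observation:
    """Convenience constructor taking the due date as an ISO string (YYYY-MM-DD)."""
    return Observation(obs_id, significance, action_owner, date.fromisoformat(due_iso))


def report_action(obs: Observation) -> str:
    """Management says the action is done; that alone does not remediate the observation."""
    if obs.status == OPEN:
        obs.status = ACTION_REPORTED
    return obs.status


def record_retest(obs: Observation, passed: bool) -> str:
    """Only a passed re-test closes the item; a failed re-test sends it back to open."""
    obs.retested = True
    obs.retest_passed = passed
    obs.status = CLOSED if passed else OPEN
    return obs.status


def accept_risk(obs: Observation) -> str:
    """Management formally accepts the risk instead of acting; tracked apart from closed."""
    obs.status = RISK_ACCEPTED
    return obs.status


def follow_up_queue(observations: List[Observation]) -> List[str]:
    """Items still needing follow-up, ordered by significance then due date.
    Closed and risk-accepted items drop out of the queue."""
    rank = {"high": 0, "medium": 1, "low": 2}
    pending = [o for o in observations if o.status in (OPEN, ACTION_REPORTED)]
    pending.sort(key=lambda o: (rank[o.significance], o.due))
    return [o.obs_id for o in pending]


def overdue(observations: List[Observation], today_iso: str) -> List[str]:
    """Pending items whose due date has passed, in input order."""
    today = date.fromisoformat(today_iso)
    return [o.obs_id for o in observations
            if o.status in (OPEN, ACTION_REPORTED) and o.due < today]


if __name__ == "__main__":
    # Constructed sample observations from a fictional engagement
    sample = [
        new_observation("OBS-1", "high", "Payroll manager", "2024-03-31"),
        new_observation("OBS-2", "low", "Facilities", "2024-01-15"),
        new_observation("OBS-3", "medium", "IT security", "2024-02-28"),
    ]
    report_action(sample[0])        # management claims OBS-1 is fixed; still pending
    record_retest(sample[2], True)  # OBS-3 re-tested and confirmed effective
    accept_risk(sample[1])          # OBS-2 risk formally accepted
    print(follow_up_queue(sample), overdue(sample, "2024-04-10"))
```

The point of the state handling is that "action reported" and "closed" are distinct: an item whose owner reports completion stays in the follow-up queue (and can still show as overdue) until the auditor's re-test passes, which is exactly the distinction the last paragraph of the notes draws.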