CONTENTS
Objectives
Introduction
The Audit Approach
Planning an Audit
What you need to know planning an audit
Preliminary Audit Engagement Activities
Planning Activities
Audit Objectives
Setting the Audit Scope
The Audit Methodology
Risk Assessment
Identifying Key Business Processes and Performing Control Environment Reviews
Audit Criteria and Risk Rating
Fieldwork
Communications Management Processes
Documenting The Audit Plan
Summary
References
Appendix
OBJECTIVES
The objectives that are intended to be achieved by this guide are to:-
INTRODUCTION
This guide will provide procedures and guidelines, practical examples, tools and
information as it relates to planning an audit. It is intended to help auditors to
improve the quality of their performance and promote professional competence in
planning and conducting audit engagements. The guide will address the performance
concerns of management while meeting the needs of auditors as it explains key
considerations for planning and conducting an audit in keeping with the Institute of
Internal Auditors Standards (IIA Standards) for the Professional Practice of Internal
Auditing.
One of the key roles of internal audit is to provide assurance that the risks of an
organization are being properly managed. As a professional institution the Internal
Audit Department can best achieve its mission to add value to and improve the
operations of government ministries and departments by positioning its work in the
context of the audited organization’s own risk management framework. This
approach is called a risk based approach. It is an approach that is applied to produce
the most meaningful audit result in the most efficient and cost effective way. To
establish a risk based framework for timely delivery of high-quality audit reports and
avoid performing unnecessary tasks and activities a SMARTEST approach must be
undertaken. Auditors must ensure that:-
PLANNING AN AUDIT
Improve audit efficiency and meet the audit objectives with minimum effort,
Employ the correct audit strategies to detect all relevant risk areas, and
In keeping with IIA Standard 2210.A1¹ (p.355), as auditors you should perform the
following preliminary activities prior to beginning to plan the audit so that you can
get an overview of the area to be audited. This will help to gain a foundation on
which to prepare a risk based audit program that concentrates on those matters
which are of paramount interest to management:-
Define the information and resource needs for management and control
purposes.
Establish the procedures for maintaining the client relationship and for
conducting the specific audit engagement.
Establish an understanding of the terms of the audit engagement.
¹ IIA Standard 2210.A1 - Risk Assessment in Engagement Planning – Internal auditors should conduct
preliminary assessments of risk relevant to the activity under review. Engagement objectives should
reflect the results of this assessment. P355
These preliminary activities will allow the auditor to get to know the staff,
understand the operations of the organization and focus on the objectives, controls
and risk. This will equip the auditor with knowledge to effectively plan the audit.
PLANNING ACTIVITIES
The nature and extent of the planning activities that are necessary depend on the
size and complexity of the audited entity, your previous experience as an auditor,
and changes in circumstances that occur during the audit. Planning of the audit
involves defining the objectives, setting the audit scope, determining the audit
methodology and documenting the detailed audit plan as depicted below.
Job descriptions
Process charts
Matters affecting the industry in which the entity operates, such as financial
reporting practices, economic conditions, and technological changes
The extent of recent changes, if any, in the entity, its operations, or its
internal control over financial reporting
Risk assessments
Other activities may include discussions with the engagement client, interviews
with the individuals affected by the activity (for example customers and other
stakeholders), and on-site observations (IIA Standards, 2005, p357).
AUDIT OBJECTIVES
To provide assurance that the Procurement Unit made an accurate forecasting of the materials needs for the
From the example given you will observe that the following were included:-
The scope defines the boundaries of the audit, in other words it outlines how deep
the audit will go and what specific activities and timelines will be subject to the
audit evaluation. It is not practical or efficient to cover every possible aspect in a
single audit. Consequently, it is important to restrict the nature, timing and extent
of audit procedures to a limited number of issues of concern so as to complete the
audit and maximize the use of resources needed. However, the established scope
must be sufficient to achieve the objectives of the engagement (IIA Standard 2200³).
The scope is determined through a review of the audited organization’s activities,
discussions with management and the auditor’s judgement. It should clearly state
the time period to be audited and the activities not audited to delineate the
boundaries of the audit. Below is an example of an audit scope statement.
This audit will examine the objectivity, efficiency and effectiveness of the governance and
monitoring practices that support the approval and oversight functions for the administration of
government offered scholarships and training – Training Division. It will assess the management
control framework and operational practices in place for the period 2008 to 2017. This work will
establish the number of students that received scholarships and training over the last 10 years.
Determine the number of students that were due to return to the country to serve in accordance
with their student bonds for the period 2012 to 2017. Establish the current level of arrears owed by
students who have dishonored their bonds between 2012 and 2017. This audit relates specifically
to government offered scholarships and training overseas.
³ IIA Standard 2200 – Engagement Planning – Internal auditors should develop and record a plan for
each engagement, including the scope, objectives, timing, and resource allocations.
The audit objectives and scope influence the design of the methodology for
conducting the audit. Consideration must be given to each of the following
activities which occur during the execution of the audit:-
The entry meeting with management and other representatives of the audited
entity
Conducting the field work and documenting evidence
Evaluating the evidence and establishing findings
Drawing conclusions based on established criteria
Identifying causes and effects of any deficiencies
Developing preliminary recommendations
Exit meeting with management and other representatives of the audited
entity
RISK ASSESSMENT
A risk assessment is the identification of any risk factors or potential hazards that
could threaten the existence of an organization, its operations or its employees. As
an auditor you must be able to analyze the risk that such an event or action may
adversely affect the audited organization, for example by assessing the probability
that the event or action under consideration may cause financial loss, reputational
damage or prevent the organization from performing its functions efficiently and
effectively. The relative significance of the risks identified must also be analyzed
by looking at the likelihood of occurrence and the possible impact. Consideration
must also be given to the actions taken by the organization to mitigate those risks.
To remain compliant with IIA Standard 2201 - Planning Considerations⁴ (IIA, 2012, p
13) it is important to identify key business processes and perform control
environment reviews. This involves reviewing the plans and objectives of the
organization, its structure and the core business functions. The work activities
related to those functions which are necessary to accomplish the objectives must be
examined to identify who is responsible for the tasks and the procedures for
completing them. Below is an example of some core business process activities:-
Core Functions of An Organization
Sales: Invoicing; Inventory
Administration: Records Management; Authorization
Accounting: General Ledger; Purchasing
Payroll: Benefits; Salaries & Wages
Information Technology: System Administration; Information Security
⁴ IIA Standard 2201 can be accessed from
https://na.theiia.org/standards-guidance/Public%20Documents/IPPF%202013%20English.pdf
Audit evidence will be collected during the audit to check how well the organization
meets the established audit criteria for example how well:-
After conducting risk assessments using established criteria it is important to assess the
impact of the risks identified. The magnitude of the impact of risks may be rated using a
five point scale as follows:-
Once the risks and the likelihood of occurrence have been identified, the possible
impact must be established. This is important because one of the objectives of performing
a risk analysis is to help management to determine the significance of the risks
identified. The relationship between risk and the likelihood of occurrence and the
impact can be shown like this:-
Impact of Risk
By rating the risks in order of significance management of the organization can decide
how they will respond to or manage this risk. The significance and response can be
described as:-
FIELDWORK
The importance of the risk matrix to the auditor is that, based on the nature of the
risk, audit procedures are designed for conducting fieldwork and analyzing the
information gathered. Depending on the risks identified, the scope and objectives of
the current engagement may be refined and additional procedures for substantive
testing may be used. An example of when this may occur is if some irregularities
were discovered that caused suspicion of fraud. A new objective specific to the issue
identified would be developed and the necessary procedures to collect sufficient
appropriate audit evidence would be utilized from which conclusions can be drawn.
Procedures used can include for example:-
Observation,
Inspection of records and documents,
Vouching (Tracing transactions from the accounts to source
documents to check the occurrence, accuracy, completeness etc.)
Tracing (using source documents to check existence, valuation,
completeness etc. of transactions)
Scanning (following transactions from beginning to end for example
from the point of sale to when the revenue has been deposited to
the bank)
Confirmation, and
Analytical procedures
Account balance comparisons (compare balance amounts with
previous years' balances)
Computation of significant ratios (current year’s ratios compared to
industry ratios or prior years ratio to determine)
Computation of ratio using financial and non-financial data (cost of
asphalt per square foot of road)
Other Statistical analyses
The internal audit activity must be independent, and internal auditors must be objective in
performing their work.
Interpretation: Independence is the freedom from conditions that threaten the ability of the
internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve
the degree of independence necessary to effectively carry out the responsibilities of the internal
audit activity, the chief audit executive has direct and unrestricted access to senior management and
the board. This can be achieved through a dual-reporting relationship. Threats to independence must
be managed at the individual auditor, engagement, functional, and organizational levels.
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
Internal auditors must possess the knowledge, skills, and other competencies needed to perform
their individual responsibilities. The internal audit activity collectively must possess or obtain the
knowledge, skills, and other competencies needed to perform its responsibilities.
Interpretation: Knowledge, skills, and other competencies is a collective term that refers to the
professional proficiency required of internal auditors to effectively carry out their professional
responsibilities.
Internal auditors must apply the care and skill expected of a reasonably prudent and competent
internal auditor. Due professional care does not imply infallibility.
Documenting the audit plan requires documenting the details of the agreed approach
to conducting the audit. A practical approach is to outline the tasks necessary to
achieve the objectives and map out:-
Coordinating these details and grouping similar tasks will save time and effort.
SUMMARY
REFERENCES
Internal Auditor (2012). International Standards for the Professional Practice of Internal Auditing.
https://na.theiia.org/standardsguidance/Public%20Documents/IPPF%202013%20English.
Internal Auditor (2013). Due Professional Care: What is reasonable and competent? Retrieved from
https://iaonline.theiia.org/due-professional-care-what-is-reasonable-and-competent
International Standards on Auditing (2009). Materiality in Planning and Performing an Audit. Retrieved from
http://www.ifac.org/system/files/downloads/a018-2010-iaasb-handbook-isa-320.pdf
APPENDIX
Organizational Scan:
Risk Assessment:
Identified Risks
Criteria
Implication
Tests of Controls:
Substantive Tests:
Approval