Standard 2200 Engagement planning
The Standard states:
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.
The organisation’s Internal Audit Manual (IAM) should provide suitable working guidance in respect of the expected internal process to be followed by the team when planning any audit. The IAM should also provide any standard documentation templates which the team are expected to utilise when performing their work.
In practice, what processes are key to demonstrating that the Chief Internal Auditor (CIA) has considered the organisation’s strategies, objectives and risks when planning an engagement’s scope and resources? The CIA will already have performed or overseen the performance of the Audit Needs Assessment (ANA) and resulting Internal Audit Strategy (IAS); this provides the starting point.
Thereafter, when planning an individual assignment:
- Consider the underlying risk assessment performed by internal audit when performing the ANA and identifying the areas for inclusion within the IAS and any outline scope therein; update this understanding by considering any significant changes since its approval.
- Review any updated risk assessment performed by management, such as risk register entries, to gain further understanding of objectives, the identified risks to their achievement, the policies and procedures put in place and relied upon by management to mitigate risk, any management review and reporting in place to monitor and measure their success, and the results of any work performed by other external assurance providers.
- Review any legislation, regulation or recognised good practice control frameworks relating to the area of review; ensure these are suitably captured within the control environment, or record and highlight any gaps.
- Hold and document planning meetings with Executive and auditees to gain further insight into the objectives, performance indicators, risks and controls of the area subject to review.
- The auditor should consider the extent of work necessary to provide reasonable assurance over, and opportunity for significant improvements to, the risk management, governance and internal controls in place to mitigate risk to an acceptable level within the organisation’s risk appetite.
- Create an Audit Planning Brief, based upon the organisation’s adopted template; this should include the objective for the area under review, scope of the assignment, result of risk assessment, key controls, focus of audit testing and expected dissemination of results.
- The Brief should clearly identify both what is ‘in scope’ and ‘out of scope’ to provide clarity and avoid scope creep.
- The Brief should clearly identify any work of third parties upon which it is planned to place reliance, including what work will be undertaken to gain assurance over the robustness of that work (see Standard 2050).
- Areas of audit testing should be prioritised based upon both impact and likelihood; it is important to ensure that controls recognised as managing the most significant risks are adequately designed and operating effectively.
- The audit resources necessary to deliver the intended scope should be considered and outlined, covering both execution and supervision of the assignment. It is the CIA’s responsibility to ensure not only the quantity but also the quality of resources allocated, considering the knowledge, skills, experience and technology necessary to complete the engagement with suitable professional care and diligence. It may be necessary for the CIA to bring in additional resources to meet this need, including supervision, subject matter experts and co-sourcing.
- When planning resources, the CIA should pay suitable attention to any departmental skills audit and declared conflicts of interest.
- The Brief should be reviewed and approved by the CIA, the auditee responsible and ultimately the Executive team with whom responsibility lies. This helps to promote the recognition of auditees’ views and buy-in to the audit process.
- To ensure the smooth execution of the audit it is often desirable to provide an explicit timetable for key stages of the audit process and prior information needs.
- The audit process should not be immovable; if, based upon audit work performed, the auditor identifies that the scope and audit work would benefit from change, this should be brought to the attention of the CIA, suitably considered, discussed with the client and approved. As auditors we must remain agile, especially in today’s fast-paced environments. The CIA should confirm any agreed change to the Executive lead.
- Any limitation to an audit’s scope or performance should be clearly reported to Executive and Audit Committee.
Planning of audit assignments, their scope and the resources directed to them is incredibly important; failure to give this stage suitable consideration could devalue the entire audit process, impact negatively upon relationships with auditees, and jeopardise the quality of the end product, the value derived from our input and ultimately the assurance we are able to provide back to Executive and Board.
Clearly documenting the planned audit scope, testing, resources and timeframes provides a benchmark against which to monitor the execution of our work, demonstrate that we have discharged our responsibilities, and reflect upon in order to improve our service moving forward.
Core Evidence Demonstrating Compliance
- Audit Needs Assessment documentation
- Internal Audit Strategy
- Audit Planning Briefs
- Minutes/records of meetings with auditees
The CIA should ensure that risk assessment is clearly evident throughout Strategic and Assignment Planning. Whilst the Strategy provides the justification for the prioritisation of the audit, the Brief provides the specific scope and objectives of the review immediately prior to commencement, to ensure that it is focused upon current risks as they present themselves at that moment, recognising that the environment may have moved on since the development of the Strategy.
Ideally, the Brief should follow a consistent, agreed-upon format, following any guidance within the IAM and capturing both audit’s and management’s view of the risk and control environment. Formal acceptance of the Brief and any amendment to scope will help minimise the risk of any expectation gap. The Brief provides the auditor with the ‘plan’ against which audit quality and resources will be subsequently monitored.