Key controls reviewed as part of an internal audit must be operating effectively to provide reasonable assurance over the management of risk. It takes careful planning to ensure a thorough enough understanding of the risk environment to identify those key controls that need to be in place.

Effective assignment planning considers everything from the assessment of risk, work required, resources available and deadlines, to effective team and stakeholder engagement.

The key output of the planning stage is a terms of reference document clearly stating the scope, audit objectives/risks, resources, timing and, ideally, any prior information needs that will assist in the smooth delivery of the audit.

The advance warning of information needs also assists in reducing the pressure upon management when handling the impact of an internal audit while continuing with their day-to-day job, and alleviates some of the concerns occasionally raised by management when notified of an audit.

Your assessment of risk may include a review of:

  • organisation / department / system objectives
  • policy and procedural documentation
  • risks, related risk appetite, exposure, acceptance and key controls as reported on risk registers / board assurance framework
  • key risk indicators and key performance indicators
  • organisation information from the intranet, material incidents reported, and self-assessment reports
  • reports from risk oversight functions, external auditors, regulators, etc.
  • previous audit reports, known weaknesses and progress on resulting actions
  • management concerns, and those of the audit team based on their knowledge of that risk / area / process / system / legislation and regulation
  • recent and planned changes, such as to key staff / systems / processes / legislation and regulation / risk, etc.

Your assessment of work required may include consideration of:

  • volumes and values of transactions / budgets to determine sample size
  • work locations and the number of business areas / senior managers involved
  • the time it will take to create or update existing audit process / risk documentation
  • whether reliance can be placed upon assurance provided and planned by other assurance providers
  • testing methodology to be used - for example, whether it will be highly manual or employ computer-assisted audit techniques (CAATs)
  • timing to achieve optimal assurance and internal reporting deadlines

Your assessment of resources may include:

  • availability, experience, skills, specialist technical knowledge required and base location
  • need for co-sourcing, availability, cost and budget available
  • selection of a suitable person to lead the audit

Effective stakeholder engagement may include:

  • an assessment of all likely stakeholders, including regulators
  • face-to-face meetings with key stakeholders to understand their roles, recent and planned changes, their key drivers, their views and key concerns; and for you to explain how the audit will be undertaken, by whom and when, and to ‘sell’ the value of the assurance being provided
  • agreement over who in the business will ‘own’ the audit report
  • agreement over how they wish to be updated on the progress and findings

Your assessment of limitations may include:

  • limitation of any sampling methodology vs testing entire populations
  • any limitations which may be placed upon your ability to fulfil your role, for example the absence of right to audit clauses in third party provider contracts
  • exclusion of specific areas of scope, for example the technical IT security surrounding systems may be subject to another specialist IT audit
  • a statement regarding the limitations of audit and the provision of reasonable assurance
  • a statement regarding the approved budget for the assignment, especially if this is less than the internal audit team originally proposed to management and the audit committee
  • extent to which the validity of supporting documentation may be verified back to source
  • a statement regarding the responsibility for the operation of the system of internal control, which resides with management

The resulting terms of reference document should be circulated to key stakeholders and discussed, and the approach agreed with the auditee and, ideally, the senior management team member responsible for the area under review.

A clear terms of reference should provide guidance to the audit team in respect of delivery, help ensure stakeholders have a common understanding of the assignment, and assist in managing any expectation gaps.

IIA IPPF Standard 2200 – engagement planning

IIA IPPF Standard 2300 – performing the engagement