2023/08/11

IAU 200
LEARNING AREA 8
Prof Plant

References
The Internal Audit Process: Planning and
performing an Internal Audit Engagement
Performance Standards 2200-2600*

• Chapter 6 – Internal Auditing: An Introduction

• Study pack

* Only standard 2200 & 2300 in detail for IAU200

Attribute Performance
1000 – PAR 2000 – Managing the IAA
1100 – 2100 – Nature of work
Independence & Objectivity
1200 – 2200 – Planning the audit*
Proficiency and DPC 2300 – Performing the audit*
2400 – Communicating results
2500 – Monitoring results
1300 – 2600 –
Quality Assurance and Management’s Acceptance of risk
Improvement programme
 2023/08/11

What is an audit?
To verify the correctness of representations
Examination- verify
correctness of
representations

What is an audit?
- Audit
• Action
• Example of buying a mobile
phone/car/….
• Criteria-What should be place?
• Condition-What is in place?
• Finding-Evidence to support

What is an engagement?
Engagement:
- A specific internal audit assignment,
task or review activity
- Examples:
- An audit
- A review
- A fraud examination
- A consulting activity
 2023/08/11

NB Terminology
We refer to:
- An audit engagement or an audit;
- Engagement client or audit client;
- Engagement objectives or audit objectives;
- Engagement procedures or audit procedures;
- An engagement work programme or an audit
programme
- Etc.

Understanding the business environment

Organisational level
• Strategic: Influence the reputation (public relations
strategies)
e.g. Mission/vision statements
• Business unit: e.g. Sales division, human resource division
• Business process: e.g. Credit sales, payroll process, leave
process

Apple mission statement

•We believe that we’re on the face of the Earth to make great products.
•We believe in the simple, not the complex.
•We believe that we need to own and control the primary technologies behind
the products we make.
•We participate only in markets where we can make a significant contribution.
•We believe in saying no to thousands of projects so that we can really focus
on the few that are truly important and meaningful to us.
•We believe in deep collaboration and cross-pollination of our groups, which
allow us to innovate in a way that others cannot.
•We don’t settle for anything less than excellence in every group in the
company, and we have the self-honesty to admit when we're wrong and the
courage to change.
 2023/08/11

Understanding the
business environment
Considerations:
•Organisational objectives 6.3.1
•Organisational risks 6.3.2.

•Engagement objectives 6.3.3

Levels:
•Strategic
•Business unit
•Business process
•Refer to class discussion 1

Global
Education
Regional
National Economy

Society

Politics
Organisation

Technology

Spirituality Environment

The world keeps on changing!

Risk assessment matrix

– linked to the strategic objectives

5: Global Economy
Almost
Certain

(Expand) 8: Price
1: Change
Management competitiveness
(Easy) (Operational))
Probable

2: Systems &
Highly

4: Like for like

supply chain
7: Investment in Growth
(Easy)
people (Expand)
(One Team)
3: Combined
Probable

Purchasing
6: Agility & capability (Common)
10: Health &
to expand overseas
Safety
(Expand)
(Operational)
11: Ethics &
Likely
Fairly

Compliance
(Operational)
9: Supplier
Resilience
Occurrence

(Operational)
Unlikely

Manageable Major Significant Critical Catastrophic

Impact
 2023/08/11

Audit Methodology
Organisational objectives

Risk assessment

Id type of audit

Obtain understanding
Risk areas Planning the
Engagement objectives audit
Criteria engagement
Work programme

MAIN STAGES of AUDIT PROCESS: p123-124

■ 2200 Engagement Planning: Internal auditors must develop and document a
plan for each engagement including the engagement’s objectives, scope, timing
and resource allocations. The plan must consider the organisation’s strategies,
objectives, and risks relevant to the engagement.
■2300 Performing the Engagement: Internal auditors must identify, analyse,
evaluate, and record sufficient information to achieve the engagement's objectives.
■ 2400 Communicating Results: Internal auditors should communicate the
engagement results promptly.
■ 2500 Monitoring Progress: The chief audit executive should establish and
maintain a system to monitor the disposition of results communicated to
management

Standards
2000 – Managing the IAA
2100 – Nature of work
2200 – Planning the audit
2300 – Performing the audit
2400 – Communicating results (only findings)
2500 – Monitoring results
2600 – Managements acceptance of risk
 2023/08/11

Managing the Internal Audit Activity - 2000

Standard 2000 (as background)
• The chief audit executive (CAE) must effectively manage the internal audit
activity to ensure it adds value to the organisation.

• If internal audit activity (IAA) is effectively managed it will:

• achieve the purpose and responsibility.

• conform with the Standards.
• have its individual members conform with the Code of Ethics and the
Standards.
• consider trends and emerging issues that could impact the organisation.

Nature of work done by the internal

audit activity - 2100
Standard 2100 (as background)
-IAA must evaluate and contribute to the improvement of the organisation’s
governance, risk management and control processes by using a systematic,
disciplined and risk-based approach.

2110 - Governance
2120 - Risk Management
2130 - Control

Professional guidance:
Engagement planning - 2200
2201 – Planning considerations

2210 – Engagement objectives

2220 – Engagement scope

2230 – Engagement resource allocation

2240 – Engagement work programme

 2023/08/11

Internal Audit Process (2200-2600)*

2200 - Engagement Planning
IA MUST:
• develop a plan for each engagement (engagement plan)
which includes the:
- engagement objectives (refer to 2210)
- engagement scope (refer to 2220)
- timing of the engagement and
- resource allocation (refer to 2230)

2201 Planning Considerations:

IA MUST:
2201 In planning, consider:
– Strategies and objectives of the activity/dept being reviewed….
– The significant risks…
– The adequacy and effectiveness of the governance, risk
management and control processes…
– The opportunities for making significant improvements..
2201.A1 & C1
– Written understanding for services rendered to parties
outside the organisation

2210 Engagement objectives

• Engagement objectives must be established for each audit
• Broad statements developed by the internal auditor and
define what the engagement is intended to accomplish.
• Engagement objectives should address risks associated
with the activity under review
.A1 IA MUST conduct preliminary assessment of risks
Example:
• Risk – Unauthorised leave might be taken
• Objective – To test/assess/determine/evaluate that
(whether) all leave forms are authorised beforehand and
valid
 2023/08/11

2210 Engagement objectives

.A2 Must consider the probability of significant errors, fraud,
non-compliance and other exposures
.A3 Adequate criteria are needed to evaluate controls
.C1 Consulting engagement objectives must address
governance, risk and control processes to the extent agreed
upon with the client
.C2 Must be consistent with the organisation’s values, strategies
and objectives

2220 Engagement scope

• MUST be sufficient to satisfy the objectives of the
engagement
.A1 MUST include consideration of relevant systems,
records, personnel, physical properties
.A2 Significant consulting opportunities = written
agreement
.C1 scope sufficient to reach agreed-upon objectives
.C2 address controls consistent with engagement obj.

2230 Engagement Resource Allocation

• IA MUST determine appropriate and sufficient resources to achieve
engagement objectives by:
• evaluating the following:
– nature and complexity of the engagement
– time constraints and
– available resources
• Also consider:
– Training needs of internal auditors
– The use of external resources
 2023/08/11

2240 Engagement Work Programme (EWP)

Document a EWP to achieve audit objectives
.A1 MUST include the procedures for:
– Identifying, (refer to std 2310)
– analysing, (refer to std 2320)
– evaluating and (refer to std 2320)
– documenting information (refer to std 2330)
– during the engagement
• Approved prior to engagement
• Any adjustments should be approved promptly as well.
.C1 - EWPs for consulting engagements may vary in form and content.

2300 Performing the Engagement

IA must:
- identify (std 2310)
- analyse and evaluate (std 2320) and
- Document (std 2330)
sufficient information to achieve audit
objectives

2310 Identifying Information

IA must identify: (SRRU)
Sufficient, relevant, reliable and useful
information to achieve audit objectives
 2023/08/11

2320 Analysis and Evaluation

IA must base conclusions and audit results on
appropriate analyses and evaluations

2330 Documenting information

IA must document SRRU information to support audit results
and conclusions
.A1
The CAE must control access to audit records
The CAE must obtain approval of senior management / legal
counsel prior to releasing such records to external parties
.A2
The CAE must develop retention requirements for audit
records.
.C1
The CAE must develop retention requirements for consulting
records

2340 Engagement Supervision

Engagements must be properly supervised to ensure:
= objectives are achieved,
= quality is assured,
= staff is developed.
Extent of supervision – depends on proficiency and
experience of auditors and complexity of audit
CAE takes overall responsibility
Evidence of supervision must be documented and retained
What is included in supervision? (Page 130)
 2023/08/11

Planning the Engagement – 2200

(stage 1)
Schematic representation of recommended steps
not necessarily prescribed by Standards

STEP 1: Obtain an understanding of client and business unit

• factors to be considered
• industry
• types of services/goods
• organisational structure & culture
• labour matters
• politics
• technology (and more …)

Planning the Engagement - 2200

STEP 2: Preliminary contact/ meet with engagement client
- discuss:
• purpose & extent of engagement
• proposed scope of work
• management’s overview of division
• documentation required
• job & systems descriptions
• time budget
- physical tour

Planning the engagement - 2200

STEP 3: Conduct a preliminary survey
• process for gathering information
• purpose:
• obtain understanding of client
• without detailed verification
• includes:
• identify significant engagement issues
• identify potential control deficiencies
• walk-through test
• techniques to obtain this information:
• Study documentation (vision, mission, systems descriptions)
• Layout of facilities
• Previous year’s audit file
• Flow charts
• Interviews
• Research the industry
 2023/08/11

Planning the engagement - 2200

STEP 4: Identify risks
• areas which require specific attention
• high risk areas to be identified for further investigation
• Risk assessment (risk report – risk register – risk heat map)
• guidelines to identify risk (see bullet points)
• Different risk categories:
• Business risks
• Financial risks

Planning the engagement - 2200

STEP 5: Identify engagement objectives
• depends on type of audit
• Objectives - aimed at achieving a purpose or end
• Procedures - techniques to achieve objectives
• Refer to examples in text book

Planning the engagement -2200

STEP 5: Identify engagement criteria
• criteria
• what should be in place
• expectations used against which to make an evaluation
• condition
• what is currently in place
• based on factual evidence obtained
• audit findings
• comparison between what should be with what is
• example
• sources for the development of criteria
 2023/08/11

Planning the engagement - 2200

•STEP 5: Identify engagement scope
• work to be performed
• boundaries of the work
• nature and extent of work, time period and scope
limitations
–Refer to Table 6.6

–Refer to class discussion 3

Planning the engagement - 2200

STEP 6: Resource allocation
• Appropriate – mix of knowledge and skills & competencies
• Sufficient –quantity needed.
• considerations
• nature and complexity of audit
• competencies of internal audit team
• time constraints
• use of external resources
• other requirements

Planning the engagement - 2200

STEP 7: Prepare engagement work programme
• engagement work programme:
• list of steps, actions or procedures to be executed
• performed to gather evidence and express an opinion
• includes (audit procedures):
• HOW - action
• WHAT - document/process/transaction/balance
• WHY - engagement objective
 2023/08/11

Planning the engagement -2200

•STEP 8: Final confirmation to proceed
–prepare engagement letter
• confirmation that engagement will proceed
• based on agreed-upon principles

•Refer to class discussion 4

Performing the Engagement – 2300

(stage 2)
• IA should identify, analyse, evaluate and record information
• support engagement results & report

• Refer to Table 6.7

Performing the Engagement - 2300

• 2310 – Identifying information
• 2320 – Analysis and Evaluation
• 2330 – Documenting the information
• 2340 – Engagement supervision
 2023/08/11

Performing the Engagement - 2300

STEP 1: Identify engagement information (2310)
Characteristics of engagement information (SRRU):
sufficient
factual, adequate & convincing
informed person same conclusion as IA
relevant
supports engagement observations & recommendations
consistent with engagement objectives
approved & processed orders = NO relevance whether sold goods were
delivered
reliable
best attainable evidence
original versus copy
Nature and source of evidence NB
useful
enables IA to substantiate engagement objectives

Performing the Engagement - 2300

Nature / types of evidence (2310)
• physical
• observing
• people, property or events
• testimonial
• enquiries / interviews
• letters / statements
• should be supported by documentation
• documentary
• external versus internal documents
• analytical
• computations of relationships
• debtors collection period
• comparisons of specific information
• current year with previous years’ sales

Performing the Engagement - 2300

• Source (2310)
• auditor √√√
• 3rd party (external evidence) √√
• client (internal evidence) √

• Nature and source of information will influence reliability of information

• Refer to Table 6.8
• Refer to class discussion 5
 2023/08/11

Performing the Engagement - 2300

STEP 2: Perform engagement procedures (2310)
• HOW – WHAT - WHY
• performed to gather evidence
• with reference to criteria
• Internal auditor’s actions
• (Some of the) types of procedures
• Compliance
• Internal control activities are functioning as intended (Control
Effectiveness Tests)
• Laws, policies etc. are complied with (Compliance procedures)
• Substantive
• Transaction or balance correctly reflected as indicated in records
• transactions
• balances
• analytical procedures
• Refer to class discussion 6

Performing the Engagement - 2300

•STEP 3: Analyse and evaluate engagement information (Std 2320)

•STEP 4: Document engagement information (Std 2330)

•SUPERVISION (Step 1-4: Std 2340)

Types of audit engagements

• Compliance audit engagements
• Financial audit engagements
• Operational audit engagements
 2023/08/11

Types of audit engagements

• Compliance audit engagements
• assurance service
• assurance on organisation’s achievement of internal control objectives
• purpose – to supply evidence on:
• adequacy and effectiveness of internal control and/or
• compliance to laws, legislation, policies, procedures
• responsibilities
• management
• Implementation of controls
• IA
• evaluates/tests/assesses/determines adequacy and effectiveness of
IC and/or
• evaluates/tests/assesses/determines compliance to laws and
regulations

Types of audit engagements

• Compliance audit engagements
• Internal control objectives achieved by management
• compliance with applicable policies, procedures, laws & regulations
• achievement of activity objectives
• reliability and integrity of information
• economical and efficient use of organisational resources
• safeguarding of organisational assets
• These general internal control objectives can be applied to any
specific activity or process
• Refer to Table 6.11

Types of audit engagements

• Financial audit engagements
• assurance service
• purpose
• to express an opinion on the reasonableness of financial
information
• concept of fair presentation
• responsibilities
• internal auditor versus external auditor
 2023/08/11

Types of audit engagements

• Financial audit engagements
• management’s objectives (assertions/statements)
• existence and occurrence
• validity
• assets, liabilities & equity existed at specific time
• income & expenses actually occurred
• completeness
• all transactions and balances are recorded
• cut-off
• all transactions are recorded in correct financial period
• accuracy
• all transactions are recorded at correct amount

Types of audit engagements

• Financial audit engagements
• management’s objectives (assertions/statements)
• rights and obligations
• assets = rights
• liabilities = obligations
• classification and allocation
• transactions
• correct classification of repairs and maintenance = expense not asset
• balances
• correct allocation of a finance lease as a liability not an expense
• valuation
• all balances are correctly valued
• inventory at lower of cost or net realisable value
• presentation and disclosure
• all transactions & balances recognised in accordance with relevant accounting
framework

I/S B/S
Income , expenses Assets, liabilities, equity
Existence √
Occurrence √

Completeness √ √

Accuracy √

Rights and obligations √

Classification √

Allocation √

Valuation √

Presentation and disclosure √ √

 2023/08/11

Types of audit engagements

• Operational audit engagements
• performance audit engagements
• purpose
• add value to process
• by identifying possible opportunities for benchmarking or best
practices
• engagement objectives
• economy
• terms & conditions under which entity acquires its resources
• appropriate quality and quantity at lowest cost
• efficiency
• relationship between goods/services and resources used to supply them
• effectiveness
• degree to which objectives are achieved

• Example 1: Production operation

• economy (inputs)
• are we buying raw materials at best possible price?
• efficiency (conversion)
• are we productive in converting inputs (raw materials) into outputs (finished
goods)?
• effectiveness (outputs)
• are we achieving our objectives (target – 100 products per day)?

• Example 2: Study process

• economy (inputs)
• are we studying economically? – number of hours a day
• efficiency (conversion)
• are we productive / efficient in converting inputs (learning materials) into
outputs (knowledge and skills)?
• effectiveness (outputs/outcomes)
• are we achieving our objectives (pass / distinction / competent)?
• Refer to class discussion 7