Engagement Planning & Fieldwork – Internal Audit Notes

Introduction to Engagement Planning

  • Internal auditing (IA) Common Body of Knowledge (CBOK) demands mastery of modern control, governance, and IT-security topics.

  • Chapter focus: end-to-end steps to plan, perform, and complete an individual internal audit engagement.

  • Preconditions assumed:

    • Board/Audit Committee–approved Audit Charter.

    • Risk-based Annual Audit Plan already sanctioned.

    • Function is sufficiently resourced and adheres to the IIA International Standards for the Professional Practice of Internal Auditing (ISPPIA).

  • Core idea: IA is the “eyes & ears” of Audit Committee and senior management—goes beyond paperwork review by physically observing operations, gathering evidence, and testing controls on-site.

  • Applicability: same methodology works for finance, manufacturing, IT, telecom, SOX §404, etc.

  • Hypothetical multinational manufacturer/distributor of IT-security hardware & software.

  • Sites in United States, India, Netherlands; focal audit location in Minneapolis, MN.

  • Engagement chosen: Purchasing & Accounts Payable (A/P) controls review.

Organising & Planning Internal Audits

  • Three foundational building blocks:

    • Audit Charter & IA organisational structure.

    • Approved long-range / annual risk-based audit plan.

    • Standardised methodologies aligned with ISPPIA (e.g., evidence evaluation, COSO framework, report protocols).

  • Consistency across auditors elevates IA credibility and perceived value.

Internal Audit Preparatory Activities

  • Triggers for an audit: annual schedule, Audit Committee / management request, regulatory change, fraud indications, economic shocks, etc.

  • Steps before fieldwork:

    1. Determine/confirm Audit Objectives (high-level purpose statements).

    • Example: “Assess adequacy of purchasing controls at Minneapolis facility, branch interfaces, corporate A/P linkage, and supporting automation.”

    2. Draft Scope Statement (optional but clarifies boundaries, e.g., only AUS/NZ operations).

    3. Prepare Audit Planning Memo (internal; Exhibit 7.1) capturing objective, team, timing, hours, SOX §404 tie-in.

    4. Produce/maintain Project Schedule (Exhibit 7.2) with monthly hour allocations by auditor & activity.

    5. Estimate resources—break engagement into tasks, match auditor skills, incorporate staff development.

    6. Conduct Preliminary Survey:

    • Review prior workpapers & reports (identify repeat issues, sample-size optimisation).

    • Analyse org charts, budgets, KPIs, mission statements.

    • Gather relevant external/internal reviews (SOX, regulators, external audit, press releases).

    • Document potential segregation-of-duties weaknesses.
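Worked example for the segregation-of-duties step (added here; it is not from the original notes and not a vendor tool): a short script that takes a constructed user-to-role and role-to-permission extract, as an ERP role report might be dumped, and lists every user whose effective permissions contain a pair the audit team has defined as conflicting within the purchasing / A/P cycle. The permission names, role names, users and the conflict matrix are all assumptions for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over a user/role/permission
extract.  Added illustration, not from the original notes.  The conflict
matrix, role and permission names and the user extract are constructed
assumptions modelled on a purchasing / accounts-payable cycle."""
from itertools import combinations

# Assumed conflict matrix: permission pairs one person must not hold together,
# because each pair lets one user both initiate and approve or settle a transaction.
SOD_CONFLICTS = {
    frozenset({"PO_CREATE", "PO_APPROVE"}): "raise and approve own purchase order",
    frozenset({"VENDOR_CREATE", "INVOICE_ENTER"}): "create a vendor and enter its invoices",
    frozenset({"VENDOR_CREATE", "PAYMENT_RELEASE"}): "create a vendor and pay it",
    frozenset({"INVOICE_ENTER", "PAYMENT_RELEASE"}): "enter an invoice and release its payment",
}

# Constructed extract, as an ERP role report might be dumped.
ROLE_PERMS = {
    "AP_CLERK": {"INVOICE_ENTER"},
    "AP_SUPERVISOR": {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "BUYER": {"PO_CREATE"},
    "PURCHASING_MGR": {"PO_APPROVE", "VENDOR_CREATE"},
    "IT_ADMIN": {"VENDOR_CREATE", "INVOICE_ENTER", "PAYMENT_RELEASE"},  # over-broad
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"BUYER", "PURCHASING_MGR"},      # raises and approves his own POs
    "carol": {"AP_CLERK", "AP_SUPERVISOR"},  # holiday cover never revoked
    "dave": {"IT_ADMIN"},                    # conflict lives inside one role
    "erin": {"AP_SUPERVISOR"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Union of the permissions granted through every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def _conflicting_pairs(perms, conflicts):
    """Sorted (perm_a, perm_b, description) triples present in `perms`."""
    return [(a, b, conflicts[frozenset((a, b))])
            for a, b in combinations(sorted(perms), 2)
            if frozenset((a, b)) in conflicts]


def find_sod_conflicts(user_roles=USER_ROLES, role_perms=ROLE_PERMS, conflicts=SOD_CONFLICTS):
    """{user: [(perm_a, perm_b, description), ...]} for users holding a conflicting pair."""
    findings = {}
    for user in sorted(user_roles):
        hits = _conflicting_pairs(effective_permissions(user, user_roles, role_perms), conflicts)
        if hits:
            findings[user] = hits
    return findings


def conflicting_roles(role_perms=ROLE_PERMS, conflicts=SOD_CONFLICTS):
    """Roles that are conflicting by design, before any user is assigned."""
    return {role: _conflicting_pairs(perms, conflicts)
            for role, perms in sorted(role_perms.items())
            if _conflicting_pairs(perms, conflicts)}


if __name__ == "__main__":
    for role, hits in conflicting_roles().items():
        print(f"role {role} conflicts on its own: {[h[2] for h in hits]}")
    for user, hits in find_sod_conflicts().items():
        for a, b, why in hits:
            print(f"{user}: {a} + {b} -> {why}")
```

Each hit is a candidate Point Sheet entry, not yet a finding: it becomes one only after the auditor confirms that no compensating control (for example a mandatory second approver on payment release) covers it. Checking roles on their own, as conflicting_roles does, separates a badly designed role from a user who was merely granted two roles, which points to a different cause and a different recommendation.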

Engagement Communication – Engagement Letter

  • Purpose: formal notification to auditee (who/what/why).

  • Key contents:

    • Addressee (responsible manager).

    • Objective & scope.

    • Start date & duration.

    • Audit team leader & contacts.

    • Advance requests (reports, workspace, IT/network access).

    • CC senior stakeholders.

  • Exceptions: fraud investigations or surprise cash counts may forgo advance notice.

Field Survey (Initial On-Site Work)

  • Goals:

    1. Familiarise with local processes & environment.

    2. Assess control structure & inherent/control risk.

  • Activities:

    • Validate org charts & responsibilities.

    • Obtain manuals, directives, laws, online procedures.

    • Analyse management/operational reports & prior inspection results.

    • Perform walk-through/tour; document observations.

    • Preliminary interviews with key personnel.

  • Deliverables:

    • Updated permanent file, flowcharts of major processes (SOX §404 requires process documentation).

    • Field Survey Summary (Exhibit 7.4) – may propose scope tweaks or cancellation.

Audit Programme Development

  • Definition: blueprint of step-by-step procedures to meet objectives.

  • Forms:

    1. Generalised programme (high-level; Exhibit 7.5 – Direct Expenditure Cycle).

    2. Detailed procedural programme (petty cash example – Exhibit 7.6).

    3. Checklist/questionnaire (ethics & compliance – Exhibit 7.7).

  • Each step records initials, date, and workpaper reference (control & QA).

  • Program may be:

    • Standard (library) → minimal adaptation.

    • Customised → unique risks, new systems, past issues.

  • Incorporate advanced techniques:

    • Computer Assisted Audit Tools & Techniques (CAATTs).

    • Statistical Sampling for large data sets.

Types & Hierarchy of Audit Evidence (Exhibit 7.8)

  1. Most persuasive: Direct auditor observation, independent confirmations, original signed documents.

  2. Corroborative: Documentary evidence from reliable systems.

  3. Moderate: Photocopies, internally generated but unaudited reports.

  4. Weakest: Verbal statements, casual answers without validation.

Performing the Audit (Fieldwork)

  • Initial Procedures:

    • Entrance meeting; share tentative schedule & info needs.

    • Request auditee help to inform staff.

    • Address logistical issues (workspace, system access).

  • Problem-solving strategies for missing data or non-cooperation:

    • Adjust procedures.

    • Note limitation in report.

    • Reschedule portion, reconstruct data.

  • Workpaper Control:

    • Each step initialled & dated.

    • Use Point Sheets (Exhibit 7.9) to log emerging issues, link to programme steps & evidence.

    • In-charge auditor reviews in real-time.

  • Technical Assistance:

    • Escalate unfamiliar accounting or IT issues; consult specialists or research; document time/cost impact.

  • Management Monitoring:

    • For large/critical audits, management visits or virtual check-ins ensure quality & resolve issues.

    • Review workpapers, approve or request more work.

  • Potential Findings Process:

    • Raise Preliminary Findings Sheets (Exhibit 7.10) – include condition, criteria, cause, effect, recommendation, discussion outcome, disposition.

    • Discuss with responsible manager; decide retain/drop/defer.

  • Programme/Schedule Modifications:

    • Approved by audit management; document reasons (e.g., local differences, new risks, staffing changes).

  • Ongoing Communication:

    • Weekly or exit meetings to validate facts, gauge significance, allow quick corrective action on minor issues.

Practical / Philosophical Considerations

  • Balance between announced vs. surprise audits – surprise visits only where justified (fraud investigation, cash counts); otherwise pre-notice minimises disruption and improves cooperation.

  • Flexibility vs. Rigour:

    • IA must adapt to evolving business conditions without sacrificing audit quality or independence.

  • Travel-cost paradox: while budgets matter, risk coverage cannot be sacrificed—site visits are essential for robust assurance.

Ethical & Governance Implications

  • IA upholds fiduciary duty to board and stakeholders by independently assessing controls.

  • Engagement planning embodies transparency, risk-based resource allocation, and professional scepticism.

  • Proper documentation (charter, programmes, workpapers) provides traceability, supports accountability, and satisfies legal/regulatory requirements (SOX §404, etc.).

Key Numerical / Statistical References

  • Example hours from GCP schedule (Exhibit 7.2): 20, 80, 45 hours for IT-control testing (Hollerith).

  • Audit period planning often covers one fiscal year but schedules may span 1–3 month blocks.

  • Petty cash audit sample sizes may be reduced if prior tests showed low error rates (risk-based sampling).
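Worked example for the statistical-sampling technique referenced in the Audit Programme section (CAATTs / statistical sampling) and for the sample-size remark just above (added here; not from the original notes). It computes an attribute-sampling size under a binomial model, draws a reproducible sample from a constructed population of invoice numbers, and turns the number of deviations found into an upper deviation limit for the conclusion. The confidence level, tolerable rate, expected deviations, seed and population are assumptions for illustration.

```python
"""Attribute sampling for a control test such as "every paid invoice has an
approved purchase order".  Added illustration, not from the original notes.
Exact binomial arithmetic via math.comb; the invoice population and the
deviation count used in __main__ are constructed sample data."""
import math
import random


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(confidence, tolerable_rate, expected_deviations=0, max_n=5000):
    """Smallest n such that finding at most `expected_deviations` deviations
    keeps the upper deviation limit at `confidence` within `tolerable_rate`,
    i.e. P(X <= k | n, p = tolerable_rate) <= 1 - confidence."""
    alpha = 1 - confidence
    for n in range(expected_deviations + 1, max_n + 1):
        if binom_cdf(expected_deviations, n, tolerable_rate) <= alpha:
            return n
    raise ValueError("no feasible sample size up to max_n")


def upper_deviation_limit(n, observed, confidence, tol=1e-6):
    """One-sided upper bound on the population deviation rate: the smallest p
    with P(X <= observed | n, p) <= 1 - confidence, found by bisection
    (binom_cdf is decreasing in p)."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(observed, n, mid) > alpha:
            lo = mid  # bound must lie above mid
        else:
            hi = mid
    return round(hi, 4)


def draw_sample(population, n, seed):
    """Random selection without replacement.  The seed is recorded in the
    workpapers so a reviewer can re-perform the exact selection."""
    rng = random.Random(seed)
    return sorted(rng.sample(population, n))


def evaluate(n, observed, confidence, tolerable_rate):
    """Conclude on the control: supported only if the achieved upper
    deviation limit does not exceed the tolerable rate."""
    udl = upper_deviation_limit(n, observed, confidence)
    return {
        "sample_size": n,
        "deviations": observed,
        "upper_deviation_limit": udl,
        "control_supported": udl <= tolerable_rate,
    }


# Constructed population: 1,200 paid-invoice numbers for the period.
INVOICES = [f"INV-{i:05d}" for i in range(1, 1201)]

if __name__ == "__main__":
    n = sample_size(confidence=0.95, tolerable_rate=0.05, expected_deviations=0)
    selected = draw_sample(INVOICES, n, seed=20240101)
    # Constructed outcome: one sampled invoice lacked an approved PO.
    print(n, selected[:3], evaluate(n, observed=1, confidence=0.95, tolerable_rate=0.05))
```

With 95% confidence, a 5% tolerable deviation rate and no expected deviations the size function returns 59, which agrees with the usual attribute-sampling tables; allowing for one expected deviation raises it to 93. That is the quantitative form of the point above: a low error rate in prior tests justifies a smaller sample, while a single deviation found in a 59-item sample already pushes the upper limit past 5% and the control cannot be relied on without further work. Record the seed in the workpapers so the selection can be re-performed on review.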

Connections to Wider CBOK Topics

  • Links to COSO Internal Control-Integrated Framework.

  • Risk-based planning ties into Enterprise Risk Management (ERM).

  • Workpaper quality & engagement supervision intersect with Quality Assurance & Improvement Programme (QAIP) requirements (ISPPIA 1300 series).

Study Tips & Take-aways

  • Memorise the sequence: Charter ➜ Annual Plan ➜ Engagement Letter ➜ Field Survey ➜ Audit Programme ➜ Fieldwork ➜ Findings ➜ Report.

  • Understand the why behind each document (planning memo vs. engagement letter vs. point sheet).

  • Practise drafting objective/scope statements—clarity here drives entire audit success.

  • Be able to explain evidence hierarchy and give real-life examples.

  • Anticipate exam scenarios asking for responses to missing data, uncooperative staff, or scope changes.

  1. What two (2) types of services do internal auditors provide? Provide three examples of each type of engagement.
    Internal auditors primarily provide two types of services: Assurance Services and Consulting Services.

  • Assurance Services: These involve an objective examination of evidence for the purpose of providing an independent assessment to the board, management, or third parties regarding the effectiveness of governance, risk management, and control processes. The provided note focuses heavily on these.

    • Examples:

      1. Review of Purchasing & Accounts Payable Controls: As described in the example context, assessing the adequacy of controls at a facility, including branch interfaces and corporate linkage.

      2. IT-Security Control Testing: Evaluating the effectiveness of controls related to IT security hardware and software, often involving specific hour allocations for testing (e.g., 20, 80, 45 hours for IT-control testing).

      3. SOX §404 Compliance Audit: Assessing an organization's internal controls over financial reporting to meet regulatory requirements.

  • Consulting Services: These are advisory and related client service activities, the nature and scope of which are agreed with the client, and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.

    • Examples:

      1. Process Improvement Advisory: Advising management on optimising operational workflows or reducing inefficiencies in specific business areas.

      2. Risk Management Training: Providing workshops or training sessions to various departments on identifying and mitigating risks relevant to their operations.

      3. System Implementation Review: Offering guidance and recommendations during the roll-out of new IT systems to ensure internal controls are adequately integrated.

  2. What are the four (4) phases of assurance engagement planning?
    Based on the typical internal audit process and the steps outlined in the provided notes, the four phases of assurance engagement planning can be structured as follows:

  • Phase 1: Initiation and Objective Setting: This phase involves establishing the need for the audit and defining its high-level purpose.

  • Phase 2: Preliminary Information Gathering and Risk Assessment: This involves conducting initial research and surveys to understand the auditable entity, its controls, and associated risks.

  • Phase 3: Resource Allocation and Scheduling: This phase focuses on determining the necessary personnel and timeframes for the engagement.

  • Phase 4: Audit Program Development: This involves creating the detailed, step-by-step procedures to be performed during the fieldwork.

  3. What steps are included in the planning phase of an assurance engagement?
    The planning phase of an assurance engagement includes several key steps:

  • Determine/confirm Audit Objectives: Defining the high-level purpose statements for the audit.

  • Draft Scope Statement: Clarifying the boundaries of the audit, specifying what will and will not be covered.

  • Prepare Audit Planning Memo: An internal document detailing objectives, team, timing, estimated hours, and any regulatory ties (e.g., SOX §404).

  • Produce/maintain Project Schedule: Allocating monthly hours by auditor and activity.

  • Estimate Resources: Breaking down the engagement into tasks and matching auditor skills, while considering staff development.

  • Conduct Preliminary Survey:

    • Reviewing prior workpapers and reports.

    • Analysing organisational charts, budgets, and Key Performance Indicators (KPIs).

    • Gathering relevant external/internal reviews (e.g., SOX, regulators).

    • Documenting potential segregation-of-duties weaknesses.

  • Conduct Field Survey (Initial On-Site Work):

    • Familiarising with local processes and environment.

    • Assessing control structure and inherent/control risk.

    • Validating organisational charts, obtaining manuals, and reviewing reports.

    • Performing walk-throughs and preliminary interviews.

  • Prepare Engagement Letter: Formal notification to the auditee detailing objective, scope, start date, duration, and audit team contacts (unless a surprise audit is necessary).

  • Develop Audit Programme: Creating a blueprint of step-by-step procedures, which can be generalised, detailed, or checklist-based, ensuring each step records initials, date, and workpaper reference. It may incorporate advanced techniques like CAATTs and statistical sampling.

  4. What is the relationship between business objectives and business assertions?

  • Business Objectives are the high-level goals that an organisation aims to achieve, such as increasing market share, optimising operational efficiency, or ensuring regulatory compliance. In internal audit, audit objectives are set to assess whether these business objectives are being met, and whether the controls supporting them are adequate. For example, a business objective might be