
Chapter 4: Engagement Process and Planning


Engagement
• A specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy.
• An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
Engagement Process (Audit Process)
• Engagement Planning
• Performing the engagement
• Communicating results
• Monitoring
2200 Engagement Planning

“Internal auditors ‘must’ develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.”
2200 Engagement Planning Activities

1. Understand the engagement planning process used by the organization’s internal audit activity
2. Define the overall engagement objectives, scope and resource allocation
3. Conduct Preliminary survey
4. Prepare Audit Work Program
2200 Engagement Planning Activities

1. Understand the engagement planning process used by the organization’s internal audit activity, which is often described in the internal audit policies and procedures

IA Policies & Procedures: sample documents
2200 Engagement Planning Activities

2. Define the overall engagement objectives, scope and resource allocation

This must be documented.
2200 Engagement Planning Activities

3. Conduct Preliminary survey
• Involves obtaining information about the department/unit/process to be audited
• The aim is to become familiar with the strategies, objectives, and risks related to the department, area, or process to be reviewed
• Results of the survey must be documented
2201 – Planning Considerations
• The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
• The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model.
• The opportunities for making significant improvements to the activity’s governance, risk management, and control processes.
2200 Engagement Planning Activities

How to conduct the Preliminary survey (step 3)?
• Review of policies and procedures of the auditee (e.g. flowcharts)
• Conduct interviews with process owners
• Research
• Review of previous audit
• Review of risk assessments
2200 Engagement Planning Activities

How to document the Preliminary survey (step 3)?
• Flowcharts and/or
• Narrative
• Risk and Control Matrix

All of these must be approved by the auditee to confirm the understanding of the process.
2200 Engagement Planning Activities

How to make a Risk and Control Matrix (step 3)?
1. Based on your Preliminary Survey, plot the processes and process objectives

2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
2200 Engagement Planning Activities

How to make a Risk and Control Matrix (step 3, continued)?
2. Identify risks that are related to the process
3. Provide the possible impact/effect of each risk if it happens, the likelihood that it will happen, and how severe it will be
4. Provide benchmark controls to mitigate the risk
5. Plot the current controls being implemented by the auditee
6. Measure the residual risk
Definition
• Benchmark controls: a standard control or point of reference against which things may be compared or assessed.
• 2210.A3 – Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
• Types of criteria may include:
  • Internal (e.g., policies and procedures of the organization).
  • External (e.g., laws and regulations imposed by statutory bodies).
  • Leading practices (e.g., industry and professional guidance).
Definition
• Inherent risk is an assessed level of raw or untreated risk: the risk in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of risk reduction.
• Residual risk is the threat that remains after all efforts to identify and eliminate risk have been made.
Risk and Control Matrix Sample

Process & Objective: Recruitment. To select and hire the best and most qualified applicants who meet the necessary educational requirements, skills, competency and attitude or behavioral requirements for the job vacancies.
Risks: Acceptance and hiring of applicant with incomplete or falsified credentials and requirements.
Effect: Inefficiencies in performing the job; financial losses due to possibility of fraud.
Inherent Risk: Likelihood 5; Impact 4; Rating Catastrophic
Benchmark Controls: A thorough pre-employment screening process is consistently administered, such as: verification and documentation of references and licensure.
Current Controls: HR conducts verification process by performing background check and drug testing.
With Gap?: No
Residual Risk: Moderate
2200 Engagement Planning Activities

4. Prepare Work Program
• Internal auditors must develop and document work programs that achieve the engagement objectives.
• 2240.A1 – Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.
Sample Audit Program

Risk Ref.: 10,12
Control Ref: 10,12
W/P Ref.: HR2.2.2
Done by & Date: FZC, 3/7/16
Conclusion: With findings

Audit Procedure:
From the list of newly hired employees, randomly select 201 files and perform the following:
a. Determine if the position of the hired employee was included in the department’s plantilla. Note for non-compliance and inquire for reason/s.
b. Check appropriateness of justification and completeness of documentation (prepared by the requesting department and approved by the Executive Committee) if the position of the hired employee is not included in the plantilla. Note for non-compliance and inquire for reason/s.
c. Verify if an approved personnel requisition form (PRF) is present for each sampled employee. Examine appropriateness and completeness of job descriptions, requirements, and duties and responsibilities.
d. Ensure that a series of interviews was performed, from HR Manager to Department Manager and Executives.
e. Determine if a written examination was performed. If not, inquire for reason/s.
f. Check if the pre-employment checklist was filed and completed. Note for non-compliance and inquire for reason/s. Determine the completion date for the submission of all requirements and note significant delays. Inquire for the reason.
g. Ascertain that an endorsement letter to perform background and school records check was sent to Vanguard and properly filed.
h. Check if reference check, employee background investigation, and school records verification were performed. Note for non-compliance and inquire for reason/s.
i. Ensure that the pre-employment medical examination was performed by the company’s authorized hospitals. Note for non-compliance and inquire for reason/s.
j. Obtain sufficient documentation of services performed during the pre-employment medical examination and ensure the completeness of medical test requirements.
k. Job description and performance evaluation are acknowledged by the employee.
Ensure that the following documents are filed in the 201.
• curriculum vitae/resume
• appointment letter signed by the President/Authorized Officer, countersigned by HRD Officer and the employee.
