Loading...
Menu

Internal Audit Engagement Planning

INTERNAL AUDIT ENGAGEMENT PLANNING
KAYA KWINANA, CIA

Published by Kaya Kwinana at Shakespir
Copyright 2015 Kaya Kwinana

ISBN 9781311385192

Shakespir Edition, License Notes

This e-book is licensed for your personal enjoyment only. It is not for sale. This e-book may therefore not be re-sold or given away to other people. If you would like to share this book with another person, please direct that person to your favourite e-book retailer or www.Shakespir.com.

TABLE OF CONTENTS

Foreword

Chapter 1 Fundamental Purpose of Internal Auditing

Chapter 2 Nature of Internal Auditing

Chapter 3 Scope of Internal Auditing

Chapter 4 Engagement Planning

Chapter 5 Performing the Engagement

Chapter 6 Communicating Results

Chapter 7 Internal Audit Charter

Chapter 8 Internal Audit Activity Conformance

Chapter 9 Internal Auditor Conformance

Chapter 10 Other Management Issues

Conclusion

Annexure A Mandatory IPPF Guidance

Annexure B Fundamental Chief Audit Executive Responsibilities

Bibliography

Foreword

Since I last tackled the issue of internal audit engagement planning in my book, “Understand Internal Auditing”, I have come to understand that there is still a lot of confusion about the activity.

The task would be that much simpler if the people involved were aware of the confusion, but they are not. They think that whatever they are doing is unquestionably the right thing to do.

Why conduct an internal audit engagement?

Who decides where to conduct an internal audit engagement?

Who decides which engagement to conduct?

What are legitimate internal audit engagement objectives?

What are the components of internal audit engagement planning?

Who is responsible for what in internal audit engagement planning?

This book is intentionally brief. In observing how regulators and job advertisements, particularly, muddy the waters by insisting on internal auditing according to IIA standards and then immediately expand on that by specifying contrary activities, a quotation attributed to Albert Einstein kept going through my mind:

Everything should be made as simple as possible, but not simpler.

Indeed!

Most internal audit engagements derive their authority from an internal audit plan. Some are a result of “management requests”.

I won’t be discussing the above as they are in my opinion part of internal audit planning.

Our concern in this book is with an identified internal audit engagement which the Chief Audit Executive instructs to be conducted.

Beginning of chapter

Table of Contents

Chapter 1 What is an internal audit engagement?

Before an internal audit engagement can be conducted, whoever has been given the responsibility to do so, who I shall henceforth call the “internal auditor in charge of the engagement”, must ensure that he/she is very clear as to what an internal audit engagement is.

This should not be too difficult to find out.

A first step to doing so is by reference to the definition of internal auditing, which is meant to state the fundamental purpose, nature and scope of internal auditing.

It is the second sentence of that definition which articulates its stated objectives and it says:

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The “systematic, disciplined approach”, which consists of engagement planning, performing the engagement and communicating results, is not part of what the definition of internal auditing was meant to state.

From the above, the fundamental purpose of internal auditing is “It (internal auditing) helps an organization accomplish its objectives”. This is the promised outcome of the evaluation and improvement of governance, risk management and control processes.

The nature of internal auditing is “to evaluate and improve, that is assurance and consulting. These are the activities which internal auditing is required to carry out.

The scope of internal auditing is “risk management, control, and governance processes”. To be consistent with the rest of the mandatory IPPF guidance, this is best restated as “governance, risk management and control processes.” These are the processes to be evaluated and advice provided on.

The scope of internal auditing is applied to the organisational objectives. Internal auditing evaluates and provides advice (as is appropriate) on how this is done.

What is most important is how the nature of internal auditing, the activities which internal auditing commits itself to, are formally defined. The definitions of these activities not only focus on the activities themselves but also on what the focus of those activities is and the objective thereof.

We call these activities engagements. They are referred to in the Glossary as assurance services and consulting services. In the light of the abundant confusion about these activities, it is best to refer to them explicitly as internal audit assurance engagements and internal audit consulting engagements respectively. They are defined as follows:

Internal audit assurance engagements are defined as “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.

Internal audit consulting engagements are defined as “Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.

Note that these definitions articulate:

1. What the activities are – “An objective examination of evidence” for assurance engagements and “Advisory and related client service activities” for consulting engagements.

2. What the objectives are – “for the purpose of providing an independent assessment” for assurance engagements and “intended to add value and improve” for consulting engagements, and

3. What their focus is on – “governance, risk management, and control processes” for both of them.

Consulting engagements have one important addition, the “without the internal auditor assuming management responsibility” rider, which one does not find in the case of assurance engagements.

In answer to the chapter title then, an internal audit engagement is one which satisfies points 1 and 3 above.

Point 1 articulates the nature of internal auditing and point 3 articulates to the scope of internal auditing. For an internal audit engagement to be adequately defined is has to relate to BOTH the nature of internal auditing and the scope of internal auditing.

One may ask why I do not include point 2. Points 1 and 2 are two sides of the same coin.

If the internal audit engagement objective is to provide an independent assessment of the governance, risk management and control processes, that can only be provided by an internal audit assurance engagement and an assurance engagement can only provide an independent assessment.

If the internal audit engagement objective is to contribute to the governance, risk management and control processes, that can only be provided by a consulting engagement and an internal audit consulting engagement can only contribute to the governance, risk management and control processes.

Beginning of chapter

Table of Contents

Chapter 2 What does internal audit engagement planning entail?

It was mentioned in the previous chapter that the systematic disciplined approach consisted of engagement planning, performing the engagement and communicating results.

Engagement planning itself consists of planning considerations (commonly known as the opening meeting or similar), engagement objectives, engagement scope, engagement resource allocation and engagement work program.

I would like to reorder the above, with engagement resource allocation and engagement work program swapping places.

From the above, it is clear that the engagement objective and engagement scope are to be developed DURING engagement planning and NOT before.

It is the most damaging thing organisations and internal auditors are not aware of when the engagement objective and/or engagement scope (beyond the identification of the engagement area, which as I said earlier is the preserve of the internal audit plan) are decided on (by whoever) before the appropriate phase of engagement planning!

So, when the internal auditor in charge of an internal audit engagement accepts the responsibility of conducting an internal audit engagement, even he/she should not have made up his/her mind as to the engagement objective and engagement scope.

While some may claim as motivation for specifying the two the desire to “add value”, the phrase has a very specific, technical meaning in internal auditing which is contrary to that expressed, as to “add value” is defined technically to mean to conduct the appropriate engagement for particular circumstances.

The exercise of due professional care also requires the internal auditor to evaluate certain criteria before deciding on the engagement type (and therefore engagement objective), one of which is costs compared to benefits. (1220.A1 and 1220.C1)

If the engagement objective and/or engagement scope are specified by anyone other than the internal auditor in charge of the engagement, and is not challenged, that constitutes impairment of the independence of the internal auditor in charge of the engagement.

If the engagement objective and/or engagement scope are specified by anyone other than the internal auditor in charge of the engagement, and is challenged, or the engagement objective and/or engagement scope are specified by the internal auditor in charge of the engagement before the appropriate phase of engagement planning or contrary to evidence to be required to be considered before making that decision, that constitutes impairment of the objectivity of the internal auditor in charge of the engagement.

Internal audit engagement planning seals the fate of an engagement and it is therefore important that it be done well for the engagement to be said to have been conducted according to the IIA Standards.

An ignored aspect of engagement planning is the requirement for it to be documented, as required by 2200, “Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.

In essence, this is a requirement to document not only the outputs of these activities but also how one intends deciding on them, and not only on them only, but all five components of engagement planning.

I would like to point out that while throughout the engagement planning section, the Standards refer to “internal auditors”, common sense and context dictate that this applies to the internal auditor in charge of the engagement. Otherwise, one would have different internal auditors doing their own engagement planning with no unified engagement objective, engagement scope, engagement work program or engagement resource allocation.

Yes, the internal auditor in charge of the engagement may, and I would support and suggest it, have one or two junior internal auditors, simply for educational purposes, to get used to or see the engagement planning processes in action. The junior internal auditors may also, especially if they had been part of the process previously, be given some tasks to assess their readiness for being in charge of an internal audit engagement by themselves.

A last point before we get into engagement planning proper is that the internal auditor in charge of the engagement, in approaching the engagement, must be aware of 2100, “The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.”

This should focus the internal auditor in charge of an internal auditor in charge of an internal audit engagement on what he/she is expected to do. This standard is a reminder of the nature and scope of internal auditing.

Beginning of Chapter

Table of Contents

Chapter 3 Planning considerations or the opening meeting

While there are other things which might be part of the opening meeting discussions, I would like to focus on four things which MUST happen.

The four are articulated by 2201 as follows: “In planning the engagement, internal auditors must consider:

1. The objectives of the activity being reviewed and the means by which the activity controls its performance;

2. The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;

3. The adequacy and effectiveness of the activity’s governance, risk management and control processes compared to a relevant framework or model; and

4. The opportunities for making significant improvements to the activity’s governance, risk management and control processes.”

Regarding point 1, the very least which should be obtained from the engagement client is the job description of both the person in charge of the engagement area (from now on to be called the “process owner”) and his/her boss. It would help if their latest performance assessments could also be obtained.

Regarding point 2, the engagement area’s risk register MUST be provided.

Regarding point 3, both the results and documentation of the engagement area’s periodic self-assessment (PSA), or separate evaluation as it is called in the 2120 interpretation, into the adequacy and effectiveness of the engagement area’s “governance, risk management and control processes compared to a relevant framework or model

Point 4 affords the engagement client the chance to share perceived “The opportunities for making significant improvements to the activity’s governance, risk management and control processes”.

It should be noted that for every engagement area, the engagement client is BOTH the process owner and his/her boss, for the simple reason that each has specific responsibilities regarding the implementation of governance, risk management and control processes in that engagement area.

Internal auditors spend a lot of time in practice looking for and doing things which not only do not help them with regard to an internal audit engagement, but take them further away from what an internal audit engagement requires.

Why the above is required becomes apparent from the next section on the engagement objective.

Beginning of Chapter

Table of Contents

Chapter 4 The engagement objective

The 2210 group of standards deal with the considerations for deciding on the engagement objective.

It is important to bear in mind that at the end of this process, when the internal auditor in charge has made his/her mind based on the evaluation of obtained information, he/she should document the process and the result and present it to the CAE or delegate in line with engagement supervision.

The CAE/delegate only have to satisfy themselves that enough competent information was obtained and that it was evaluated properly in favour of the decision made, failing which, like in any other review, the internal auditor in charge of the engagement should be requested to make the required changes for the criteria to be satisfied.

The CAE/delegate may not change the decision of the internal auditor in charge for any other reason as that would amount to impairment of the independence of the internal auditor in charge of the engagement. I indicated earlier that should the internal auditor in charge of the engagement not challenge such improper action from the CAE/delegate, that would amount to impairment of objectivity of the internal auditor in charge of the engagement.

A way around this, should the internal auditor in charge of the engagement, bearing in mind workplace realities, is to ensure that working papers always reflect activities. When corrections are made, the original documentation must NEVER be overwritten. If it is, in the interests of neatness, the mere signature of the CAE/delegate of supervision would constitute the only proof of actual supervision, which in my opinion is insufficient evidence thereof.

Another avenue to explore, especially where spreadsheet working papers are used, is to email working papers to the CAE/delegate for supervision. That way, what was there before correction is preserved.

So, the first point to note is that, having obtained the required information from the opening meeting, the internal auditor in charge of the engagement must document how that information was processed in deciding what the engagement objective should be, because that is precisely what that information is for.

2210.A1 requires that “Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

There is a lot of confusion about this requirement.

First of all, on the face of it, the second sentence seems to imply that ONLYthe results of this assessment” determine the engagement objective. Nothing could be further from the truth. If that were the case, there would be no need for 2210.A2 and 2210.A3.

Others believe that what is required is a risk assessment in the sense of risk identification, as the process owner would do. This could also not so. Internal auditors evaluate how the engagement client has implemented the governance, risk management and control processes, rather than doing it for them. Internal auditors do not need to do it even for themselves – it is contrary to the definitions of an internal audit engagement.

What then does 2210.A1 require the internal auditor in charge of the engagement to do?

He/she is required to assess, on a cursory basis, the engagement client risk register from the opening meeting as to whether it caters properly for the control/risk management framework components and the objective criteria. For example, to link to the information obtained in the opening meeting, are all the process owner objectives included in the risk register?

The benefit of the requirements of 2210.A1 becomes clearer from 2210.A2 which requires that “Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

From the assessment described above, the internal auditor in charge of the engagement needs to consider whether any of these exposures are present. THAT is what the 2210.A1 preliminary assessment was all about.

2210.A3 requires that “Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria.”

In my opinion, the second sentence, in trying to provide more clarity, ends up muddying the waters. The issue here relates to the PSA results and documentation. Yes the result would be positive or negative, but were the criteria used there adequate? If they were not, of what use then is the result? In that situation, even if the engagement client were to be implementing adequate and effective governance, risk management and control processes, it would be more by sheer luck rather than through deliberate action because the engagement client would not have been able to properly assess whether the adequacy and effectiveness of the processes.

In light of the above, the link between the information required during the opening meeting and how it helps in deciding on the engagement objective should be clear.

For completeness, the internal auditor in charge of the engagement would also consider the representation by the engagement client regarding “The opportunities for making significant improvements to the activity’s governance, risk management and control processes”.

I referred earlier to the exercise of due professional care, the definitions of internal auditing, added value, assurance services and consulting services. Consideration of these, in addition to those explicitly mentioned in the 2210 group of standards, should also be considered and incorporated in support of the decision on the engagement objective

As mentioned before, having analysed, evaluated documented the evidence collected, and satisfied himself/herself that his/her decision is supported by that evidence, the internal auditor in charge of the engagement should present it to the CAE/delegate for review before going on.

It needs to be explicitly stated that in internal auditing, as discussed previously, there are only two legitimate engagement objectives, as represented by the engagement types. One is to provide an independent assessment of governance, risk management and control processes and the other is to provide advice of the governance, risk management and control processes.

There is no other engagement objective in internal auditing.

Beginning of Chapter

Table of Contents

Chapter 5 The engagement scope

The CAE/delegate having agreed with the internal auditor in charge of the engagement, the way is now clear for the engagement scope to be decided on.

2220 requires that “The established scope must be sufficient to achieve the objectives of the engagement.

This is enough information but the mandatory guidance, 2220.A1, goes on to say “The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

Essentially the engagement scope is a selection of the organisational objectives the engagement will assess (assuming an assurance engagement) whether adequate and effective governance, risk management and control processes were applied to.

For a consulting engagement, the engagement scope would be tailored, as agreed with the engagement client, to the deficiencies discovered during the previous section.

We need to point out that although we will be concentrating on assurance engagement requirements, knowledge of what such engagement will assess helps in the composition of the consulting engagement scope.

The “relevant systems, records, personnel, and physical properties, including those under the control of third parties” referred to derive from those organisational objectives.

The internal auditor in charge of the engagement merely has to satisfy himself/herself that that selection of organisational objectives is sufficient to achieve the engagement objective.

The choice of organisational objectives should represent a broad enough spectrum of the activities of the engagement area. The engagement opinion at the end of the engagement seeks to say that it properly reflects how the governance, risk management and control processes are applied in the engagement area, irrespective of organisational objective. The chosen organisational objectives are therefore a representative sample of the engagement area activities.

There is a lot to evaluate, something lost to those internal auditors who concern themselves with activities outside the scope of internal auditing. So much so, I dare say, it is impossible and inefficient to attempt to assess even the selected organisational objectives on everything. The internal auditor may decide to evaluate some objective aspects thereof on one or the other of the components.

That decision is part of the specification of the engagement scope and once made, should as usual be presented for review by the CAE/delegate, with the justification thereof.

Beginning of chapter

Table of Contents

Chapter 6 The engagement work program

2240 says “Internal auditors must develop and document work programs that achieve the engagement objectives.

Both engagement scope and engagement work program deal with the amount of work required to achieve the engagement objective, the only difference being that the latter is more detailed than the former.

Since the engagement objective and engagement scope have already been approved, it makes sense that the detail of that work be also approved before the allocation of staff, whose only impact really, as shall be seen from the discussion of the engagement work program, is on how long it will take to conclude the engagement.

Achievement of the engagement objective is not negotiable. Resource allocation only affects when the objective will be achieved.

The other reason is that while the internal auditor in charge of the engagement is mostly in full control of all the other aspects of engagement planning, as long as sufficient information is obtained to support his/her decisions, the allocation of resources is mostly outside of his/her control.

By getting all the required approvals up front, the onus is then put on those who approved them, the CAE/delegate, to provide the required resources to cater for any time constraints.

The internal auditor in charge of the engagement is responsible for identifying information to achieve the engagement objective. He/she will know this from her internal audit experience and competence. That is why he/she is in charge of the engagement. This is not part of the engagement work program but simply preparation for it.

Once that information has been identified, he/she then has to issue instructions to the junior internal auditors, (that is what the engagement work program is), detailing what information to collect, how to analyse it, how to evaluate it and how to document it.

For the sake of the efficiency and effectiveness of the engagement, these instructions must be detailed so that they can be executed correctly first time. This is where the internal auditor in charge really earns his/her stripes.

Yes, the information to collect has been specified, but from whom in what format, for what period (remember internal auditing is concerned about what is happening now rather than history), how is it to be rearranged during analysis, what criteria are to be used to evaluate the information.

A well-developed engagement work program is a very powerful educational tool.

Of course, the internal auditor in charge may involve the junior internal auditors who have been with him/her in the development of the engagement work program. Their presence would have ideally have been preceded by having performed internal audit engagements where they saw the quality of engagement work programs required.

The engagement work program must be presented for approval to the CAE/delegate before execution.

It is my firm belief, based on the overall responsibility for the engagement of the CAE, that where an internal audit service provider is involved, it be explicitly made clear whether or not approval of the engagement work program is delegated or not, or for that matter which of the above activities are included in the delegation.

While it is accepted that there may be changes in the engagement work program, which also need prompt approval, this is the last normal chance to influence a work related activity. Changes later on almost always involve inefficiency and ineffectiveness somewhere.

Beginning of chapter

Table of Contents

Chapter 7 Engagement Resource Allocation

2230 says the following regarding engagement resource allocation, “Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

Given how detailed engagement work programs have to be, the only concerns, and they are related, are time constraints and available resources.

Based on the approved work program, the internal auditor in charge should be able to estimate how many hours will be required to complete the engagement and to present expected completion time for given resources.

The detailed work having been approved, the CAE/delegate will now have to strike a balance between the time constraints and the available resources, if necessary. In essence, the time constraints could be renegotiated or resources to meet the time constraints made available.

Of course there is the option of reducing the engagement scope and therefore engagement work program. in my opinion, that would be a poor option, reflecting dereliction of duty on the part of the CAE/delegate, in that at their level, they should have ensured that the engagement scope and engagement work program are the minimum required to achieve the engagement objective. Lowering that bar therefore seems to me that it would be such an admission, which CAEs/delegates are loath to make.

Beginning of chapter

Table of Contents

Chapter 8 Conclusion

There are only TWO legitimate internal audit engagement objectives. Added value is conducting the appropriate one of the two for particular circumstances. Impairment of either independence or objectivity is present when engagement objective or engagement scope is not determined at the appropriate stage by the internal auditor in charge of the engagement. The impact of non-conformances to the Standards do not disappear simply because internal auditors do not report them as required, they are felt by organisations sooner or later, fortunately for internal auditing, they do not know what hit them.

Any internal auditor professing to be conducting internal auditing according to the IIA standards (of course you know that unless the context dictates otherwise, this means the mandatory IPPF guidance), MUST consider whether he/she really does so, in light of the following guidance from the IIA:

“The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.” 2100

“The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.” Added value

“An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.” Assurance services

“Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.”

“…It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Internal auditing

“Internal auditors must exercise due professional care by considering the … cost of assurance in relation to potential benefits.” 1220.A1

“Internal auditors must exercise due professional care during a consulting engagement by considering the … cost of the consulting engagement in relation to potential benefits.”

“Adequate criteria are needed to evaluate governance, risk management, and controls. … If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria.” 2210.A3

“Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.” 2200

“Objectives must be established for each engagement.” 2210

“The established scope must be sufficient to achieve the objectives of the engagement.” 2220

“Internal auditors must develop and document work programs that achieve the engagement objectives.” 2240

“Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.” 2230

“Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.” 1100 interpretation

“Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made.” 1100 interpretation

“The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.” 1110.A1

“If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.” 1130

“When non-conformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the non-conformance and the impact to senior management and the board.” 1322

“When non-conformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the:

1. Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;

2. Reason(s) for non-conformance; and

3. Impact of non-conformance on the engagement and the communicated engagement results.” 2431

Code of Ethics

Integrity – The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

*
p<>{color:#000;}. Internal auditors shall perform their work with honesty, diligence, and responsibility.

*
p<>{color:#000;}. Internal auditors shall observe the law and make disclosures expected by the law and the profession.

*
p<>{color:#000;}. Internal auditors shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.

*
p<>{color:#000;}. Internal auditors shall respect and contribute to the legitimate and ethical objectives of the organization.

Objectivity – Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments

*
p<>{color:#000;}. Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.

*
p<>{color:#000;}. Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment.

*
p<>{color:#000;}. Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

Confidentiality – Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

*
p<>{color:#000;}. Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.

*
p<>{color:#000;}. Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

Competency – Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

*
p<>{color:#000;}. Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience.

*
p<>{color:#000;}. Internal auditors shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.

*
p<>{color:#000;}. Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services.

Beginning of chapter

Table of Contents


Internal Audit Engagement Planning

Internal audit engagement planning determines whether or not an internal audit engagement will be conducted, and whether or not the appropriate internal audit engagement will be conducted. It is the most evident differentiator between internal auditing and external auditing. It is my belief that more than 90% fo organisations in the world have never experienced internal audit engagement planning. When internal audit activities do not conduct internal audit engagement planning properly, the consequences are felt sooner or later. Fortunately for internal auditing, the organisations involved do not know what hit them and of course, the culprits won't confess!

  • ISBN: 9781311385192
  • Author: Kaya Kwinana
  • Published: 2016-01-01 04:40:07
  • Words: 5511
Internal Audit Engagement Planning Internal Audit Engagement Planning