
Course Name: Internal Auditing and Controls
Module: 4
Module Title: Planning the Internal Audit

Lectures and handouts by: Chuck Campbell


Copyright The Certified General Accountants Association of British Columbia. All rights reserved.

Planning the internal audit Module 4


This module covers the planning phase of internal auditing. Internal audit planning ranges from long-term planning which sets the overall strategic audit direction for several years, to annual audit plans and finally to planning a specific audit engagement. A comprehensive case study will help demonstrate the points made in the course notes, readings and lectures.

Internal Auditing & Controls


Module 4

Part 1
Topic 4.1 The internal auditing process
Topic 4.2 Internal audit planning process

Part 2
Topic 4.3 Long-term planning overview
Topic 4.4 Long-term planning risk assessment matrix
Topic 4.5 Long-term planning case study

Part 3
Topic 4.6 Short-term (annual) audit planning

Part 4
Topic 4.7 Engagement planning
Topic 4.8 Engagement planning case study

Part 5
Module summary
Learning objectives
Recent examination questions
Assignment hints

Internal Auditing & Controls Module 4


Part 1
Topic 4.1 The internal auditing process
Topic 4.2 Internal audit planning process

Phases in the internal audit process

1. The planning phase, which determines what will be audited and how frequently. This will be the subject matter of this module.
2. The examination phase, where internal auditors perform specific audits following the audit programs developed in the planning phase. This phase consists of gathering audit evidence, analyzing it and reaching conclusions on the subject matter of the audit. (This will be covered in Module 5.)
3. The reporting phase, in which the auditors report their findings to the management of the audited unit and to senior management. (This will be covered in Module 6 of this course.)
4. The monitoring phase, in which the internal auditor determines the extent to which management has implemented corrective action to address reported weaknesses and the degree to which the actions have remedied the weaknesses. (This will also be addressed in Module 6.)

Purpose of internal audit planning

Audit planning is necessary in order to ensure that the audit resources used produce the greatest benefit for the organization. Long-term audit planning involves identifying those areas with the greatest potential risk to the organization in order to assess if management's efforts to keep the risks within acceptable levels are adequate and effective. Annual audit plans and engagement plans for specific audits carry through with maximizing the benefit to the organization of its internal audit activities.

Ethical considerations in the audit process


Ethical considerations apply throughout the internal audit process:

- in the planning phase, you must incorporate the organization's ethical policies and ethical responsibilities;
- in the examination phase, you must use ethical ways of obtaining audit evidence;
- in the reporting phase, you must report with fairness and objectivity;
- in the monitoring phase, you must use ethical monitoring methods.

The internal audit planning process

Internal audit planning consists of four steps:

1. Gaining knowledge of the organization.
2. Preparing the long-term audit plan.
3. Preparing the annual audit plan.
4. Preparing plans for specific internal audit engagements, including developing audit programs.

Part 2
Topic 4.3 Long-term planning overview
Topic 4.4 Long-term planning risk assessment matrix
Topic 4.5 Long-term planning case study

Overview of the long-term planning process


1. Define the audit universe.
2. Perform an overall risk assessment.
3. Determine the frequency of audits.
4. Prepare the long-term audit plan (and have it approved).

Defining the audit universe


The audit universe must consist of all auditable activities or units. Auditable activities include:

- policies, procedures and practices
- cost centres, profit centres and investment centres
- general ledger account balances
- information systems
- major contracts
- major programs
- organizational units such as product or service lines
- functions such as purchasing, marketing, treasury
- transaction systems such as sales or payroll
- compliance with laws and regulations
- geographical locations such as plants or sales offices

Performing an overall risk assessment

In performing an overall risk assessment, the internal auditor considers three factors:

1. controllability (which measures the ability of those in the organization to control specific risks)
2. likelihood that a weakness will occur (a combination of inherent risk and control risk)
3. impact of that weakness, if it does occur

The overall risk is the product of the likelihood and impact.

Using assurance maps

Assurance mapping can be performed to identify significant risks with inadequate coverage and areas of duplicated assurance coverage. The internal audit activity needs to consider areas of inadequate coverage when developing its audit plan.

An assurance map includes:

- identification of the significant risk category
- who is responsible for managing the risk
- risk assessments (likelihood and impact)
- extent of external audit coverage of the risk
- extent of internal audit coverage of the risk
- extent of coverage by other assurance providers, both internal and external to the organization.

Using a risk assessment matrix

Current (or residual) risk is the product of likelihood and impact after taking into account the effectiveness of risk management activities (including internal controls). Risk ranking for purposes of audit planning uses a risk factor which is the product of likelihood, impact and controllability.

Factors affecting the assessment of likelihood or inherent risk


- The complexity of the activity or function
- The nature of the function, activity or operations
- The frequency of changes in personnel or procedures
- Staff and management's grasp of operations
- Environmental pressures
- Competency of personnel
- Expressed concerns of management
- Previous audit results
- Management's response to prior audit recommendations
- Management and corporate values and attitudes
- Competitive market conditions
- Impact of government regulations
- Political risk (particularly of foreign operations)

Factors in assessing the impact of weaknesses

- The financial impact
- The impact on continuity of operations
- The impact on competitiveness
- The impact on customer service and reputation
- Legal consequences
- Impact on public or regulatory relations

Preparing the long-term audit plan

Input can be obtained from managers throughout the organization. The final risk rankings must reflect the thinking of the internal audit group. Auditable entities are ranked from highest to lowest based on the three relevant factors (likelihood, impact and controllability). A risk-based audit plan is developed based on the risk rankings.

Chuckle Belly Toys case study

- Review the case study (Topic 4.5 in your module notes).
- Outline the advantages of preparing a risk-based long-term audit plan.
- Outline the process used in preparing a risk-based long-term audit plan.

Part 3
Topic 4.6 Short-term (annual) audit planning

The annual audit plan

1. The short-term or annual audit plan is based on the long-term strategic internal audit plan.
2. The long-term plan should be updated to reflect the work done in the previous year.
3. Risk assessments should be reviewed annually to identify significant changes to the organization (and the risks that it faces) and/or its risk management, control and governance processes.
4. Specific requests and concerns of management and the audit committee should be taken into account.
5. Scheduling must take into account the specific skill set required for each audit engagement.
6. Allowance must be made for new issues that may arise during the year.

Part 4
Topic 4.7 Engagement planning
Topic 4.8 Engagement planning case study

Planning the internal audit engagement


1. Obtain specific knowledge (background information) about the unit to be audited.
2. Establish the audit objectives and scope for the engagement.
3. Determine the audit methodology to be used.
4. Set audit criteria.
5. Prepare staffing plans and time budgets.
6. Communicate with those to be audited.
7. Draft the audit program for the engagement.

Sources of information about the unit to be audited


- Organization charts
- Mission statements
- Policy and procedure documents
- Systems descriptions
- Earlier internal audit reports
- External auditors' management letters
- Consultants' reports
- Management reports
- Minutes of boards and committees
- Corporate and operational plans
- Budgets and forecasts
- Discussions with management and other personnel

The audit objectives and scope

The audit objectives must address the risks, controls and governance processes associated with the activity under review and should be based on a preliminary assessment of risk.

The audit scope defines the function or organizational unit to be reviewed and the activities and time period to be covered by the audit. The scope must be wide enough to permit accomplishment of the audit objectives for the engagement.

Determine the audit approach or methodology

The auditor will sometimes have a choice of approaches to the audit to be performed. Specific methodologies such as information systems audits, control self-assessment exercises, compliance audits, etc. may be appropriate for a specific audit. The methodology and approach must be designed taking into account the audit objectives and scope and the risk assessment which has preceded the audit. The methodology used will be designed to gather sufficient, appropriate evidence to allow the internal auditor to draw the necessary conclusions concerning the risk management, control and/or governance processes for the unit and activities being audited.

Setting audit criteria


Audit criteria are the standards against which actual performance is to be compared in assessing the risk management, control and governance processes of the unit being audited. Audit criteria should be agreed with the management of the unit being audited prior to the start of audit work.


Sources of audit criteria


Sources of audit criteria include:

- laws and regulations governing the organization
- policies, procedures and directives
- standards recommended by professional associations
- authoritative literature
- benchmarking studies
- earlier internal audits
- interviews with management of the organization
- advice and counsel from subject matter experts
- common sense and experience

The final steps in engagement planning

1. Preparation of staffing plans and time budgets. (These are based on the objectives, scope and methodology of the engagement, considered in the light of actual time taken in previous audits, the experience of the staff to be assigned to the engagement, etc.)
2. Communication with those to be audited. (Matters discussed should include timing, objectives and scope, criteria, assistance needed from the unit's personnel and the process for ongoing communication during the audit.)
3. Preparing the audit program. (This will be considered in detail in Module 5 of the course.)

Connon Chemicals Inc. case study

- Review the case study (Topic 4.8 in your module notes).
- Attempt to identify and assess the risks faced by Connon Chemicals when using outside toll manufacturers.
- Establish the objectives and scope of an audit of the company's toll manufacturing activities.

Part 5
Module summary -- Learning Objectives
Recent past examination questions
Assignment hints

Module 4 Learning Objectives

1. Identify the main phases of the internal auditing process and explain their purposes; explain how to incorporate ethics into the process. (Level 1)
2. Outline the steps for preparing the different types of plans in the planning phase of internal auditing. (Level 1)
3. Explain the steps for preparing a long-term audit plan, including how an audit universe is defined and factors that may affect overall risk assessment. (Level 2)
4. Explain how a risk-assessment matrix is used for long-term audit planning. (Level 2)
5. Outline the process of preparing a long-term audit plan. (Level 2)
6. Explain how the auditor plans a short-term (annual) audit plan. (Level 2)
7. Design a specific audit engagement (including determining the scope, objectives, and audit criteria), and list seven design areas that must be considered. (Level 1)
8. Design a plan for a specific audit engagement using information from a case study. (Level 1)

Recent examination questions


The examination blueprint specifies that 8%-10% of the questions on the course examination will come from Module 4.

Typical examination questions:

- Multiple choice questions

Assignment hints: Assignment 2

Question 2: You may set out your answer as a table within a properly formatted memo. The table should consist of one column listing the risks to which Canadian Wood Toys Inc. is exposed and a second column setting out possible methods of mitigating the identified risks.

Question 3: This question is typical of the exam questions for this course. You are expected to outline your presentation using Microsoft Word. Your answer should set out the steps in developing a long-term audit plan and the use of a risk assessment matrix in doing so.

Question 4: Your answer should address the first six of the seven steps in developing the audit plan for a specific internal audit engagement (preparing the audit program is specifically excluded).