
AUDIT PLANNING

Managing the Internal Audit Activity (IAA)


- The Chief Audit Executive (CAE) must effectively manage the IAA to ensure it adds value to the organization
- Add Value: The IAA adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

IPPF PS 2000

Annual Audit Plan


- Audit planning is a vital area of the audit, primarily conducted at the beginning of the audit process to ensure that appropriate attention is devoted to important areas, potential problems are promptly identified, work is completed expeditiously, and work is properly coordinated. "Audit planning" means developing a general strategy and a detailed approach for the expected nature, timing and extent of the audit. The auditor plans to perform the audit in an efficient and timely manner.

Annual Audit Plan


- The audit plan documents the IAA's objective, scope, timing, risk assessment of the audit universe, target auditable units, resource requirements (competencies and manpower), available resources, types of audits and frequency, and strategies/action plans
- Usually conducted at the beginning of the year; may cover one year or more than one year
- The risk-based audit plan must be approved by the board

Policies and Procedures


- The CAE must establish policies and procedures to guide the IAA.
- The form and content of policies and procedures are dependent upon the size and structure of the IAA and the complexity of its work.

Small IAA
- managed informally
- audit staff may be directed and controlled through daily, close supervision and memoranda containing policies and procedures

Large IAA
- more formal and comprehensive policies and procedures
  - Technical manuals
  - Administrative manuals

IPPF PS 2040

Policies and Procedures

[Diagram: IAA Policies and Procedures, covering Planning, Organizing, Directing, and Monitoring]

Planning: Policies and Procedures


Important policies and procedures (examples)
- Audit planning process is aligned with the organization's strategic objectives
- The perspectives of senior management and the board are considered in audit planning
- The process of audit planning ensures that all activities of the organization (audit universe) are considered for audit, risk-assessed, and prioritized
- There is a process of reporting progress toward achieving the established plan

IIA-P

Organizing: Policies and Procedures


Important policies and procedures (examples)
- Internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan
- The IAA collectively possesses or sources the knowledge, skills, and other competencies to perform its responsibilities
- Internal auditors display due professional care in the performance of their responsibilities
- Continuing professional development is provided to allow internal auditors to enhance their knowledge, skills, and other competencies

IIA-P

Directing: Policies and Procedures


Important policies and procedures (examples)
- Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed (PS 2340)
- The CAE or designee is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the CAE delegates these duties, he or she retains overall responsibility (PS 2440)

IIA-P

Monitoring: Policies and Procedures


Important policies and procedures (examples)
- The CAE must report periodically to senior management and the board on the IAA's performance relative to its plan
- Internal assessments must include:
  - Ongoing monitoring of the performance of the IAA, and
  - Periodic review performed through self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices (AS1311)
- The CAE must establish and maintain a system to monitor the disposition of results communicated to management (PS 2500)

IIA-P

Direct Interaction with the Board


The CAE must communicate and interact directly with the
board.
- Regular attendance & participation in board meetings on auditing, control, financial reporting & organizational governance
- Private meetings at least annually

Audit Planning
- The CAE must establish a risk-based plan to determine the priorities of the IAA, consistent with the organization's goals.
- The IAA's plan of engagements must be based on a documented risk assessment, undertaken at least annually.
- The input of senior management and the board must be considered in this process.

IPPF PS 2010

Audit Planning
- The CAE takes into account the organization's risk management framework, and risk appetite levels set by management for the different activities or parts of the organization
- If there is no framework, the CAE uses his/her own judgment of risks after considering input from the senior management and the board
- The CAE must review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls

IPPF PS 2010

Audit Planning
- The CAE must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions (2010.A1)
- The CAE should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. (PS 2010.A1)
- Accepted engagements must be included in the plan. (PS 2010.A1)

IPPF PS 2010

Mandatory Considerations for IA Risk-based Plan

- Consistent with the goals of the organization
- Based on a documented risk assessment, undertaken at least annually
- Input of senior management and the board
- Changes in the organization's business, risks, operations, programs, systems, and controls
- Expectations of senior management, board and other stakeholders for IA opinions and conclusions
- Includes accepted consulting engagements to the annual audit plan
- Overall opinion on controls, risk management and governance
IIA-P

Why Risk-Based?
- ISPPIA mandate
- Regulatory reasons: banks, corporations, etc.
- Changes happening constantly externally and internally
- Increasing fraud risks
- Broad audit universe
- Limited budget
- Limited manpower and fast turnover of audit personnel
- Limited expertise, especially technical skills

IIA-P

ISPPIA Mandate
- The IAA must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic, disciplined approach (PS 2100)
- The CAE must establish a risk-based plan to determine the priorities of the IAA, consistent with the organization's goals. (PS 2010)
- The IAA's plan of engagements must be based on a documented risk assessment, undertaken at least annually. (PS 2010)

Mandate of the Code of Corporate Governance

- Provide oversight over Management's activities in managing credit, market, liquidity, operational, legal, and other risks of the corporation. This function should include regular receipt from Management of information on risk exposures and risk management activities.
  - Function of the Audit Committee, Code of Corporate Governance, SEC Memorandum Circular No. 6 (effective July 15, 2009)
- The internal auditors should submit an annual report that includes significant risk exposures, control issues and such other matters as may be needed or requested by the Board and Management.
  - Accountability and Audit, Code of Corporate Governance, SEC Memorandum Circular No. 6 (effective July 15, 2009)

BSP Circular No. 499, series of 2005


Subsec. X164.3 Qualification Standards of the Internal Auditor

- The internal auditor should conform with the Code of Professional Ethics for CPAs and ensure compliance with sound internal auditing standards, such as the IIA's ISPPIA, and other supplemental standards issued by regulatory authorities/government agencies. The Standards address independence and objectivity, professional proficiency, scope of work, performance of audit work, management of internal audit, quality assurance reviews, communication, and monitoring of results

Top Approaches Used by Internal Auditors in Establishing their Internal Audit Plan

Approach                                                  2010
Use of a risk-based methodology                           21.9%
Requests from management                                  18.1%
Consult previous year's audit plan                        15.3%
Consultation with divisional or business heads            14.2%
Compliance/regulatory requirements                        13.9%
Audit committee requests                                  12.6%
Requests from or consultation with external auditors       8.2%
Other                                                      2.1%

IIA-P

IA Planning Process
[Diagram: IA planning cycle with the steps Understanding the Process, Conduct Risk Assessment, Identify and Select Engagements, Identify Resource Requirements, Prepare IA Plan, Report and Approve IA Plan, and Monitor IA Plan]

IIA-P

Understanding the Business

[Planning step: Understanding the Process]

- Review of the organization's strategic plan
  - A strategic plan is a document used to communicate the organization's goals, the actions needed to achieve those goals, and all of the other critical elements developed during the strategic planning exercise.
- By incorporating components of the organization's strategic plan, the audit universe will consider and reflect the overall business objectives.
- Strategic plans also likely reflect the organization's attitude toward risk and the degree of difficulty in achieving planned objectives

IIA-P

Understanding the Business


- The organization's strategic plan considers the environment in which the organization operates

Internal
- Governance, organizational structure, roles, and accountabilities
- Policies and objectives
- Information system
- Business models
- Financial

External
- Regulations
- Technology
- Economy
- Competition

IPPF PS 2000

Business Analysis Framework


Market Overview
- Competitive Environment
- Regulatory Environment
- Macro-economic environment

Strategy
- Goals and Objectives
- Organizational Design
- Governance

Value Creating Activities
- Customers
- People
- Innovation
- Brands
- Supply Chain
- Environmental, Social, and Ethical

Financial Performance
- Financial Position
- Risk Profile
- Economic Performance
- Segmental Analysis
- Accounting Policies

IIA-P

Audit Universe
- Audit universe: a list of all the possible audit engagements that could be performed

Business Unit Based
- Scope includes business unit/specific tasks/project/program
- Review focuses on documentation and compliance

Process Based
- Scope is expanded to include links of business units/tasks to broader systems
- Review focuses not only on compliance but also effectiveness of the process

IPPF PS 2000

Business Process
- Business Process is a set of connected activities linked with each other for the purpose of achieving one or more business objectives
  - Strategic management
  - Core business
  - Resource management

Glossary, The IIA's Global Internal Audit Survey

Risk Assessment in IA Planning


[Planning step: Conduct Risk Assessment]

- The identification and analysis (typically in terms of impact and likelihood) of relevant risks to the achievement of an organization's objectives
- Forming a basis for determining how the risks should be managed

IIA-P

Purpose of Risk Assessment


- Gain an understanding of the risks that threaten achievement of strategic objectives
- Develop foundations that will assist in identifying business processes or activities that mitigate strategic risks and to focus process-level assessment
- Develop the basis for the internal audit plan (single or multi-year)

IIA-P

Inherent or Residual Risk?


- Inherent Risk
  - Financial/external auditors have long had a concept of inherent risk that can be summarized as the susceptibility of information or data to a material misstatement, assuming that there are no related mitigating controls.
- Residual Risk (Current Risk)
  - The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.
  - It is the risk managed within existing controls or control system

IPPF PA 2010-2

Focus of IA Plan
- Unacceptable current risks where management action is required. These would be areas with minimal key controls or mitigating factors that senior management wants audited immediately
- Areas where the inherent risk is above the risk tolerance of senior management and the audit committee
- Control systems on which the organization is most reliant
- Areas where the differential is great between inherent risk and residual risk

IPPF PA 2010-2

ERM Role in IA Planning


- Enterprise Risk Management (ERM) is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of objectives.

IPPF PA 2010-2

ERM Role in IA Planning


- Internal audit planning needs to make use of the organizational risk management framework, where one has been developed
- Including using risk appetite levels set by management for the different activities or parts of the organization
- Internal auditors assess the organization's risk management process and determine what parts can be used in developing the internal audit activity's plan and what parts can be used for planning individual internal audit assignments

IPPF PA 2010-2

What if the organization does not have a formal risk management framework?

- The CAE first considers the input of senior management and the audit committee
- Then uses his/her judgment about risks

IPPF PS 2010

Audit Planning Without ERM


- In planning an engagement, the internal auditor considers the significant risk of the activity and the means by which management mitigates the risk to an acceptable level
- The internal auditor uses risk assessment techniques in developing the IAA's plan and in determining priorities for allocating internal audit resources
- Risk assessment is used to examine auditable units and select areas for review to include in the IAA's plan that have the greatest risk exposure

IPPF PA 2010-2

Risk Assessment Process

1. Understand the vision, mission and strategic objectives
2. Conduct entity or business-level risk assessment
3. Analyze relationship of risks to audit universe elements (risk sourcing)
4. Prioritize engagement projects

IIA-P

Risk Assessment Process


An overall process of risk identification, analysis, and evaluation.

IDENTIFY
- What can go wrong?
- Where/When can it happen?

ANALYZE
- What is the likely cause?
- What is the impact?
- What is the likelihood?

EVALUATE
- Which should be attended first?
- Which should be handled directly/can be delegated?

IIA-P

Risk Identification Techniques

- Brainstorming
- Questionnaire
- Industry benchmarking
- Scenario analysis
- Risk assessment workshops
- Incident investigation
- Auditing and inspection

IIA-P

Risk Sourcing
Processes                          Risk 1   Risk 2   Risk 3   Risk 4   Risk 5
Strategy management process
  Corporate planning
  Risk management
Core business
  Product conceptualization
  Research and development
  Prototyping
  Manufacturing
  Distribution
Resource management
  Finance and accounting
  Human resource
  Information and management
  Legal and tax

IIA-P

Risk Sourcing
[Matrix: the processes above plotted against Risk 1 to Risk 5, with "x" marks linking risks to processes]

IIA-P

Other Factors Affecting Selection of Projects

- Quality of internal control system (based on previous audit result)
- Competence of management
- Integrity of management
- Size of unit
- Recent change in accounting system
- Complexity of operations
- Liquidity of assets
- Recent change in key personnel
- Economic condition of unit
- Rapid growth
- Extent of computerized data processing
- Time since last audit
- Extent of government regulation

IIA-P

Audit Project Prioritization


Weight   Criteria                                  Rate
30%      Quality of internal control system
           Ineffective                             3
           Fairly Effective                        2
           Effective                               1
40%      Required by regulators to be audited
           Annually                                3
           Every 2 years                           2
           Every 3 years                           1
10%      Date of last audit
           More than 2 years                       3
           1 year to less than 2 years             2
           Less than 1 year                        1
20%      Complexity of operations
           Very complex                            3
           Moderately complex                      2
           Simple                                  1
100%

1. The planner ranks each auditable item in each category
2. Multiply that number by the weight on the left
3. All risks are summed for the total point ranking of the activity

Risk Scoring: Finance and Accounting

Weight   Criteria                                  Rate                Score
30%      Quality of internal control system        Fairly Effective    0.6
40%      Required by regulators to be audited      Annually            1.2
10%      Date of last audit                        Less than 1 year    0.1
20%      Complexity of operations                  Very complex        0.6
         TOTAL                                                         2.5

1. The planner ranks each auditable item in each category
2. Multiply that number by the weight on the left
3. All risks are summed for the total point ranking of the activity

Types of Engagements

[Planning step: Identify and Select Engagements]

The internal auditor will, as a result of conducting a strategic audit planning process, be able to identify different kinds of activities to include in the IAA's plan including:
- Control reviews/assurance activities where the internal auditor reviews the adequacy and efficiency of the control system and provides assurance that the controls are working and the risks are effectively managed
- Inquiry activities where organizational management has an unacceptable level of uncertainty about the controls related to a business activity or identified risk area and the internal auditor performs procedures to gain a better understanding of the residual risk
- Consulting activities where the internal auditor advises organizational management in the development of the control systems to mitigate unacceptable risks
PA 2010-2

Resource Management

[Planning step: Identify Resource Requirements]

The CAE must ensure that the internal audit resources are:
- Appropriate
- Sufficient, and
- Effectively deployed
to achieve the approved plan

Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan

Sufficient refers to the quantity of resources needed to accomplish the plan

Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan

IPPF PS 2030

Resource Planning
- The CAE is primarily responsible for the sufficiency and management of internal audit resources in a manner that ensures the fulfillment of internal audit's responsibilities, as detailed in the internal audit charter.
- This includes effective communication of resource needs and reporting status to senior management and the board.
- Ensuring the adequacy of internal audit resources is ultimately a responsibility of the organization's senior management and board
- The CAE should assist them in discharging this responsibility

PA 2030-1

IA Resource Requirements
- Employees: skills, capabilities, and technical knowledge of the internal audit staff
- External service providers, employees from other departments within the organization, or specialized consultants
- Technology-based audit techniques
- Financial budget

PA 2030-1

Resource Planning Considerations


- The staffing analysis or plan considers the:
  - Audit universe
  - Relevant risk levels
  - Internal audit plan
  - Coverage expectations
  - Estimate of unanticipated activities (fraud, requests from management and audit committee)
  - Monitoring and follow-up of audit recommendations
  - Quality Assurance and Improvement Program
- The staffing plan or analysis should be realistic
- Skills assessment (performed periodically)

PA 2030-1

Effective Skills Deployment


- Assigning auditors who are competent and qualified for specific assignments
  - Technical knowledge
  - Language skills
  - Business acumen
  - Fraud detection and prevention competency
  - IT, accounting, and audit expertise
- Developing a resourcing approach and organizational structure appropriate for the business structure, risk profile, and geographical dispersion of the organization

IIA-P

Sourcing Options
- Full in-house staffing: only using internal resources
- Limited co-sourcing: internal resources perform majority of activity with outsourced resources providing specialized skills
- Significant co-sourcing: CAE is supported primarily by external resources
- Full outsourcing: external resources perform entire activity

PA 2010-2

Monitoring IA Resources
- The CAE periodically presents a summary of status and adequacy of resources to senior management and the board
  - Comparisons of resources to the internal audit plan
  - Impact of temporary shortages or vacancies
  - Educational and training activities
  - Changes to specific skill needs based on changes in the organization's business, operations, programs, systems, and controls

PA 2010-2

Development of the IA Plan

[Planning step: Prepare IA Plan]

Objectives of the IA Plan
- Provide senior management and the board with assurance and information to help them accomplish the organization's objectives
- Includes assessment of the effectiveness of management's risk management activities

Basis of the IA plan
- Assessment of risks and exposures affecting the organization
- Audit universe
- Input from senior management and board

IIA-P

Elements of the IA Plan


- Engagement type and work schedule
- Staffing plan
- Financial budget

PA 2010-2

Engagement Work Schedule


- Carry-over projects (from previous years)
- Audit projects based on
  - Risk assessment
  - Management requests
  - Board requests
- Accepted consulting activities
- Internal audit planning activities
- Processes that will be reviewed
- QAIP activities
- Man-days/man hours per project/activity
- Scheduled date, month, quarter for activities

IIA-P

Communication and Approval


[Planning step: Report and Approve IA Plan]

- The CAE must communicate the IAA's plan and resource requirements, including significant interim changes, to senior management and the board for review and approval.
- The CAE must also communicate the impact of resource limitations

PA 2010-2

Communication and Approval


- The CAE will submit annually to senior management and the board for review and approval a summary of the internal audit plan, work schedule, staffing plan, and financial budget.
- This summary will inform senior management and the board of the scope of internal audit work and of any limitations placed on that scope.
- The CAE will also submit all significant interim changes for approval and information.

PA 2010-2

Communication of IA Plan
What to communicate
- Summary of IAA's plans
- IAA's resource requirements (staffing and financial budget)
- Significant interim changes
- Impact of resource limitations

To whom and for what purpose
- Senior management and the board
- Review and approval

Frequency: annually
IIA-P