Standard 2300 Performing the engagement
Performing the engagement
The Standard states:
Internal auditors must identify, analyse, evaluate, and document sufficient information to achieve the engagement’s objectives.
The standards do not specify the format, presentation, maintenance or supervision of engagements; these remain within the gift of the Chief Internal Auditor (CIA) who is ultimately responsible for the audit work undertaken and conclusions reached. With this in mind the CIA should establish their own operating policies, procedures and templates which are documented within the Internal Audit Manual (IAM). Working papers to evidence the work undertaken can be maintained in either hard copy (physical) or soft copy (electronic) files.
The key objective is to establish working processes that ensure the golden thread exists between the Audit Planning Brief, performance, the conclusions reached and reported outcomes, so that a prudent, informed person would reach the same conclusion. The litmus test being that another person could open the audit file repeat the engagement, confirm outcomes, consider results and come to materially the same conclusion.
When undertaking engagements:
- The auditor should follow the audit plan established during the Engagement Planning process and documented within the Audit Planning Brief; following a systematic approach to identifying, obtaining, analysing, evaluating and documenting sufficient audit evidence.
- Document and review the design of controls; if the design of a control is immediately lacking then it is not necessary to test its effectiveness, as even if it is being applied consistently an improvement regarding the design weakness remains.
- Where design is deemed appropriate its effectiveness should be tested; this analysis may be performed through either manual or analytical audit techniques. The auditor’s approach to analysis should clearly document the population, sampling process and method (if applicable), however, the auditor should avoid excessive narrative on test schedules unless required to explain specific exceptions.
- Manual audit processes include walk-through, verification, completeness, reperformance and confirmation. The auditor should evidence their work through obtaining examples, photocopies, scans or screenshots to evidence their thought process and support the conclusions of their work.
- Analytical audit processes include benchmarking, forecasts, ratio analysis, reasonableness and investigation of exceptions. The auditor should evidence their thought process, data collection, analysis methods, outcomes and summarise the conclusions of their work.
- Supervision of audit teams should be undertaken to assure the CIA over quality and provide for the development of staff; the supervisory environment, processes and evidencing should be clearly documented within the IAM.
- Supervisor review should assist in achieving the intended objective that another person could open the audit file repeat the engagement, confirm outcomes, consider results and come materially to the same conclusion. To this end; the supervisor ensures that the information, testing and results support the conclusions reached by the auditor in their working papers.
- Documented review and clearance of review points demonstrates the effective supervision and oversight of the audit process; whilst it is not strictly necessary to keep a record of cleared review points, it can provide valuable intelligence when identifying and developing individual and group training.
- Clear referencing system should be consistently adopted with working papers cross-referenced to the appropriate section of the audit work programme.
Core Evidence Demonstrating Compliance
- Adoption of consistent working paper formats (included within IAM)
- Clearly explain testing & sample methodology used
- Clearly evidence supervision & clearance of review points
The Brief provides the auditor with the ‘plan’ against which the engagement is delivered; the objective thereafter is for the auditor to evidence the work they have undertaken to fulfil the plan and which another suitably qualified and experienced individual could repeat, confirming outcomes and materially arrive at the same conclusion.
The adoption of specific working paper formats is useful to ensuring that work is sufficiently and consistently documented; however, it is evidence of the thought process followed and outcomes which is most important. Supervision and internal quality review processes should seek to verify the accuracy of work undertaken, sufficiency of evidence to support the audit outcomes and evidence any review points which feed continuous improvement processes.
Formats and process should be documented within the IAM.