Potential Engagement Sources

Cards (22)

  • What does the performance standard 2020 "planning" state?
    The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.
  • Planning is done by the CAE working with SM and the board to understand what?
    • Organizational strategies.
    • Key business objectives.
    • Associated risks.
    • Risk management processes.
  • What does the implementation standard "planning" - 2010.A1 state? (hint: planning basis)
    The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
  • What does the implementation standard "planning" - 2010.A2 state?
    The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and conclusions.
  • What is used for developing the internal audit plan?
    • The expectations and requests of senior management, the board, and other stakeholders.
    • The internal audit activity’s ability to rely on the work of other internal and external assurance providers.
  • What does the implementation standard "planning" - 2010.C1 state?
    The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.
  • Both internal and external risks must be examined and linked to specific objectives and business processes to organize and prioritize the risks.
  • What are internal & external risks related to?
    • Internal risks may affect key products and services, personnel, and systems.
    • External risks may be related to competition, suppliers, or other industry issues.
  • What are the relevant risk factors for internal and external risks?
    • Internal risk factors: the degree of change in risk since last audited, the quality of controls, and others.
    • External risk factors: pending regulatory or legal changes, other political and economic factors, reputation risk, financial impacts.
  • What may an internal audit plan include?
    • A list of proposed audit engagements and whether the engagements are assurance or consulting in nature.
    • The rationale for selecting each proposed engagement.
    • Objectives and scope of each engagement.
    • A list of initiatives or projects that result from the IA strategy but may not be directly related to an internal audit, e.g., monitoring an ethics hotline or conducting fraud awareness training.
  • What does the audit universe include?
    • Major functions.
    • Operations.
    • Operating units.
    • Subsidiaries.
    • Third parties.
    • IT.
    • Business, service, and product lines.
    • Any applicable areas (e.g., financial reporting or compliance) that have an organization-wide impact and fall under the IA “umbrella” from an assurance coverage perspective.
    • Relevant regulatory mandates in highly regulated industries.
    • Independent compliance assessments of high-risk areas as mandated by government agency examiners.
  • There will be a number of functional areas or auditable units that may or may not need auditing in a given audit cycle.
  • The audit universe is not defined solely by operating entities, their overarching processes, and their related functional activities. What else does it encompass?
    It also encompasses the strategic plan and the controls management has in place to mitigate risks, achieve organizational goals and objectives, and ensure that stakeholder needs are being met.
  • What are strategic plans based on?
    Some degree of environmental analysis (environmental scanning) provides intelligence on what is and what will potentially be happening inside and outside the organization.
  • In SWOT analysis:
    • Strength and weakness reviews look at the organization’s internal capabilities.
    • Opportunities and threats are then focused mostly on external factors that can impact organizational success for good or for ill.
  • What factors do opportunity and threat reviews look at?
    • Legal factors
    • Regulatory factors
    • Market forces, industry trends, and the competition
    • Stakeholder groups
    • Technology trends and related internal capabilities
    • Customers
  • What are the responsibilities of executives and key operational managers?
    • Establishing plans.
    • Defining risk tolerances.
    • Allocating resources to achieve the plans.
    • Monitoring the activities being done to achieve the plans.
    • Reviewing results.
  • Management may have special projects that should be included in the audit universe. However, the internal audit function must have the competencies and resources required to perform such work for it to be accepted.
  • What are the most common techniques to solicit information from management and employees?
    • Interviews.
    • Focus groups.
    • Questionnaires/surveys.
  • Risk issues posed by current industry or economic situations could be valid sources for potential engagements.
  • The market for a product or service has a life cycle, and an industry that produces the product or service will be facing certain trends depending on changes in demand needs. What can these changes be driven by?
    • Technology changes.
    • Customer preference changes.
    • Societal shifts.
  • In some organizations, internal assurance functions (e.g., security, quality, health and safety) or external assurance providers (e.g., external auditors, regulators, partners) may be sources of potential engagements. Internal audit may review areas of weakness identified by these assurance functions and may also evaluate the quality of the assurance functions as part of the audit universe.