What does Performance Standard 2201, "Planning Considerations", state?
In planning the engagement, internal auditors must consider:
The strategies and objectives of the activity and how it controls its performance.
The significant risks to the objectives, resources, and operations and how the impact of risk is kept to an acceptable level.
The adequacy and effectiveness of the activity’s GRC processes compared to a relevant framework or model.
The opportunities for making significant improvements to the activity’s GRC processes.
When planning the engagements, the auditors typically need to gather information on client policies. They seek to understand IT systems used as well as the sources, types, and reliability of information used in processes.
What is a risk and control matrix also known as?
engagement-level or audit risk assessments
What is a risk and control matrix?
It is a useful tool to help ensure that internal auditors adequately account for risk at the engagement level and that all significant risks identified are addressed in subsequent fieldwork.
What information do risk and control matrices contain?
A risk and control matrix can be time-consuming to develop, but what are its benefits?
make the audit more effective and efficient by focusing on the greatest risk
tie the audit together by documenting the complete thought process from risk identification to audit program development
enable the area management to become a more effective control owner
facilitate participatory auditing
What are other uses of risk and control matrix?
Many organizations use the risk and control matrix to develop a list of controls to be tested during the internal audit. By including this level of detail, the matrix can also serve as the work/audit program for the engagement. Further, incorporating testing results can make the risk and control matrix the major workpaper.