TIAPS Module 1 Audit and Assurance workbook

10.04.2023 Views

• Determination of nature and scope: for assurance engagements this must include governance, risk management, and internal control; for consulting engagements it is a matter to be decided through discussion.
• Parties involved: assurance engagements are agreed with the involvement of the internal auditor, manager of the activity being audited, senior management, and the governing body; consulting engagements may be agreed between the internal auditor and manager of the activity being audited.

Despite these differences, assurance and advisory engagements have many synergies and do not need to be kept separate. There are advantages from conducting a blended engagement through which the auditor delivers both assurance and advice. Auditors are continuously increasing their knowledge and understanding about the organization and its internal and external operating environments. Indeed, the Standards require auditors to apply their knowledge gained through consulting to assurance engagements. It is common to conclude an assurance engagement with recommendations through which the auditor advises the manager of the audited activity on opportunities for innovation and improvement and this may be extended to include involvement with some of the developmental work.

Sometimes what is planned as an assurance engagement may be extended to include consulting as well. For example, the auditor may identify through the course of an assurance engagement that members of staff do not fully understand key concepts about risk management and internal control and as a result offers to provide training. Extensions to scope in this way need to be approved by the manager and audit supervisor.

It is also possible for an engagement that starts as consulting to be extended to include assurance too. For example, when an internal auditor participates as an advisor to an IT project, it may transpire that existing hardware and software controls need to be reviewed. The auditor will be able to test and provide assurance. Once again, extensions to engagements should be approved by the audit supervisor.

It is also possible for an engagement to be planned as a blend of assurance and consulting. Consideration should be given to the following as part of the planning process:

• Risk-based planning should ensure priority is given to the most significant risks, objectives, and activities. Where management is planning major projects – such as public administration reform, organizational restructuring, long-term financial strategies, IT upgrades, introduction of new services, or relocation of activities, personnel, and resources – internal audit may be invited to act as an advisor. This may create natural opportunities for blended engagements.
• Allocation of scarce resources should follow the risk-based prioritization of engagements. Efficiencies may be gained through planning a blended engagement.
• Significant findings and necessary follow-up resulting from prior engagements may also suggest opportunities for blended engagements.

C.1.5 Internal Audit Opinions

Auditors may be asked to provide an opinion either within an individual audit report or at a broader level. Assurance may be provided at the process, function, or entity level. This includes an opinion on the adequacy and effectiveness of governance, risk management, and internal control for the organization. In some situations, the head of internal audit is asked to offer such an opinion periodically. This may be limited to the system of internal control or enterprise risk management (ERM). Such an opinion may be more limited still, such as an opinion of internal control over financial reporting or for aspects of compliance.

When asked to provide such an opinion, the head of internal audit may plan a specific audit engagement but is also likely to draw upon the results of multiple engagements. The opinion may be expressed in terms of a grade for the level of assurance (such as by “traffic lights” red, yellow (amber), or green, or a grade from 1-4). The assurance may be expressed as reasonable (or positive) assurance or limited (or negative) assurance, although such terms are not defined in the IPPF (see section C.1.1). However, The IIA allows for internal auditors providing an opinion in the form of reasonable or limited assurance in its Practice Guide: Formulating and Expressing Internal Audit Opinions. [47] Whatever form it takes, it is important there is clear understanding about the meaning and the basis on which the opinion is given.

Macro level opinions are usually based on multiple engagements. This requires care as the findings may have been gathered over different periods of time using different criteria. Other evidence may be drawn from multiple formal and informal sources, placing appropriate reliance according to the characteristics of each. According to the Practice Guide, macro level opinions may include:

• An opinion on the organization’s overall system of internal control over financial reporting.
• An opinion on the organization’s controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries.
• An opinion on the effectiveness of controls such as budgeting and performance management, when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organization’s assets, resources, revenues, etc.

In comparison, micro level opinions are often derived from a single engagement and may include:

• An opinion on an individual business process or activity within a single organization, department, or location.
• An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit.
• An opinion on the organization’s compliance with policies, laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units. [48]

[47] Practice Guide: Formulating and Expressing Internal Audit Opinions, The IIA, 2009.
[48] Practice Guide: Formulating and Expressing Internal Audit Opinions, The IIA, 2009.
