Engagement Value Enabler 3: Audit Objective: Step 1: Why To Audit?
• Input into the engagement planning

The topics selected for the individual audit engagements are based on an understanding of the (high-level) risk profile, as determined during the annual audit planning process. Those audit managers involved in the annual planning process will have a good understanding of the reasons for selecting the subject matter for the audit engagement. Ideally, these audit staff should already formulate the audit objective as part of the annual audit planning process.

• Input from management or process owner

Management or the process owner knows best what they try to achieve with the subject matter that will be audited. Usually, the objectives are formalized and documented in business plans, strategies, annual targets, budgets, policies and directives, and so forth.

• Handling the time lag

The time lag between the annual audit planning process and the preparations of the audit engagement can be anywhere between 0 and 14 months.

Assuming that the majority of the risk assessments for the annual audit plan take place in the period September/October and the execution of the last audit engagements takes place in December of the subsequent year, a long time can pass between the determination of the initial risk assessment and performance of the audit engagement. As any business manager will know, a lot can happen in 6 to 14 months (that could not have been foreseen). This generates uncertainty whether the objective and the risk assumptions from the annual audit plan are still valid and applicable at the time of performing the audit engagement.

Based on the principle that the audit objective should be determined during the annual audit planning, two solutions come to mind:

1. The CAE can prepare regular (e.g., quarterly) updates to the annual audit plan to cater for the significant shifts in the risk profile of the company. This quarterly (high-level) reassessment of the audit priorities will ensure that the audit engagement objectives stay up to date, or at least, are reconfirmed during the year, prior to the start of the audit engagement.

2. At the time of the audit engagement planning the audit team uses the predetermined objective from the annual audit plan as a starting point. For the purpose of the scoping of the audit work, the engagement team will have to perform a preliminary risk assessment, basically a more detailed and updated risk assessment (compared to the annual audit planning process) on the subject matter. This could result in the following:

• The enhanced understanding of the subject matter shows that management’s objectives for the activity and its risk profile are still the same. The predetermined engagement objective is reconfirmed and can continue to be used.
• The enhanced understanding of the subject matter shows that management’s objectives for the activity are still the same, but the risk profile seems to have shifted (lower or higher). The predetermined engagement objective is confirmed and can continue to be used.

Step 2: What is the required level of assurance?

The primary responsibility of the audit function is to provide assurance. This assurance has to be provided for the topics/projects that are included in the annual audit plan. These projects are executed through the individual audit engagements. Consequently, the primary focus of the audit engagement is to provide assurance. The assurance is achieved by conducting the audit engagement and subsequently communicating the results of this audit work to the stakeholders of the audit function.

Reasonable Assurance

Usually it is not possible (nor desirable) to provide an absolute assurance.

The reason the auditor is unable to obtain absolute assurance is not that auditors do not conduct audit engagements with enough care; rather, there are limitations that restrict the auditor to obtaining only reasonable assurance. Even with these limitations and restrictions, the auditor tries to provide some level of assurance to the users to reinforce their confidence in the financial statements. The limitations that restrict the auditor from gaining absolute assurance are known as the inherent limitations of an audit.

Absolute assurance would leave no room for error, misinterpretations, insufficient sampling, and so forth; it would drive the costs of the audit engagements sky-high.

In general, the audit function customers do not require an absolute assurance anyway; they are satisfied with a reasonable assurance. This has to do with the following:

• The audit function is required to maintain an adequate level of efficiency.
• The audit resources are limited and need to be spread over multiple tasks and engagements.
• Audit testing of 100 percent of the population is usually not necessary to be able to make a statement about the whole population. In most engagements sample testing suffices.

The reasonable assurance can be achieved through the materiality consideration during the audit engagement. As it is not cost-efficient to test every risk and every control, the reasonable assurance means that:
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
• All the significant risks are identified.
• All the significant control weaknesses, ineffective and poorly designed controls are addressed.
• Some small risks may still occur, though these have a relatively low impact and probability, so that they do not materially endanger the achievement of the objective of the subject matter.
• It is not the task of the audit function to make management’s control system water-tight. This means that some exceptions may still slip through, causing a risk of not achieving the subject matter’s objective. The size of the risks that may slip through is based on the risk appetite of the board.

Board’s risk appetite

The board’s risk appetite has an impact on the audit tests to be selected. This impact is based on the level of evidence that is needed, which again depends on the level of assurance that is required. The latter is steered by the risk appetite of the board, which feeds the level of the risk identification and mitigation. Please refer to other chapters for more details.

Risk Appetite is the amount of risk, at a broad level, that an organization is willing to accept in pursuit of its strategic objectives.

The following are examples of how audit engagement objectives could be worded for different types of subject matters:

• Engagement objective for progress reporting
• Engagement objective for an IT security audit
• Engagement objective for M&A audit work
• Engagement objective for a review of sales agents
• Engagement objective for a review of orders on hand
• Engagement objective for a payroll process audit
• Engagement objective for a review of a working capital reduction project

When building on the example of a review of a sales process consistent with the other chapters, the audit engagement objective could look as follows:
Figure 32 – Twelve key elements of understanding the subject matter

For the purposes of the direct engagement manual, the term “subject matter” is used to refer to both the relevant entity/entities and topic areas being audited, as relevant. In some cases, the subject matter will be primarily a government entity. When there is knowledge of the subject matter, this informs the audit team's risk assessment, significance considerations, scoping decisions, and audit approach. In the case of performance audits, it may also inform the audit objective.

Methodically understanding the subject matter also involves understanding the following:

• the industry in which the activity is active
• the business model that is used
• the business process maturity of the processes
• the product life cycle stage of the primary products
• and the regulatory environment in which the subject matter is active

Being able to understand this information and data within the subject matter will help every audit engagement team identify what is relevant to the subject matter. But to be able to do this, the audit engagement team is expected to have a good understanding of the following information within an entity:

• how the subject matter is structured and organized
• the management style, pressures, culture and ethics
• its main goals, strategies and objectives
• the business operations and how they are organized
• the essential tools and reporting; the financial statement related impacts
• the systems and applications that the activity’s management uses to monitor and steer the activity
• the significant issues that occurred in the past

IPPF’S Requirements for Understanding the Subject Matter

Standards

The IIA’s IPPF describes the requirements for understanding the subject matter in the Performance Standards:

a) 2200 – Engagement Planning

Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.

b) 2201 – Planning Considerations

Assurance:
2201.A1 - When planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

Consulting:
2201.C1 - Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.

c) 2210 – Engagement Objectives

Assurance:
2210.A1 - Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
2210.A2 - Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
2210.A3 - Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management
and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.

Consulting:
2210.C1 - Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.
2210.C2 - Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.

d) 2220 – Engagement Scope

Assurance:
2220.A1 - The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

Consulting:
2220.C1 - In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.
2220.C2 - During consulting engagements, internal auditors must address controls consistent with the engagement's objectives and be alert to significant control issues.

e) IG2200 – Engagement Planning

The internal auditor plans and conducts the engagement, with supervisory review and approval.

f) IG2201 – Planning Considerations

The auditor must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. The auditor also considers:

• Management’s assessment of risks relevant to the activity under review.
• The reliability of management’s assessment of risk.
• Management’s process for monitoring, reporting, and resolving risk and control issues.

The auditor obtains or updates background information about the activities to be reviewed to determine the impact on the engagement objectives and scope.

g) IG2210 – Engagement Objectives

Objectives must be established for each engagement. The auditor establishes engagement objectives to address the risks associated with the activity under review.

a) For planned engagements, the objectives proceed and align to those initially identified during the risk assessment process from which the internal audit plan is derived.
b) For unplanned engagements, the objectives are established prior to the start of the engagement and are designed to address the specific issue that prompted the engagement.

The risk assessment during the engagement’s planning phase is used to further define the initial objectives and identify other significant areas of concern.

h) IG2220 – Engagement Scope

Scope defines "what will and will not be included in the engagement." Internal auditors generally consider the following factors, among others, when establishing the engagement scope:

a. The boundaries, sub processes, and components of the area or process under review.
b. In-scope versus out-of-scope locations.
c. Time frame.

Standardization

Standardization of the topic of understanding the subject matter has the following aspects:

a) Creating standard questionnaires for selecting and obtaining information about the subject matters. For the content of these questionnaires, I refer to the key elements of understanding the subject matter as described in Volume I of Driving Audit Value, as well as the further indications in this chapter and the other chapters of this book.

b) Time scheduling the information requests sufficiently in advance of the time that the information is needed as input into the audit engagement.

c) Maintaining permanent audit files containing the information about the subject matter (and the higher organizational units) that is reusable in future audits.

d) For repeated audits on subject matters, increase the time-efficiency by requesting information about the major changes to the management activities since the last audit engagement.

e) Capturing and storing the information in such a way that it is easily (but securely) accessible for all audit engagement team members.

Summary

In summary, the IPPF sets the following criteria for understanding the subject matter:

a) For the purpose of the engagement planning the internal auditors must understand:
i. the organization’s strategies, objectives, and risks relevant to the engagement
ii. Governance, risk management, and control processes

b) The auditors may review the:
i. organization structure, management roles and responsibilities, management reports, and operating procedures
ii. Process flow and controls documentation to meet regulatory requirements

c) The internal auditors should gather information with respect to the:
i. subject matter’s “policies and procedures”, IT systems, along with “sources, types, and reliability of information used in the process”
ii. Any “new processes or conditions” that may have caused new risks

Step 1: What are the process characteristics?

What is a process?

There is one key approach to ensure that the audit engagement teams are always able to identify the appropriate information that is needed in understanding the management activities to be audited. This approach is based on the core characteristics of the management activity processes.
• All activities can be defined as a process

The clearest examples are the value chain processes, such as research and development, purchasing and sales, but also the support processes such as human resources, finance and legal. Management has the habit of regarding these as a process and will have most of the process-related information readily available.

Note:

All other types of management activities can be described as a process. For example, management’s activities in the areas of: health and safety; succession planning; credit management; managing the company car pool; office security; the implementation of an IT application; maintaining a holding company; acquiring or divesting businesses; intellectual property management; compliance with loan covenants; social media; and so forth.

• Process review

✓ During the audit engagement, the process review has to provide the reasonable assurance that the (sub-)process is:

1. Adequately managed on a meta level.
2. Suited to transform the appropriate input through authorized transformation into the correct output.
3. Adequately controlled.
4. Suited to deal with exceptions.
5. Suited to adequately support the goals of the company.

• Recent and upcoming process changes

o The audit engagement team should not only understand the management activity as it is currently executed, but also be aware of the recent changes, as well as the upcoming changes.

o The audit engagement team must therefore understand what those changes are, and how the structures, policies and procedures have been adapted, in order to determine the appropriate focus in the engagement scope and the work programme.

o The audit engagement team must therefore understand what those changes will be in order to determine the appropriate focus in the engagement scope and the work programme.

Step 2: What are the sources of information?

• Once the audit engagement team has determined the process characteristics of the subject matter to be audited, they need to identify the sources of the relevant information:

✓ The manager responsible for the subject matter, the process owner or the sub-process owners.
✓ The managers of the 2nd lines of defense.
✓ The managers of the organizational unit in which the subject matter is embedded.

Note:

These will be the first entry points into the subject matter for obtaining information. These managers will not have all the information that is needed at their direct disposal, but understanding the information that they use to manage their business is already very helpful. They will be able to point the audit engagement team to the lower-level managers or the operating staff for more detailed information.

Step 3: Why understand two levels?

Understanding the subject matter is based on the same principles that are applied for understanding the company and business. The understanding is categorized at two levels:

1. Understanding the subject matter.
2. Understanding the strategies, objectives, and organizational structures of the higher organizational units in which the subject matter is embedded.

This two-level understanding is required for the following reasons:

a. During the audit engagement planning phase, the audit function needs to ensure that the focus of the audit is on those aspects of the subject matter that contain the highest risks of not achieving the local strategies and objectives. Those risks need to be assessed from the perspective of the subject matter as well as of the higher organizational units.
b. During the audit engagement reporting phase, the audit team needs to ensure that the results of the audit are correctly interpreted from the perspective of the audit objective and the materiality of the risks in relation to the subject matter’s objectives.

How to handle a distributed understanding?

The supervising audit manager and the audit staff usually have a better understanding of a subject matter than the CAE. The auditors in the field interact directly and observe first-hand the details of the local activity to be audited.

Particularly, this will be the case when there is continuity in the audit team that performs the audit engagement. When the same audit team and audit managers visit a certain location multiple times over the years, they will be able to capitalize on their knowledge
Example
When building on the example of the sales process from
the previous chapters, the summary results of
understanding the subject matter might be captured as
follows.
MULTIPLE CHOICE QUESTIONS

1. Broadly defined, the subject matter of any audit consists of
a. Financial statements
b. Economic data
c. Assertions
d. Operating data

2. An audit of financial statements is conducted to determine if the
a. Organization is operating efficiently and effectively
b. Auditee is following specific procedures or rules set down by some higher authority
c. Overall financial statements are stated in accordance with the applicable financial reporting framework
d. Client's internal control is functioning as intended

4. S1: The audit function customers do not require an absolute assurance.
S2: The board’s risk appetite has an impact on the audit tests to be selected.
a. Both statements are True
b. Both statements are False
c. S1 is true; S2 is false
d. S1 is false; S2 is true

5. The primary responsibility of the audit function is to provide?
a. Subject Matter
b. Risk Appetite
c. Assurance
d. None of the above

6. An (blank) must be clearly determined, formulated and documented.
a. Objective
b. Engagement objective
c. Engagement standard
d. Audit Engagement Planning

7. Which of the following does not belong in the group?
a. failing to address the significant risks
b. failing to make sure management understands the purpose of your review
c. duplicating efforts or performing work which does not add value
d. it articulates the coverage of the audit review and prevents scope creep

8. The one key approach in process characteristics to ensure the audit engagement teams are always able to identify the appropriate information needed in understanding ________________.
a. Management activities to be audited
b. Process owner/sub-process owner
c. Results Interpretation
d. Scoping

10. A ________ is a person who is given the responsibility and authority for managing a particular process. The person immediately accountable for creating, sustaining and improving a particular process, as well as being responsible for the outcomes of the process.
a. Project Manager
b. Process owner
c. Auditor
d. Accountant

11. The following are examples of how audit engagement objectives could be worded for different types of subject matters except:
a. Engagement objective for Annual audit planning process
b. Engagement objective for Progress reporting
c. Engagement objective for IT security audit
d. Engagement objective for Payroll process audit