TABLE 3–2 Factors for Evaluating the Reliability of the Internal Audit Function

Objectivity
• Whether the organizational status of the IAF, including the function’s authority and accountability, supports the ability of the function to be free from bias, conflict of interest, or undue influence of others to override professional judgments (e.g., the IAF reports to audit committee or an officer with appropriate authority, or if the function reports to management, whether it has direct access to audit committee).
• Whether the IAF is free of any conflicting responsibilities (e.g., having managerial or operational duties or responsibilities that are outside of the IAF).
• Whether audit committee oversees employment decisions related to the IAF.
• Whether any constraints or restrictions placed on the IAF by management or audit committee exist (e.g., in communicating the IAF’s findings to the external auditor).
• Whether the internal auditors are members of relevant professional bodies and their memberships obligate their compliance with relevant professional standards relating to objectivity or whether their internal policies achieve the same objectives.

Competence
• Whether the IAF is adequately and appropriately resourced relative to the size of the entity and the nature of its operations.
• Whether established policies for hiring, training, and assigning internal auditors to internal audit engagements exist.
• Whether the internal auditors have adequate technical training and proficiency in auditing (e.g., the internal auditors’ possession of a relevant professional designation and experience).
• Whether the internal auditors possess the required knowledge relating to the entity’s financial reporting and the applicable financial reporting framework and whether the IAF possesses the necessary skills to perform work related to the entity’s financial statements.
• Whether the internal auditors are members of relevant professional bodies that oblige them to comply with the relevant professional standards, including continuing professional development requirements.

Systematic and Disciplined Approach
• The existence, adequacy, and use of documented internal audit procedures or guidance covering such areas as risk assessments, work programs, documentation, and reporting, the nature and extent of which is commensurate with the size and circumstances of an entity.
• Whether the IAF has appropriate quality control policies and procedures or quality control requirements in standards set by relevant professional bodies for internal auditors. Such bodies may also establish other appropriate requirements such as conducting periodic external quality assessments.
78 Part 2 Audit Planning and Basic Auditing Concepts
Audit Strategy and Plan

Engagement planning involves all the issues the auditor should consider in developing an overall audit strategy for conducting the audit. In establishing the audit strategy, the auditor should determine the scope of the engagement, ascertain the reporting objectives to plan the timing of the audit, and consider the factors that will determine the focus of the audit team’s efforts. Developing the audit strategy helps the auditor determine what resources are needed to perform the engagement.
Once the overall audit strategy has been established, the auditor develops an audit plan. The audit plan is more detailed than the audit strategy. In the audit plan, the auditor documents a description of the nature, timing, and extent of the planned audit procedures to be used in order to comply with auditing standards. Basically, the audit plan should consider how to conduct the audit in an effective and efficient manner.
The nature and extent of planning activities that are necessary depend on the size and complexity of the entity and the auditor’s previous experience with the entity. The auditor should be guided by the results of the entity acceptance/continuance process, procedures performed to gain the understanding of the entity, and preliminary engagement activities. The auditor should modify the overall audit strategy and the audit plan as necessary if circumstances change significantly during the course of the audit. Additional steps that should be performed include:
∙ Assess business risks.
∙ Establish materiality.
∙ Consider multilocations.
∙ Assess the need for specialists.
∙ Consider violations of laws and regulations.
∙ Identify related parties.
∙ Consider additional value-added services.
∙ Document the overall audit strategy, audit plan, and prepare audit programs.
Assess Business Risks

In Chapter 1, audit risk was defined as the risk that the auditor expresses an inappropriate audit report when the financial statements are materially misstated. One way that the auditor reduces audit risk to an acceptably low level is by obtaining an understanding of the entity and its environment. Based on this understanding, the auditor identifies those business risks that may result in material misstatements. The auditor then evaluates how the entity responds to those business risks and ensures that those responses have been adequately implemented. Based on this information, the auditor assesses the level of risk of material misstatement in the financial statement accounts. The risk of material misstatement is used to plan the auditing procedures to be performed. Chapter 4 provides a detailed discussion of the auditor’s risk assessment process.