GROUP MEMBERS
1. Ahmed Hassan Ali
2. Mohamed Abdullahi Dahir
3. Abdulkadir Mohamed Mohamud
4. Najma Hassan Mohamed
Assurance Engagement
An engagement involving an objective examination of evidence for
the purpose of providing an independent assessment on governance,
risk management, and control processes for the organization.
DETERMINE ENGAGEMENT OBJECTIVES & SCOPE
Reasons for Conducting an Engagement
• The engagement was identified in the internal audit plan because of inherent
risks identified during the business risk assessment process, risks detected
the last time the area was audited, and other relevant factors.
• The engagement is part of an annual requirement to evaluate the
organization’s system of internal controls for external reporting purposes.
• A recent event (for example, natural disaster, fraud, or customer
bankruptcy) has tested the process under unusual circumstances and
management desires a "post mortem" to determine where the process was
effective and where it was not.
• Emerging risks or other changes in the business or industry require
immediate modifications to the process and management desires a quick
validation that these modifications appear to be designed appropriately to
address the changes.
Establishing Engagement Objectives
Evaluate the design adequacy
Determine the operating effectiveness
Assess compliance
Determine the effectiveness and efficiency
Evaluate the accuracy
Assess the achievement
Determine the performance
Scope of the Engagement
Boundaries of the process: While some processes are small and self-
contained, many are very broad and overlap with other processes.
In-scope versus out-of-scope locations: For processes that cover
multiple locations, only some of those locations may be included in
the engagement.
Subprocesses: A discrete and recognizable portion or component of a
process.
Components: Certain portions, or components, of a process may be
omitted.
Time frame: An engagement may cover a calendar year.
Expected Outcomes and Deliverables
Before moving on to the next step in the planning process, one final
task should be performed. While the objectives and scope have been
determined, it is helpful to apply one of the Seven Habits of Highly
Effective People: "Begin with the end in mind." There are two
important "ends" to consider that will help validate the engagement
objectives and scope:
1) Potential outcomes of the tests to be performed during the
engagement, and
2) Auditee expectations regarding engagement communications.
UNDERSTAND THE AUDITEE
When planning an engagement, the internal audit team must first
understand the auditee. Failure to gain a comprehensive understanding
of the area under review may result in an incomplete testing plan or a
misallocation of internal audit resources deployed in the engagement.
Therefore, gaining an understanding of the process is very important.
Gathering Information
There are many ways to gather information about a process. The internal
auditor should consider different types and sources of readily available
relevant information. Additionally, analysis of data and entity-level
controls can help provide additional insights into a process.
Types and Sources of Relevant Information
Policies relating to the process.
Procedures manuals
Organizational charts
Job descriptions for people involved in the process.
Process maps or flowcharts
portions of the process
Copies of key contracts with customers, vendors, outsourcing partners,
etc.
Relevant information regarding laws and regulations affecting the
process.
Other documentation
Analytical Procedures
Analytical procedures involve reviewing and evaluating existing
information, which may be financial or nonfinancial, to determine
whether it is consistent with predetermined expectations.
Data analysis involves compiling and analyzing large amounts of data,
typically through the use of technology.
Data Analysis Using Computer-Assisted Audit Techniques
(CAATs)
Entity-Level Controls Analysis
Controls that operate across an entire entity and, as such, are not bound
by, or associated with, individual processes.
Entity-level controls are commonly evaluated annually.
Documenting the Process Flow
1. Process maps: depict the broad inputs, activities, workflows, and
interactions with other processes and outputs.
2. Flowcharts: include additional information, frequently depicting
computer systems and applications, document flows, detailed risks and
controls, manual versus automated steps.
3. Narrative memoranda: provide information about the process flow
using only written words.
High-Level Flowcharts and Detailed Flowcharts
The purpose of a high-level flowchart is to depict broad inputs, tasks,
workflows, and outputs. A high-level flowchart helps reviewers
understand the overall activities, systems, reports, and interfaces with
other processes or subprocesses.
A detailed flowchart is a close-up view of the process which has more
specific inputs, tasks, actions, systems, decisions, and outputs. In
addition to providing a more detailed depiction of the process flow,
detailed flowcharts provide additional information that enhances the
understanding of the process.
Narrative Memoranda
There may be situations in which the internal auditor believes it is more
appropriate to document the understanding of the process using
narrative write-ups instead of flowcharts.
Reasons for Narrative Memoranda:
Simple process
Complicated process
Process owner request
More efficient
Identifying Key Performance Indicators
After gaining an understanding of the process flow, it is helpful for the
internal auditor to also understand how process-level management
monitors performance.
There are certain characteristics of good key performance indicators.
They should be:
Relevant
Measurable
Available
Aligned
Articulated
Evaluating Process-Level Fraud Risks
1. Identify potential fraud scenarios. Brainstorming with individuals
involved in the process is an effective way to identify the possible
means by which individuals, working alone or in collusion with
others, could circumvent the process.
2. Understand potential fraud impact. The potential impact of each
fraud scenario should be determined.
3. Determine whether to test for specific fraud risks. Based on the
first two steps, the internal auditor can assess, based on the inherent
risk of fraud within the process, whether specific tests should be
designed to determine the vulnerability for fraud.
IDENTIFY AND ASSESS RISKS
The first task in assessing process-level risks is to identify the risk
scenarios that are inherent in the process. Risk scenarios are potential
real-life events that may adversely impact the achievement of
objectives.
It is common for these two steps
1. Understand the Auditee and
2. Identify and Assess Risks
Defining Process-Level Risks
There are many ways to define risks. The optimal approach depends on
the culture and "risk language" of the organization. However, regardless
of the unique approaches that may exist from one organization to the
next, it is important to be consistent. Lack of consistency may make it
more difficult for risks to be broadly understood throughout the
organization.
One common and effective approach for defining risks is to use a "cause
and effect" protocol. Under this approach, risks begin with a "cause"
(for example, failure to..., lack of..., inability to...) and continue with the
effect (for example, financial loss, personal injury, data corruption, or
reputational damage).
Evaluating the Impact and Likelihood of Risks
The purpose of evaluation is to help
identify the risks that will have the
greatest adverse effect on the
achievement of process-level
objectives. Such risks deserve most
of the attention during an assurance
engagement.
Understanding Management’s Risk Tolerance
Risk tolerance is the acceptable levels of risk size and variation relative
to the achievement of objectives, which must align with the
organization’s risk appetite.
To gain an understanding of management’s risk tolerance levels, the
following three steps should be conducted:
1. Identify possible risk outcomes.
2. Understand established tolerance levels.
3. Assess tolerance levels for outcomes that have not been established.
IDENTIFY KEY CONTROLS
To execute this task in engagement planning, it is important to
understand the different types of controls that may be considered key
controls at the process level.
Although the following is not an exhaustive list, it represents examples
of common control types:
• Approving
• Calculating
• Documenting
• Examining
• Matching
• Monitoring
• Restricting
• Segregating
• Supervising
EVALUATE THE ADEQUACY OF CONTROL DESIGN
The next step in the engagement planning process is to evaluate the
adequacy of process design. The key to this step is determining whether
the key controls are designed adequately to reduce the individual
process risks to an acceptable level.
CREATE A TEST PLAN
A test plan should be designed to gather sufficient appropriate evidence
to support an evaluation of how effectively the key controls are
operating. This evaluation and the evaluation of the process design
adequacy, taken together, provide reasonable assurance that the process-
level objectives will be achieved.
Based on the understanding gained from the previous engagement
planning steps, the internal auditor is now prepared to:
1) determine which controls are
important enough to test,
2) develop an approach for testing
those controls, and
3) document judgments supporting
the chosen audit tests. Each of these
tasks is discussed in more detail in
the following sections.
Developing a Testing Approach
A testing approach involves determining the nature, extent, and timing
of tests to perform.
The following outlines the decisions that must be made when developing
a testing approach.
Nature of tests.
Extent of tests.
Timing of tests.
Determining Which Controls to Test
The primary focus of testing is to determine whether the key controls are
operating effectively enough to ensure process-level risks are managed
sufficiently.
Documenting the Testing Approach
DEVELOP A WORK PROGRAM
The next step in engagement planning is to document all of the
judgments and conclusions made during the planning phase.
This work program may take different forms, such as:
A standard template or checklist that the lead internal auditor
prepares to document the completion of the planning steps.
Standard templates are frequently used to ensure each
engagement covers all of the necessary tasks.
A memorandum summarizing the tasks completed. In situations
in which the planning is dynamic and not consistent from
engagement to engagement, this free-form approach may be more
appropriate.
ALLOCATE RESOURCES TO THE ENGAGEMENT
The final step in planning the engagement is to determine the
necessary resources needed to carry out the planned tasks. This
step involves:
1) estimating, or budgeting, the resources that are needed,
2) allocating the appropriate human resources to the
engagement, and
3) scheduling those resources to ensure the engagement is
completed on time.
Budgeting
The first task is to estimate the resources that are needed to
conduct the engagement. A budget should be prepared that
considers the number of hours needed to complete the
engagement, as well as other costs that may be required:
• Hours needed to complete the engagement.
• Other costs.
Allocating Human Resources
Once the engagement budget has been determined, it is time to
identify and allocate the resources needed to complete the
engagement. The allocation of human resources is the most
important and challenging task. This involves answering the
following questions:
• What types of skills are needed on this engagement (e.g. financial
reporting or IT)?
• What previous experience will be required on the engagement?
• Who in the department has the skills and experience to meet these
needs?
Scheduling
After determining the appropriate human resources, the next
task is to formally schedule those resources to the engagement.
Resource scheduling can be a very dynamic process, and the
following items need to be considered:
Availability of key process personnel.
Availability of engagement resources.
Availability of outside resources.
Availability of key reviewers.
CONDUCT TESTS TO GATHER EVIDENCE
At this point, the assurance engagement transitions from the
planning phase to the performing phase. The testing approach
developed in the planning phase and outlined in the Risk and
Control Matrix (refer to exhibit 13-11) must now be executed
to determine whether the controls are operating as designed. As
each test is conducted, evidence will be gathered to support the
internal auditor’s conclusions regarding how effectively the
controls are operating. The results of testing can be
documented in the Risk and Control Matrix.
EVALUATE EVIDENCE GATHERED AND REACH
CONCLUSIONS
Conducting audit tests allows the internal auditor to gather the evidence
needed to evaluate the design adequacy and operating effectiveness of key
controls and reach conclusions about the effectiveness of the process or area
under review.
The following are questions that the internal auditor may need to answer:
Are the key controls designed adequately?
Are the key controls operating effectively, that is, as they are designed to
operate?
Are the underlying risks being mitigated to an acceptable level?
Overall, do the design and operation of the key controls support achievement
of the objectives for the process or area under review?
DEVELOP OBSERVATIONS AND FORMULATE
RECOMMENDATIONS
After completing the testing, gathering and evaluating the evidence
needed, and reaching conclusions, the internal auditor must develop the
observations and formulate the recommendations that should be
communicated to the auditee and other internal audit stakeholders. The
key elements of a well-written observation are discussed briefly in
chapter 12, and further elaboration of these elements can be found in
chapter 14.
OPPORTUNITIES TO PROVIDE INSIGHT
THANK YOU
