INTERNAL AUDIT ENGAGEMENTS (2022-2023)
Engagement Value Enabler 3: Audit It is best practice to maintain a database as a repository.
Objective
An engagement objective must be clearly determined,
formulated and documented.
Objectives must be established for each engagement that
are clear, concise and link to risk assessment.
The objectives should articulate the coverage of the audit
review. It is also important to establish what will not be
covered by the review and state the period under review.
The audit engagement objective determines the type of
internal audit work that needs to be performed
(assurance or consulting) and on what management
activity (the subject matter) it is executed.
What happens if the Audit Objective is not properly
defined?
• Failing to address the significant risks
• Failing to make sure management understand the
purpose of your review
• Duplicating efforts or performing work which
does not add value
• Not completing the review on time or using
resources effectively.
An example of an audit objective would be wording such
as “to assess the adequacy and effectiveness of the
governance, risk management and controls in place over
a specific process/area under review”.
Three main input factors:
1. The results of the preliminary risk assessment of
the subject matter.
2. The probability and impact of “significant
errors, fraud, non-compliance and other exposures”.
3. The results of their assessment whether the
criteria set by management or the board for evaluating
“governance, risk management and controls” are
sufficient and adequate for the measurement of the
achievement of the goals and objectives. These criteria
may relate to internal “policies and procedures”, external
“laws and regulations” and “industry and professional
practices”. In case such criteria do not exist, the internal
auditors must identify According to the guidance, the
main sources for determining the engagement objectives
can be:
• The annual internal audit plan
• Prior engagement results
• Assessment of the risks relevant to the activity
under review
• Discussion with stakeholders
• Consideration of the mission, vision, and
objectives of the areas/process under review
alternative benchmarks in "discussion with the
management and/or the board".
This database enables the standardisation and an
efficient and effective process for the use and re-use of
the audit engagement objectives. The repository can also
serve as a reference catalogue for developing new
engagement objectives.
Step 1: Why to audit?
The process for determining the audit
engagement objectives is the easiest process within the
procedures of the audit engagement. It actually does not
belong within the audit engagement process. The best
practice annual audit planning process already
determines and defines the exact topic (subject matter) to
be audited. The selected audit topics result from a
combination of understanding the business and
company, risk assessments against company objectives,
audit resource allocations, and coordination with
management and the board.
Why to audit?
Why to audit? is important during the audit
engagement planning. This is, however, not the case.
The time lag between the annual audit planning process
and the preparations of the audit engagement generates
uncertainty whether the objective and risk assumptions
from the annual audit plan are still valid at the time of
planning the audit engagement.
The audit engagement team must have a healthy
skepticism and address the question why this audit needs
to be done:
* Do the objectives of the subject matter still provide an
important contribution to the overall strategies and
objectives of the company (from the perspective of the
higher organizational units)?
* Does the risk profile of the subject matter still show
significant potential or risks for not achieving those
subject matter objectives?
Valid Reasons for Conducting the Audit
• Board and management requests
A board or management request, outside the annual audit
plan, could also be the reason for the audit. Management
or the board may have specific business-, operations-, or
compliance- concerns for which they ask the audit
function to provide assurance that management has
identified the key risks and that these are being
mitigated. For each board or management request, the
usual audit engagement objective will have to be
formulated, to be used as input into the engagement
scoping process.
pg. 1

• Input into the engagement planning
The topics selected for the individual audit engagements
are based on an understanding of the (high-level) risk
profile, as determined during the annual audit planning
process. Those audit managers involved in the annual
planning process will have a good understanding of the
reasons for selecting the subject matter for the audit
engagement. Ideally, these audit staff should already
formulate the audit objective as part of the annual audit
planning process.
• Input from management or process owner
Management or the process owner knows best what they
try to achieve with the subject matter that will be
audited. Usually, the objectives are formalized and
documented in business plans, strategies, annual targets,
budgets, policies and directives, and so forth.
• Handling the time lag
The time lag between the annual audit planning process
and the preparations of the audit engagement can be
anywhere between 0 and 14 months.
Assuming that the majority of the risk assessments for
the annual audit plan take place in the period
September/October and the execution of the last audit
engagements take place in December of the subsequent
year, a long time can pass between the determination of
the initial risk assessment and performance of the audit
engagement. As any business manager will know, a lot
can happen in 6 to 14 months (that could not have been
foreseeable). This generates uncertainty whether the
objective and the risk assumptions from the annual audit
plan are still valid and applicable at the time of
performing the audit engagement.
Based on the principle that the audit objective should
be determined during the annual audit planning, two
solutions come to mind:
1. The CAE can prepare regular (e.g., quarterly) updates
to the annual audit plan to cater for the significant shifts
in the risk profile of the company.
This quarterly (high-level) reassessment of the audit
priorities will ensure that the audit engagement
objectives stay up to date, or at least, are reconfirmed
during the year, prior to the start of the audit
engagement.
2. At the time of the audit engagement planning the audit
team uses the predetermined objective from the annual
audit plan as a starting point.
For the purpose of the scoping of the audit work, the
engagement team will have to perform a preliminary
risk assessment, basically a more detailed and updated
risk assessment (compared to the annual audit
planning process) on the subject matter. This could
result in the following:
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
• The enhanced understanding of the subject matter
shows that management’s objectives for the activity
and its risk profile are still the same. The
predetermined engagement objective is reconfirmed
and can continue to be used.
• The enhanced understanding of the subject matter
shows that management’s objectives for the activity
are still the same, but the risk profile seems to have
shifted (lower or higher). The predetermined
engagement objective is confirmed and can continue
to be used.
Step 2: What is the required level of assurance?
The primary responsibility of the audit function is to
provide assurance. This assurance has to be provided for
the topics/projects that are included in the annual audit
plan. These projects are executed through the individual
audit engagements. Consequently, the primary focus of
the audit engagement is to provide assurance. The
assurance is achieved by conducting the audit
engagement and subsequently communicating the results
of this audit work to the stakeholders of the audit
function.
Reasonable Assurance
Usually it is not possible (nor desirable) to
provide an absolute assurance.
The reason why auditor is unable to obtain absolute
assurance is not because auditor’s do not conduct audit
engagements with enough care rather there are
limitations and these limitations restricts the auditor to
obtain only reasonable assurance and even with such
limitations and restrictions auditor tries his best to
provide some level of assurance to the users to reinforce
their confidence in the financial statements.
Such limitations that restrict the auditor to gain absolute
assurance are known as Inherent limitations of an Audit.
This would leave no room for error, misinterpretations,
insufficient sampling, and so forth; it would drive the
costs of the audit engagements sky-high.
In general, the audit function customers do not require
an absolute assurance anyway; they are satisfied with a
reasonable assurance. This has to do with the following:
• The audit function is required to maintain an
adequate level of efficiency.
• The audit resources are limited and need to be
spread over multiple tasks and engagements.
• Audit testing of 100 percent of the population is
usually not necessary to be able to make a
statement about the whole population. In most
engagements sample testing suffices.
The reasonable assurance can be achieved through the
materiality consideration during the audit engagement.
As it is not cost-efficient to test every risk and every
control, the reasonable assurance means that:
pg. 2

• All the significant risks are identified.
• All the significant control weaknesses,
ineffective and poorly designed controls are
addressed.
• Some small risks may still occur, though these
have a relatively low impact and probability, so
that they do not materially endanger the
achievement of the objective of the subject
matter.
• It is not the task of the audit function to make
management’s control system water-tight. This
means that some exceptions may still slip
through, causing a risk of not achieving the
subject matter’s objective. The size of the risks
that may slip through is based on the risk
appetite of the board.
Board’s risk appetite
The board’s risk appetite has an impact on the audit tests
to be selected. This impact is based on the level of
evidence that is needed, which again depends on the
level of assurance that is required. The latter is steered
by the risk appetite of the board, which feeds the level of
the risk identification and mitigation. Please refer to
other chapters for more details.
Risk Appetite is the amount of risk, at a broad level, that
an organization is willing to accept in pursuit of its
strategic objectives
Step 3: What is the subject matter of assurance?
The subject matter is the management activity or
transactional process that will be audited. This can be a
function, a project, a process, an activity, a legal entity, a
strategy, a strategic initiative, a document, a plan, a
department, and so forth.
Step 4: What are the objectives of assurance?
The purpose of the audit engagement is to help
management and the board achieve their business
objectives. An individual audit engagement reviews a
slice of the company’s business and aims to support the
achievement of the objectives of this part of the
business. Therefore, the wording of the audit
engagement objective needs to reflect the objective of
the subject matter. Management may or may not have a
clear wording for the objective of the subject matter.
Such wording can be derived from the following
sources:
• The annual audit planning process
• The understanding of the business and subject
matter
• Management or the process owner
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
The following are examples of how audit engagement
objectives could be worded for different types of
subject matters:
• Engagement objective for progress reporting
• Engagement objective for an IT security audit
• Engagement objective for M&A audit work
• Engagement objective for a review of sales
agents
• Engagement objective for a review of orders on
hand
• Engagement objective for a payroll process audit
• Engagement objective for a review of a working
capital reduction project
When building on the example of a review of a sales
process consistent with the other chapters, the audit
engagement objective could look as follows:
Figure 31 – Example of audit engagement objective
Engagement objective as value enabler
The formulation of the engagement objective is a clear
value enabler, as a well formulated, accurate and
complete engagement objective serves the purpose:
1. To determine the right amount of resources, in
quantity and quality, that need to be allocated to an audit
engagement during the annual audit planning process.
2. To steer the audit team in the right direction for the
engagement planning and execution. When being
assigned to an audit, the audit staff and supervisors
understand what needs to be audited, and against which
management/control objectives the risk assessments
(preliminary and during field work) need to takeplace.
3. To inform the customer/reader of the audit report
about the purpose of the audit work and the overarching
objectives against which the risk assessments during the
audit work have been performed. It gives the
stakeholders of the audit function the information about
the management objectives that were subjected to the
audit work and for which the assurance is provided.
pg. 3

Engagement Value Enabler 4:
Understanding the Subject Matter
II. Process for understanding the subject
matter
Figure 32– Twelve key elements of understanding the subject
matter
According to the purposes of the direct
engagement manual, the term “subject matter” is used
and refers to both the relevant entity/entities and topic
areas being audited, as relevant. In some cases, the
subject matter will be primarily a government entity.
When there is knowledge of the subject matter, this
informs the audit team's risk assessment, significance
considerations, scoping decisions, and audit approach. In
the case of performance audits, it may also inform the
audit objective.
Methodically understanding the subject matter also
pertains to the understanding towards the following:
• the industry in which the activity is active
• the business model that is used
• the business process maturity of the processes
• the product life cycle stage of the primary
products
• and the regulatory environment in which the
subject matter is active
Being able to understand these information and data
within the subject matter will help every audit
engagement team in identifying relevance towards the
subject matter. But to be able to do this, audit
engagement team is expected to have a good
understanding of the following information within an
entity.
• how the subject matter is structured and
organized
• the management style, pressures, culture and
ethics
• its main goals, strategies and objectives
• the business operations and how they are
organized
• the essential tools and reporting; the financial
statement related impacts
• the systems and applications that the activity’s
management uses to monitor and steer the
activity
• the significant issues that occurred in the past
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
If this expected knowledge of the audit engagement
team is presented in each of its members, the audit work
will be given a detailed interpretation and results
thereafter.
Within this chapter “Understanding the Subject
Matter”, it will focus on the additional aspects of
understanding the business and company with the
primary relevance for successfully performing the
detailed engagement planning, audit scoping, audit
execution and interpretation of the results of the audit
work.
The chapter has three (3) parts. The first part starts
with an analysis of the IPPF’s requirements for
understanding the subject matter, an elaboration on the
standardization of understanding the subject matter. On
its second part, there are given topics about the 3-step
process description of understanding the subject matter,
and an example. The third part of the chapter finishes
with a summary explaining why understanding the
subject matter is a critical value enabler for the audit
engagement.
IPPF’S Requirements for Understanding the Subject
Matter
Standards
The IIA’s IPPF describes the requirements for
understanding the subject matter in the Performance
Standards:
a) 2200 – Engagement Planning
Internal auditors must develop and document a
plan for each engagement, including the engagement’s
objectives, scope, timing, and resource allocations. The
plan must consider the organization’s strategies,
objectives, and risks relevant to the engagement.
b) 2201 – Planning Considerations
Assurance:
2201.A1 - When planning an engagement for parties
outside the organization, internal auditors must establish
a written understanding with them about objectives,
scope, respective responsibilities, and other expectations,
including restrictions on distribution of the results of the
engagement and access to engagement records.
Consulting:
2201.C1 - Internal auditors must establish an
understanding with consulting engagement clients about
objectives, scope, respective responsibilities, and other
client expectations. For significant engagements, this
understanding must be documented.
c) 2210 – Engagement Objectives
Assurance:
2210.A1 - Internal auditors must conduct a preliminary
assessment of the risks relevant to the activity under
review. Engagement objectives must reflect the results
of this assessment.
2210.A2 - Internal auditors must consider the probability
of significant errors, fraud, noncompliance, and other
exposures when developing the engagement objectives.
2210.A3 - Adequate criteria are needed to evaluate
governance, risk management, and controls. Internal
auditors must ascertain the extent to which management
pg. 4

and/or the board has established adequate criteria to
determine whether objectives and goals have been
accomplished. If adequate, internal auditors must use
such criteria in their evaluation. If inadequate, internal
auditors must identify appropriate evaluation criteria
through discussion with management and/or the board.
Consulting:
2210.C1 - Consulting engagement objectives must
address governance, risk management, and control
processes to the extent agreed upon with the client.
2210.C2 - Consulting engagement objectives must be
consistent with the organization's values, strategies, and
objectives.
d) 2220 – Engagement Scope
Assurance:
2220.A1 - The scope of the engagement must include
consideration of relevant systems, records, personnel,
and physical properties, including those under the
control of third parties.
2220.A2 - If significant consulting opportunities arise
during an assurance engagement, a specific written
understanding as to the objectives, scope, respective
responsibilities, and other expectations should be
reached and the results of the consulting engagement
communicated in accordance with consulting standards.
Consulting:
2220.C1 - In performing consulting engagements,
internal auditors must ensure that the scope of the
engagement is sufficient to address the agreed-upon
objectives. If internal auditors develop reservations
about the scope during the engagement, these
reservations must be discussed with the client to
determine whether to continue with the engagement.
2220.C2 - During consulting engagements, internal
auditors must address controls consistent with the
engagement's objectives and be alert to significant
control issues.
e) IG2200 – Engagement Planning
The internal auditor plans and conducts the engagement,
with supervisory review and approval.
f) IG2201 – Planning Considerations
The auditor must conduct a preliminary assessment of
the risks relevant to the activity under review.
Engagement objectives must reflect the results of this
assessment. The auditor also considers:
• Management’s assessment of risks relevant to the
activity under review.
• The reliability of management’s assessment of
risk.
• Management’s process for monitoring, reporting,
and resolving risk and control issues.
The auditor obtains or updates background information
about the activities to be reviewed
to determine the impact on the engagement objectives
and scope.
g) IG2210 – Engagement Objectives
Objectives must be established for each
engagement. The auditor establishes engagement
objectives to address the risks associated with the
activity under review.
a) For planned engagements, the objectives
proceed and align to those initially identified during
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
the risk assessment process from which the internal
audit plan is derived.
b) For unplanned engagements, the objectives are
established prior to the start of the engagement and
are designed to address the specific issue that
prompted the engagement.
The risk assessment during the engagement’s planning
phase is used to further define the initial objectives and
identify other significant areas of concern.
h) IG2220 – Engagement Scope
Scope defines "what will and will not be
included in the engagement."
Internal auditors generally consider the following
factors, among others, when establishing the engagement
scope:
a. The boundaries, sub processes, and components
of the area or process under review.
b. In-scope versus out-of-scope locations.
c. Time frame.
Standardization
Standardization of the topic of understanding the
subject matter has the following aspects:
a) Creating standard questionnaires for selecting
and obtaining information about the subject matters.
For the content of these questionnaires, I refer to the
key elements of understanding the subject matter as
described in Volume I of Driving Audit Value, as
well as the further indications in this chapter and the
other chapters of this book.
b) Time scheduling the information requests
sufficiently in advance of the time that the
information is needed as input into the audit
engagement.
c) Maintaining permanent audit files containing the
information about the subject matter (and the higher
organizational units) that is reusable in future audits.
d) For repeated audits on subject matters, increase
the time-efficiency by requesting information about
the major changes to the management activities since
the last audit engagement.
e) Capturing and storing the information in such a
way that it is easily (but secure) accessible for all
audit engagement team members.
Summary
In summary, the IPPF sets the following criteria
for understanding the subject matter:
a) For the purpose of the engagement planning the
internal auditors must understand:
i. the organization’s strategies, objectives, and
risks relevant to the engagement
ii. Governance, risk management, and control
processes
b) The auditors may review the:
pg. 5

i. organization structure, management roles and
responsibilities, management reports, and operating
procedures
ii. Process flow and controls documentation to
meet regulatory requirements
c) The internal auditors should gather information
with respect to the:
i. subject matter’s “policies and procedures”, IT
systems, along with “sources, types, and reliability
of information used in the process”
ii. Any “new processes or conditions” that may
have caused new risks
d) For setting the engagement objectives:
i. the internal auditors must perform a preliminary
risk assessment of the subject matter
ii. Assess the criteria set by management for
evaluating “governance, risk management and
controls”. These criteria may relate to internal
“policies and procedures”, external “laws and
regulations” and “industry and professional
practices”.
e) For the purpose of the engagement scoping the
internal auditors must consider the “relevant
systems, records, personnel and physical properties”
of the subject matter.
f) The standards of course specify much more to be
understood from the subject matter, for which I refer
to the individual chapters of the audit engagement
risk assessment, planning, objectives and scoping.
Figure 33 – Process for understanding the subject matter
This process needs to address the following questions in
three (3) steps:
A. Step 1: What are the process characteristics?
B. Step 2: What are the sources of information?
C. Step 3: Why understand two levels?
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
Step 1: What are the process characteristics?
What is a process?
There is one key approach to ensure that the audit
engagement teams are always able to identify the
appropriate information that is needed in understanding
the management activities to be audited. This approach
is based on the core characteristics of the management
activity processes.
Figure 34 – General characteristics of a process
✓ Process information
When each management activity or subject matter can be
depicted as a process, immediately structure is
determined for knowing what to understand:
1. Descriptions of the process as a whole and of the
key sub-processes.
2. Objectives of the process and its sub-processes.
3. Measurements of the results and the
transformations of the process and the sub-
processes.
4. The handling of the process deviations,
exceptions, risks, issues and the process risk
management.
5. The IT aspects of the process and sub-processes:
systems, applications, security, data integrity.
6. Compliance aspects of the process and sub-
processes.
7. Financial aspects: impact on the financial
statements, financial performance indicators.
8. Governance aspects.
9. Internal control systems.
10. Sub-process interfaces, inputs and outputs.
11. Efficiency and effectiveness of the sub-processes.
12. The required skills and resources to achieve the
sub-process objectives.
13. Interfaces to the 2nd and 3rd lines of defense.
pg. 6

• All activities can be defined as a process
The clearest examples are the value chain processes,
such as research and development, purchasing and sales,
but also the support processes such as human resources,
finance and legal. Management has the habit of
regarding these as a process and will have most of the
process-related information readily available.
Note:
All other types of management activities can be
described as a process. For example, management’s
activities in the areas of: health and safety; succession
planning; credit management; managing the company
car pool; office security; the implementation of an IT
application; maintaining a holding company; acquiring
or divesting businesses; intellectual property
management; compliance with loan covenants; social
media; and so forth.
• Process review
✓ During the audit engagement, the process review
has to provide the reasonable assurance that the
(sub-)process is:
1. Adequately managed on a meta level.
2. Suited to transform the appropriate input
through authorized transformation into the
correct output.
3. Adequately controlled.
4. Suited to deal with exceptions.
5. Suited to adequately support the goals of
the company.
• Recent and upcoming process changes
o The audit engagement team should not only
understand the management activity as it is
currently executed, but also be aware of the
recent changes, as well as the upcoming
changes.
o The audit engagement team must therefore
understand what those changes are, how the
structures, policies and procedures have
been adapted, in order to determine the
appropriate focus in the engagement scope
and the work programmed.
o The audit engagement team must therefore,
understand what those changes will be in
order to determine the appropriate focus in
the engagement scope and the work
programmed.
Step 2: What are the sources of information?
• Once the audit engagement team determined the
process characteristics of the subject matter to be
audited, they need to identify the sources of the
relevant information:
INTERNAL AUDIT ENGAGEMENTS (2022-2023)
✓ The manager responsible for the subject matter,
the process owner or the sub-process owners.
✓ The managers of the 2nd lines of defense.
✓ The managers of the organizational unit in which
the subject matter is embedded.
Note:
These will be the first entry points into the
subject matter for obtaining information. These
managers will not have all the information that is needed
at their direct disposal, but understanding the
information that they use to manage their business is
already very helpful. They will be able to point the audit
engagement team to the lower-level managers or the
operating staff for more and detailed information.
Step 3: Why understand two levels?
Understanding the subject matter is based on the same
principles that are applied for understanding the
company and business. the understanding is categorized
at two levels:
1. Understanding the subject matter.
2. Understanding the strategies, objectives, and
organizational structures of the higher
organizational units in which the subject matter is
embedded.
This two-level understanding is required for the
following reasons:
a. During the audit engagement planning phase, the
audit function needs to ensure that the focus of the
audit is on those aspects of the subject matter that
contain the highest risks of not achieving the local
strategies and objectives. Those risks need to be
assessed from the perspective of the subject matter
as well as of the higher organizational units.
b. During the audit engagement reporting phase, the
audit team needs to ensure that the results of the
audit are correctly interpreted from the perspective
of the audit objective and the materiality of the
risks in relation to the subject matter’s objectives.
How to handle a distributed understanding?
The supervising audit manager and the audit staff
usually have a better understanding of a subject matter
than the CAE. The auditors in the field interact directly
and observe first-hand the details of the local activity to
be audited.
Particularly, this will be the case when there is
continuity in the audit team that performs the audit
engagement. When the same audit team and audit
managers visit a certain location multiple times over the
years, they will be able to capitalize on their knowledge
pg. 7
 INTERNAL AUDIT ENGAGEMENTS (2022-2023)

and understanding of the local activity. They will already

know:

(1) local management, their strengths and

weaknesses,
(2) the local structures and organization,
(3) the value chain and support processes,
(4) the general quality of governance,
(5) risk management and internal control
processes.

In such a case, the understanding of the subject matter

and the preliminary risk assessment can be performed
very efficiently by assessing the major changes since the
last visit.

The CAE will usually have a better

understanding of the higher organizational units,
particularly at the division, corporate and group level.
The CAE maintains his contacts and relations mainly at
the level of senior management, executive management
and the board. Because of the CAE’s deep involvement
in the annual audit planning process, she accumulates a
thorough understanding of the groups and business
divisions strategies, objectives and their key initiatives
and projects.

✓ Understanding the business and company is of

primary importance for the CAE
✓ Audit managers preparing the annual audit plan,
understanding the subject matter is of primary
importance for the audit engagement team (the staff
auditors and the audit supervisor).

Example
When building on the example of the sales process from
the previous chapters, the summary results of
understanding the subject matter might be captured as
follows.

Figure 35 – Example of sales process characteristics

pg. 8
 INTERNAL AUDIT ENGAGEMENTS (2022-2023)

MULTIPLE CHOICE QUESTIONS 7. Which of the following does not belong in the group?
a. failing to address the significant risks
1. Broadly defined, the subject matter of any audit b. failing to make sure management understand the
consists of purpose of your review
a. Financial statements c. duplicating efforts or performing work which does
b. Economic data not add value
c. Assertions d. it articulates the coverage of the audit review
d. Operating data and prevent scope creep

2. An audit of financial statements is conducted to 8. The one key approach in process characteristics to
determine if the ensure the audit engagement teams are always able to
identify the appropriate information needed in
a. Organization is operating efficiency and effectively understanding ________________.
b. Auditee is following specific procedures or rules set
down by some higher authority a. Management activities to be audited
c. Overall financial statements are started in b. Process owner/sub-process owner
accordance with the applicable financial c. Results Interpretation
reporting framework d. Scoping
d. Client's internal control is functioning as intended

9. Which of these sources is not belong in identifying the

3. The management activity or transactional process that relevant information?
will be audited. This can be a function, a project, a a. The manager responsible for the subject matter, the
process, an activity, a legal entity, a strategy and so process owner or the sub-process owners.
forth. b. The managers of the 2nd lines of defense.
a. Subject Matter c. The managers of the organizational unit in which
b. Risk Appetite the subject matter is embedded.
c. Reasonable assurance d. The manager responsible for the work
d. Absolute Assurance programme.

4. S1: The audit function customers do not require an 10. A ________ is a person who is given the
absolute assurance. responsibility and authority for managing a particular
process. The person immediate accountable for creating,
S2: The board’s risk appetite has an impact on the audit sustaining and improving a particular process, as well as
tests to be selected. being responsible for the outcomes of the process.
a. Both statements are True a. Project Manager
b. Both statements are False b. Process owner
c. S1 is true; s2 is false c. Auditor
d. S1 is false; s2 is true d. Accountant

5. The primary responsibility of the audit function is to 11. The following are examples of how audit
provide? engagement objectives could be worded for different
a. Subject Matter types of subject matters except:
b. Risk Appetite a. Engagement objective for Annual audit planning
c. Assurance process
d. None of the above b. Engagement objective for Progress reporting
c. Engagement objective for IT security audit
d. Engagement objective for Payroll process audit
6. An (blank) must be clearly determined, formulated
and documented.
a. Objective
b. Engagement objective
c. Engagement standard
d. Audit Engagement Planning

pg. 9
 INTERNAL AUDIT ENGAGEMENTS (2022-2023)

12. It is an IPPF standard where Internal auditors must

develop and document a plan for each engagement,
including the engagement’s objectives, scope, timing,
and resource allocations. The plan must consider the
organization’s strategies, objectives, and risks relevant to
the engagement.
a. 2200 – Engagement Planning
b. 2201 – Planning Considerations
c. 2210 – Engagement Objectives
d. 2220 – Engagement Scope

13. It is the standard where the internal auditor plans and

conducts the engagement, with supervisory review and
approval.
a. IG2200 – Engagement Planning
b. IG2201 – Planning Considerations
c. IG2210 – Engagement Objectives
d. IG2220 – Engagement Scope

14. The following are critical value enabler for

understanding the subject matter in the audit engagement
except;
a. Can increase audit added value, enables
identification of business strategy
b. Drive the focus of audit engagement scope and
work programmed
c. Enables interpretation of audit results with a right
perspective
d. Enables organization structures for lower
organization units in which subject matter is
embedded

15. During the engagement planning phase, the function

of the audit is to ensure the audit focuses on those
aspects of the subject matter that contains
____________.
a. Lower risk of not achieving the local strategies
b. Higher boundary of local strategies
c. Higher risk of not achieving the local strategies
and objectives
d. Higher and lower risk of not achieving the local
strategies and objectives

pg. 10