Chapter 5

Planning the Audit Engagement

A. Purpose for Planning the Engagement

Engagement planning is performed to provide a means for developing an understanding

of the business objectives of the auditee, the methods used to achieve those objectives,
the risks associated with those methods, and the controls implemented by management to
mitigate those risks and provide assurance of achieving the desired objectives. The
understanding developed of the auditee allows the auditor to identify significant audit
objectives and to prepare an audit program that tests significant controls and operations.

The audit planning process should consider the needs of potential report users,
significance of the programs to be audited, the potential for fraud, abuse or significant
violations of legal and regulatory requirement, results of prior audits and the availability
of data that could be used as audit evidence.

B. Determination of Preliminary Audit Objectives and Assignment of Staff

The Internal Auditor and Audit Manager will establish preliminary audit objectives based
on the annual audit plan and any other information available prior to assigning
appropriate staff to the engagement. The preliminary objectives will be discussed with
the Lead Auditor prior to commencing the engagement and will form the basis for the
audit planning effort.

C. Preliminary Planning

Preliminary engagement planning begins shortly before the entrance conference with the
auditee and continues through a review with audit management at which proposed audit
objectives are determined. The primary focus of this phase of planning is completion of
the Risk Matrix presented in Chapter 3. The Risk Matrix supports the identification of
various business objectives with their associated methods, risks and controls which are
necessary to finalize audit objectives.

Prior to the entrance conference the auditor should review the annual budget, semi-annual
reports and prior audits relative to the auditee to get a general idea of the nature of the
operations of the auditee.

Most of the effort in preliminary planning will be on interviewing appropriate officials to

complete the Risk Matrix. The interview should solicit input from each official as to as
many elements of the Risk Matrix as the official can address. They should tell us what
their objectives are, how they accomplish them and what risks and controls they have
identified and implemented. We may need to direct them in this by guiding the
interview. The officials should identify to us what policies, procedures, rules and

Chapter 5 - Page 1 of 5
regulations are applicable to them. This helps us determine criteria for evaluating auditee
performance. At this point in planning we are attempting to establish that there are
criteria in place without studying those criteria.

The auditor will also develop background information relative to the purpose, size and
complexity of the auditee for inclusion in the audit report. This should require little, if
any, documentation other than that described above.

The preliminary planning process ends with a conference with audit management to go
over the completed Risk Matrix and audit objectives proposed by the auditor. During this
conference we will discuss the information gathered and presented in the Risk Matrix,
evaluate the proposed audit objectives, and consider how, if at all, fraud, waste and abuse
may be possible relative to the proposed audit objectives. The result of the conference is
approval of audit objectives and authorization to continue to the detailed planning phase
of the engagement. The planning conference should occur no later than the 4th or 5th day
of in-field work. The Lead Auditor should request a planning conference as soon as
preliminary planning has been completed but not later than the 5th day of in-field work.

Documentation required for the planning conference consists of interview notes and the
completed Risk Matrix. Subsequent to the planning conference the auditor will prepare
and submit a planning memo containing a background narrative, a summary of the
discussion of fraud, waste and abuse, and the agreed upon audit objectives. The planning
memo should be submitted along with the audit program. This documentation will
remain with the audit work papers and will provide evidence of planning as required by
the GAS.

D. Detailed Audit Planning

After approval of the audit objectives resulting from the preliminary planning process,
the Lead Auditor will develop additional information regarding the specific objectives
identifying and evaluating relevant criteria such as policies, procedures, contracts and
regulations; identifying potentially auditable records for availability, nature and volume;
and finally determining specific audit procedures to be used to gather and evaluate
evidence.

The audit program is based on the specific audit objectives approved at the planning
conference. The audit program establishes the work to be done to achieve the stated audit
objectives. Field work on the audit will not begin until the audit program has been
approved by audit management. The approved program may be modified if conditions
warrant subject to approval by audit management.

The audit program will contain the following material:

• Audit Objectives
• Audit Scope
• Audit Methodology (including a sampling plan if some type of audit
sampling is proposed)

Chapter 5 - Page 2 of 5
 • Detailed audit plan
• Audit Time budget
• Milestone dates for completion of key elements of the audit program and
preparation of the discussion draft

Each audit program will be unique in that each audit will have different objectives and
will be conducted in a different environment. Every audit program is similar in that each
audit is focused on gathering evidence to satisfy audit objectives and providing
information to develop audit findings and an audit report.

Audit Objectives are specific statements about some aspect of a particular subject. The
audit objectives must be clearly stated, specific, capable of being evaluated by the
available audit evidence, sufficient to render an audit opinion and likely to result in a
useful audit report.

For example: The overall audit objective will be: Did the Criminal Justice Commission
(CJC) administer the LLEBG grant in accordance with County regulations and Federal
grant requirements? Specifically, did the CJC ensure that:
• Projects proposed to the BCC for funding met eligibility requirements?
• Revisions to project funding were approved by appropriate authority as required
in County-wide procedures?
• Selected expenditures of LLEBG funds were allowable, allocable, and reasonable
as provided in Office of Management and Budget Circular A-87?
• Federal reporting requirements were complied with?
• Project purposes were achieved?

Audit Scope refers to the limits established for the audit such as: a particular period of
time; a specific process, system or organizational unit; whether the audit is financial,
attestation or performance; or other statements conveying an understanding of what was
examined and what was not.

For example:
• Scope statement - AThe scope of our audit will be all construction contracts
awarded during fiscal year 2007.

Audit Methodology refers to the data gathering and analytical methods the auditor plans
to use. There should be a clear relationship between the audit methodology used and the
audit objectives supporting the appropriateness of the selected methodology.

For example:
• To test the reasonableness of M/WBE statistics used in reporting, we will take
statistical samples of data reported to OSBA by Contract Development and
Control (CDC) and the Procurement Department. The statistical sample will be
based on an expected error rate of 2% with a 4% deviation rate for a population of
approximately 5,000 items.

Chapter 5 - Page 3 of 5
 • We will also review all adjustments made to this reported data by OSBA to
determine their appropriateness and accuracy.
• To evaluate OSBA’s compliance effort, we will review a judgmentally selected
sample of 20 project files maintained by OSBA (out of a total of 200 project files)
and test for completeness in compliance with departmental PPMs.
• We will also review a judgmentally selected sample of 20 inspection reports
prepared by OSBA on field visits to contractor sites to determine the quality
control procedures performed.

The Detailed Audit Plan identifies the audit objectives and sub-objectives and the steps
needed to gather and evaluate audit evidence to support conclusions on the audit
objectives. Each step of the audit plan is to be initialed and dated by the auditor who
completes the work. The detailed audit plan is prepared by the Lead Auditor following
approval of the proposed audit objectives at the planning conference. The audit plan is
specific to each engagement and is written to address the established audit objectives.
The audit plan may be revised during the engagement should circumstances warrant
subject to approval by audit management. If a revision to the audit plan is approved a
revision to the audit time budget will also be considered and approved by audit
management if necessary. The auditor is expected to perform only audit work included
in the approved audit program. Any deviation from the approved audit program must be
approved by audit management.

The Audit Time Budget establishes the beginning estimate of the amount of work
necessary to satisfy the audit objectives. Formulation of a reasonable time budget
requires an understanding of the audit objectives, knowledge of the types of data
available, and an understanding of the methods and techniques that can be used to gather
and analyze audit evidence. The auditor Lead Auditor of the engagement is responsible
for preparing the time budget which must be approved by audit management. The time
budget may be modified during the course of the engagement when circumstances
warrant with approval of audit management.

Audit milestone dates establish an expectation of when key aspects of the engagement
will be completed. These dates are established giving consideration to the audit time
budget and expected staff and auditee availabilities. The auditor Lead Auditor of the
engagement is responsible for preparing the milestone dates which must be approved by
audit management. The milestone dates may be modified during the course of the
engagement when circumstances warrant with approval of audit management.

Chapter 5 - Page 4 of 5
 Engagement Planning Audit Program

1. Meet with audit management to discuss preliminary focus and concept for
engagement.
2. Conduct preliminary research to develop introductory familiarization with
auditee.
3. Hold entrance conference with auditee.
4. Conduct interviews with auditee personnel to develop understanding of their
operating environment including: goals and objectives; methods and risks; and
controls being used.
5. Document the understanding from step 4 above by completing the Risk Matrix.
6. Meet with audit management to review results from steps 4 and 5, and determine
specific audit objectives for the engagement.
7. Conduct additional interviews with auditee personnel and review specific
documentation relative to controls and performance to support development of a
specific audit program to answer the specific audit objectives.
8. Document results of step 6 and 7 in a Planning Memo and an Audit Program for
the engagement.
9. Meet with audit management to gain approval of final audit program and planning
memo.

Chapter 5 - Page 5 of 5