Internal Audit Engagement E-Book

Internal Audit Engagement: CIA Certified Internal Auditor

Azhar ul Haque Sario

Copyright

Copyright © 2025 by Azhar ul Haque Sario

All rights reserved. No part of this book may be reproduced in any manner whatsoever without written permission except in the case of brief quotations embodied in critical articles and reviews.

First Printing, 2025

[email protected]

ORCID: https://orcid.org/0009-0004-8629-830X

LinkedIn: https://www.linkedin.com/in/azharulhaquesario/

Disclaimer: This book is free from AI use. The cover was designed in Microsoft PowerPoint.

Disclaimer: This book, "Internal Audit Engagement: CIA Certified Internal Auditor," is an independent publication. The author and publisher are not affiliated with, sponsored by, or endorsed by The Institute of Internal Auditors, Inc. (The IIA). The IIA is the sole owner of the Certified Internal Auditor® (CIA®) and other trademarks. This study guide is independently produced and is intended for educational and review purposes only. All trademarks are used for identification purposes only under the doctrine of nominative fair use.

Contents

Copyright

Section A. Engagement Planning (50%)

Determine engagement objectives and scope

Determine evaluation criteria based on relevant information gathered

Plan the engagement to assess key risks and controls

Determine the appropriate approach for an engagement

Complete a detailed risk assessment of each activity under review

Determine engagement procedures and prepare the engagement work program

Determine the level of resources and skills needed for the engagement

Section B. Information Gathering, Analysis, and Evaluation (40%)

Section C. Engagement Supervision and Communication (10%)

About Author

Section A. Engagement Planning (50%)

Determine engagement objectives and scope

Part A: Applying Topical Requirements in Engagement Planning

When we, as audit, risk, or finance professionals, begin to plan an engagement, we aren't starting with a blank piece of paper. We're stepping into a world that already has rules. Think of "Topical Requirements" as the specific, non-negotiable rules of the road for the area we are about to examine. They are the laws, regulations, industry standards, and critical policies that govern the topic of our engagement.

Recognizing how to apply these requirements is the difference between a high-value, relevant engagement and a superficial exercise that misses the point. If we are auditing the company's new data privacy initiative, the "topic" is data privacy. The "topical requirements" would therefore be regulations like the GDPR in Europe or the CCPA in California. These aren't suggestions; they are the benchmark for success or failure.

So, how do we practically apply them when building our objectives and scope?

First, we must identify them. This is an act of due diligence. We can't just guess. This step involves research and inquiry. We talk to the company's legal counsel. We meet with the compliance department. We read the latest regulatory updates from industry bodies. If we are looking at a bank's lending practices, we need to know the specific requirements of the Equal Credit Opportunity Act (ECOA) or the Truth in Lending Act (TILA). We list these requirements out. They form the primary "criteria" against which we will audit.

Once identified, the next step is to understand their impact. Not all requirements are created equal. A violation of one requirement might result in a minor internal penalty. A violation of another—say, an anti-money laundering (AML) regulation—could result in massive government fines, loss of a banking license, and severe reputational damage. We have to perform a micro-risk assessment on the requirements themselves. Which ones represent the greatest risk to the organization if they fail?

This risk assessment directly shapes our engagement objective. The objective must explicitly reference these critical requirements.

Let's look at a weak objective versus a strong one.

A weak objective might be: "To review the new customer onboarding process."

This is vague. What does "review" mean? What are we looking for?

A strong objective, built by applying topical requirements, would sound like this: "To provide assurance that the customer onboarding process, as redesigned in Q3, is in full compliance with the 'Know Your Customer' (KYC) provisions of the Bank Secrecy Act (BSA) and the bank's internal AML policy."

See the difference? This objective is sharp. It's measurable. It tells everyone—the audit team, management, and the board—exactly what we are testing and why it matters. The topical requirements (BSA, AML policy) are baked directly into the objective statement.

Now, let's talk about scope. The objectives define "what" we want to achieve. The scope defines "how much" and "where" we will look. The topical requirements are the single most important factor in defining a responsible scope.

If our objective is to audit for GDPR compliance, our scope cannot be limited to one office in one country. The GDPR's requirements on data sovereignty and cross-border data transfer force our scope to be global. We must look at how data flows between the EU and the US, or between the EU and data centers in Asia. The requirement itself dictates the boundaries of our work.

Similarly, the requirements define the nature and depth of our testing. A simple internal policy might only require us to interview people and confirm they've read it. A complex financial regulation like Sarbanes-Oxley (SOX) Section 404 is a topical requirement that demands deep, substantive testing. We can't just ask, "Do you perform this control?" We must select a sample of transactions and prove the control was performed effectively, over and over again. The requirement sets the level of evidence we need to obtain.

Applying these requirements also protects the audit function. Management in a business unit might ask for a "quick, high-level review" of their new trading platform. But if our initial research shows that this platform is subject to specific SEC and FINRA regulations (the topical requirements), we must professionally push back. We must explain that a "quick review" is not possible. The requirements demand a more thorough engagement to provide any meaningful assurance. Our scope must be sufficient to answer the question, "Are we compliant with the law?" We cannot, and should not, agree to a scope so limited that it prevents us from testing the most critical requirements.

In essence, topical requirements are our anchor. They ground our engagement in reality. They move our work from the realm of opinion ("I think this process looks okay") to the realm of fact ("This process is non-compliant with regulation X, and here is the evidence"). By identifying, risk-assessing, and embedding these requirements directly into our objectives and scope, we ensure our work is relevant, credible, and provides the exact level of assurance the organization needs to manage its most significant compliance and regulatory risks.

Part B: Elements Considered in Developing Engagement Objectives

Crafting the right engagement objective is an art and a science. It's where we, as assurance and advisory professionals, demonstrate our true understanding of the business. An objective is our mission statement for a specific project. It defines our "why." To get it right, we have to synthesize information from many different sources. The topical requirements we just discussed are the foundation, but they are only one piece of the puzzle. A truly effective objective is shaped by a whole constellation of elements.

Let’s walk through the key elements we must consider, beyond just the regulations.

1. The Organization’s Strategy and Objectives

This is the big one, and it's what separates a modern, value-adding internal audit function from an old-school, "green-eyeshade" compliance checker. We must ask: What is the company trying to achieve? Is the strategy to be a low-cost provider? Is it to innovate rapidly? Is it to expand into new global markets?

Our audit objectives should align with this strategy. If the company's core strategy is "rapid international expansion," a high-value audit objective wouldn't be "to check T&E expense reports for minor policy violations." A much better objective would be: "To assess whether the company's treasury function has the necessary controls, currency hedging strategies, and cash repatriation processes in place to support the planned launch in three new countries, mitigating financial and operational risks." This objective directly connects our work to the organization's primary goal.

2. Governance, Risk Management, and Control Processes

This is our home turf. We need to evaluate the maturity of the company's own "three lines of defense."

Governance: Who is in charge? Is there a clear line of sight from the board and its committees (like the Audit Committee) down to management? If governance is weak, our objective might be to "evaluate the effectiveness of the Risk Management Committee's oversight of key strategic risks."

Risk Management (ERM): Does the company have a good process for identifying its own risks? If their Enterprise Risk Management (ERM) process is mature, our objective might be to "validate the key risks identified by management's ERM process for the supply chain." If it's immature, our objective might be to "independently identify and assess key operational risks in the supply chain" because we can't rely on their work.

Control Processes: This is the traditional "are the controls working?" part. Our objective here is often very direct: "To test the design and operating effectiveness of key automated and manual controls within the procure-to-pay (P2P) process."

3. Risk Appetite and Tolerance

This is the organization's personality. Is it a cautious, conservative utility company or a risk-seeking tech startup? This "flavor" dramatically changes our objectives.

For the conservative utility (low-risk appetite), our objective would be very traditional: "To provide assurance that all key financial controls are operating effectively and in full compliance with policy."

For the tech startup (high-risk appetite), they want to take risks to innovate. An objective focused on stamping out all risk would be useless. A better objective would be: "To assess whether the new product development process has a clear and effective framework for consciously identifying, evaluating, and accepting go-to-market risks, ensuring that decisions are made at the appropriate management level." We aren't auditing for no risk; we are auditing for well-managed risk.

4. Internal Policies

These are the company's own rulebooks. They represent management's intent. A primary function of internal audit is to provide assurance that this intent is being followed in practice. This leads to very common, but important, objectives: "To determine the level of compliance with the company's new remote work and data security policy" or "To assess whether employee expense reports comply with the corporate T&E policy."

5. Previous Audit Reports (and their findings)

We must always look back before we move forward. What did we (or other auditors) find last time? Have the issues been fixed? This is a critical source for objectives. An objective might be: "To perform a follow-up review on all 'High' priority findings from the 2024 Cybersecurity Audit to validate that management's remediation plans have been fully implemented and are effective in mitigating the original risk." This builds accountability and ensures the loop gets closed.

6. Work of Other Assurance Providers

We are not alone. The company has external auditors (like PwC, EY, etc.), perhaps a separate SOX compliance team, and state or federal regulatory examiners. We must be efficient. It is a waste of time and money to re-test the exact same thing our external auditors are already testing for their financial statement audit.

Our objective should be to leverage their work. For example: "To rely on the control testing work performed by the external auditors for key financial controls, and focus our engagement on assessing operational and efficiency risks within the financial close process." This allows us to provide broader, more holistic assurance without duplicating effort.

7. Assurance vs. Advisory Services

This is perhaps the most fundamental element to clarify before we write any objective. We wear two different hats, and the objective must state, unequivocally, which hat we are wearing.

Assurance (an "audit"): This is backward-looking. We are the independent, objective umpire. Our job is to test what has happened and give a formal opinion or rating. The language is "To assess," "To evaluate," "To determine compliance."

Advisory (a "consulting" engagement): This is forward-looking. We are a collaborative partner or coach. Our job is to help management solve a problem or improve a process. We provide recommendations, not a rating. The language is "To assist management in..." "To facilitate a risk assessment of..." "To provide recommendations for improving..."

Our objective must be clear. If management asks for help building a new process (advisory), our objective cannot be "to audit" that process. That would be a conflict. The objective would be, "To advise management on control design best practices to be embedded within the new procurement system." This clarity manages expectations and preserves our independence for future audits.

Ultimately, building the engagement objective is a process of synthesis. We take all these inputs—the strategy, the risks, the regulations, the past findings, and the type of engagement—and we combine them into a single, clear, concise mission statement. This statement becomes our guide, ensuring our work is targeted, relevant, and delivers maximum value to the organization.

Part C: Identifying and Documenting Scope Limitations During Planning

In a perfect world, an audit or assurance engagement would have no boundaries. We would have unlimited time, unlimited budget, and access to every piece of data, every system, and every person in the organization.

We do not live in that perfect world.

The reality of our work is that we are constantly balancing the ideal engagement with the practical one. A "scope limitation" is any constraint, condition, or boundary that prevents us from executing the full, ideal scope required to meet our engagement objective. Identifying and—most importantly—documenting these limitations during the planning phase is not just an administrative task. It is a core professional responsibility that protects the integrity of our work, our team, and our final opinion.

Failure to do this upfront is a critical error. If we don't state a limitation at the beginning, and then we can't get the data we need during the engagement, it doesn't look like a limitation. It looks like an audit failure.

Identifying Scope Limitations

During planning, our job is to be professional skeptics, and that includes being skeptical about our own ability to complete the work. We must proactively hunt for potential limitations. They typically fall into a few key categories:

Resource Constraints: This is the most common. We may have a great objective, but the timeline is too aggressive. The business needs an answer in three weeks, but full, deep testing would require six. Or, the budget for the engagement may not support the travel required to visit all the locations. We may also lack specialized skills, like a niche cybersecurity or data science skill, within our team.

Data and System Access: This is a major technical hurdle. The objective might be to "audit the automated controls in the new HR system." But what if the system is managed by a third-party vendor (like Workday or SAP)? The vendor's contract might prohibit third-party (i.e., our) access to the back-end. Or, the data we need might be on a legacy server that is difficult and costly to access. The data might not even be reliable, which is a limitation in itself.

Geographical or Physical Constraints: Our objective might be to review inventory controls across all major warehouses. But what if one of those warehouses is in a high-risk geopolitical region where our team cannot safely travel? What if a facility is shut down for an extended period?

Legal and Privilege Constraints: We may want to review documentation related to a specific fraud investigation or lawsuit. However, the company's General Counsel may state that those documents are protected by attorney-client privilege and will not be provided to the audit team. This is a significant limitation.

Timing and Availability: The limitation might be one of timing. Perhaps our objective is to audit a new process, but the process has been delayed and won't be in operation for another six months. Or, the key people we need to interview—the system architect, the regional director—are on extended leave.

Documenting Scope Limitations

Once we identify a potential limitation, we cannot just keep it in our back pocket. We must formally document it and, critically, get agreement on it.

This documentation must be clear, precise, and unambiguous. It becomes a non-negotiable part of our official planning documents: the Engagement Letter, the Planning Memo, or the Terms of Reference.

Good documentation has three parts:

The Limitation: A clear statement of the constraint.

Weak: "We might not have enough time."

Strong: "The engagement timeline is fixed at four weeks. This timeframe does not permit for substantive transaction testing from a statistical sample."

The Impact on Scope: What, specifically, will we not be doing as a result?

Strong (continued): "As a result, our testing will be limited to process walk-throughs and interviews with key personnel."

The Impact on the Opinion: This is the most important part. What does this mean for our final conclusion?

Strong (continued): "Therefore, our final report will provide an assessment of the design of the controls, but we will be unable to provide assurance on the operating effectiveness of those controls."

This documentation is, in essence, a contract. We are telling management and the board, "Here is the assurance we can provide, and here is the assurance we cannot provide, based on these agreed-upon constraints."

If the stakeholder—our audit sponsor, for instance—does not like this limitation, the planning phase is the time to negotiate. They may need to give us a bigger budget, a longer timeline, or use their authority to get us the access we need. But if they cannot, they must formally accept the limited scope before we begin our work. This prevents any misunderstandings later and ensures the final report is read in its proper context.

Part D: Evaluating Approaches for Managing and Documenting Stakeholder Requests

One of the signs of a relevant, respected internal audit function is that stakeholders are constantly engaging with us. This engagement often takes the form of special requests. The CEO calls with a concern. A board member reads an article about a new risk. A business unit leader asks for "a quick look" at a new process.

These requests are a double-edged sword. On one hand, they show we are trusted. On the other, if they are not managed, our carefully constructed, risk-based audit plan can be destroyed in a matter of weeks, pulling our team in a dozen different directions.

Having a formal, robust approach for managing and documenting these requests is essential for maintaining our focus, our independence, and our ability to deliver on our primary commitments to the board.

Evaluating Management Approaches

We need a system. A "drive-by" request in the hallway to a staff auditor cannot be the way we do business.

1. The "Single Front Door" Policy: This is the most effective approach. All requests—from a simple data query to a full-blown investigation—must be channeled through a single point: the Chief Audit Executive (CAE) or their designee. This prevents our teams from being pulled off their planned work by well-intentioned, but unauthorized, requests from local managers.

2. The Formal Triage Process: Once a request comes through the "front door," it must be evaluated. We can't just say yes to everything. The CAE and their leadership team must perform a triage, asking key questions:

Strategic Alignment: Does this request align with the organization's strategic risks? Or is it a low-risk, "pet project" for a specific manager?

Materiality and Urgency: Is this a potential "burning platform" (e.g., a fraud allegation, a major compliance breach)? Or is it a "nice to have" process improvement?

Resource Impact (The "Trade-Off"): This is the key question. We have a finite team. If we say "yes" to this new request, what are we saying "no" to? We must clearly identify which planned audit will be delayed, reduced in scope, or canceled.

Audit Mandate: Is this even an audit issue? Is the request truly for assurance or advisory? Or is it a management task, like "please build this process for us," which would impair our independence?

3. The "Yes, but..." and "No, but..." Responses:

"Yes, but...": This is a common and professional response. "Yes, we agree this is a critical risk. We will conduct this review. But this will require us to postpone the planned Q3 IT Audit to next year. We need your (the Audit Committee's) approval of this trade-off."

"No, but...": This is an equally important response. "No, we cannot take on this review right now, as it would jeopardize our ability to complete our high-priority SOX and compliance audits. But we have formally logged it, and we will include it as a high-priority item for consideration in next year's annual audit plan."

Evaluating Documentation Approaches

Documentation is our "book of record." It provides a clear audit trail of our decisions and demonstrates to the board that we are responsive, yet disciplined.

The Stakeholder Request Log: This is the central tool. It should be a formal log (in a spreadsheet, database, or audit management software) that tracks every single request we receive, even the ones we say "no" to.

Key Log Elements: This log should capture:

Date of request.

Requesting stakeholder (who asked).

A detailed description of the request (what they want).

Our triage analysis (our assessment of its risk, alignment, etc.).

The final disposition ("Accepted," "Declined," "Deferred").

The rationale for the decision.

If "Accepted," a note on the impact (e.g., "Replaced planned 'Procure-to-Pay' audit").

This log is not just an admin file. It is a strategic tool. At the end of the year, the CAE can present a summary of this log to the Audit Committee. This summary demonstrates how responsive the audit function has been. It also powerfully justifies the need for more resources. "We received 45 special requests this year. We were only able to accommodate 10. The other 35 represent a significant backlog of unaddressed risk. To address this, we are requesting two additional full-time positions in our budget."

Part E: Identifying Effective Methods for Addressing Changes in Objectives and Scope

The one guarantee in our profession is change. An audit plan is a snapshot in time, based on the risks we knew at that moment. But the business environment is dynamic. A competitor is breached. A new, major regulation is announced. A major fraud is uncovered internally. A global pandemic happens.

Our ability to effectively address these changes to our objectives and scope is what makes us an agile and relevant assurance function. A rigid plan that cannot adapt is useless.

The key is to have methods that allow for agile execution without creating chaos.

1. The Formal Change Control Process

This is the most critical method for assurance work. We cannot and should not be changing our objectives or scope on a whim. We need a process.

The Trigger: A change is triggered by a specific event. This could be a stakeholder request (as discussed above), a new business strategy, a major external event, or—very commonly—new information uncovered during our own audit fieldwork. We start pulling a thread on a simple test, and a massive problem begins to unravel.

The Change Request: The audit team leader must formally document this. "We planned to audit IT access controls. We have found evidence of widespread, systemic failures. We request to change the objective from 'a compliance review' to 'a full-scale fraud and data-loss investigation'."

The Impact Assessment: This is the "thinking" step. The audit leadership must assess the impact of this change.

What new skills do we need right now? (e.g., forensics).

What is the new timeline?

What original objective are we now abandoning?

What is the new, unmitigated risk from the work we are stopping?

2. The Re-Communication and Re-Approval Loop

This is the non-negotiable part. A change is not a change until it is communicated and approved.

Communicate Up: The CAE must immediately take the proposed change and impact assessment to the primary stakeholders, which is almost always the Audit Committee and senior management.

The "No Surprises" Rule: The Audit Committee chair should never be surprised in a meeting. This communication must happen in real-time. "We are formally pausing the three audits we told you we were doing, and here is why. We are pivoting our entire team to this emerging cybersecurity threat. Here is our new plan."

Get Formal Approval: The same authority that approved the original audit plan must approve the material change to that plan. This is often done via a formal memo and approval at the next quarterly Audit Committee meeting. This approval is documented in the committee minutes, giving the audit function the top-cover it needs to pursue the new objective.

3. The "Scope Deferral" Method

Sometimes, the change isn't an add, it's a subtraction. We may find that the business unit we planned to audit has been completely reorganized, or the system we were going to test has been delayed by six months.

We can't audit something that doesn't exist.

The effective method here is to formally document a "Scope Deferral."

We issue a memo stating: "The planned Q3 audit of the 'New ERP System' is formally deferred to Q1 of next year, pending its successful implementation."

This frees up that planned resource time. This time can then be used to pull a high-priority audit from next year's plan into this year, or to address a lower-priority stakeholder request that was previously in the backlog. This creates valuable flexibility.

4. The Agile/Sprint-Based Approach (for Advisory Work)

When we are in an advisory (consulting) role, our methods can be more fluid. We are not providing a final, formal opinion. We are a partner helping management solve a problem.

For these engagements, we can use an "agile" methodology.

We define the overall objective (e.g., "To assist management in designing controls for the new T&E system").

But, we execute the work in two-week "sprints."