State Internal Audit Advisory Board
Internal Auditing Standards and Requirements in the State of Illinois Review Course
Based on 2017 IIA Standards

IIA Performance Standard 2200 – Engagement Planning

2200 – Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.

2201 – Planning Considerations
In planning the engagement, internal auditors must consider:

  • The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
  • The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
  • The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model.
  • The opportunities for making significant improvements to the activity’s governance, risk management, and control processes.

2201.A1 – When planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

2201.C1 – Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.

2210 – Engagement Objectives
Objectives must be established for each engagement.

2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

2210.A3 – Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.

Interpretation:
Types of criteria may include:

  • Internal (e.g. policies and procedures of the organization).
  • External (e.g. laws and regulations imposed by statutory bodies).
  • Leading practices (e.g. industry and professional guidance).

2210.C1 – Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.

2210.C2 – Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.

2220 – Engagement Scope
The established scope must be sufficient to achieve the objectives of the engagement.

2220.A1 – The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

2220.C1 – In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.

2220.C2 – During consulting engagements, internal auditors must address controls consistent with the engagement’s objectives and be alert to significant control issues.

2230 – Engagement Resource Allocation
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement. Sufficient refers to the quantity of resources needed to accomplish the engagement with due professional care.

2240 – Engagement Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.

2240.A1 – Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.

2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

SIAAB Requirements:

In accordance with the IIA’s International Professional Practice Framework (IPPF), internal auditors should consider the following when determining the appropriateness and sufficiency of resources:

  • The number and experience level of the internal audit staff;
  • Knowledge, skills, and other competencies of the internal audit staff when selecting internal auditors for the engagement;
  • Availability of external resources where additional knowledge and competencies are required; and
  • Training needs of internal auditors as each engagement assignment serves as a basis for meeting the internal audit activity’s developmental needs.

The process of collecting, analyzing, interpreting, and documenting information is to be supervised to provide reasonable assurance that engagement objectives are met and that the internal auditor’s objectivity is maintained.

From: The IIA’s International Professional Practices Framework Copyright 2017 by The Institute of Internal Auditors, Inc., 1035 Greenwood Blvd, Suite 401, Lake Mary, FL 32746. Reprinted with permission

Please close this window to return to Ability LMS to take the quiz for this lesson.