Question

According to the IIA the ‘Internal auditor should develop and record a plan for each engagement, including the scope , objectives, timing and resource allocation." The same can be said about the EA (external auditor). Compare and contrast engagement planning for the IA and EA. How does the control environment relate to engagement planning? Also what role does SOX have on the control environment and audit planning?

Answer 1

As per IIA Standard 2200 - "Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations".

The above can also be said in respect of External Auditor but there scope differs and accordingly planning is to be done accordingy.

It may be noted that IA & EA are complentary to each other but at some point both may overlap each other / confused.

IA are normally appointed by Management and scope is defined accoeindly and there is very little chance of external role on process/scope of the same.

Scope of EA is defined by the external authorities / agencies and reporting structure is also more or less defined under statutes.

IA normally do not depend on the work of EA but EA largely depends on the work/scope of IA before finalising it's scope and report.

IA do check internal processes and checks & balances followed by the companies and interacts regularly with management to enhance them. EA do check same but to see if true and fair view is not affected by these.

IA are deemed to be part of management whereas EA are deemed to be working for external stakeholders i.e. shareholders, stock exchanges, regulators etc.

IA covers all the organization's transactions but EA covers only those operations that have a contribution at the financial results and the performances of the organization and have a bearing on true and fair status.

IA normally carried out during the full year covering detailed examination of areas advised by internal management but EA is periodic depending on result declartion and requirment of regulators.

SOX reiterates the importance of ensuring that senior management should not avoid their responsibility to establish and operate an effective internal control environment. Internal audit can review, document and recommend changes in the control environment as well as evaluate whether the changes made ere effective. However, management remains accountable for performing and ensuring the effectiveness of control activities and deciding when it is essential for the control environment to be enhanced.

As per SOX, management has the added responsibility to annually evaluate, test and report on the entity’s internal control over financial reporting. The external auditors are responsible for auditing management’s assertion as to the effectiveness of this internal control and coming to their own, independent conclusions. They must evaluate management’s assessment and perform their own, independent tests of controls, including the control environment.