Stage 1 — Engagement Planning
Preliminary Survey
Before designing audit procedures, conduct a preliminary survey to understand the auditable entity: its objectives, processes, risks, controls, personnel, and recent performance history. Sources include:
- Process walkthroughs with operational management
- Review of policies, procedures, and organizational charts
- Prior audit reports and management letter points
- Regulatory reports and external audit findings
- Key performance indicators and management information reports
Defining Audit Objectives and Scope
Audit objectives define what the engagement will assess — they must be specific, measurable, and directly tied to the identified risks. Audit scope defines what is included and excluded — time period, locations, systems, and activities covered.
Designing the Audit Program
The audit program is the detailed instruction set for the fieldwork — a procedure-by-procedure specification of what will be tested, how it will be tested, the sample size, and what will constitute a satisfactory result.
| Procedure Element | Description |
|---|---|
| Procedure reference | Unique identifier linking to working paper |
| Objective addressed | Which audit objective this procedure tests |
| Risk addressed | Which specific risk this procedure mitigates |
| Test description | Specific steps to be performed |
| Sample size | Number of items to be tested and selection method |
| Expected result | What a passing result looks like |
| Auditor assigned | Who performs this procedure |
Stage 2 — Fieldwork Execution
Types of Audit Procedures
- Inquiry: Obtaining information from knowledgeable persons within or outside the entity — never the sole procedure for any significant assertion
- Observation: Witnessing a process or activity as it occurs — provides evidence for the period of observation only
- Inspection: Examining records, documents, or physical assets — provides direct evidence of what exists in written form
- Recalculation: Independently verifying the mathematical accuracy of financial records or calculations
- Reperformance: Independently executing a control procedure that was supposedly performed by the organization
- Analytical procedures: Evaluating financial or non-financial information through analysis of plausible relationships — identifying anomalies that require investigation
Working Papers — Standards and Structure
Working papers are the documented evidence of audit work performed. They must be:
- Sufficiently complete that another qualified auditor could understand what was done without speaking to the preparer
- Indexed and cross-referenced to the audit program and the audit report
- Reviewed and signed by the audit manager before findings are communicated
- Retained per the organization's document retention policy — typically 7 years minimum
Stage 3 — Communicating Findings
Audit findings must be discussed with management before the report is issued — this is both a professional requirement and a practical quality control. Management may have information that explains an apparent finding, or may accept the finding and commit to remediation. Either way, the conversation must happen before the report is finalized.
The Elements of a Well-Constructed Finding
- Condition: What the auditor found (the fact)
- Criteria: What should exist (the standard, policy, or control objective)
- Cause: Why the gap exists between condition and criteria
- Consequence: The risk or impact of the condition — why it matters
- Recommendation: What management should do to close the gap
Key Takeaway
Audit planning and execution discipline is what separates internal audit functions that find meaningful issues from those that produce predictable, low-impact reports year after year. Invest in the planning phase — a strong audit program, risk-specific procedures, and clear objectives produce findings that management cannot dismiss and boards cannot ignore.
Read: Audit Reporting →