Domain II: Planning the Engagement

• Topic 01

  Understanding the Entity, Process, and Risk Area

  48 questions
• Topic 02

  Preliminary Survey and Risk Assessment

  43 questions
• Topic 03

  Engagement Objectives and Criteria

  28 questions
• Topic 04

  Scope of the Engagement — Inclusions and Exclusions

  35 questions
• Topic 05

  Developing the Work Programme / Audit Programme

  39 questions
• Topic 06

  Resource Allocation and Scheduling

  45 questions

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

1. During an engagement, a senior auditor discovers that a junior team member has completed several work programme steps but has not documented their procedures or findings in the working papers. What does this indicate, and what Standard is most relevant?

   • A
     A proficiency issue under Standard 1210, because a competent auditor would always document their work.
   • B
     Inadequate supervision under Standard 2340; the senior auditor should ensure working papers are completed before the engagement progresses further and review the quality of the work performed.
     Correct answer
   • C
     An ethical violation under the IIA Code of Ethics requiring immediate escalation to the audit committee.
   • D
     A breach of Standard 2240 only, because the work programme itself has not been followed correctly.
   Explanation

   Standard 2340 requires supervision to include reviewing work papers for completeness and accuracy. When a junior auditor fails to document procedures and findings, the supervising senior auditor has failed to provide timely oversight. The correct action is to immediately address the documentation gap and review the quality of the underlying work — not to proceed and leave the gap to a later QAIP review.

2. An internal audit team has been conducting an annual engagement over a manufacturing entity's health and safety compliance process for five years. The team lead proposes that the preliminary survey for this year's engagement consist only of a 30-minute update meeting with the compliance manager and a review of any new regulatory guidance. The prior year's risk assessment, scope, and work programme will be adopted unchanged. A quality reviewer challenges this approach. What is the most complete basis for the quality reviewer's concern?

   • A
     The approach may be insufficient because it relies on management's self-assessment of what has changed and does not independently verify the currency of the risk assessment, scope, or procedures; conditions in a manufacturing health and safety environment can change rapidly and the prior-year risk rating may not reflect the current profile.
     Correct answer
   • B
     The concern is limited to the unchanged work programme — a new programme must always be created even if the risk assessment is current.
   • C
     The concern is that the 30-minute meeting does not satisfy the minimum interview duration required by the IIA Implementation Guidance for Standard 2201.
   • D
     The approach is insufficient only because new regulatory guidance was not reviewed before the 30-minute meeting.
   Explanation

   An abbreviated preliminary survey that relies primarily on the auditee's self-reported update creates multiple risks: (1) the compliance manager has an interest in presenting the function favourably; (2) a 30-minute conversation may not surface material changes in personnel, processes, equipment, or incident history; (3) health and safety conditions in manufacturing can change significantly (new machinery, staff turnover, incident patterns, regulatory enforcement actions) in ways that a brief discussion may not capture; and (4) the unchanged work programme will test the prior year's risk profile, not the current one. The preliminary survey must be sufficient to independently verify that the prior year's understanding remains accurate, using multiple information sources, before planning decisions can be confirmed.

3. An engagement covers the accounts payable process for the current financial year only. During fieldwork, the auditor identifies that a pattern of fraudulent vendor payments began 18 months ago. What scope issue exists, and what action should be taken?

   • A
     The auditor should issue a preliminary finding on the current-year portion and conduct a separate engagement for the prior period.
   • B
     The scope limitation is irrelevant because findings about prior-period fraud can be inferred from current-year evidence.
   • C
     The time period dimension of scope excludes the period when the fraud began; the auditor should inform the CAE, who will determine whether to expand scope to cover the additional period, with appropriate approval and documentation.
     Correct answer
   • D
     The scope issue does not require action — the fraud is a finding that will be reported within the current year's engagement.
   Explanation

   The time period is one of the six dimensions of engagement scope. When evidence suggests that a significant risk — here, fraud — originated outside the current scope period, the auditor faces a scope adequacy question. The current scope may be insufficient to address the identified risk fully. The correct action is to inform the CAE, who must decide whether to expand scope (with additional resources, revised timeline, and documentation of the rationale), conduct a separate engagement, or accept the limitation with appropriate disclosure. The auditor cannot unilaterally expand scope — any changes require approval per Standard 2240.A1 (modifications to the work programme must be approved).