⋆
IA ⋆
]]
AUI3701: The Internal Audit Process
Planning the Engagement
OCT/NOV Examination 2026 Preparation Guide
Covering Past Papers: 2023 – 2025
⋆ ⋄ ⋆ ⋄ ⋆ ⋄ ⋆ ⋄ ⋆
Internal Auditing — Department of Auditing, UNISA
Exam Revision Guide
AUI3701
Module Code:
The Internal Audit Process: Planning the En-
Module Name:
gagement
OCT/NOV 2023, OCT/NOV 2024, OCT/NOV
Papers Covered:
2025
OCT/NOV 2026
Target Exam:
100 marks (typical)
Total Marks:
2 hours
Duration:
Study for understanding, not memorisation. Apply the IIA Standards and IPPF to
every scenario.
Exam Revision Notes | AUI3701 | UNISA | 2026
,AUI3701 | Exam Revision Guide Planning the Engagement
PAPER 1: OCT/NOV 2025 EXAMINATION
The Internal Audit Process: Planning the Engagement — AUI3701
Question 1 [25 marks]
(a) [10 marks]
Question: Bluebell Health Care is a large public health-care system operating four hos-
pitals and twenty-five clinics. The organisation recently appointed a new Chief Audit
Executive (CAE). The board’s audit committee has requested that the new CAE review
and update the internal audit charter. The CAE notices that the current charter does not
contain all required elements. Discuss the essential elements that must be included
in an internal audit charter according to the IIA Standards. (10 marks)
Answer:
Key Concept
An internal audit charter is a formal written document that defines the internal
audit activity’s (IAA) purpose, authority, and responsibility within the organisation.
Standard 1000 of the IIA Standards requires the charter to be approved by senior man-
agement and the board.
The essential elements of the internal audit charter are:
1. Purpose/Mission: A clear statement of the reason for the existence of the IAA and
what it aims to achieve — providing independent, objective assurance and consulting ser-
vices.
2. Authority: The charter must grant the CAE unrestricted access to all records, personnel,
and physical properties relevant to audit work (Standard 1000.A1). This authority flows
from the board.
3. Responsibility: The scope of work and the types of engagements (assurance and consult-
ing) the IAA may undertake are defined.
Page 2 of 36
,AUI3701 | Exam Revision Guide Planning the Engagement
4. Organisational position and reporting lines: The charter specifies to whom the CAE
reports functionally (the board/audit committee) and administratively (typically the CEO).
Dual reporting supports independence.
5. Nature of assurance and consulting services: The charter distinguishes the IAA’s
assurance work from consulting engagements.
6. Independence and objectivity provisions: A statement protecting the IAA from in-
terference or undue influence.
7. Conformance with the IIA Standards: The charter must acknowledge adherence to
the International Standards for the Professional Practice of Internal Auditing.
8. Disclosure of impairment: The requirement for the CAE to disclose any impairment to
independence or objectivity to the appropriate parties.
9. Access to the audit committee: The CAE must have direct and unrestricted access to
the board/audit committee.
10. Periodic review: The charter should specify that it will be reviewed and approved peri-
odically (at least annually).
Exam Tip
Examiners award marks for each correctly named and described element. Listing the
name alone (e.g., “purpose”) is rarely sufficient — a one-sentence explanation of why it
is required earns the mark.
(b) [8 marks]
Question: The new CAE discovers that the previous CAE reported directly to the Chief
Financial Officer (CFO). The audit committee chair expresses concern about this ar-
rangement. Referring to the IIA Standards, explain organisational independence and
discuss whether the reporting structure described above threatens the independence of the
IAA.
(8 marks)
Answer:
Page 3 of 36
,AUI3701 | Exam Revision Guide Planning the Engagement
Key Concept
Organisational independence (Standard 1110) requires that the CAE report to a
level within the organisation that allows the IAA to fulfil its responsibilities without
interference. The preferred structure is functional reporting to the board (or audit
committee) and administrative reporting to the CEO.
Threat posed by reporting to the CFO:
• The CFO is responsible for financial management — a primary area of audit scrutiny. Re-
porting to the CFO creates a self-review threat: the IAA may be reluctant to report
findings that embarrass the CFO.
• It compromises independence in appearance: stakeholders and the board may reason-
ably question whether audit conclusions are free from management influence.
• Standard 1110 explicitly states that the CAE should report to a level that allows the IAA
to fulfil its responsibilities free from interference. Administrative reporting to the CFO
means budgetary and operational decisions affecting the IAA are made by a person whose
activities are subject to audit.
• The IIA Standards recommend that functional reporting go directly to the board or
audit committee, who should: approve the internal audit charter, approve the risk-based
internal audit plan, receive communications on results, and approve all decisions regarding
the CAE’s appointment and compensation.
Conclusion: The arrangement is not compliant with Standard 1110 and impairs the organ-
isational independence of the IAA. The CAE must raise this with the audit committee and
recommend restructuring so that functional reporting goes directly to the board/audit com-
mittee.
(c) [7 marks]
Question: The audit committee requests that the CAE prepare a quality assurance
and improvement programme (QAIP) for the IAA. Define a QAIP and explain
the two types of assessments that must be performed as part of the QAIP according to
Standard 1300.
(7 marks)
Page 4 of 36
,AUI3701 | Exam Revision Guide Planning the Engagement
Answer:
Key Concept
A Quality Assurance and Improvement Programme (QAIP) (Standard 1300) is
an ongoing, periodic self-assessment and external review programme designed to evalu-
ate the conformance of the IAA with the IIA Standards and the Code of Ethics, and to
evaluate the efficiency and effectiveness of the IAA in achieving its goals.
Two types of assessments:
1. Internal assessments (Standard 1311):
• Ongoing monitoring of the performance of the IAA — these are continuous, built into
the day-to-day supervision and review of audit work.
• Periodic self-assessments conducted by members of the IAA itself or other persons
within the organisation with sufficient knowledge of internal audit practices. These
provide a more structured review at regular intervals.
2. External assessments (Standard 1312):
• Conducted by a qualified, independent assessor or assessment team from outside the
organisation. The assessor must be independent and not have conflicts of interest.
• Must be performed at least once every five years by a qualified external assessor.
• The board must be involved in the selection and oversight of the external assessor.
• Results are reported to the board/audit committee.
Exam Tip
Always distinguish between the ongoing monitoring aspect of internal assessments and
the periodic self-assessment aspect. Examiners expect both sub-components of internal
assessments to be identified.
Page 5 of 36
, AUI3701 | Exam Revision Guide Planning the Engagement
Question 2 [25 marks]
(a) [12 marks]
Question: Paint Shop (Pty) Ltd is a retail paint manufacturer. The CAE is developing
the risk-based audit plan for the year. The board has asked the CAE to explain the process
followed when developing a risk-based plan of engagements. Describe the steps in de-
veloping a risk-based internal audit plan according to the IIA Standards (Standard
2010). (12 marks)
Answer:
Key Concept
Standard 2010 requires the CAE to establish a risk-based plan to determine the
priorities of the IAA, consistent with the organisation’s goals.
The steps in developing a risk-based audit plan are:
1. Consult with senior management and the board: The CAE discusses the organi-
sation’s strategic objectives, risk appetite, and concerns with senior management and the
board/audit committee. This provides a top-down risk perspective.
2. Understand the organisation and its risk universe: The CAE identifies all auditable
areas (the audit universe) — every process, function, system, and activity that could be
subject to audit. Understanding the organisation’s goals, operations, and controls is essen-
tial.
3. Conduct a risk assessment of the audit universe: Each item in the audit universe is
evaluated for risk using criteria such as:
• Likelihood of risk materialising
• Potential financial or reputational impact
• Adequacy of existing internal controls
• Time since last audit
• Results of prior audits
• Regulatory and compliance requirements
4. Prioritise engagements: Auditable areas are ranked from highest to lowest risk. Higher-
risk areas receive audit priority.
Page 6 of 36
IA ⋆
]]
AUI3701: The Internal Audit Process
Planning the Engagement
OCT/NOV Examination 2026 Preparation Guide
Covering Past Papers: 2023 – 2025
⋆ ⋄ ⋆ ⋄ ⋆ ⋄ ⋆ ⋄ ⋆
Internal Auditing — Department of Auditing, UNISA
Exam Revision Guide
AUI3701
Module Code:
The Internal Audit Process: Planning the En-
Module Name:
gagement
OCT/NOV 2023, OCT/NOV 2024, OCT/NOV
Papers Covered:
2025
OCT/NOV 2026
Target Exam:
100 marks (typical)
Total Marks:
2 hours
Duration:
Study for understanding, not memorisation. Apply the IIA Standards and IPPF to
every scenario.
Exam Revision Notes | AUI3701 | UNISA | 2026
,AUI3701 | Exam Revision Guide Planning the Engagement
PAPER 1: OCT/NOV 2025 EXAMINATION
The Internal Audit Process: Planning the Engagement — AUI3701
Question 1 [25 marks]
(a) [10 marks]
Question: Bluebell Health Care is a large public health-care system operating four hos-
pitals and twenty-five clinics. The organisation recently appointed a new Chief Audit
Executive (CAE). The board’s audit committee has requested that the new CAE review
and update the internal audit charter. The CAE notices that the current charter does not
contain all required elements. Discuss the essential elements that must be included
in an internal audit charter according to the IIA Standards. (10 marks)
Answer:
Key Concept
An internal audit charter is a formal written document that defines the internal
audit activity’s (IAA) purpose, authority, and responsibility within the organisation.
Standard 1000 of the IIA Standards requires the charter to be approved by senior man-
agement and the board.
The essential elements of the internal audit charter are:
1. Purpose/Mission: A clear statement of the reason for the existence of the IAA and
what it aims to achieve — providing independent, objective assurance and consulting ser-
vices.
2. Authority: The charter must grant the CAE unrestricted access to all records, personnel,
and physical properties relevant to audit work (Standard 1000.A1). This authority flows
from the board.
3. Responsibility: The scope of work and the types of engagements (assurance and consult-
ing) the IAA may undertake are defined.
Page 2 of 36
,AUI3701 | Exam Revision Guide Planning the Engagement
4. Organisational position and reporting lines: The charter specifies to whom the CAE
reports functionally (the board/audit committee) and administratively (typically the CEO).
Dual reporting supports independence.
5. Nature of assurance and consulting services: The charter distinguishes the IAA’s
assurance work from consulting engagements.
6. Independence and objectivity provisions: A statement protecting the IAA from in-
terference or undue influence.
7. Conformance with the IIA Standards: The charter must acknowledge adherence to
the International Standards for the Professional Practice of Internal Auditing.
8. Disclosure of impairment: The requirement for the CAE to disclose any impairment to
independence or objectivity to the appropriate parties.
9. Access to the audit committee: The CAE must have direct and unrestricted access to
the board/audit committee.
10. Periodic review: The charter should specify that it will be reviewed and approved peri-
odically (at least annually).
Exam Tip
Examiners award marks for each correctly named and described element. Listing the
name alone (e.g., “purpose”) is rarely sufficient — a one-sentence explanation of why it
is required earns the mark.
(b) [8 marks]
Question: The new CAE discovers that the previous CAE reported directly to the Chief
Financial Officer (CFO). The audit committee chair expresses concern about this ar-
rangement. Referring to the IIA Standards, explain organisational independence and
discuss whether the reporting structure described above threatens the independence of the
IAA.
(8 marks)
Answer:
Page 3 of 36
,AUI3701 | Exam Revision Guide Planning the Engagement
Key Concept
Organisational independence (Standard 1110) requires that the CAE report to a
level within the organisation that allows the IAA to fulfil its responsibilities without
interference. The preferred structure is functional reporting to the board (or audit
committee) and administrative reporting to the CEO.
Threat posed by reporting to the CFO:
• The CFO is responsible for financial management — a primary area of audit scrutiny. Re-
porting to the CFO creates a self-review threat: the IAA may be reluctant to report
findings that embarrass the CFO.
• It compromises independence in appearance: stakeholders and the board may reason-
ably question whether audit conclusions are free from management influence.
• Standard 1110 explicitly states that the CAE should report to a level that allows the IAA
to fulfil its responsibilities free from interference. Administrative reporting to the CFO
means budgetary and operational decisions affecting the IAA are made by a person whose
activities are subject to audit.
• The IIA Standards recommend that functional reporting go directly to the board or
audit committee, who should: approve the internal audit charter, approve the risk-based
internal audit plan, receive communications on results, and approve all decisions regarding
the CAE’s appointment and compensation.
Conclusion: The arrangement is not compliant with Standard 1110 and impairs the organ-
isational independence of the IAA. The CAE must raise this with the audit committee and
recommend restructuring so that functional reporting goes directly to the board/audit com-
mittee.
(c) [7 marks]
Question: The audit committee requests that the CAE prepare a quality assurance
and improvement programme (QAIP) for the IAA. Define a QAIP and explain
the two types of assessments that must be performed as part of the QAIP according to
Standard 1300.
(7 marks)
Page 4 of 36
,AUI3701 | Exam Revision Guide Planning the Engagement
Answer:
Key Concept
A Quality Assurance and Improvement Programme (QAIP) (Standard 1300) is
an ongoing, periodic self-assessment and external review programme designed to evalu-
ate the conformance of the IAA with the IIA Standards and the Code of Ethics, and to
evaluate the efficiency and effectiveness of the IAA in achieving its goals.
Two types of assessments:
1. Internal assessments (Standard 1311):
• Ongoing monitoring of the performance of the IAA — these are continuous, built into
the day-to-day supervision and review of audit work.
• Periodic self-assessments conducted by members of the IAA itself or other persons
within the organisation with sufficient knowledge of internal audit practices. These
provide a more structured review at regular intervals.
2. External assessments (Standard 1312):
• Conducted by a qualified, independent assessor or assessment team from outside the
organisation. The assessor must be independent and not have conflicts of interest.
• Must be performed at least once every five years by a qualified external assessor.
• The board must be involved in the selection and oversight of the external assessor.
• Results are reported to the board/audit committee.
Exam Tip
Always distinguish between the ongoing monitoring aspect of internal assessments and
the periodic self-assessment aspect. Examiners expect both sub-components of internal
assessments to be identified.
Page 5 of 36
, AUI3701 | Exam Revision Guide Planning the Engagement
Question 2 [25 marks]
(a) [12 marks]
Question: Paint Shop (Pty) Ltd is a retail paint manufacturer. The CAE is developing
the risk-based audit plan for the year. The board has asked the CAE to explain the process
followed when developing a risk-based plan of engagements. Describe the steps in de-
veloping a risk-based internal audit plan according to the IIA Standards (Standard
2010). (12 marks)
Answer:
Key Concept
Standard 2010 requires the CAE to establish a risk-based plan to determine the
priorities of the IAA, consistent with the organisation’s goals.
The steps in developing a risk-based audit plan are:
1. Consult with senior management and the board: The CAE discusses the organi-
sation’s strategic objectives, risk appetite, and concerns with senior management and the
board/audit committee. This provides a top-down risk perspective.
2. Understand the organisation and its risk universe: The CAE identifies all auditable
areas (the audit universe) — every process, function, system, and activity that could be
subject to audit. Understanding the organisation’s goals, operations, and controls is essen-
tial.
3. Conduct a risk assessment of the audit universe: Each item in the audit universe is
evaluated for risk using criteria such as:
• Likelihood of risk materialising
• Potential financial or reputational impact
• Adequacy of existing internal controls
• Time since last audit
• Results of prior audits
• Regulatory and compliance requirements
4. Prioritise engagements: Auditable areas are ranked from highest to lowest risk. Higher-
risk areas receive audit priority.
Page 6 of 36
