Does the internal auditor understand what an "acceptable level" of risk is, based on management's risk tolerance levels for the process?
Do the key control activities, taken individually or in the aggregate, reduce the corresponding process-level risks to acceptable levels?
Are there additional compensating controls from other processes that further reduce risks to acceptable levels?
Does it appear that the key controls, if operating effectively, will support the achievement of process-level objectives?
To the extent appropriate, does the process design address effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations, and achievement of strategic objectives?
What gaps, if any, exist to improve the effectiveness and efficiency of the process?
What specific gaps exist in the design of the process?
What are the possible outcomes or effects of those gaps?
Why do these gaps exist — that is, what are the root causes?
Key administrative tasks, such as preparation of a planning memorandum, scheduling resources, establishing milestone dates, etc.
Conducting a kick-off meeting with process-level management to discuss the objectives and scope of the engagement, process-level risks, timing of the engagement, information needed from process-level employees, reports or other deliverables, and any expectations management has of the engagement.
Planning tasks, which list each of the tasks discussed in this chapter.
Fieldwork tasks, which list the specific tests that will be conducted.
Wrap-up steps, such as clearing open review notes, conducting a closing meeting with process-level management, finalizing the workpapers, etc.
Reporting tasks, such as preparing a draft engagement communication, soliciting feedback from process-level management, and issuing a final engagement communication (covered more fully in Chapter 14, Communicating Assurance Engagement Outcomes and Performing Follow-up Procedures).