Skip to content
English
  • There are no suggestions because the search field is empty.

210 Work Program

You have completed your planning, including defining objectives and developing your Risk and Control Matrix (RACM). You now need to perform the audit. How do you structure your procedures, capture results, identify exceptions, and formally conclude your work?

The Work Program is where audit planning becomes execution. It provides a structured set of procedures, initially pre-defined but expandable, that guide the auditor in gathering evidence and testing controls. The auditor must tailor these procedures to align with the risks and controls identified in the RACM. Each procedure is evaluated for exceptions, which form the basis for audit findings. Once completed, the work program is formally signed off to confirm adequacy and quality.

Objective

To define, execute, and document audit procedures that address identified risks and controls, ensuring sufficient and appropriate evidence is obtained to support audit conclusions.

Page position

Conducting | 210 Work program can be found within 200 Work program on the Conducting page

Page content

The Work Program consists of two main tabs, namely the Procedures tab and the Guidance tab. The Procedures tab is the primary working area where audit execution takes place, while the Guidance tab provides supporting methodology and context.

Procedures tab

The Procedures tab contains a pre-defined set of audit steps structured into logical groupings, such as data collection. These include activities like reviewing policies and procedures, examining records and reports, assessing compliance documentation, conducting interviews, and performing observations.

Each procedure includes a description of the audit step and allows the auditor to record the outcome by selecting either “Exceptions” or “No exceptions.” The auditor can also add notes to document supporting evidence and observations.

To modify or expand the Work Program, the user must activate edit mode using the edit icon. This enables the addition of new procedures and the creation of new groups to better structure the audit approach based on the specific engagement requirements.

Note: Although the system provides pre-defined procedures, these are not automatically linked to risks or controls. The auditor is responsible for ensuring that all procedures are aligned to the risks and controls identified in the RACM, particularly where control effectiveness is being tested.

As procedures are performed, the auditor evaluates the results and records whether any exceptions were identified. Where no exceptions are noted, this supports the conclusion that the control or process is operating effectively. Where exceptions are identified, these indicate potential control weaknesses or deviations. These exceptions form the basis for audit findings and can be raised directly using the functionality available within the Work Program.

Once all procedures have been completed and all results have been recorded and supported, the Work Program is subject to a formal sign-off process. This includes both preparer and reviewer sign-off, confirming that the work performed is complete, accurate, and meets the required quality standards.

Guidance tab

The Guidance tab explains how the Work Program is derived from the engagement objectives, scope, and risks identified during planning. It also highlights the linkage to the RACM and reinforces alignment to the Global Internal Audit Standards. This section provides clarity on how procedures should support evidence gathering and overall audit conclusions.

How to complete

Review the pre-defined procedures

Toggle Edit mode

Add or refine:

  • Groups
  • Procedures

Ensure all procedures align to:

  • Risks
  • Controls in the RACM

Execute each procedure

Record:

  • Exceptions / No exceptions
  • Supporting notes

Raise findings where exceptions exist

Complete:

  • Preparer sign-off
  • Reviewer sign-off

Important Tips

  • Always align procedures to the RACM — this is not automated
  • Focus on control testing, not just generic procedures
  • Be specific when defining procedures — vague steps weaken audit quality
  • Use notes to clearly support conclusions
  • Exceptions should always be assessed for potential findings
  • Do not sign off until all procedures are properly completed and supported
Page outcomes

Upon completion of the Work Program, the auditor will have executed a structured set of audit procedures aligned to the engagement’s objectives, risks, and controls, with all results clearly documented. Exceptions will have been identified and, where necessary, converted into audit findings, ensuring that conclusions are supported by sufficient and appropriate evidence. The formal sign-off by both the preparer and reviewer confirms that the work performed meets the required quality standards and provides a reliable basis for audit reporting.