210 Work Program
You have completed your planning, including defining objectives and developing your Risk and Control Matrix (RACM). You now need to perform the audit. How do you structure your procedures, capture results, identify exceptions, and formally conclude your work?
The Work Program is where audit planning becomes execution. It provides a structured set of procedures, initially pre-defined but expandable, that guide the auditor in gathering evidence and testing controls. The auditor must tailor these procedures to align with the risks and controls identified in the RACM. Each procedure is evaluated for exceptions, which form the basis for audit findings. Once completed, the work program is formally signed off to confirm adequacy and quality.
ObjectiveTo define, execute, and document audit procedures that address identified risks and controls, ensuring sufficient and appropriate evidence is obtained to support audit conclusions.
Page positionConducting | 210 Work program can be found within 200 Work program on the Conducting page
The Work Program consists of two main tabs, namely the Procedures tab and the Guidance tab. The Procedures tab is the primary working area where audit execution takes place, while the Guidance tab provides supporting methodology and context.
Procedures tab
The Procedures tab contains a pre-defined set of audit steps structured into logical groupings, such as data collection. These include activities like reviewing policies and procedures, examining records and reports, assessing compliance documentation, conducting interviews, and performing observations.
Each procedure includes a description of the audit step and allows the auditor to record the outcome by selecting either “Exceptions” or “No exceptions.” The auditor can also add notes to document supporting evidence and observations.
To modify or expand the Work Program, the user must activate edit mode using the edit icon. This enables the addition of new procedures and the creation of new groups to better structure the audit approach based on the specific engagement requirements.
Note: Although the system provides pre-defined procedures, these are not automatically linked to risks or controls. The auditor is responsible for ensuring that all procedures are aligned to the risks and controls identified in the RACM, particularly where control effectiveness is being tested.
As procedures are performed, the auditor evaluates the results and records whether any exceptions were identified. Where no exceptions are noted, this supports the conclusion that the control or process is operating effectively. Where exceptions are identified, these indicate potential control weaknesses or deviations. These exceptions form the basis for audit findings and can be raised directly using the functionality available within the Work Program.
Once all procedures have been completed and all results have been recorded and supported, the Work Program is subject to a formal sign-off process. This includes both preparer and reviewer sign-off, confirming that the work performed is complete, accurate, and meets the required quality standards.
Guidance tab
The Guidance tab explains how the Work Program is derived from the engagement objectives, scope, and risks identified during planning. It also highlights the linkage to the RACM and reinforces alignment to the Global Internal Audit Standards. This section provides clarity on how procedures should support evidence gathering and overall audit conclusions.
Review the pre-defined procedures
Toggle Edit mode
Add or refine:
- Groups
- Procedures
Ensure all procedures align to:
- Risks
- Controls in the RACM
Execute each procedure
Record:
- Exceptions / No exceptions
- Supporting notes
Raise findings where exceptions exist
Complete:
- Preparer sign-off
- Reviewer sign-off
Important Tips
- Always align procedures to the RACM — this is not automated
- Focus on control testing, not just generic procedures
- Be specific when defining procedures — vague steps weaken audit quality
- Use notes to clearly support conclusions
- Exceptions should always be assessed for potential findings
- Do not sign off until all procedures are properly completed and supported
Upon completion of the Work Program, the auditor will have executed a structured set of audit procedures aligned to the engagement’s objectives, risks, and controls, with all results clearly documented. Exceptions will have been identified and, where necessary, converted into audit findings, ensuring that conclusions are supported by sufficient and appropriate evidence. The formal sign-off by both the preparer and reviewer confirms that the work performed meets the required quality standards and provides a reliable basis for audit reporting.