CIA Engagement Planning: Objectives, Scope & Criteria
Engagement Planning
Engagement planning is the process by which internal auditors gather information, assess and prioritise risks, establish objectives and scope, identify evaluation criteria, and create a work program, all before fieldwork begins. Governed by GIAS Principle 13, it carries 50% of the CIA Part 2 exam. This guide covers every component with exam-ready definitions, real examples, data tables, and mnemonics.
Key Takeaways
- Engagement planning is governed by GIAS Standards 13.1–13.6 (Principle 13: Plan Engagements Effectively).
- The three mandatory planning pillars (Objectives, Scope, Criteria) must be approved by the CAE before fieldwork begins.
- For assurance engagements, objectives are determined by the auditor based on risk. For advisory engagements, objectives are agreed collaboratively with stakeholders.
- Evaluation criteria are mandatory for assurance but optional for advisory (unless stakeholders request them).
- Unplanned stakeholder requests are evaluated by the CAE using the VROM framework: Value, Resources, Objectivity, Mandate.
- Scope limitations must first be escalated to management; if unresolved, they escalate to the Board.
GIAS Context: What Principle 13 Requires
GIAS Principle 13 (Plan Engagements Effectively) is the governing standard for all CIA Part 2 Engagement Planning questions. It contains six numbered standards (13.1–13.6) that collectively define what auditors must do before they can execute any engagement. Understanding this hierarchy is the foundation of the 50% Engagement Planning section. For a full picture of how this fits into the updated exam, read our recent post on CIA Part 2 Syllabus Changes 2026.
| GIAS Standard | Requirement | CIA Section Tested |
|---|---|---|
| 13.1 | Communicate with appropriate stakeholders before planning begins | 2114 (Stakeholder requests) |
| 13.2 | Conduct a preliminary risk assessment of the activity under review | 2150 (Detailed risk assessment) |
| 13.3 | Establish engagement objectives and scope; apply Topical Requirements where relevant | 2110–2115 |
| 13.4 | Identify evaluation criteria to assess the activity under review | 2120–2122 |
| 13.5 | Determine appropriate resources and skills for the engagement | 2170–2174 |
| 13.6 | Develop an engagement work program | 2160–2165 |
Engagement Objectives: Definition, Requirements & What NOT to Consider
Engagement objectives are statements articulating the purpose of an engagement and describing the specific goals to be achieved. They are the "why" of every audit. The CIA exam tests not just the definition, but three nuanced aspects: who sets them, what must be included, and, critically, what must be excluded.
What Must Be Included
| Requirement | Explanation | Source |
|---|---|---|
| Risk-based purpose statement | Developed from the preliminary and detailed risk assessments; describes what the engagement is designed to assess or achieve | GIAS 13.3 |
| Mandated goals | Any objectives required by laws, regulations, or the audit charter must be explicitly included | GIAS 13.3 |
| Topical Requirement applicability | If an IIA Topical Requirement applies (e.g., Cybersecurity), its requirements must be reflected in the objectives | Section 2111 |
Who Is Responsible?
- Internal auditors and supervisors develop and refine objectives during planning.
- The Chief Audit Executive (CAE) holds ultimate responsibility for approving the final objectives, and any changes made during the engagement.
Assurance vs Advisory Objectives
| Engagement Type | Who Determines Objectives? | Basis | Example Objective |
|---|---|---|---|
| Assurance | Internal auditor, based on risk assessment | Risk-driven; auditor has independence to define scope | "Assess whether payroll controls are designed and operating effectively to prevent ghost employees." |
| Advisory | Collaboratively agreed with the requesting stakeholder | Stakeholder-driven; no formal assurance opinion issued | "Provide recommendations on control design for the new ERP implementation before go-live." |
What NOT to Consider
- The qualifications or preferences of the audit staff assigned
- The preferences of the auditee (unless risk-justified)
- The intended audience of the final audit report
Engagement Scope: Boundaries, Elements, Limitations & the ALPS-T Mnemonic
The engagement scope establishes the boundaries of the audit, defining exactly what will be examined and to what extent. The scope must be broad enough to achieve the engagement objectives. The CAE must formally approve the scope and any subsequent changes.
Scope Elements: The ALPS-T Mnemonic
| Letter | Element | Definition | Example |
|---|---|---|---|
| A | Activities | Specific functions or tasks to be examined | Payroll processing, invoice approval |
| L | Locations | Physical or organisational sites included | Head office, regional branches, third-party warehouses |
| P | Processes & Systems | Workflows and IT platforms under review | Procurement-to-payment cycle, ERP modules, CRM |
| S | Subsidiaries & Components | Departments, business units, or legal entities included | Finance division, APAC subsidiary, shared services centre |
| T | Time Period | The transaction or activity timeframe to be examined | 1 January 2025 – 31 December 2025 |
Scope Limitations: The Escalation Protocol
- Step 1: Identify the limitation and attempt to resolve it with management.
- Step 2: If unresolved, escalate to the Board or Audit Committee.
- Step 3: Document and disclose the limitation in the engagement communication. If objectives cannot be achieved, the CAE should consider whether the engagement should proceed.
Evaluation Criteria: Types, Adequacy Standards & the SPRAC Mnemonic
Evaluation criteria are benchmarks, the "specifications of the desired state", used to assess whether processes, controls, and systems are performing as required. Identifying relevant criteria is mandatory for assurance engagements (GIAS 13.4) and optional for advisory services unless agreed with stakeholders. Without clear criteria, the auditor has no basis for forming a conclusion.
Three Types of Evaluation Criteria
| Type | Definition | Examples |
|---|---|---|
| Internal | Organisational policies, procedures, and management expectations | Delegation of authority policy, IT access control policy, procurement manual |
| External | Laws, regulations, and contractual obligations imposed externally | GDPR, Sarbanes-Oxley (SOX), PCI DSS, lease contract terms |
| Leading Practice | Industry standards and professional guidelines, even if not legally mandated | ISO 27001, COSO 2013, NIST CSF, IIA GIAS |
Adequate Criteria: The SPRAC Mnemonic
| Letter | Quality | What It Means in Practice |
|---|---|---|
| S | Specific | Clearly defined, e.g. "invoices approved within 5 business days" rather than "approved promptly" |
| P | Practical | Measurable and realistic given the organisation's size and available data |
| R | Relevant | Directly related to the risk or process being assessed, not generic benchmarks |
| A | Aligned | Consistent with the organisation's strategic objectives |
| C | Comparable | Produces reliable comparisons over time and across similar organisational units |
Stakeholder Requests: Unplanned Engagements & the VROM Evaluation Framework
The audit plan must be dynamic, updated in response to changes in the organisation's business, risks, or regulatory environment. Stakeholder requests for unplanned engagements are a key trigger. The CAE evaluates every request before committing resources.
Common Triggers for Unplanned Requests
- Regulatory mandates or new compliance requirements
- Fraud allegations or whistleblower complaints
- Leadership changes (mergers, new C-suite, restructuring)
- System failures or new ERP/technology implementations
- Significant operational incidents (supply chain disruption, data breach)
The VROM Evaluation Framework
| Letter | Criterion | Key Question the CAE Must Answer |
|---|---|---|
| V | Value | Will this produce measurable improvement in risk, control, or governance? |
| R | Resources | Do we have the staff, time, tools, and budget to execute this adequately? |
| O | Objectivity | Can independence and objectivity be maintained, or does this request create a conflict? |
| M | Mandate | Is this request within the audit charter and the internal audit function's mandate? |
Documenting Stakeholder Requests
- Audit request logs (formal, date-stamped tracking)
- Meeting minutes (with attendees, decisions, and assigned actions)
- Email correspondence (retained as evidence of request and CAE response)
Assurance vs Advisory: Two Worked Planning Examples
The CIA exam frequently presents planning scenarios asking whether the situation is assurance or advisory, and how planning should differ. The following two examples use official IIA terminology and cover the full planning cycle. Understanding both types also supports your study of CIA Part 2 study methodology.
Example 1 (Assurance): Procurement Controls Review
Scenario: Procurement is flagged as high-risk in the annual risk assessment. No management request has been made; the audit team initiates the engagement.
| Planning Element | Example 1 Detail |
|---|---|
| Objectives | Determine whether controls over the procurement-to-payment cycle are designed and operating effectively to prevent unauthorised purchases and duplicate payments. (Set by the auditor; risk-driven.) |
| Scope (ALPS-T) | A: Purchase requisition, PO creation, GRN, invoice processing, payment approval. L: Head office and two regional distribution centres. P/S: SAP MM module; three-way match process. S: Finance and Procurement departments. T: 1 January – 31 December 2025. |
| Criteria | Internal: Delegation of Authority Policy. External: COSO 2013; SOX §302/404. Leading Practice: COBIT 2019 APO12. |
| Criteria Mandatory? | Yes: assurance engagement (GIAS 13.4). |
Example 2 (Advisory): New ERP Pre-Implementation Review
Scenario: The CFO requests internal audit review the control design plans for a new ERP before go-live. No formal assurance opinion will be issued.
| Planning Element | Example 2 Detail |
|---|---|
| Objectives | Provide recommendations to strengthen access control and data migration design before go-live. (Agreed collaboratively with the CFO.) |
| Scope (ALPS-T) | A: User access provisioning, role design, data migration controls, parallel testing. L: IT department and Finance. P/S: Cloud-hosted ERP; legacy data migration scripts. S: IT, Finance, HR (modules in scope). T: Pre-go-live phase, January to March 2026. |
| Criteria | Optional, but agreed with the CFO: ISO/IEC 27001:2022 (access management) and vendor control design guidelines. |
| Criteria Mandatory? | Not by default: advisory engagement. No formal opinion issued. |
All 4 Mnemonics in One Place: Your CIA Part 2 Planning Quick-Reference
In a 120-minute, 100-question exam, mnemonics are speed tools. Commit these four and you can reconstruct the entire planning framework from scratch under pressure.
| Mnemonic | Stands For | What It Covers | Memory Hook |
|---|---|---|---|
| OSC | Objectives · Scope · Criteria | Three mandatory pillars of GIAS 13.3 and 13.4 | The Oscars: every great engagement wins in all three categories |
| ALPS-T | Activities · Locations · Processes/Systems · Subsidiaries · Time Period | Five elements required when defining scope | Climbing the Alps: map every element of the terrain before you set off |
| SPRAC | Specific · Practical · Relevant · Aligned · Comparable | Five qualities of adequate evaluation criteria | A SPRAC is your audit measuring stick; if any quality fails, conclusions won't hold |
| VROM | Value · Resources · Objectivity · Mandate | CAE evaluation gate for unplanned stakeholder requests | The engine's vroom: check all four before driving into the engagement |
Common CIA Part 2 Exam Traps in Engagement Planning Questions
These are the most frequently tested misconceptions; each is a common wrong-answer trap. For more on how these traps appear at exam difficulty level, see our guide on common CIA exam failure patterns.
| Trap | What Candidates Get Wrong | Correct Principle |
|---|---|---|
| Objectives based on auditee preference | Auditor adjusts objectives to match what the auditee wants | Objectives are risk-driven, not auditee-driven (unless risk-justified) |
| Advisory = never any criteria | Assuming advisory engagements never use evaluation criteria | Criteria may be used if agreed with the stakeholder |
| Scope change without CAE approval | Auditor narrows scope due to time pressure without escalating | All scope changes require CAE approval |
| Scope limitation resolved by omission | Auditor excludes inaccessible records and proceeds without disclosure | Escalate to management, then to the Board; always document and disclose |
| Auto-accepting senior requests | Treating all requests from senior leadership as pre-approved | All requests must pass VROM before the CAE commits resources |
| Single-type criteria only | Applying only an industry standard without checking internal policy alignment | Criteria should combine internal, external, and leading practice, all SPRAC-adequate |
Sharpen exam-day execution with our CIA exam day strategy guide and calibrate your MCQ volume with our CIA MCQ practice targets guide.
Why Surgent CIA Review via Eduyush Is the Best Tool for Working Professionals
Engagement planning, with its layered standards, scenario-based questions, and four sub-frameworks, is precisely where generic study approaches break down. Surgent CIA Review, available via Eduyush, is built for candidates who cannot afford to waste study time. Its AI-driven adaptive engine identifies your weakest planning sub-topics and serves targeted MCQs with referenced explanations, closing actual gaps rather than re-reading content you already know.
| Feature | Why It Matters for Working Professionals |
|---|---|
| AI-Adaptive MCQ Engine | Automatically weights more questions toward your weakest sub-sections, so no time is wasted on topics you have already mastered |
| GIAS 2026-Aligned Questions | Every question maps to a specific GIAS Standard, so you know exactly which standard each scenario tests |
| Reference Guide Linked to MCQs | Wrong answer? The platform links you directly to the relevant planning section, not a 400-page textbook |
| Flexible Daily Study Plans | Generates a schedule based on your exam date and weekly hours, ideal for 30–60 min study sessions around work |
| Short-Form Video Walkthroughs | VROM, ALPS-T, assurance vs advisory, explained with worked examples in concise video format |
Not sure which part to sit first? Read which CIA part to take first or follow our complete CIA study plan for 2026.
Frequently Asked Questions
Q: What is the difference between engagement objectives and scope?
A: Objectives define the why: the purpose and specific goals. Scope defines the what and where: the boundaries of what will be examined, including activities, locations, processes, systems, subsidiaries, and time period (ALPS-T). Objectives drive the scope; the scope must be broad enough to achieve the objectives. Both require CAE approval before fieldwork begins.
Q: Are evaluation criteria required for advisory engagements?
A: No. Evaluation criteria are mandatory only for assurance engagements (GIAS 13.4). For advisory engagements, they are optional unless stakeholders have specifically agreed to use them. When used in an advisory context, they must still meet the SPRAC quality standards: Specific, Practical, Relevant, Aligned, and Comparable.
Q: What should an auditor do when they encounter a scope limitation?
A: Follow the GIAS escalation protocol: (1) attempt to resolve with management; (2) if unresolved, escalate to the Board or Audit Committee; (3) document and disclose the limitation in the engagement communication. If objectives cannot be achieved, the CAE should evaluate whether the engagement should proceed or be suspended.
Q: How does the CAE evaluate unplanned stakeholder requests?
A: Using the VROM framework: Value (does it produce measurable improvement?), Resources (is capacity available?), Objectivity (can independence be maintained?), Mandate (is it within the audit charter?). All four must be satisfied. Documentation methods include audit request logs, meeting minutes, and email records.
Q: Who approves changes to engagement scope during an active engagement?
A: The CAE must approve all changes to scope or objectives, whether the change expands or narrows the original plan. The engagement team cannot independently adjust scope due to time pressure or auditee preferences. Any unapproved adjustment is a GIAS compliance violation and a frequent wrong-answer trap in CIA Part 2 questions.
Q: How much of the CIA Part 2 exam covers engagement planning?
A: Engagement Planning carries 50% of the CIA Part 2 exam, approximately 50 out of 100 questions. It is the heaviest content area by far. Objectives and scope (Sections 2110–2115) and risk assessment (Section 2150) are the most heavily tested sub-topics. For the full syllabus breakdown, read our CIA Part 2 Syllabus Changes 2026 guide.
Vicky Sarin, Operations Manager, Eduyush | CIA & ACCA Study Specialist
Vicky leads course content and product strategy at Eduyush, specialising in CIA, ACCA, and CPA exam preparation for candidates across 20+ countries. She ensures all content is mapped to the latest IIA GIAS-aligned specifications. Connect on LinkedIn.
Last verified: Against the IIA's GIAS-aligned CIA exam content specifications. Reviewed every 6 months. Always verify at the official IIA CIA page.