Internal Audit Final
what circumstances could cause impairment of internal audit function independence or internal auditor objectivity? how should an identified impairment be handled?
"Impairment to organizational independence and individual objectivity may include, but isnot limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding" (Interpretationof Standard 1130: Impairment to Independence or Objectivity). "If independence orobjectivity is impaired in fact or appearance, the details of the impairment must be disclosedto appropriate parties. The nature of the disclosure will depend upon the impairment"(Standard 1130: Impairment to Independence or Objectivity).
what information should be included in an internal audit charter?
"The internal audit charter establishes the internal audit activity's position within theorganiza- tion...; authorizes access to records, personnel, and physical properties relevant tothe performance of engagements; and defines the scope of internal audit activities"(Interpretation of IIA Standard 1000: Purpose, Authority, and Responsibility). In addition to specifying the purpose, authority, andresponsi- bility of the internal audit function, the charter should take into considerationassurance and consult- ing services.
purpose of engagements:
-Part of Plan -Compliance requirement -Postmortem -significant changes
reasons for narrative memoranda:
-Simple Process -Complicated Steps -Process Owner Request -More Efficient
Which of the following statements best describes the internal audit function's responsibility for follow-up activities related to a previous engagement?a. Internal auditors should determine if corrective action has been taken and is achieving the desired results or if management has assumed the risk of not taking the corrective action.b. Internal auditors should determine if management has initiated corrective action, but they have no responsibility to determine if the action is achieving the desired results. That determination is management's responsibility.c. The CAE is responsible for scheduling follow-up activities only if directed to do so by senior management or the audit committee. Otherwise, follow-up is entirely discretionary.d. None of the above.
1. A is the best answer. Internal auditors should determine if corrective action has been takenand is achieving the desired results or if management has assumed the risk of not taking thecorrective action. Standard 2500.A1 states that the CAE must establish a follow-up process.It is not dependent on directives of either senior management or the audit committee.
Recommendations should be included in final audit communications to: Select one:a. Provide management with options for addressing audit observations b. Ensure that problems are resolved in the manner suggested by the auditorc. Minimize the amount of time required to correct audit observationsd. Guarantee that audit observations are addressed, regardless of cost
1. A is the best answer. Recommendations represent options that are available to management.Problems must be resolved in the manner deemed appropriate by management, not theinternal audit function. Providing recommendations may enable management to reduce thecosts/time of addressing audit findings, but there is no guarantee of this.
Which of the following does the CAE need to consider when determining the extent of follow up required? I. Significance of the reposrted observation II. Past experience with the manager charged with the corrective action III. Degree of effort and cost needed for the corrective action IV. The experience of the internal audit staff. A. I and III B. I, II, and III C. II, III, and IV. D. I, II, III, and IV
1. A is the best answer. The CAE should consider the significance of the observation and thedegree of effort and cost needed to implement the corrective action when determining theextent of follow-up. Neither the CAE's past experience with the manager charged with thecorrective action nor the experi- ence of the internal audit staff are relevant.
the primary reason for an internal auditor to use statistical sampling rather than non statistical sampling is to: a. allow the auditor to quantify, therefore control, the risk of making an incorrect decision based on sample evidence
1. A is the best answer. The primary benefit of statistical sampling is that it allows the internalauditor to quantify, measure, and control sampling risk. Sampling risk is the risk that theinternal auditor's conclusion based on sample testing may be different than the conclusionreached if the audit proce- dure were applied to all items in the population. 1. A secondary benefit of statistical sampling, because it requires random sampling, is that itprovides greater assurance than nonstatistical sampling that the internalauditorwillobtainasamplethatisrepresentativeofthepopulation.Aninternalauditorusingnonstatisticalsamplingmust,however,selectasamplethatisthoughttoberepresentativeofthepop-ulation,takingintoconsiderationthefactorsthataffectsamplesize.Aninternalauditormustobtaincompetentevidenceregardlessofwhetherheorsheusesstatisticalornonstatisticalsampling
what information should be included in an assurance engagement audit observation description?
1. An assurance engagement audit observation description should include the following information: ■■ ■ Criteria - Standards, measures, expectations, policy, or procedures used in making theevaluation (what should exist). ■■ ■ Condition (facts) - Factual evidence and description of controls as they exist (what is).What was found through testing. ■■ ■ Cause - What allowed or caused the condition to exist (the why). ■■ ■ Effect - Risk or exposure encountered because the condition is not consistent with thecriteria (what could go wrong, both past and possible future impact). Considers both theimpact (financial, reputational, safety, etc.) and the likelihood. ■■ ■ Compensating controls - Other controls in place to mitigate the observation. Includes monitoring. ■■ ■ Conclusion - Detailed analysis, assessment, and justification for evaluation classificationsand final conclusions. ■■ ■ Detailed recommendation - What the internal audit function recommends. Thisrecommendation must reconcile with management's solution as discussed during thepreliminary communication process. ■■ ■ Management solution - What management will do to fix the existing condition or prevent the prob- lem from happening again. ■■ ■ Observation evaluation: ▲■■ ▲■■ ▲■■ COSO category. Classification. Assessment. ■■ ■ Evaluation performed by: ▲■■ ▲■■ ▲■■ Internal audit function. Business unit management.Independent outside auditor. ■■■Workingpaperreference.
what is the difference between "negative assurance" and "positive assurance"?
1. An internal audit function is expressing negative assurance when they conclude that nothinghas come to their attention that indicates, for example, that the auditee's system of internalcontrols is inade- quately designed or is operating ineffectively. Negative assurance also isreferred to as limited assur- ance. An internal audit function is expressing positive assurance when they conclude, for example,that the auditee's control activities are designed adequately and operating effectively. Positive assurance, which also is referred to as reasonable assurance, may take different forms. For example, it may bebinary (sat- isfactory or unsatisfactory; effective or ineffective) or rated using a gradingsystem (red-yellow-green; 1-2-3-4-5). An "unsatisfactory" or "ineffective" evaluation is stillreferred to as positive assurance even though the internal auditor's conclusion is negative. Inaddition, an opinion can be qualified when the auditor wants to express an exception to his orher general conclusion. For example, the auditor might use language such as "satisfactory, withthe exception of . . ."
chapter 11 discussion question 2
1. Audit risk is the risk of reaching invalid audit conclusions and/or providing faulty advicebased on the audit work conducted. Inherent risk is the combination of internal and external risk factors in their pure,uncontrolled state, or, the gross risk that exists, assuming there are no internal controls in place. Control risk is the potential that controls will fail to reduce controllable risk to an acceptable level. Controllable risk is the portion of inherent risk that management can reduce throughday-to-day operations and management activities. Residual risk is the portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk). b. Sampling risk is the risk that the internal auditor's conclusion based on sample testing maybe different than the conclusion reached if the audit procedure was applied to all items inthe popula- tion. Sampling risk varies inversely with sample size and, accordingly, iscontrolled by the size of the sample selected. Thetwoaspectsofsamplingriskthataninternalauditorisconcernedwithwhentestingcontrolsaretheriskofassessingcontrolrisk toolowandtheriskofassessingcontrolrisk toohigh. b. The risk of assessing control risk too low (type II risk, beta risk), also known as therisk of over-reliance, is the risk that the assessed level of control risk based on thesample results is lower than the internal auditor would have found it to be if the population had beentested 100 percent. In other words, it is the risk that the internal auditor will incorrectlyconclude that a specified control is more effective than it really is. Stated another way, it is the risk thatthe internal auditor will overstate the reliance that management can place on the controlto reduce residual risk to an acceptably low level. The risk of assessing control risk too high (type I risk, alpha risk), also known as the risk ofunder- reliance, is the risk that the assessed level of control risk based on the sampleresults is higher than the internal auditor would have found if the population had been tested 100 percent. In other words, it is the risk that the internal auditor will incorrectlyconclude that a specified control is less effective than it really is. Stated another way, it is therisk that the internal auditor will understate the reliance that management can place on thecontrol to reduce residual risk to an acceptably low level.
Which of the following would not be considered a primary objective of a closing or exit conference? A. to resolve conflicts B. To identify concerns for future audit enagements C. To discuss the engagement observations and recommendations D. To identify management's actions and responses to the engagement observations and recommendations
1. B is the best answer. Identifying concerns for future engagements is not a primary objectiveof the closing conference. Resolving conflicts, discussing the engagement observations toreach agreement on the facts, and determining management's action plan and responses areall objectives of the closing conference.
who is ultimately responsible for determining that the objectives for an internal audit engagement have been met? b. The CAE
1. B is the best answer. The CAE is ultimately responsible for determining whether theobjectives of an internal audit engagement have been successfully achieved. The CAE ispivotal to a successful internal audit function. As explained by the interpretation to Standard2000: Managing the Internal Audit Activity, "the internal audit activity is effectivelymanaged when: ■■ ■ It achieves the purpose and responsibility included in the internal audit charter. ■■ ■ It conforms with the Standards. ■■ ■ Its individual members conform with the Code of Ethics and the Standards. ■■■Itconsiderstrendsandemergingissuesthatcouldimpacttheorganization
which of the following is true? b. if a control breakdown is identified through continuous auditing, it should be reported to management on a timely basis
1. B is the best answer. The purpose for continuous auditing is to identify control breakdownssooner so that management can take corrective actions. Continuous monitoring is a management responsibility and internal auditors should encourage management to utilize the results of data analytics to improve controls and processes throughout the organization
chapter 14 discussion question 5
1. Based on the information provided, students' answers should be similar to the following: a. The type of opinion the CAE gives in this situation is positive assurance because thecommuni- cation provided positively states that "internal controls over operations,financial reporting, and compliance are designed adequately and operating effectively."Negative assurance would merely state that nothing had come to the CAE's attentionthat indicates the controls are not designed adequately and operating effectively. b. The opinion presented implies that the CAE is relying on the work completed in the annualinternal audit plan, including the results of the annual risk assessment performed byexecutive management as part of their enterprise risk management process as well as therisk assessments of both the internal audit function and the organization's externalauditors. Additionally, it implies coverage of" internal controls over all three COSOcategories (operations, reporting, and compliance). TheCAEshouldtakeseveralfactorsintoconsiderationbeforetakingonthisresponsibility.Theinternalauditfunctionshouldbedesignatedwiththisresponsibilitybytheauditcommittee,notjusttheauditcommitteechair.Also,thisresponsibilityshouldbeincludedaspartoftheinternalauditfunction'scharterandadequateresourcesshouldbeallocatedtoallowtheinternalauditfunctiontodischargetheseduties.Furthermore,theCAEmustdesigntheannualinternalauditplantoensureitprovidesadequateauditcoveragetoallowfortheindependentvalidationofman-agement'sopiniononthesystemsofinternalcontrol,aswellasprovideadequateauditcoveragetoallowtheCAEtojointlyopineontheentiresystemofinternalcontrols,thatis,allthreeCOSOcat-egories.Finally,theCAEshouldtakestepstoensurethattheinternalauditfunction'sopiniongivenontheoverallsystemofinternalcontrolsisconsistentwiththeinternalauditfunction'saggregateassessmentoftheindividualareasthatcomprisetheorganization'ssystemofinternalcontrols
when and in what ways doe assurance engagement communications occur?
1. Communication is an integral part of any assurance engagement and occurs throughout theengage- ment process. Results are communicated in various ways, including memoranda,outlines, discus- sions, and draft working papers. In conjunction with concluding anengagement, final results are communicated to affected parties. This final engagementcommunication is often referred to as an"auditreport"andistheformalwayaninternalauditfunctioncommunicatestheresultsofanengagementtomanagementandotherappropriatepartiesrelyingontheengagementoutcomes
A formal enagement communication must: A. provide an opportunity for the auditee to respond B. Document the corrective actions required of senior management C. Provide a formal means by which the independent outside auditor assesses potential reliance on the internal audit function D. Report significant observations
1. D is the best answer. A formal communication must report significant observations.Documenting the auditee's response is optional. The corrective actions in a communicationare recommendations and senior management is not required to remediate observationsusing the internal audit function's rec- ommendations. Formal engagement communicationdoes not provide a means by which the indepen- dent outside auditor assesses reliance onthe internal audit function.
The primary reason for having written formal audit reports is to:a. Provide an opportunity for engagement client response.b. Document the corrective actions required of senior management.c. Provide a formal means by which the external auditor assesses potential reliance on the internal audit function.d. Record observations and recommended courses of action.
1. D is the best answer. Audit reports should present the purpose, scope, and results of anengagement. An engagement client should have an opportunity to respond before the report iswritten. Internal auditors make recommendations, they do not submit requirements. Whereappropriate, external audi- tors would review workpapers to accomplish this end.
in which phase(s) of the internal audit engagement can data analytics be used? I. planning the individual engagement II. testing effectiveness and efficiency of controls III. assessing risk to determine which areas of the organization to audit d. I, II, III
1. D is the best answer. Data analytics can be used in all phases of the audit process, althoughmany times it is used for testing the effectiveness and efficiency of controls. Internal auditdata analytics can also be used as part of continuous auditing and can be performedthroughout the year.
Internal audit reports can be structured to motivate management to correct deficienceis. Which of the following report-writing techniques is most likely to be effective? A. State the procedural inadequacies and resulting improprieties in specific terms B. Recommend changes and state the punitive measures that will follow if the recommendations are not implemented C. List the deficiences found so as to provide an easy-to-follow checklist D. Suggest practical improvements to address the identified observations
1. D is the best answer. Suggesting practical improvements to address identified observationswill most likely motivate management to correct deficiencies. The other answers, ifimplemented, are likely to make management defensive rather than motivated.
Reportable internal audit observations emerge by a process of comparing "what should be" with "what is." In determining "what should be" during an audit of a company's treasury function, which of the following would be the least desirable criterion against which to judge current operations? a. Best practices of the treasury function in relevant industries. b. Company policies and procedures delegating authority and assigning responsibilities. c. Performance standards established by senior management. d. The operations of the treasury function as documented during the last audit.
1. D is the best answer. The operations of the treasury function as documented during the lastaudit represent the "what is" condition of the function at that point in time. This would be aninappropri- ate criterion against which to judge current operations unless the internalauditor found no room for improvement in the function during the last audit and there have been no changes in thefunction since then. The other three answers represent appropriate "what should be" criteriafor the internal auditor to use in evaluating current operations.
what steps are involved in evaluating the results of an attribute sampling application?
1. Evaluating the results of an attribute sampling application involves: ■■ ■ Formulating a statistical conclusion. ■■ ■ Making an audit decision based on the quantitative sample results. ■■■Considering qualitative aspects of the sample results
what factors affect probability-proportional-to-size sample sizes?
1. Four factors affect PPS sample sizes: ■■ ■ Monetary book value of the population. ■■ ■ Risk of incorrect acceptance. ■■ ■ Tolerable misstatement. ■■■Anticipated misstatement
what are the different positions within a hierarchically structured internal audit function and what are their primary responsibilities?
1. Hierarchically structured internal audit functions often have a variety of positions, including: ■■ ■ Staff auditor or IT staff auditor. Staff auditors are responsible for performing the fieldworkon financial, operational, compliance, and information system engagements in accordancewith the established audit schedule for the purpose of determining the accuracy offinancial records, effec- tiveness of business practices, and compliance with policies,procedures, laws, and regulations. ■■ ■ Senior auditor or IT senior auditor (sometimes referred to as an in-charge auditor). Inaddition to the responsibilities listed above, senior auditors are responsible for theplanning stages of an engagement, guiding staff auditors in their fieldwork, ensuring that engagement timelinesare met, reviewing the working papers prepared by the staff auditors, assisting in thepreparation of engage- ment communications, performing the wrap-up steps of theengagement, and evaluating the staff auditors' performance. ■■ ■ Audit manager or IT audit manager. Audit managers supervise and administerengagements in accordance with the established audit schedule. Additionally, auditmanagers assist in the develop- ment and maintenance of the annual internal audit planand risk model for assigned areas, issue engagement communications, and supervisesenior auditors. ■■ ■ Audit director or IT audit director. In larger internal audit functions, audit directorpositions may exist. In addition to the responsibilities listed above, audit directors assistwith the development of the overall internal audit strategy and planning, including the presentation and review ofthe internal audit strategy, mission, charter, and plan with the audit committee and seniormanage- ment. Audit directors also supervise audit managers and are responsible forhiring and terminating internal audit associates. ■■ ■ Chief audit executive. The CAE develops, directs, organizes, monitors, plans, and administers the internal audit planand budget, as approved by the audit committee, for the purpose of determining the accuracy of financial records,effectiveness of business practices, and compliance with applica- ble policies, procedures, laws, and regulations. The CAEalso directly supervises the internal audit management team (audit directors and managers), oversees the entire internalaudit function, and approves the hiring and termination of internal auditors
what is the difference between final formal communications and final informal communications and when is each appropriate?
1. Informal communication is considered appropriate only when, during the observationevaluation and escalation process, all observations were assessed to be insignificant with nokey control activities compromised. The informal communication will cover insignificantobservations related to secondary control activities that might be compromised and will onlybe distributed to management representa- tives of the area that was the target of the audit.Formal communications are assurance engagement communications for which the intendedrecipient is senior management, the audit committee, the organization's independent outsideauditor, and/or management to whom the key individuals within the area that is the subjectof the audit report. Formal communications are indicated when the controls evaluated duringan assurance engagement are assessed to be: insignificantly compromised with key controlactivities affected, significantly compromised, or materially compromised. Every assuranceengagement, no matter if there are observations to report or not, must result in a final, formalcommu- nication for the internal audit function to fully discharge its responsibilities asoutlined in the Stan- dards.
discuss the various options for properly positioning an internal audit function within an organization and the related advantages and disadvantages for each identified option. what the primary factors an organization should consider when establishing an effective internal audit function? where should an effective internal audit function be positioned within an organization?
1. Internal audit functions can be placed on an executive and/or senior management level. Thisenables the internal audit function to better maintain independence when evaluatingmanagement's assess- ment of the organization's system of internal control and theorganization's ability to effectively achieve business objectives and manage, monitor, andmitigate risks associated with the achievement of those objectives. Another advantageassociated with placing internal auditors at this level is their ability to act as consultants oninitiatives and projects, taking advantage of the professional expertise possessed by theinternal audit function. The positioning of the internal audit function affects the degree to which it can remain objective. Being positioned on a level with senior and/or executivemanagement with direct access to the board audit committee gives the internal audit functiongreater independence and consequently greater objectivity. Board audit committeeparticipation in the selection, evaluation, and dismissal of the CAE further enhances theCAE's ability to maintain organizational independence and minimizes the possibility of seniorand/or executive management exerting undue influence on a CAE that would impact his or herability to act without bias (individual objectivity). Internal audit functions can also bepositioned lower in the organizational hierarchy. These internal audit functions are oftenasked to perform nonaudit activities such as quality assurance, compliance, operational, and/or other transaction processing activities. Organizations that continue to position the internal audit function to perform primarilyoperational and other nonaudit activities, as previously mentioned, effectively render thefunction unable to pro- vide management with an evaluation of the design adequacy andoperational effectiveness of opera- tional controls (risk management, control, and governanceprocesses) since they lack the objectivity to independently evaluate the organization'soperations and offer impartial suggestions for improvement. When deciding where to placethe internal audit function, ideally, the function will be positioned high enough within theorganization with direct access to the board audit committee to allow conformity with TheIIA's requirements and recommendations.
what two types of services do internal auditors provide? provide three examples of each type of engagement.
1. Internal auditors provide two types of services: assurance services and consultingservices. Three examples of assurance engagements: ■■ ■ Assess the design adequacy and operating effectiveness of business process controls. ■■ ■ Assess the design adequacy and operating effectiveness of information technology (IT) controls. ■■ ■ Directly assess business process performance. Three examples of consulting engagements: ■■ ■ Provide advice to process owners about how they can streamline their processes to gainoperational efficiencies. ■■ ■ Facilitate process owners' assessments of the risks threatening their processes. ■■ ■ Conduct in-house training about fundamental governance, risk management, and control concepts
what are the key advantages of PPS sampling over classical variables sampling? what are the key disadvantages?
1. Key advantages of PPS sampling over classical variables sampling: ■■ ■ Simpler calculations make PPS sampling easier to use. ■■ ■ The sample size calculation does not involve any measure of estimated population variation. ■■ ■ PPS sampling automatically results in a stratified sample because sample items are selectedin proportion to their size. ■■ ■ PPS sample selection automatically identifies any individually significant population items,that is, population items exceeding a predetermined cutoff dollar amount. ■■ ■ PPS sampling generally is more efficient (that is, requires a smaller sample size) when thepopula- tion contains zero or very few misstatements. Key disadvantages of PPS sampling over classical variables sampling: ■■ ■ Special design considerations are required when understatements or audit values of less than zero are expected. ■■ ■ Identification of understatements in the sample requires special evaluation considerations. ■■ ■ PPS sampling produces overly conservative results when errors are detected. This increasesthe risk of incorrect rejection. ■■ ■ The appropriate sample size increases quickly as the number of expected misstatements increases. When more than a few misstatements are expected, PPS sampling may be less efficient.
chapter 14 discussion question 2
1. Management makes one of two choices: either implement changes to address the observationor accept the risk associated with making no changes to the control. If changes areimplemented, the internal audit function must have a process in place to monitor and followup on agreed-upon actions to ensure management has done what they intended, and theactions appropriately addressed the observation. If management chooses to accept the risk,the Standards indicates that the CAE must make a judgment regarding the prudence of thatdecision. Furthermore, "when the chief audit executive believes that senior management hasaccepted a level of residual risk that may be unacceptable to the organization, the chief auditexecutive must discuss the matter with senior management. If the decision regarding residualrisk is not resolved, the chief audit executive must report the matter to the board for resolu-tion" (Standard 2600: Communicating the Acceptance of Risk).
chapter 14 discussion question 4
1. Many internal auditors believe a rating system is valuable as it provides a way formanagement and the audit committee to compare the results of assurance engagementsacross functional areas within an organization, as well as a means to trend audit results for aspecific area over time. Internal auditors typically spend a great deal of time reviewing anarea, and in longer reports it can be difficult for the reader to fully understand the aggregatemagnitude of the observations. A rating helps to provide that perspective. On the other hand,some internal auditors would prefer not to include ratings in engage- ment reports as theybelieve it may result in antagonistic relationships between the internal audit function and therest of the organization if they distribute communications that rate areas or processes as lessthan satisfactory.
what topics are discussed during coordination efforts between the internal audit function and the independent outside auditors?
1. Matters of mutual interest discussed during coordination efforts with independent outsideauditors include: a. Audit coverage. b. Access to each others' audit programs and workpapers. c. Exchange of audit reports and management letters. Commonunderstandingofaudittechniques,methods,andterminology
chapter 14 discussion question 3
1. Observation: Fraud has been perpetrated and covered up by a senior manager who is in aposition to circumvent controls. This observation affects COSO categories "Operations"and "Reporting." The observation is a result of both inadequate design and ineffective operation of the related controls.This operation represents a significant deficiency for the following reasons: The magnitude of afinancial statement misstatement resulting from this deficiency would reasonably be expected tobe more than inconsequential, but less than material, because the year-end adjustment was notmaterial to the company as a whole even though material to the store. As indicated inparagraph 140 of Auditing Stan- dard 2, "Identification of fraud of any magnitude on the part ofsenior management" is automatically a significant deficiency by definition. This significant deficiency must be formally communicated in
chapter 11 discussion question 4
1. PPS sampling is primarily applicable for testing recorded monetary amounts foroverstatement, especially when the expected number of individual overstatements in thepopulation is small.b. PPS sampled should be randomly selected—that is, each item in the defined populationshould have an equal opportunity of being selected. The population in a PPS samplingapplication is the population of individual monetary units contained in the particularaccount being tested. The sampling unit is the individual monetary unit. A systematicsampling approach is used to select every nth monetary unit in the population after arandom start. However, the individual mone- tary units selected are not the items of auditinterest. The items of interest are the "logical units" containing the individual monetaryunits. A logical unit might be, for example, a specific item of inventory recorded in theinventory records. Larger logical units are more apt to be selected for testing than smallerlogical units. c. The following factors affect PPS sample size: ■■ ■ The monetary book value of the population has a direct effect on sample size. ■■ ■ The risk of incorrect acceptance has an inverse effect on sample size. ■■ ■ The tolerable misstatement has an inverse effect on sample size. ■■ ■ The anticipated misstatement has a direct effect on sample size. d. Advantages of PPS sampling relative to classical variables sampling include the following: ■■ ■ Simpler calculations make PPS sampling easier to use. ■■ ■ The sample size calculation does not involve any measure of estimated population variation. ■■ ■ PPS sampling automatically results in a stratified sample because sample items areselected in proportion to their size. ■■ ■ PPS sample selection automatically identifies any individually significant populationitems, that is, population items exceeding a predetermined cutoff dollar amount. ■■ ■ PPS sampling generally is more efficient (that is, requires a smaller sample size) when the popu- lation contains zero or very few misstatements. Disadvantages of PPS sampling relative to classical variables sampling include the following: ■■ ■ Special design considerations are required when understatements or audit values less than zero are expected. ■■ ■ Identification of understatements in the sample requires special evaluation considerations. ■■ ■ PPS sampling produces overly conservative results when errors are detected. Thisincreases the risk of incorrect rejection. ■■ ■ The appropriate sample size increases quickly as the number of expected misstatementsincreases. When more than a few misstatements are expected, PPS sampling may be lesseffi- cient.
what quality characteristics should assurance engagement communication possess? what steps should internal auditors take to ensure that the communications are of high quality?
1. Standard 2420: Quality of Communications states that "communications must be accurate,objec- tive, clear, concise, constructive, complete, and timely." Implementation guidance to theStandards regarding the steps internal auditors should take to ensure communications meet thecriteria of Standard 2420 indicates that internal auditors should: 1. Gather, evaluate, and summarize data and evidence with care and precision. 2. Derive and express observations, conclusions, and recommendations without prejudice,partisan- ship, personal interests, and the undue influence of others. 3. Improve clarity by avoiding unnecessary technical language and providing all significantand relevant information in context. 4. Develop communications with the objective of making each element meaningful but succinct. 5. Adopt a useful, positive, and well-meaning content and tone that focuses on theorganization's objectives. 6. Ensure communication is consistent with the organization's style and culture. Planthetimingofthepresentationofengagementresultstoavoidunduedelay
according to the IIA, how does an internal audit function determine whether risk management processes are effective?
1. The Interpretation of Standard 2120: Risk Management states that "Determining whetherrisk man- agement processes are effective is a judgment resulting from the internal auditor'sassessment that: ■■ ■ Organizational objectives support and align with the organization's mission. ■■ ■ Significant risks are identified and assessed. ■■ ■ Appropriate risk responses are selected that align risks with the organization's risk appetite. ■■ ■ Relevant risk information is captured and communicated in a timely manner across the organiza- tion, enabling staff,management, and the board to carry out their responsibilities
many organizations implement assurance layering strategies to mitigate the risks they face to acceptable levels. one such strategy is the three lines of defense model
1. The first line of defense is management. Management owns and takes responsibility forassessing and mitigating risk and for maintaining effective internal controls. The secondline of defense is the different functions within the organization, other than the internalaudit function, that work together to assist in risk mitigation by facilitating andmonitoring the risk management efforts of the organization and communicating risk-related information. Such functions include, for example, quality assurance, corporateresponsibility, corporate security, and health and safety. b. The internal audit function, which works in partnership with management and the otherfunc- tions involved in risk mitigation, is the third line of defense. The key differencebetween this line of defense and the first two is that the internal audit function isindependent of management. c. Coordination between the three lines of defense vary among organizations. In smaller, lessreg- ulated organizations, coordination efforts can be less formal and, therefore, less costly.In larger, more heavily regulated organizations, coordination can be quite formal andinvolved. These organi- zations typically begin by creating an assurance map that identifieswhere within the organization risk mitigation coverage exists, who is providing thecoverage, what professional standards the different assurance providers adhere to, and thefrequency and timing of the assurance activities provided. The most notable external sources of assurance that organizations use to augment their internal lines of defense are theirindependent outside auditors and applicable regulators
what actions regarding assurance engagement observations must the internal audit function take after the final engagement communication is disseminated?
1. The internal audit function must have a process in place to monitor and follow up on agreed-upon actions to ensure management has done what they intended. If management chooses toaccept the risk associated with making no changes to the control activity, The IIA'sInternational Standards for the Professional Practice of Internal Auditing indicates that the CAEmust make a judgment regarding the prudence of that decision. Furthermore, "when thechief audit executive concludes that management has accepted a level of residual risk that maybe unacceptable to the organization, the chief audit exec- utive must discuss the matter withsenior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to theboard" (Standard 2600). If, on the other hand, management accepts responsibility forimplementing changes to remediate the observations, the internal audit function must monitor the progressmanagement makes relative to the remediation of the observations. Regular follow-upprocedures should ensure that agreed-upon actions are taken on schedule with the timeframe outlined in the final engage- ment communication. Ultimately, it is the CAE'sresponsibility to "establish and maintain a system to monitor the disposition of resultscommunicated to management" (Standard 2500). This system should be delineated in theinternal audit function's written policies and procedures. At a minimum, follow-up actionsshould be documented and retained in the internal audit function's working papers of the next assurance engagement relating to the area that was subject to the original audit.Addition- ally, in the case in which engagement observations were evaluated as significant ormaterial, another audit, commonly referred to as a "follow-up" engagement, is typicallyscheduled with a targeted scope to evaluate and test whether the residual risk of the targetedarea has been reduced to an acceptable level. This engagement should be planned, executed,and reported on in a manner consistent with any other assurance engagement. In terms ofcommunication, the internal audit function has the respon- sibility to communicate theoutcome of the targeted review of residual risk to the same audience that received thecommunication from the original assurance engagement that resulted in the significant ormaterial observations. Additionally, when the controls that were assessed to be significantly ormate- rially compromised in the original assurance engagement communication representinternal control over financial reporting, communication must be provided to other interestedparties as defined by reporting requirements dictated by financial reporting laws in thecountries in which the organization operates.
chapter 14 discussion question 1
1. The observation evaluation and escalation process requires the following: a. An internal audit team must make judgments as they evaluate factors affecting theobservation relative to its impact, likelihood, classification, and the way in which it affects the mitigation of risk. The internal auditors must also determine the cause of theobservation, specifically, whether the control in question is designed inadequately oroperating ineffectively. b. An individual observation, or a group of observations, is considered insignificant if thecontrol in question has a remote likelihood (slight chance) of failing or the impact of itsfailure is insignifi- cant (trivial). An individual observation, or a group of observations, isconsidered significant if the control in question has a more than remote likelihood offailing and the impact of its failure is more than insignificant (that is, significant). Anindividual observation, or a group of observations, is considered material if the control inquestion has a more than remote likelihood of failing and the impact of its failure is notonly more than insignificant, but also exceeds the financial statement materialitythreshold (or other established thresholds for materiality). c. Documentation of the conclusions reached as a result of performing the observationevaluation and escalation process is essential to evidencing that the internal auditfunction has appropriately determined how and to whom to communicate observationsindicated by the test results of the assurance engagement.
how does the purpose of statistical sampling in tests of monetary values differ from the purpose of statistical sampling in tests of controls?
1. The purpose of statistical sampling in tests of monetary values is to obtain direct evidenceabout the correctness of monetary values such as a recorded account balance. The purpose ofstatistical sampling in tests of control activities is to obtain direct evidence about theoperating effectiveness of control activities.
what steps are included in the communication phase of an assurance engagement?
1. The steps included in the communication phase of an assurance engagement are: ■■ ■ Perform observation evaluation and escalation process. ■■ ■ Conduct interim and preliminary engagement communications. ■■ ■ Develop final engagement communications. ■■ ■ Distribute formal and informal final communications. ■■ ■ Perform monitoring and follow-up procedures
what steps are included in the performance phase of an assurance engagement?
1. The steps included in the performance phase of an assurance engagement are: ■■ ■ Conduct tests to gather evidence. ■■ ■ Evaluate evidence gathered and reach conclusions. ■■■Developobservationsandformulaterecommendations
what steps are included in the planning phase of an assurance engagement?
1. The steps included in the planning phase of an assurance engagement are: ■■ ■ Determine engagement objectives and scope. ■■ ■ Understand the auditee, including auditee objectives and assertions. ■■ ■ Identify and assess risks. ■■ ■ Identify key control activities. ■■ ■ Evaluate adequacy of control design. ■■ ■ Create a test plan. ■■ ■ Develop a work program. ■■■Allocate resources to the engagement
what are the steps an internal auditor takes to assess the observations identified during an assurance engagement?
1. The steps to address an observation include: ■■ ■ Determining the Committee of Sponsoring Organizations of the Treadway Commission(COSO) category (operations, reporting, or compliance). ■■ ■ Classifying the observation in terms of assessing the applicable control as ineffectivelyoperating or inadequately designed. ■■ ■ Determining the impact and likelihood of the observation. ■■ ■ Assessing whether the observation is insignificant, significant, or material in importance.
should the CAE opine on the design adequacy and/or operating effectiveness of the system of internal controls regarding: reliability of financial reporting? effectiveness and efficiency of operations? compliance with applicable laws and regulations?
1. There is not a definitive correct answer to this question. a. A "yes" answer should emphasize the following points. The CAE is able and should opine,along with the CEO and chief financial officer (CFO), on adequate design and effectiveoperation of the system of internal controls over financial reporting, effective and efficientoperations, and compli- ance with applicable laws and regulations as part of a properlydesigned and implemented COSO- based internal audit function. However, for this to bepractical and possible, the internal audit function should be designated with thisresponsibility by the board audit committee as part of the internal audit function's charter,along with allocation of adequate resources and authorization to discharge these duties.The CAE must design an internal audit plan to provide adequate audit cov- erage to allowfor the independent validation of management's opinion on the systems of internal control,as well as provide adequate audit coverage to allow the CAE to jointly opine on the systemof internal controls. The results of both, the independent validation of management's opinion and the CAE's independent opinion, should be reported to the audit committee as part of the internal audit function's formal reporting to senior management and the board audit committee. B. A "no" answer should emphasize the following points. The CAE should not opine on the system of internal controlsbecause that is management's responsibility as owner of the controls (both ade- quate design and effective operation).Since the CAE is not an owner, he or she has no responsibility for opining on the adequate design or effective operation ofthe systems of internal control. The internal audit function's role and responsibilities should be strictly limited to anindependent eval- uation of management's opinion. To also opine on the system of internal controls implicitly requires the CAE to assume "ownership" of, or "responsibility" for, the system of internal controls, which creates an inherent conflictof interest with the independent assessment of management's opinion An additional valid point, though a weaker argument in nature, is to site the inability to opine on the system of internalcontrols due to inadequate resources or audit coverage to support providing an independent opinion
what elements do well-written observations include?
1. Well-written audit observations contain the following elements: ■■ ■ Condition — The factual evidence the internal auditor found; the "what is." ■■ ■ Criteria — The standards or expectations used in making an evaluation; the "what should be." ■■ ■ Consequences (or effects) — the real or potential adverse effects (or consequences) of thegap between the existing condition and the criteria. ■■ ■ Causes — The underlying reasons for the gap between the expected and actual condition, which lead to the adverseconsequences
what should an internal auditor do if documents pertinent to tests of controls are missing?
1. What an internal auditor should do if documents pertinent to tests of control activities aremissing will depend on the specific circumstances. ■■ ■ If the auditor cannot find a document supporting a selected sample item, the missing support docu- ment should be considered a control deviation. ■■ ■ If the auditor determines that a selected sample item has been voided and follow-upindicates that nothing is amiss, it would be appropriate to select another item for testingpurposes. ■■ ■ Opinions are mixed as to what an internal auditor should do if a selected sample item ismissing and the auditor is unable to obtain a reasonable explanation for why it ismissing. Some internal auditors believe this situation represents a control deviation.Others believe that another item should be selected for testing purposes. Regardless ofwhether the missing sample item is consid- ered a deviation from the prescribed controlor a different problem that warrants separate consid- eration, the internal auditor shoulddocument the missing item in the working papers and decide whether it is significantenough to be written up as an audit observation.
Per IIA standards, internal audit functions are required to evaluate and contribute to the improvement of their organization's governance. risk management and control processes. a. provide several examples of governance responsibilities an internal audit function can assume b. describe 1. the risk management activities that are appropriate for an internal audit function to perform and 2. the risk management activities an internal audit function should avoid c. internal audit functions are responsible for evaluating the design adequacy and operating effectiveness of controls. discuss the areas of control that fall within the scope of internal auditor's evaluation responsibilities
1. a. IIA Standard 2110: Governance requires the internal audit function to "assess andmake appro- priate recommendations to improve the organization's governanceprocesses..." The internal audit function carries out its governance responsibilitieslargely through the assurance services it provides. The internal audit charter defineswhat role the internal audit function plays in provid- ing assurance relative to thegovernance process and should reflect the expectations of the board. Examples of theinternal audit function's governance responsibilities include: ■■ ■ Evaluating whether the various risk management activities are designed adequately tomanage the risks associated with unacceptable outcomes. ■■ ■ Testing and evaluating whether the various risk management activities are operating asdesigned. ■■ ■ Determining whether the assertions made by the risk owners to senior managementregarding the effectiveness of the risk management activities accurately reflect thecurrent state of risk management effectiveness. ■■ ■ Determining whether the assertions made by senior management to the boardregarding the effectiveness of the risk management activities provide the board withthe information it desires about the current state of risk management effectiveness. ■■ ■ Evaluating whether risk tolerance information is communicated timely and effectivelyfrom the board to senior management, and from senior management to the risk owners. ■■ ■ Assessing whether there are any other risk areas that are currently not included in thegover- nance process, but should be (for example, a risk for which risk tolerance andreporting expecta- tions have not been delegated to a specific risk owner). b. Exhibit 9-5 shows a range of risk management activities that an internal audit functionmight be asked to perform, detailing which activities are appropriate and which shouldbe avoided. Core internal audit risk management activities include: ■■ ■ Giving assurance on the risk management processes. ■■ ■ Giving assurance that risks are correctly evaluated. ■■ ■ Evaluating risk management processes. ■■ ■ Evaluating the reporting of key risks. ■■ ■ Reviewing the management of key risks. Risk management activities that the internal audit function may perform, if appropriatesafeguards are applied to protect its independence and objectivity, include: ■■ ■ Facilitating identification and evaluation of risks. ■■ ■ Coaching management in responding to risk. ■■ ■ Coordinating ERM activities. ■■ ■ Consolidating reporting on risks. ■■ ■ Maintaining and developing the ERM framework. ■■ ■ Championing establishment of ERM. ■■ ■ Developing ERM strategy for board approval. Risk management activities that the internal audit function should avoid include: ■■ ■ Setting the risk appetite. ■■ ■ Imposing risk management processes. ■■ ■ Assuming management's risk management assurance role. ■■ ■ Making decisions on risk responses. ■■ ■ Implementing risk responses on management's behalf. ■■ ■ Assuming accountability for risk management. c. The internal audit function should evaluate "the adequacy and effectiveness of controls inrespond- ing to risks within the organization's governance, operations, and informationsystems regarding the: ■■ ■ Achievement of the organization's strategic objectives. ■■ ■ Reliability and integrity of financial and operational [non-financial] information. ■■ ■ Effectiveness and efficiency of operations and programs. ■■ ■ Safeguarding of assets. ■■ ■ Compliance with laws, regulations, policies, procedures, and contracts." (Standard 2130.A1)
chapter 11 discussion question 1
1. a. In statistical sampling, the internal auditor must specify, using audit judgment,appropriate quantitative values affecting sample size. The sample size is determinedmathematically based on these factors. In nonstatistical sampling, the sample size isbased strictly on the internal auditor's judgment. The internal auditor using nonstatisticalsampling should, however, consider the factors that affect sample size. b. In statistical sampling, the sample must be selected randomly. In nonstatistical sampling,the sam- ple need not be selected randomly. An internal auditor using nonstatisticalsampling must, how- ever, select a sample that is thought to be representative of thepopulation. c. In statistical sampling, the sampling results must be evaluated mathematically based onprobability theory. In nonstatistical sampling, the conclusion about the population fromwhich the sample is drawn is strictly judgmental instead of being based on probabilitytheory.
chapter 12 discussion question 2
1. a. Three potential adverse consequences of an accident at a four-way intersection: ■■ ■ Injuries to drivers, passengers, and/or pedestrians. ■■ ■ Damage to vehicles and/or property. ■■ ■ Lawsuits filed against the city. b. Three inherent risk factors that make an accident more or less probable: ■■ ■ The volume of vehicles and pedestrians at the intersection. ■■ ■ The visibility of the intersection to drivers as they approach it. ■■ ■ The speed at which vehicles are traveling as they approach the intersection. c. 1. The city could avoid the risk of an accident at a four-way intersection by building an overpass. 2. The city could reduce the risk of an accident at a four-way intersection by: ■■ ■ Installing stop signs or stop lights. ■■ ■ Posting reduced speed limit and/or warning signs. ■■ ■ Building speed bumps into the streets.
chapter 12 discussion question 5
2. . The primary purpose of assurance services is to provide independent assessments, based on an objective examination of evidence, of an organization's governance, riskmanagement, and control processes. The primary purpose of consulting services is to provide advice, based on objectiveexamination of evidence, that adds value and improves an organization's governance, risk management, and control processes. b. Consulting engagements also differ from assurance engagements in terms of nature andscope. Whereas the nature and scope of an assurance engagement are determined bythe internal audit function, the nature and scope of a consulting engagement are subjectto agreement with the engagement customer. Consulting engagements are, accordingly,much more discretionary in nature than assurance engagements. Althoughtheconsultingengagementprocessincludesthesamestepsastheassuranceengagementprocess,eachstepmaynotbenecessaryforeveryconsultingengagementandmanyofthestepsmaybeconducteddifferently.However,thethreemajorphasesoftheengagement—planning,perform-ing,andcommunicating—arethesame.
chapter 12 discussion question 3
2. The first statement is true. Determining that controls are designed adequately is necessary, butnot sufficient, for reaching a conclusion regarding their effectiveness. To reach a conclusionregarding their effectiveness, adequately designed controls must be tested to determinewhether they are operating as intended. Thesecondstatementisgenerallytrue.Ittypicallydoesnotmakesensetodeterminewhetherapoorlydesignedcontrolisoperatingasdesigned.Therearecircumstances,however,inwhichinternalauditorsgatheranddocumenterrorsthathaveoccurredasaresultofcontroldeficienciestosupporttheircon-clusionsthatcontrolsareineffective.Additionally,theremaybeinstanceswheninternalauditorswanttomeasuretheimpactofacontroldeficiency
chapter 12 discussion question 4
2. a. Expressing a conclusion known as positive (reasonable) assurance requires the strongestsupport- ing audit evidence. Internal auditors express positive assurance when they concludethat, in their opinion, the auditee's controls are designed adequately and operating effectively.Such a conclu- sion can be expressed only if the internal auditors have gathered and assessedsufficient appro- priate evidence to evaluate the design adequacy and operating effectivenessof all the key controls within the entire system of controls under audit. b. Other factors that the chief audit executive (CAE) should consider when deciding which ofthe three options is the most appropriate for a particular assurance engagement include: ■■ ■ The expectations of the audit committee and senior management, which should be reflected in the internal audit charter. For example, CEOs and chief financialofficers (CFOs) of public companies in the United States that are required under the U.S. Sarbanes-Oxley Actof 2002 to opine on the effectiveness of their companies' systems of internal controlmay want strong support from their internal audit functions. ■■ ■ The relative importance of the auditee's controls to the organization's overall system ofinternal controls. The level of assurance that an internal audit function wants toprovide for particu- lar assurance engagement typically is directly related to theimportance of the controls being assessed to the organization's overall system ofinternal controls.
audit universe
A compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks.
what are the six columns included in a completed risk and control matrix?
A completed Risk and Control Matrix includes the following six columns: ■■ ■ Process-Level Risk. ■■ ■ Key Control.■■ ■ Design Adequacy.■■ ■ Testing Approach. ■■ ■ Results of Testing. ■■ ■ Testing Conclusions.
engagement work program
A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.
work program
A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.
control self-assessment
A facilitated process whereby control owners provide a self-assessment of the design adequacy and operating effectiveness of controls for which they are responsible
if all other factors specified in a PPS sampling plan remain constant, changing the specified tolerable misstatement from $200,000 to $100,000 and changing the specified risk of incorrect acceptance from 10 percent to 5 percent would cause the required sample size to: a. increase
A is the best answer. Both the tolerable misstatement and the risk of incorrect acceptance have inverse effects on samplesize. Therefore, decreasing the tolerable misstatement and the risk of incorrect acceptance will cause the sample size toincrease
If an internal auditor's evaluation of internal control design indicates that the controls are designed adequately, the appropriate next step would be to: a. test the operating effectiveness of the controls. b. prepare a flowchart depicting the system of internal controls. c. conclude that residual risk is low d. conclude that control risk is high
A is the best answer. Determining that controls are designed adequately is necessary, but not suffi- cient, for reaching aconclusion regarding their effectiveness. To reach a conclusion regarding their effectiveness, adequately designed controlsmust be tested to determine whether they are operating as intended
comprehensive risk assessment involve analysis of both causes and effects. which of the following statements concerning the analysis of causes and effects is false? a. analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred
A is the best answer. During the planning phase of an engagement, the internal audit team focuses its attention on inherentrisk, that is, the risk to the auditee in the absence of any actions management might take to reduce or otherwise manageidentified risks. Risk assessment involves gauging both the impact of the risk (if it should occur) and the likelihood of therisk occurring. Expressing inherent risks in terms of causes and effects helps the internal auditor assess how big thepotential problem is and how likely it is to occur
organizational independence exists if the CAE reports <List A> to some other organizational level than the CEO or similar head of the organization as long as the internal audit activity <List B> without interference: a. List A: administratively; List B: controls the scope and performance of work and reporting results
A is the best answer. IIA Standard 1110 states that the CAE "must confirm to the board, at least annually, theorganizational independence of the internal audit activity." Organizational independence exists if the CAE reportsfunctionally to the board, has direct and unrestricted access to the board, reports administratively to the CEO or a similarhead of the organization, or reports administratively to some other organizational level so long as the internal auditactivity controls the scope of work, per- formance of the work, and the reporting of results without interference
internal auditors sometimes express opinions in addition to stating observations in their reports. due professional care requires that internal audit opinions be: a. based on sufficient appropriate evidence
A is the best answer. IPPF Implementation Guidance indicates that due professional care calls for the application of thecare and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Tofulfill their due professional care responsibilities, internal audi- tors must base their conclusions on sufficient appropriateevidence
If an auditor's preliminary evaluation of internal controls results in an observation that controls may be inadequate, the next step would be to:a. Expand audit work before the preparation of a final engagement communication.b. Prepare a flowchart depicting the internal control system.c. Note an exception in the engagement final communication if losses have occurred.d. Implement the desired controls.
A is the best answer. If the preliminary evaluation indicates control problems, the auditor usually decides to perform someexpanded testing. If a flowchart were necessary, the auditor would have prepared one during the preliminary evaluation.The auditor is not ready to make a report until more work has been performed. Auditors do not implement controls; that isa management function
Which of the following is not typically a key element of flowcharts or narrative memoranda? a. Overall process objectives. b. Key inputs to the process. c. Key outputs from the process. d. Key risks and controls
A is the best answer. It is important for the internal auditor to understand the overall process objec- tives, but these are not typically documented in flowcharts or narrative memoranda.
an internal auditor is testing cash disbursement transactions. internal control policies require every check request to be accompanied by an approved voucher. the voucher approval is based on a three-way matching of a purchase order, receiving report, and vendor's invoice. to determine whether checks have proper support, the internal auditor should begun her testing procedures by selecting items from the population of: a. check copies
A is the best answer. Selecting a sample of check copies and matching them with approved vouchers involves vouching,the purpose of which is to test validity. In this case, the auditor is testing the validity of cash disbursements. Checks shouldnot be issued without proper documentary support
which of the following statements best describes an internal audit function's responsibility for assurance engagement follow-up activities? a. the internal audit function should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations
A is the best answer. Standard 2500.A1 states that "The chief audit executive must establish a follow- up process tomonitor and ensure that management actions have been effectively implemented or that senior management has acceptedthe risk of not taking action
which of the following is an element of sampling risk as opposed to an element of non sampling risk? a. determining a sample size that is too small
A is the best answer. Statistical sampling allows the internal auditor to quantify, measure, and control sampling risk
which of the following best describes an auditor's responsibility after noting some indicators of fraud? a. expand activities to determine whether an investigation is warranted
A is the best answer. The auditor should first expand work to determine the existence of fraud before reporting the matterto senior management. At this point, the auditor only has suspicions of fraud given the red flags. More work should beperformed before consulting with management, external legal counsel, or the audit committee
the tasks performed during an internal audit assurance engagement should address the following questions: I. what are the reasons for the results? II. how can performance be improved? III. what results are being achieved? the chronological order in which these questions should be addressed is: a. III, I, II
A is the best answer. The first of the three tasks the internal auditor should complete is to determine the results beingachieved, that is, the "what is" condition of the business process. The next task would be to determine the reasons for, orthe causes of, the observed condition. The third task would be to determine how the performance of the process can be improved. Therecommendations for improve- ment should be directed at remedying the causes of the observed condition
senior management has requested that the internal audit function perform an operational review of the telephone marketing operation of a major division and recommend procedures and policies for improving management control over the operation. the internal audit function should: a. accept the audit engagement because independence would not be impaired
A is the best answer. This engagement would not impair the function's independence. Making rec- ommendations on thedesign or enhancement of internal control activities is a responsibility of the internal audit function. It is management'sresponsibility to implement and own controls
if all other factors specified in an attribute sampling plan remain constant, changing the expected population deviation rate from 1 percent to 2 percent and chasing the tolerable deviation rate from 7 percent to 6 percent would cause the required sample size to : a. increase
A is the best answer. Whereas the expected population deviation rate has a direct effect on sample size, the tolerabledeviation rate has an inverse effect. Therefore, increasing the expected population devia- tion rate and decreasing thetolerable deviation rate will cause the sample size to increase
Once an observation is identified by the internal auditor, it should be: a. Documented in the working papers. b. Discussed with the audit committee. c. Included in the final audit report. d. Scheduled for follow-up
A is the best answer. While each of the other answers may be outcomes from an observation, before adequate follow-up and vetting with management is completed, the only requirement is that the inter- nal auditor document the observation in the working papers.
The primary purpose of issuing an interim report during an internal audit is to: A. Provide auditee management the opportunity to act on certain observations immediately B. Set the stage for the final report C. Promptly inform auditee management and their supervisors of audit procedures performed to date D. Describe the scope of the audit
A is the best answer. While interim communication can set the stage for the final report and keep management informedof the status of the audit, the primary purpose is to provide management the opportunity to act on certain observationsimmediately. Interim communication is not intended to describe the scope of the audit
reasonable assurance
A level of assurance that is supported by generally accepted auditing procedures and judgments
key performance indicator
A metric or other form of measuring whether a process or individual tasks are operating within prescribed tolerances
PPS sampling
A modified form of attribute sampling that is used to reach conclusions regarding monetary amounts rather than rates of occurrence
what is the difference between a process-level risk scenario and a process-level risk?
A process-level risk scenario is any realistic event or situation that could make it difficult to achieve one or more process-level objectives. Each scenario can be thought of as a separate root cause impact- ing those objectives. Process-level risks represent a collection of like scenarios or root causes that have similar characteristics. The reason for grouping risk scenarios in this manner is that typically the simi- lar root causes can be managed in a comparable manner. This classification of scenarios helps simplify risk assessment and risk management
positive assurance
A rating or conclusion by the internal auditor that provides specific assurances about an engagement
negative assurance
A rating or conclusion indicating that nothing negative has come to the internal auditor's attention
there are multiple approaches a CAE can use to create an annual internal audit plan. how is a top-down, risk-based approach conducted?
A risk assessment process completed annually at the beginning of, or prior to, anorganization's fiscal year allows the CAE to align audit resources for the upcoming year withthe conclusions drawn by management during the risk assessment process. Providing the CAEwith a definitive list of audit enti- ties related to the prioritized risks allows for the creation ofan internal audit plan using a top-down, risk-based approach.
chief audit executive
A senior position within the organization responsible for internal audit activities. The term also includes titles such as general auditor, head of internal audit, chief internal auditor, internal audit director, and inspector general
classical variables sampling
A statistical sampling approach based on normal distribution theory
what purposes does a well-written work program serve?
A well-written work program specifically outlines the audit procedures required to accomplish the audit objectives. Overthe course of the engagement, internal auditors sign off on the procedures to indicate that the work has been completed.This in turn enables engagement team supervisors to review the work that has been finished and monitor the work thatremains to be done. At the end of the engagement, the completed program serves as a record of the work completed anddocuments who completed the work as well as when the work was completed
auditee assertions
After-the-fact statements of what was achieved. Reflect the level of performance achieved.
what information should be included in a well-designed final assurance engagement communication?
All final (formal and informal) communications should include the following information: the purpose and scope of theaudit, the time frame of the audit, the observations and recommendations (results) of the audit, the conclusion (opinion orrating, if applicable) of the internal audit function, and manage- ment's response (action plan) to the recommendations
what does allocating resources to the engagement involve?
Allocating resources to the engagement involves determining the audit expertise needed, estimat- ing the time it will taketo complete the engagement, assigning appropriate internal auditors to the engagement, and scheduling the work so that itis completed timely
why is it important for an internal audit function to have an effective quality assurance and improvement program? what aspects of an internal audit function should a quality program assessment cover?
An effective quality assurance and improvement program ensures that an internal audit function operates in accordancewith established professional standards. Standard 1300: Quality Assurance and Improvement Program states that "thechief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects ofthe internal audit activity." The inter- pretation for this standard explains that "a quality assurance and improvementprogram is designed to enable an evaluation of the internal audit activity's conformance with Standards and anevaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effec-tiveness of the internal audit activity and identifies opportunities for improvement.
assurance engagement
An engagement involving an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
what distinguishes a significant observation from an insignificant observation? what distinguishes a material observation from a significant deficiency?
An individual observation, or a group of observations, is considered insignificant if the control in question has a remotelikelihood (slight chance) of failing or the impact of its failure is insignificant (trivial). An individual observation, or a groupof observations, is considered significant if the control in question has a more than remote likelihood of failing and the impactof its failure is more than insignificant (that is, significant). An individual observation, or a group of observations, is consid-ered material if the control in question has a more than remote likelihood of failing and the impact of its failure is not onlymore than insignificant, but also exceeds the financial statement materiality threshold (or other established thresholds formateriality)
what information should an internal audit engagement budget include?
An internal audit engagement budget should include a reasonable estimate of the number of hours needed to complete the engagement, as well as other costs that may be required such as travel, tech- nology, and supplies
why might an internal auditor perform CAATs during the engagement planning process?
An internal auditor might perform data analysis using CAATs during the engagement planning pro- cess to obtain information about the population of transactions that could prove useful when deter- mining the internal audit approach. Obtaining information about a population during the planning phase can help the internal auditor design tests that more effectively address the inherent risks in the process
quality assurance and improvement program
An ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by the internal audit function
internal audit plan
An outline of the specific assurance and consulting engagements scheduled for a period of time (typically one year) based on an assessment of the organization's risks.
individual objectivity
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made.
chapter 13 discussion question 2
As indicated in the chapter, the internal auditor needs to approach the process as a component of the organization as a whole and, thus, certain process-level objectives can be considered strategic in nature. It is important for the internal audit function to understand which of the process objectives align directly with the organization's strategic objectives. This will make it easier to associate the process objectives with entitywide risks. Also, by viewing certain process objectives as strategic, the internal auditor will gain an appreciation for the internal customers' expectations of the process and, as a result, consider those expectations when designing the audit approach
what are the key questions that must be answered when evaluating the design adequacy of controls?
Asindicatedinthechapter,thefollowingarethekeyquestionstobeconsideredwhenevaluatingthe adequacy of process design. Does the internal auditor understand what an "acceptable level" of risk is, based on management's risk tolerance levels for the process? Do the key control activities, taken individually or in the aggregate, reduce the corresponding process-level risks to acceptable levels? Are there additional compensating controls from other processes that further reduce risks to acceptable levels? Does it appear that the key controls, if operating effectively, will support the achievement of process-level objectives? To the extent appropriate, does the process design address effectiveness and efficiency of oper- ations, reliability of financial reporting, compliance with applicable laws and regulations, and achievement of strategic objectives? What gaps, if any, exist to improve the effectiveness and efficiency of the process? 1. Whatspecificgapsexistinthedesignoftheprocess?2. What are the possible outcomes or effects of those gaps?3. Why do these gaps exist—that is, what are the root causes
design adequacy
Assessment of whether management has planned and organized the controls in a manner that provides reasonable assurance that the related risks can be managed to an acceptable level
how are internal audit assurance engagements related to senior management's assertions regarding the organizations system of internal control?
Assurance engagements, in part, evidence the internal audit function's independent assessments of how effectively theorganization's risks are mitigated. These individual assessments, when taken in the aggregate, help corroborate and supportsenior management's assertions regarding the design adequacy and operating effectiveness of the organization's overallsystem of internal controls
what is attribute sampling? what are the three variations of attribute sampling described in this chapter?
Attribute sampling is a statistical sampling approach based on binomial distribution theory that enables the user to reach aconclusion about a population in terms of a rate of occurrence. The three variations of attribute sampling described in thechapter are stratified attribute sampling, stop-or-go sampling, and discovery sampling
How is "audit sampling" defined in this chapter?
Audit sampling is the application of an audit procedure to less than 100 percent of the items in a popu- lation for thepurpose of drawing an inference about the entire population
which of the following statements does not illustrate the concept of inherent risk? b. a broken lock on a security gate allows employees to access a restricted area that they are not authorized to enter
B is the best answer. A broken lock on a security gate is an example of a control deficiency. The potential that controls will failto reduce a risk to an acceptable level is referred to as control risk, not inherent risk
which of the following is not a responsibility of the CAE? b. to oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes
B is the best answer. All are responsibilities of the CAE as defined by the Standards except for oversee- ing theestablishment, administration, and assessment of the organization's system of internal controls and risk managementprocesses, which is management's responsibility
when assessing the risk associated with an activity, an internal auditor should: b. provide assurance on the management of the risk
B is the best answer. Assurance services involve the internal auditor's objective assessment of man- agement's riskmanagement activities and the degree to which they are effective. The other choices are activities typically carried out bymanagement
which of the following activities undertaken by the internal auditor might be in conflict with the standard of independence? b. product development team leader
B is the best answer. In some circumstances, such as a product development team, the role of team leader or member mayconflict with the independence attribute of the internal audit function. The auditor can participate as a consultant to theteam but should not participate as a team leader. The risk management consultant does not conflict with the independenceof the internal audit function. To improve the ethical climate, the internal auditor should assume the role of ethicsadvocate, which therefore does not conflict with the independence of the internal audit function. External audit liaisondoes not conflict with the independence of the internal audit function as the internal and external audit functions bothshare information and work collaboratively outside the influence of management
an internal auditor selects a sample of sales invoices and matches them to shipping documents. this procedure most directly addresses which of the following assertions? b. all billed sales are for goods shipped to customers
B is the best answer. Selecting a sample of sales invoices and matching them with shipping documents involves vouching,the purpose of which is to test validity. In this case, the auditor is testing the validity of billed sales. Customers should notbe billed if goods were not shipped to them
Who has primary responsibility for providing information to the audit committee on the professional and organizational benefits of coordinating internal audit assurance and consulting activities with other assurance and consulting activities?a. The external auditor.b. The CAE.c. The CEO.d. Each assurance and consulting function.
B is the best answer. The CAE should provide the audit committee with information on the coordi- nation with andoversight of other control and monitoring functions. The responsibility for ensuring that the internal audit activity'sprofessional and organizational responsibilities maximize the benefits that can be achieved from coordination with otherassurance consulting activities lies with the CAE, according to Standard 2050. Comments on this should be reported bythe CAE to the audit committee. The CEO would not normally be responsible for planning, work, and coordinationrelated to internal audit assurance and consulting engagements or coordination with other assurance and consultingactivities. Not all other assurance and consulting activities are organizationally responsible to the audit committee for theirwork, and they may not have the opportunity to report information directly to the audit committee
Which of the following is not likely to be an assurance engagement objective? a. Evaluate the design adequacy of the payroll input process. b. Guarantee the accuracy of recorded inventory balances. c. Assess compliance with health and safety laws and regulations. d. Determine the operating effectiveness of fixed asset controls.
B is the best answer. The internal auditor does not guarantee anything. Internal audits provide only reasonable assurance. Each of the other three responses could be a way to phrase an assurance engage- ment objective
Which of the following controls is not likely to be an entity-level control? a. All employees must receive ongoing training to ensure they maintain their competence. b. All cash disbursement transactions must be approved before they are paid. c. All employees must comply with the Code of Ethics and Business Conduct. d. An organizationwide risk assessment is conducted annually.
B is the best answer. The other three are examples of entity-level controls, while B is an example of a process-level control.
a specific objective of an audit of an organization's expenditure cycle is to determine if all goods paid for have been received and charged to the correct account. this objective would address which of the following primary objectives identified in the IIA's international standards for the professional practice of internal auditing? I. reliability and integrity of financial and operational information II. compliance with laws, regulations, and contracts III. effectiveness and efficiency of operations IV. safeguarding of assets b. I, IV
B is the best answer. The specific engagement objective of determining if goods are charged to the appropriate account would address the objectives regarding the reliability and integrity of information and safeguarding of assets
when conducting a consulting engagement to improve efficiency and quality of a production process, the audit team is faced with a scope limitation because several months of the production data have been lost or are incomplete. faced with this scope limitation, the CAE should: b. discuss the problem with the customer and tougher evaluate whether the engagement should be continued
B is the best answer. When planning and performing a consulting engagement, the scope andengage- ment objectives are defined and agreed upon with the customer. As a result, the CAEshould discuss the scope limitation with the customer and together evaluate whether theengagement should con- tinue. For an assurance engagement, the scope limitation would needto be evaluated for impact on the internal audit function's ability to achieve the definedengagement objective. If it is concluded that the problem makes the assurance engagementobjectives unachievable, the engagement should be termi- nated and the scope limitationshould be communicated to both management and the audit commit- tee.
in deciding whether to schedule the purchasing or the personnel department for an audit engagement, which of the following would be the least important factor? b. the audit staff has recently added an individual with expertise in one of the areas
B is the best answer. While auditor skills should be considered in the planning process, audit needs— not auditor skillavailability—should drive engagement work schedules in a risk-based audit plan
Which of the following controls is likely to be least relevant when evaluating the design adequacy of a cash collections process? a. Calculating the amount of cash received. b. Documenting the rationale for selecting the bank account into which the deposit will be made. c. Matching the total deposits to the amounts credited to customers' accounts receivable balances. d. Segregating the preparation of deposit slips from the adjustment of customer account balances.
B is the best answer. While there may be treasury reasons to direct the deposit to certain accounts, overall this control will likely have little impact on safeguarding of assets or financial reporting objec- tives. Each of the others could be key controls.
An internal auditor determines that the process is not designed adequately to reduce the underlying risks to an acceptable level. Which of the following should the internal auditor do next? a. Write the audit report. There's no reason to test the operating effectiveness of controls that are not designed adequately. b. Test compensating controls in other (adjacent) processes to see if the impact of the design inadequacy is reduced to an acceptable level. c. Test the existing key controls anyway to prove that, despite the design inadequacy, the process is still meeting the process objectives. d. Postpone the engagement until the design inadequacy has been rectified.
Bisthebestanswer.Despitethedesigninadequacy,thereisstillapossibilitythatcompensatingcon- trols in other (adjacent) processes (either upstream or downstream) will mitigate the design inade- quacy, resulting in no need to change the process design. Note that some students may argue that such controls should be considered as part of the process. However, the scope of many engagements will not necessarily consider all upstream and downstream controls. The other three options may not be effec- tive or efficient in determining whether the process-level objectives have been achieved.
what is the relationship between business objectives and business assertions?
Business objectives indicate what the auditee is striving to achieve. Assertions are after-the-fact state- ments of what wasachieved
which of the following activities are designed to provide feedback on the effectiveness of an internal audit activity? I. proper supervision II. proper training III. internal assessments IV. external assessments c. I, III, and IV only
C is the best answer, I, III, and IV only. Quality assurance and improvement programs are designed to provide feedbackon the effectiveness of an internal audit activity. A quality assurance and improve- ment program should includesupervision, which provides day-to-day feedback. Proper training is important, but it does not provide feedback. A qualityassurance and improvement program should also include internal assessments and external assessments
An excerpt from an internal audit observation indicates that travel advances exceeded prescribed maximum amounts. Company policy provides travel funds to authorized employees for travel. Advances are not exceed 45 days of anticipated expenses. Company procedures do not require justiication for large travel advances. In this audit observation, the element of an audit finding known as "effect" is: A. Advances are not to exceed estimated expenses for 45 days. B. Travel advances exceed prescribed maximum amounts. C. Employees accumulate large, unneeded advances D. Unauthorized employees are given travel advances
C is the best answer. "Employees accumulate large, unneeded advances, resulting in unnecessary allocation of capital" is the effect in the excerpt from the observation. "Advances are not to exceed estimated expenses for 45 days" represents thecriteria. "Travel advances exceed prescribed maximum amounts" represents the condition. The excerpt of the observationdoes not mention unauthorized employees given travel advances
internal auditors perform both assurance engagements and consulting engagements. which of the following would be classified as a consulting engagement? c. facilitating senior management's assessment of risks threatening the organization
C is the best answer. Consulting services are defined in the Glossary to the Standards as "Advisory and related clientservice activities, the nature and scope of which are agreed with the client, are intended to add value and improve anorganization's governance, risk management, and control processes without the internal auditor assuming managementresponsibility. Examples include counsel, advice, facilitation, and training
which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan? c. to ensure that the internal audit plan supports the overall business objectives
C is the best answer. Even though the other choices have merit, the primary reason for theinternal audit function to consider the organization's strategic plan when developing theannual audit plan is to ensure that internal audit efforts align with and support the overallbusiness objectives of the organi- zation.
which of the following is not typically a barrier to internal auditors using data analytics in achieving the engagement objective? c. data analytic software is limited by the number of records it can process
C is the best answer. Generalized data analytic software, along with audit specific software, can handle any number ofrecords. As data sizes increase, depending on the technology, the processing times may increase; however, the softwarecan handle any volume of data
According to the IPPF, which of the following are part of the minimum requirements for an engagement final communication? I. Background information II. Purpose of the enagement III. Engagement scope IV. Results of the engagement V. Summaries A. I, II, an IV B. I, III, and V C. II, III, and IV D. II, IV, and V
C is the best answer. Implementation guidance to the Standards indicates that final engagement communications should contain, ata minimum, the purpose, scope, and results of the engagement. Background information and summaries are not requiredelements of a final engagement communica- tion.
The Standards requires the CAE to share information and coordinate activities with other internal and external providers of assurance services. With regard to the independent outside auditor, which of the following would not be an appropriate way for the CAE to meet this requirement? a. Holding a meeting between the CAE and the independent outside audit firm's partner to discuss the upcoming audit of the financial statements. b. Providing the independent outside auditor with access to the working papers for an audit of third-party contractors. c. Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit. d. Requesting that the internal audit function receive a copy of the independent outside auditor's management letter.
C is the best answer. It is appropriate for the CAE to request a copy of the external audit plan for con- ducting the financialstatement audit to assist in planning the annual internal audit plan, but it is not appropriate for the CAE to approve theexternal audit plan. That could impair the independence and objectivity of the independent outside auditor's work
a performance audit engagement typically involves: c. appraisal of the environment and comparison against established criteria
C is the best answer. Performance audit engagements involve review of performance against set crite- ria
which of the following is the most significant to the internal audit client in providing information related to the future direction and actions that can improve the operation of the organization? c. predictive
C is the best answer. Routines that take transaction data and predict future outcomes are of most ben- efit to management.It allows for management to take proactive measures on situations that may occur in the future. Although all of thesoftware measures are of benefit to management, predictive software provides information related to future direction andactions
The achieved upper deviation limit is 7 percent and the risk of assessing control risk too low is 5 percent. How should the internal auditor interpret this attribute sampling outcome? a. There is a 7 percent chance that the deviation rate in the population is less than or equal to 5 percent. b. There is a 5 percent chance that the deviation rate in the population is less than 7 percent. c. There is a 5 percent chance that the deviation rate in the population exceeds 7 percent. d. There is a 95 percent chance that the deviation rate in the population equals 7 percent.
C is the best answer. Saying there is a 5% risk that the deviation rate in the population exceeds 7% is equivalent to saying,with 95% confidence, that the deviation rate in the population is less than or equal to 7%
Per IIA Standards, internal audit functions must establish: a. internal quality assurance and improvement program assessments b. external quality assurance and improvement program assessments c. both internal and external quality assurance and improvement program assessments d. neither internal nor external quality assurance and improvement program assessments
C is the best answer. Standard 1300: Quality Assurance and Improvement Program states that "the chief audit executivemust develop and maintain a quality assurance and improvement program that covers all aspects of the internal auditactivity." Standard 1310: Requirements of the Quality Assur- ance and Improvement Program, Standard 1311: InternalAssessments, and Standard 1312: External Assessments detail the specific requirements for IIA Standard 1300 byspecifying that internal audit functions must establish both internal assessment and external assessment procedures
internal auditors obtain an understanding of controls and perform tests of controls to: c. evaluate the design adequacy and operating effectiveness of controls
C is the best answer. The internal audit team must determine whether identified key controls are designed adequately toreduce risks, both individually and collectively, to acceptable levels, assuming that the controls have been placed inoperation and are operating as intended. If the key controls are assessed as being adequately designed, the internal auditorsmust then test the controls to determine whether they are in fact operating effectively as intended
Duing a review of purchasing operations, an internal auditor found that procedures in use did not agree with stated company procedures. However, audit tests revealed that the procedures used represented an increase in efficiency and a decrease in processing time, without a discernible decrease in control. The internal auditor should: A. Report the lack of adherence to documented procedures as an operational deficiency B. Develop a flowchart of the new procedures and include it in the report to management. C. Report the change and suggest that the change in procedures be documented D. Suspend the completion of the engagement cliet documents the new procedures
C is the best answer. This represents a change in process that should be brought to the attention of management anddocumented. The procedures in answer A do not represent a deficiency since effi- ciency has improved withoutdiminishing control. The flowchart in answer B is not the best form of documentation because it does not addressefficiency. Answer D is incorrect because the engagement should be completed
Which of the following auditee-prepared documents will likely be of greatest assistance to the internal auditor in their assessment of process design adequacy? a. Policies and procedures manual. b. Organization charts and job descriptions. c. Detailed flowcharts depicting the flow of the process. d. Narrative memoranda listing key tasks for portions of the process.
C is the best answer. While policies and procedures manuals, organization charts and job descriptions, and memoranda listing key tasks will all be helpful, only detailed flowcharts provide the internal audi- tor with a start-to-finish view of how the process operates, including key risks and controls.
which of the following is/are barriers to widespread use of data analytics by internal audit functions? I the scope of the intended use of data and analytics is not well defined II. the amount of time required to clean and prepare data for analysis III. the extensive programming skills required to perform data analytics IV. not understanding the data to be analyzed c. I, II, IV
C is the best answer. With the advancement of audit software, along with tools such as Excel and analytics softwareavailable from audit management vendors, significant programming skills are not required
Which of the following is an appropriate conclusion that can be drawn when the internal auditor identifies an observation from testing controls? a. The process objectives cannot be achieved. b. The area may be vulnerable to fraud. c. Certain risks are not effectively mitigated. d. Overall, the process is not operating effectively.
Cisthebestanswer.Withoutevaluatingtheresultsoftestingforthewholeprocess,theinternalaudi- tor cannot come to any conclusions regarding the achievement of objectives, the existence of fraud, or the overall effectiveness of internal control activities. An observation is an indication that one or more risks have not been mitigated, although the internal auditor may need to evaluate compensating con- trol activities before finalizing his or her conclusion.
Which of the nine examples of common control types typically occur before a transaction is completed?
Common controls that typically operate before a transaction is completed include approving, examin- ing, matching, and, potentially, supervising
quality communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
what three steps are generally involved in conducting a process-level risk assessment?
Conducting a process-level risk assessment generally involves the following three steps: ■■ ■ Determine the impact of various outcomes associated with each risk.■■ ■ Estimate the likelihood that each risk impact will occur.■■ ■ Combine the assessment of impact and likelihood into a single risk assessment
According to the IPPF, internal auditors should possess which of the following skills? I. internal auditors should understand human relations and be skilled in dealing with people II. internal auditors should be able to recognize and evaluate the materiality and significance of deviations from good business practices iii. internal auditors should be experts on subjects such as economics, commercial law, taxation, finance and IT IV. internal auditors should be skilled in oral and written communication d. I, II, IV only
D is the best answer, I, II, and IV only. Internal auditors are expected to be able to recognize good business practices,understand human relations, and be skilled in oral and written communications. Internal auditors are not expected to beexperts in a wide variety of fields related to their audit respon- sibilities
According to the IPPF, the independence of the internal audit activity is achieved through: d organizational status and objectivity
D is the best answer. According to the Standards, organizational status and objectivity permit mem- bers of the internalaudit activity to render the impartial and unbiased judgments essential to the proper conduct of engagements. Staffing andsupervision relate to the professional proficiency of the internal audit activity. Continuing professional development anddue professional care relate to the professional proficiency of the internal auditor. Human relations and communicationsrelate to the professional proficiency of the internal auditor
Analytical procedures can be applied during which phase( s) of an assurance engagement? a. Plan phase.b. Perform phase. c. Communicate phase. d. Plan and perform phases.
D is the best answer. Analytical procedures can be used during planning to reveal process activities that may warrant closer attention and, accordingly, more detailed testing. Analytical procedures also can be used when performing an engagement to identify anomalies that may indicate 1) a control is not operating effectively or 2) a potential fraud or irregularity.
for which of the following would an internal auditor most likely use attribute sampling? d. inspecting employee time cards for proper approval
D is the best answer. Attribute sampling enables the user to reach a conclusion about a population in terms of a rate ofoccurrence. The most common use of attribute sampling in auditing is to evaluate the effectiveness of a particular control.The internal auditor tests the rate of deviation from a prescribed control to determine whether the occurrence rate is"acceptable" and, accordingly, whether reliance on that control is appropriate
The Standards requires policies and procedures to guide the internal audit staff. Which of the following statements is false with respect to this requirement? a. A small internal audit function may be managed informally through close supervision and written memos. b. Formal administrative and technical audit manuals may not be needed by all internal audit functions. c. The CAE should establish the function's policies and procedures. d. All internal audit functions should have a detailed policies and procedures manual.
D is the best answer. It is important for the internal audit function to establish policies and procedures to guide the internalaudit staff. However, substance is much more important than form. As a result, it is not necessary for these policies andprocedures to be codified into a formal manual, but it is import- ant for them to be established and effectivelycommunicated to the staff in a way that is consistent with the size and complexity of the internal audit function
while planning an assurance engagement, the internal auditor obtains knowledge about the audit's operations to, among other things: d. develop an understanding of the audit's objectives, risks, and controls
D is the best answer. It is virtually impossible to audit effectively something that is not sufficiently understood. The success ofany engagement ultimately depends largely on how well the internal audit team understands the auditee. The first thing theinternal auditors must understand is the auditee's business objectives and assertions. The internal audit team also must identifyand assess the business risks that threaten the achievement of the auditee's objectives, identify the controls that are mostcritical to reducing business risks to acceptable levels, and determine whether the identified key controls are designedadequately to reduce risks, both individually and collectively, to acceptable levels
If an internal auditor identifies an exception while testing, which of the following may be appropriate? a. Test additional items to determine whether the exception is an isolated occurrence or indicative of a control deficiency. b. Gain an understanding of the root cause, that is, the reason the exception occurred. c. Draft an observation for the audit report. d. All of the above.
D is the best answer. Some testing exceptions may indicate that a potential exception condition was not adequately contemplated when preparing the test plan and additional testing is required to determine whether a control deficiency exists. In other instances, it is clear that a control deficiency exists, but until the root cause is understood, the nature of a relevant recommendation may not be clear. Finally, some testing exceptions are clear indications of a control deficiency and no additional analysis is neces- sary, so the internal auditor can begin drafting the observation for the report.
A process objective stating "All contracts must be approved by an officer of the company before being consummated" is an example of what type of objective? a. Strategic. b. Operations. c. Reporting. d. Compliance.
D is the best answer. The approval is required by policy and, as such, the objective is a compliance objective. It is important to note that if students follow the COSO definitions, they may answer B since COSO more narrowly defines compliance as relating to laws and regulations. However, the authors prefer the broader definition of compliance objectives, as provided by The IIA, which includes compli- ance with outside laws and regulations as well as compliance with internal policies and contracts.
Reported internal audit observation emerge as a result of comparing" what should be" with "what is". In determining" what should be" during an internal audit engagement, which of the following would be the least appropriate criterion against which to assess current controls?a. Industry best practicesb. Control policies and procedures prescribed by senior management.c. A standard of control effectiveness determined by the internal audit function.d. The controls documented as being in place during the last audit.
D is the best answer. The controls documented as being in place during the last audit represent the "what is" condition atthat point in time. They do not represent an appropriate "what should be" criterion against which the current "what is"controls should be compared. Each of the other answers represents an appropriate criterion against which current controlscan be assessed
Which of the following groups' risk tolerance levels are least relevant when conducting an assurance engagement? a. Senior management. b. Process-level management. c. The internal audit function. d. Vendors and customers.
D is the best answer. The first two choices (senior management and process-level management) should be obvious from the chapter. It is important to remember that the internal audit function's risk toler- ance level is also important. While the tolerance levels of the others must be understood, the internal audit function still has a fiduciary responsibility to all stakeholders and, thus, should not subordinate its own tolerance levels to those of others. The tolerance levels of vendors and customers, while of some interest, do not really have much bearing on the focus of an assurance engagement.
audit committees are most likely to participate in the approval of: d. the appointment of the CAE
D is the best answer. The independence of the internal audit activity is enhanced when the audit committee participates innaming the CAE. The company's CAE is responsible for staff promotions. The company's CAE is also responsible forapproving internal audit reports. Audit work schedules are a part of the internal audit activity's planning function
Which of the following external risks is least likely to impact the accuracy of financial reporting? a. The standard-setting body in the organization's country issues a new financial accounting standard. b. A recent judicial court case increases the likelihood that pending litigation will result in an unfavorable outcome. c. Changes in standard industry contracts now allow for netting of payables and receivables. d. Competitor pressures cause the organization to pursue new sales channels.
D is the best answer. The other three choices likely would have some impact on financial reporting, but the pursuit of a new sales channel likely will not have a financial reporting impact.
an internal auditor should consider the qualitative aspects of deviations found in a sample in addition to evaluating the number of deviations. for which of the following situations should the internal auditor be most concerned? d. the deviations found may have been caused intentionally
D is the best answer. The possibility that the deviations might be a result of fraud is of particularimportance to the internal auditor. Evidence that deviations from the control found in the sample were caused by fraudmight very well offset the quantitative results and prompt the internal auditor to conclude that the control is not effective(that is, it cannot be relied upon to reduce residual risk to an acceptably low level). The internal auditor also must considerwhat, if any, impact the discovery of fraud might have on other aspects of the engagement.
in an assurance engagement of treasury operations, an internal auditor is required to consider all of the following issues except: d. the external auditors have indicated some difficulties in obtaining account confirmations
D is the best answer. This is the responsibility of the external auditors and should not change what should be considered by the internal auditor.
an internal auditor wants to test customers' accounts receivable balances for overstatement on a sample basis. which of the following would be the least valid reason for deciding to use PPS sampling rather than classical variable sampling? d. using PPS sampling eliminates the need for professional judgement in determining the appropriate sample size and evaluating the sample results
D is the best answer. Using PPS sampling, or any other statistical sampling approach, does not elimi- nate the need forprofessional judgment in determining the appropriate sample size and evaluating the sample results
A follow-up review found that a significant internal control weakness had not been corrected. The CAE discussed this matter with senior management and was informed of management's willingness to accept the risk. The CAE should:a. Do nothing further because management is responsible for deciding the appropriate action to be taken in response to reported engagement observations and recommendations.b. Initiate a fraud investigation to determine if employees had taken advantage of the internal control weakness.c. Inform senior management that the weakness must be corrected and schedule another follow-up review.d. Assess the reasons that senior management decided to accept the risk and inform the board of senior management's decision.
D is the correct answer. Senior management may decide to accept the risk due to cost or other con- siderations. The CAEneeds to assess senior management's rationale and then inform the board of management's decision
what are some of the key areas to which internal auditors can apply the use of data analytics?
Data analytics can be used to evaluate data in any business unit. Areas that are typical include: accounts payable,procurement, travel and entertainment expenses, inventory, payroll, accounting entries, sales, and expense transactions
How are assurance engagement observations identified?
During an assurance engagement, the internal audit function tests controls to ensure that they are designed adequately and are operating effectively to meetspecific control assertions (objectives). An observation is indicated if, during testing, the internal audit function concludes that any of the con- trolsidentified in the engagement are not designed adequately or operating effectively (as intended)
why is establishing engagement objectives important?
Engagement objectives articulate specifically what the engagement is trying to accomplish. Without the establishment of formal engagement objectives, the internal audit team may not be aligned with the reasons for the engagement and, consequently, may conduct inadequate or unnecessary tasks
Why must an internal auditor understand how entity-level controls may influence the performance of a process before auditing that process?
Entity-level controls are, by definition, pervasive and, therefore, may influence controls across the organization. Weaknesses in entity-level controls can make it easier to circumvent controls within a process that are otherwise well designed. The existence of entity-level control weaknesses may cause the internal auditor to apply more direct and substantive tests of controls with potentially larger sam- ple sizes to satisfy audit objectives and provide reasonable assurance that the entity-level weaknesses did not cause the process-level controls to operate ineffectively
why is it useful for an internal auditor to express risks in terms of causes and effects?
Expressing risks in terms of causes and effects helps the auditor assess how big and how likely the potential outcomes are.Analyzing the potential effects of a risk helps the internal auditor judge the size of the potential outcomes and whetherfurther attention to the risk is warranted. Analyzing the potential cause(s) of a risk, together with the underlying reasonsfor the potential cause(s), helps the internal auditor judge the likelihood of the risk becoming a reality
chapter 13 discussion question 4
Failure to identify all of the key risks inherent within a process being reviewed may result in the inter- nal auditor: a. Inappropriately concluding that the process design is adequate.b. Not testing enough key controls to evaluate whether the controls are operating effectively.c. Failingtoidentifyactualorpotentialindicationsoffraud.d. Neglecting to test and consider the impact of compensating controls that reside in other processes. Determining that certain risks are key when they are not may result in unnecessarily testing controls, causing suboptimal deployment of valuable internal audit resources.
what is the difference between a flat organization structure and a hierarchical organization structure in an internal audit function and what are the advantages and disadvantages of each?
Flat organization structures consist of internal auditors who all have more or less the same level of skills, experience, andseniority. Internal audit functions employing flat structures tend to be stable, highly knowledgeable, and verycollaborative, however, they also tend to result in a higher cost base due to the higher salaries necessary to retain auditorswho all have a high degree of knowledge and experience. Hierarchically structured organizations, on the other hand,include internal auditors with varying degrees of knowledge and experience. In these internal audit functions, internalauditors with less knowledge and experience report to internal auditors who have more knowledge and experience. Theseinternal audit functions can be more dynamic than flat functions due to the fact that positions are often rotating, withinternal auditors promoting into higher positions as those in higher positions move up in the function or into positionsoutside the function. Due to their dynamic nature, however, hierarchically organized functions can experience frequentchange that, if not managed, can threaten the efficient achievement of the internal audit plan.
chapter 13 discussion question 5
Following are examples of some, but not all, of the other possible risk outcomes: Reputational damage (for example, negative publicity in national newspapers). Harm to a person's health and safety (for example, employees, vendors, customers, or other visitors are injured while on company property). Environmentalcontamination(forexample,alocalwatersupplyispollutedbecauseofaspillfrom the company's plant). Lost assets (for example, assets are stolen by employees or outsiders; the financial impact of the event can be easily recorded, but the loss may not be recovered). Convictions(forexample,failuretoperformtheirfiduciarydutiesresultsinofficersofthecompany being convicted and sentenced to jail terms). Customer dissatisfaction (for example, selling flawed products may cause customers to look to other suppliers of the goods). Employee dissatisfaction (for example, a poor relationship with management causes a high percent- age of employees to seek employment elsewhere). Liquidity impairment (for example, failing to comply with debt covenants results in all debt becom- ing currently payable).
chapter 13 discussion question 6
Following are possible answers: Potential business risks associated with each scenario are: Title to the materials may have passed to the company and thus these represent unrecorded inventory and liability to pay. Also, failure to inspect the materials may result in acceptance of defective materials or materials that were not ordered. The spare parts may be damaged or otherwise unusable. Additionally, there may be an excessive amount of certain parts that will realistically never be used. In both instances, inventory balances may be overstated or overvalued. The barrels could leak or there may be other events associated with the escape of the haz- ardous chemicals that could create environmental incidents resulting in fines, penalties, health issues, and social issues should the chemicals leak into local water supplies. Understanding the risks above will help the internal auditors design their procedures to focus on activities related to: The receipt of materials, particularly right before a period end or inventory count. Procedures to assess whether parts and supplies are excessive, obsolete, or damaged. Procedures to manage environmental and safety risks associated with the hazardous chem- icals.
chapter 13 discussion question 7
Following are possible answers: a. In terms of assurance engagement appropriateness: i. Security of assets, including information, is very appropriate for an assurance engagement. The audit committee is looking for assurance related to the safeguarding of such assets, which is an integral part of an effective system of internal controls as covered in COSO's Internal Control - Integrated Framework. Compliance with applicable laws and company policies is also an appropriate engagement. Compliance objectives are covered in COSO's Internal Control - Integrated Framework. Reliability of financial records is also an appropriate engagement. Reporting objectives are covered in COSO's Internal Control - Integrated Framework. Effectiveness of performing assigned responsibilities may or may not be appropriate, depending on the audit committee's specific expectations. It is appropriate to evaluate whether designed responsibilities are being performed effectively. However, if the audit committee was looking for input on whether the responsibilities are appropriate, this may require the internal audit function to conduct a consulting engagement (discussed in chap- ter 15, "The Consulting Engagement." Valuation of the spare parts inventory may or may not be appropriate, depending on the audit committee's specific expectations. It is management's responsibility to determine the appro- priate valuation of the spare parts inventory. However, the internal audit function can provide assurance that management has designed an adequate process for determining that valua- tion, and the procedures to ensure an accurate valuation have been effectively performed. Students may list the three areas covered under part c, all of which are appropriate answers. In addi- tion, students may mention monitoring spare parts availability, accuracy and timeliness of providing information to customers (for example, product information, operating and maintenance informa- tion), customers' overall perception of customer service, timeliness of providing information to other AVF departments for follow-up or resolution, and effectiveness of key computer system functionality. Thefollowingarepotentialaudittaskstoaddresstheseresponsibilities.Notethatsomeofthetasks may provide consulting benefits as well as assurance benefits: Customer training courses — Understand how the content of such courses was developed and review it for reasonableness; determine whether qualified people are conducting the training; assess how effectively feedback from the conduct of courses is addressed; and survey a sample of customers who have taken the course to determine its relevance and effectiveness. Customer complaints and service calls — Review documentation supporting how com- plaints were dealt with; contact a sample of customers to determine whether they were sat- isfied with the service; analyze trending of complaints to determine whether the root causes are being addressed; and analyze the cost effectiveness of trying to address customer issues over the phone versus dispatching a service technician. Warranty claims — Test a sample of both processed and rejected warranty claims to determine whether the claims should have been covered by warranty and whether they were handled properly; analyze trends in warranty claims to identify potential issues in the production process; and evaluate the process that management follows to estimate a reserve for unprocessed warranty claims.
what are the key tasks covered in the typical work program?
Followingarethetaskscoveredinthetypicalworkprogram: Key administrative tasks, such as preparation of a planning memorandum, scheduling resources, establishing milestone dates, etc. Conducting a kick-off meeting with process-level management to discuss the objectives and scope of the engagement, process-level risks, timing of the engagement, information needed from pro- cess-level employees, reports or other deliverables, and any expectations management has of the engagement. Planning tasks, which list each of the tasks discussed in this chapter. Fieldwork tasks, which list the specific tests that will be conducted. Wrap-up steps, such as clearing open review notes, conducting a closing meeting with process-level management, finalizing the workpapers, etc. Reporting tasks, such as preparing a draft engagement communication, soliciting feedback from process-level management, and issuing a final engagement communication (covered more fully in chapter 14, "Communicating Assurance Engagement Outcomes and Performing Follow-up Proce- dures").
How is "haphazard sampling" defined in this chapter?
Haphazard sampling is a nonrandom selection technique that is used by internal auditors to select a sample that isexpected to be representative of the population. Haphazard, in this context, does not mean careless or reckless. It meansthat the internal auditor selects the sample without deliberately deciding to include or exclude certain items
what information must final assurance engagement communication include>
IPPF implementation guidance related to communication criteria indicates that all final engagement communicationsshould contain, at a minimum, the purpose, scope, and results of the engagement. The purpose represents the engagementobjectives, that is, why the engagement was conducted and what it was expected to achieve. The scope defines theactivities included in the engagement, the nature and extent of work performed, and the time period covered. The scopealso may identify related activities not included in the engagement, if necessary, to delineate the boundaries of theengagement. Results include observations, conclusions, opinions, recommendations, and action plans. The finalengagement communications also may contain the auditee's responses to the internal audit team's conclusions, opinions,and recommendations
chapter 12 discussion question 1
Inherent risk is the combination of internal and external risk factors in their pure, uncontrolled state, or, the gross risk thatexists, assuming there are no internal controls in place. Analyzing the poten- tial effects of an inherent risk helps theinternal auditor judge the size of the potential problem and whether further attention to the risk is warranted. Analyzingthe potential causes helps the internal auditor judge the likelihood of the risk becoming a reality The internal audit team also must weigh the assessed risk levels against management's risktolerance thresholds and decide whether risks are being managed appropriately. Risksassessed at levels within management's risk tolerance thresholds may be accepted at theirassessed levels. Risks that exceed management's tolerance thresholds must be mitigated toan acceptable level. Response options to mit- igate risks include avoiding risks by disbandingthe activities that give rise to them, sharing risks by transferring a portion of them to thirdparties (for example, an insurance company), or reducing risks by implementing controlsdesigned to lower their impact, likelihood, or both.
what does "inherent risk" mean?
Inherent risk is the combination of internal and external risk factors in their pure, uncontrolled state, or, the gross risk, thatexists assuming there are no internal controls in place
Why is interim and preliminary communication important in an assurance engagement?
Interim and preliminary communication is important because the auditee must be made aware, throughout theengagement, of any observations that the internal audit function has identified so that he or she can respond as to the accuracy of the facts related to the observation as well as the best course for remediation. Additionally, interimcommunication allows the auditee to address identified observations as soon as they are known, as opposed to waiting forthe final communication
what is internal audit data analytics?
Internal audit data analytics is the use of software to retrieve data from various sources and filtering the data to look foranomalies. Internal auditors can use data analytics to review large volumes of data and create the ability to review onlythose data items that are significant and potential issues
describe the challenges that internal audit functions encounter when implementing a successful data analytics program
Internal audit groups typically have not dedicated sufficient staffing to complete the work required to provide dataanalytics. Also, it is difficult to recruit staff with the necessary analytical and technical skills required to perform thesteps in data analytics. One of the biggest challenges that still remains is the ability to get the data. As discussed in thechapter, the volume of data, velocity, variety, and veracity of data all present challenges to performing internal audit dataanalytics
due professional care
Internal auditors must apply the care and skill expected of a reasonably prudent internal auditor, however, internal auditors are not expected to be infallible
chapter 13 discussion question 8
Invoice 248: This is a deviation. Each recorded shipment and sales invoice should be supported by a sales order. Verbal authorization is not a valid substitute for written authorization. Invoice 333: This is a deviation. If the control policy specifies that verification be documented, and evidence thereof is lacking, a deviation has occurred whether or not quantities and prices are correct. Invoice 377: This is a deviation. If the control policy specifies that verification be documented, and evidence thereof is lacking, a deviation has occurred whether or not quantities and prices are correct. Invoice 617: This is a deviation. Evidence of approval is not relevant if it is obvious from reperformance that the approval was not performed as prescribed (operating effectiveness versus design adequacy).
rating definitions
It is important to ensure readers of an audit communication understand what the ratings used by the internal audit function mean.
what key elements are taken into consideration when determining how to manage resources in an internal audit function?
Key elements taken into consideration when determining how to manage the internal audit function resources include theorganizational structure and staffing strategy, financial budget, the internal audit schedule and annual internal audit plan,the staffing plan, hiring practices, training and mentor- ing goals, career planning and professional developmentinitiatives, and strategic sourcing and right- sizing philosophies.
chapter 13 discussion question 3
Management is responsible for optimizing the return on assets. This requires a consistent focus on reducing residual risk and taking advantage of opportunities. To do this, management ensures they have developed good strategic direction and policies, hired and developed the right people to carry out that direction, and enabled those people with tools and information to carry out that direction effec- tively and efficiently. They empower people and then assume those people will do their jobs, subject to oversight and monitoring. Therefore, their focus is on managing risks to an acceptable level. Internal auditors, on the other hand, cannot assume people will do their jobs consistently, policies make sense, and enabling tools and information will achieve the desired result. While consideration of resid- ual risk is still relevant, internal auditors also must consider the possibility that the above assumptions are not correct and, as a result, conduct engagements to provide assurance about the design adequacy and operating effectiveness of control activities.
what are the characteristics of meaningful recommendations?
Meaningful recommendations for corrective actions address the causes of the gap between the criteria and condition,provide long-term solutions rather than short-term fixes, and are economically feasi- ble. Recommendations that addresssymptoms of problems rather than root causes tend to be of little value
factors affecting PPS sample sizes:
Monetary book value of the population. Risk of incorrect acceptance. Tolerable misstatement. Anticipated misstatement.
What six categories of information should narrative memoranda generally include?
Narrativememorandagenerallyincludethefollowingsixcategoriesofinformation: ■■ ■ Overall description of the process. ■■ ■ Key inputs.■■ ■ Key steps in the process.■■ ■ Key outputs. ■■ ■ Risks that threaten the process. ■■ ■ Key controls
how does non sampling risk differ from sampling risk?
Nonsampling risk, unlike sampling risk, is not associated with testing less than 100 percentof the items in a population. Instead, nonsampling risk occurs when an internal auditorfails to perform his or her work correctly. For example, performing inappropriate auditingprocedures, misapplying an appropriate procedure (such as failure on the part of theinternal auditor to recognize a control devi- ation or a dollar error), or misinterpretingsampling results may cause a nonsampling error. Nonsam- pling risk refers to the possibilityof making such errors.
why do internal auditors sometimes choose to use non statistical sampling instead of statistical sampling?
Nonstatistical sampling allows the internal auditor more latitude regarding sample selection and eval- uation
nonconformance with the standards
Occurs when the internal audit function is found to be deficient to the point that it impacts the overall scope or operation of the internal audit function. Nonconformance must be disclosed.
which type of process objective is the most common and why?
Operational objectives are the most common process objectives. This is due to the fact that most audit- able processes are created to support an important but nonstrategic aspect of the business. Such objec- tives tend to be task oriented, which lend themselves to auditing. Reporting and compliance objectives are frequently embedded in or produced as a byproduct of operational processes. Strategic processes tend to be less task-oriented and more subject to the judgments and efforts of individuals
factors affecting classical variable sample sizes:
Population size Estimated population standard deviation Risk of incorrect acceptance Risk of incorrect rejection Tolerable misstatement
what are the advantages of positioning the CAE on a senior management level within the organization?
Positioning the chief audit executive (CAE) on a senior management level within theorganization gives the internal audit function the visibility, authority, and responsibility toindependently evaluate man- agement's assessment of the organization's system of internalcontrols and assess the organization's ability to achieve business objectives and manage,monitor, and mitigate the risks associated with those objectives.
independent outside auditor
Registered public accounting firm, hired by the organization's board or executive management, to perform a financial statement audit providing assurance for which the firm issues a written attestation report that expresses an opinion about whether the financial statements are fairly presented in accordance with applicable Generally Accepted Accounting Principles.
What are the CAE's responsibilities when reporting to the audit committee?
Responsibilities when reporting to the board audit committee include the internal audit function's purpose, authority,responsibility, and performance relative to its annual internal audit plan. Report- ing also should include identifiedsignificant risk exposures and control issues, corporate governance issues, and other matters needed or requested by theboard and senior management
analytical procedures
Reviewing and evaluating existing information, which may be financial or nonfinancial, to determine whether it is consistent with predetermined expectations High-level assessments-> may reveal process activities that warrant closer attention and, accordingly, more detailed testing -> effectiveness of processes Examples: Benchmarking financials Ratio analysis Budget vs. Actual
what is the difference between risk mitigation and risk management?
Risk mitigation specifically refers to the tactical efforts undertaken by line management and oper- ational employees toeither reduce risk exposures or exploit competitive opportunities (advantages) that manifest themselves in day-to-dayoperations. Risk management, on the other hand, refers to the administration and oversight processes typically performedby senior management to monitor efforts to minimize risk exposures or steps taken to exploit competitive advantages.These administrative procedures are designed to help establish a common language for use when considering possible riskevents or scenarios. More concisely, risk management is a participatory process designed to identify, document, evaluate,communicate, and monitor the most significant risk events facing an organization requiring risk mitigation to achievebusiness objectives
what are management's risk response options?
Risks assessed at levels within management's risk tolerance thresholds may be accepted at their assessed levels. Risks thatexceed management's tolerance thresholds must be mitigated to an accept- able level. Response options to mitigate risksinclude avoiding risks by disbanding the activities that give rise to them, sharing risks by transferring a portion of them to third parties (for example, an insurance company), or reducing risks by implementing controls designed to lower theirimpact, likeli- hood, or both
how is "sampling risk" defined in this chapter? what are the two aspects of sampling risk that an internal auditor considers when performing tests of control?
Sampling risk is the risk that the internal auditor's conclusion based on sample testing may be different than the conclusionreached if the audit procedure was applied to all items in the population. In per- forming tests of controls, the internalauditor is concerned with two aspects of sampling risk: the risk of assessing control risk too low (type II risk, beta risk)and the risk of assessing control risk too high (type I risk, alpha risk).
internal audit engagements must be performed with proficiency and due professional care. what do proficiency and due professional care mean?
Standard 1210: Proficiency states that "internal auditors must possess the knowledge, skills, and other competenciesneeded to perform their individual responsibilities. The internal audit activity collec- tively must possess or obtain theknowledge, skills, and other competencies needed to perform its responsibilities." Standard 1220: Due Professional Carestates that "internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.Due professional care does not imply infallibility."
according to the interpretation of standard 2000, the CAE has four specific management responsibilities. what are they?
Standard 2000: Managing the Internal Audit Activity, states that "the chief audit executivemust effectively manage the internal audit activity to ensure it adds value to theorganization." Recogniz- ing that the CAE is pivotal to a successful internal audit function,the interpretation to this standard outlines the role and responsibilities of the CAE, statingthat "The internal audit activity is effectively managed when: ■■ ■ It achieves the purpose and responsibility included in the internal audit charter. ■■ ■ It conforms with the Standards. ■■ ■ Its individual members conform with the Code of Ethics and the Standards. ■■ ■ It considers trends and emerging issues that could impact the organization."
the CAE is required to present the internal audit plan to senior management and the board for approval. what specific information should be communicated to senior management and the board?
Standard 2020: Communication and Approval indicates that "the chief audit executivemust com- municate the internal audit activity's plans and resource requirements,including significant interim changes, to senior management and the board for review andapproval." Additional IPPF guidance recommends that the communication include asummary of the internal audit plan, work schedule, staffing plan, and financial budget.
What are the CAE's and the internal audit function's responsibilities regarding governance?
Standard 2110: Governance states that the internal audit function "must assess and makeappropriate recommendations to improve the organization's governance processes for: ■■ ■ Making strategic and operational decisions. ■■ ■ Overseeing risk management and control. ■■ ■ Promoting appropriate ethics and values within the organization. ■■ ■ Ensuring effective organizational performance management and accountability. ■■ ■ Communicating risk and control information to appropriate areas of the organization. ■■ ■ Coordinating the activities of, and communicating information among, the board, external and internal auditors, otherassurance providers, and management
how does the internal audit function assist the organization in maintaining effective controls?
Standard 2130: Control states that "the internal audit activity must assist the organizationin main- taining effective controls by evaluating their effectiveness and efficiency and bypromoting continuous improvement."
strategic sourcing
Supplements the in-house internal audit function through the use of third-party vendor services for the purposes of gaining subject matter expertise for a specific engagement or filling a gap in needed resources to complete the internal audit plan
what are the differences between organizational independence and individual objectivity?
The CAE should report to a level within the organization that allows the internal auditfunction to fulfill its responsibilities (Organizational Independence). In contrast, internalauditors should have an impartial, unbiased attitude and avoid conflicts of interest(Individual Objectivity).
how do the IIA's quality assurance improvement program professional standards (standard 1300) apply to a fully outsourced internal audit function? specifically discuss the applicability of, and compliance requirements with, the external assessment procedures (standard 1312)
The IIA's Quality Assurance professional standards (Section 1300) apply to a fully outsourced internal audit function(service provider) in exactly the same form and content as an internal audit function that is contained in-house. How theboard audit committee chooses to staff the internal audit function is not relevant when considering applicability of this orany other IIA professional standard. However, there could be various approaches taken by a service provider to evidencecompliance with the Quality Assurance standards. As a result, the service provider must be subjected to the external assessment procedures of Standard 1312: External Assessments with the results of such assessment provided to theorganization's audit committee
risk tolerance
The acceptable levels of risk size and variation relative to the achievement of objectives, which must align with the organization's risk appetite
what questions need to be answered when allocating Human Resources to an engagement?
The allocation of human resources involves answering the following questions: ■■ ■ ■■ ■ ■■ ■ ■■ ■ ■■ ■ ■■ ■ What types of skills are needed on this engagement? What previous experience will be required on the engagement (for example, knowledge about the area or previous experience with similar engagements)? Who in the department has the skills and experience to meet these needs? Is there a need for any specialty skills that do not exist within the internal audit function (for example, derivatives expertise and environmental expertise)? If so, where can these skills be obtained at a reasonable cost? Are there professional development considerations that might impact the allocation of resources to this engagement? For example, do certain internal auditors need a particular type of experi- ence to help them learn and grow professionally? Are there any other unique departmental considerations that may impact which internal auditors should be assigned to the engagement?
risk appetite
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
rating system
The assignation of a numeric or descriptive appraisal of engagement results for the purpose of comparing or trending them with other engagement results.
organizational independence
The chief audit executive's line of reporting within the organization that allows the internal audit function to fulfill its responsibilities free from interference.
what is the purpose of a closing conference?
The closing conference (also referred to as an exit conference) allows the internal audit function to confirm thepreliminary facts relative to any observations indicated by testing done during the assur- ance engagement with theappropriate management representatives of the area that was audited prior to distribution of the final engagementcommunication. It also allows all parties to review the form and content of what is anticipated to be included in the final(formal and informal) audit engagement communications and provides an opportunity for any misunderstandings to beresolved. Additionally, it provides management of the targeted functional areas a way to present their thoughts andplanned actions regarding the items to be covered in the final engagement communication and to give feedback regardinghow well the engagement team executed the assurance engagement. Management's action plan to address and resolvecontrol weaknesses identified during the assurance engagement is also agreed upon in the closing conference. Thisprovides another check point on the completeness and accuracy of the draft final communication prior to distribution tomanagement representatives of the area that was subject to the assurance engagement
inherent risk
The combination of internal and external risk factors in their pure, uncontrolled state, or, the gross risk, that exists assuming there are no internal controls in place
governance
The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
what are the lines of defense in the assurance layering strategy referred to as the three lines of defense model?
The first line of defense is management, who owns and takes responsibility for assessing and miti- gating risk and formaintaining effective internal controls. The second line of defense is the different non-independent areas within theorganization that work together to assist in risk mitigation by facilitating and monitoring the organization's riskmanagement efforts. The third line of defense is the independent internal audit function
what are the key steps involved when the internal audit function performs data analytics?
The first step is to determine the problem that the internal auditor is trying to answer. The next step is to determine whereto find the data and how to go about obtaining it. Many times obtaining the data can be difficult and the internal auditormust work closely with the technology group to ensure the correct data is being extracted and used for the analysis. Oncethe data is extracted, it must be nor- malized to deal with organizing the data along with issues such as duplicate data.Also, to clean up the data where possible prior to running the software analysis against the data. As part of the audit workthe internal auditor can then perform the analysis of the results and review the anomalies. Internal auditors may need toreview the details of the results with the business partner. The last phase is the communication of the results, which cantake on many forms including summary of the results in a graphic format to narrative in an audit report
what are the five typical exceptions that may be identified during testing in an engagement?
The five types of exceptions are: ■■ ■ Financial statement errors or misclassifications. ■■ ■ Control deficiencies.■■ ■ Shortfalls in objective achievement.■■ ■ Inefficiencies. ■■ ■ Out-of-compliance situations.
what types of information may process owners have available that will help an internal auditor understand the process?
The following are potential sources of useful process information from process owners: Policies relating to the process. Procedures manuals. Organizational charts or similar information outlining the number of employees and key reporting relationships. Job descriptions for people involved in the process. Process maps or flowcharts depicting the overall flow of the process. Narrative descriptions of key tasks or portions of the process. Copies of key contracts with customers, vendors, outsourcing partners, etc. Relevant information regarding laws and regulations affecting the process. Other documentation that may have been developed to support required reporting on the effective- ness of the system of internal controls
what three key steps should an internal auditor follow when gaining an understanding of management's risk tolerance levels?
The following are the three primary steps that should be followed when gaining an understanding of management's risk tolerance levels: a. Identify Possible Risk Outcomes. By definition, risks represent a range of possible outcomes. While such outcomes typically are measured in financial terms, there may be other risk outcomes that either do not lend themselves to financial measurement or are more severe than the financial impact. For example, the safety of employees may be more severe than potential fines or penalties due to safety violations. Similarly, the impact of failure to protect the privacy of customer data may be more severe than the cost to recover or protect such data. b Understand Established Tolerance Levels. Once the different risk outcomes are determined, discussions can be held with process management to identify tolerance levels that they have already established. Such levels may be reflected in documentation of key performance measures, individ- ual performance goals, or in other communications. c. Assess Tolerance Levels for Outcomes that Have Not Been Established. To the extent that established tolerance levels do not comprehensively address all possible risk outcomes, discussions should be held with process management to determine appropriate tolerance levels. Questions to facilitate this discussion include: ■■ ■ How much variability can you or senior management tolerate relative to the achievement of process objectives? ■■ ■ What types of outcomes would you consider to be unacceptable? ■■ ■ What types of risk scenarios would you be uncomfortable dealing with?
what are five types of scope statements?
The following are typical scope statements: ■■ ■ Boundaries of the process.■■ ■ In-scope versus out-of-scope locations. ■■ ■ Subprocesses.■■ ■ Components.■■ ■ Time frame limitations.
what four elements are included in a well-written audit observation?
The four key elements of a well-written observation are the condition, criteria, cause, and effect.
what are the four reasons for conducting an assurance engagement?
The four reasons why an assurance engagement might be conducted are as follows: The engagement was identified in the annual internal audit plan because of inherent risks identi- fied during the business risk assessment process, risks detected the last time the area was audited, and other relevant factors. For these engagements, the internal auditor must understand what underlying business risks caused the engagement to be included in the plan, and then design the engagement plan to provide the appropriate assurance regarding the design adequacy and operat- ing effectiveness of controls implemented to mitigate those risks. The engagement is part of an annual requirement to evaluate the organization's system of internal controls for external reporting purposes, such as the U.S. Sarbanes-Oxley Act of 2002 Section 404 requirements in the United States and similar financial reporting laws in other countries. For these engagements, the internal auditor must ensure that the engagement is designed to test the areas covered by the underlying regulations (for example, provide assurance regarding the design ade- quacy and operating effectiveness of internal control over financial reporting). Arecentevent(forexample,naturaldisaster,fraud,orcustomerbankruptcy)hastestedtheprocess under unusual circumstances, and management desires a "post mortem" to determine where the process was effective and where it was not. For these engagements, the internal auditor must tailor the testing and evaluation around the specific event that occurred. Changes in the business or industry require immediate modifications to the process, and manage- ment desires a quick validation that these modifications appear to be designed appropriately to address the changes. For these engagements, the internal auditor may perform a full controls- focused audit or they may scope it to focus only on the controls that changed.
what is the difference between providing positive assurance versus negative assurance in an audit report?
The internal audit function's assessment of controls that is included in the final engagement commu- nication can be statedeither positively or negatively. If an internal audit function chooses to state that the controls are designed adequately andoperating effectively, it has given positive assurance. If, on the other hand, the internal audit function chooses tocommunicate that nothing has come to their attention that leads them to believe that the controls are not designedadequately and operating effec- tively, it has given negative assurance
what four questions must be answered to evaluate the evidence gathered from audit testing?
The internal auditor must consider the following questions when evaluating evidence gathered from audit testing: Are the key controls designed adequately? Are the key controls operating effectively, that is, as they are designed to operate? Aretheunderlyingrisksbeingmitigatedtoanacceptablelevel? Overall, do the design and operation of the key controls support achievement of the objectives for the process or area under review?
what is the key advantage of statistical sampling over non statistical sampling?
The key advantage of statistical sampling over nonstatistical sampling is that it allows the internal auditor to quantify,measure, and control sampling risk
what are the key quality characteristic of internal audit engagement communications?
The key quality characteristics of internal audit communications are accuracy, objectivity, clarity, con- ciseness,constructiveness, completeness, and timeliness
proficiency
The knowledge, skills, and other competencies needed to fulfill internal audit responsibilities.
what factors should an internal auditor consider when determining which controls to test?
The primary focus of testing is to determine whether the key controls are operating effectively enough to ensure process-level risks are managed sufficiently. While this may be accomplished by simply testing all of the identified key controls, there are other factors the internal auditor must consider when determining which controls to test: ■■ ■ Are there higher-level controls that might, by themselves, provide reasonable assurance that the relevant risks are managed sufficiently? ■■ ■ Are there other compensating controls that address multiple risks? ■■ ■ Was the design of controls assessed as being adequate?■■ ■ When do the key controls operate, and, based on the period within scope for the engagement, is it practical to test certain key controls? ■■ ■ Have there been changes in the process during the period that result in certain key controls operating for only a portion of the period within scope?
how does a detailed flowchart differ from a high-level flowchart?
The purpose of a high-level flowchart is to depict broad inputs, tasks, workflows, and outputs. A high-level flowchart helps reviewers understand the overall activities, systems, reports, and inter- faces with other processes or subprocesses. This understanding will provide a frame of reference for identifying key subprocesses and systems that may be considered for the scope of the engagement. While the high-level flowchart is an important starting point, it does not provide the depth and level of detail needed to support the internal auditor's judgments regarding the design of the process. A detailed flowchart documents the more specific inputs, tasks, actions, systems, decisions, and out- puts. In addition to providing a more detailed depiction of the process flow, detailed flowcharts pro- vide additional information that enhances the understanding of the process.
non sampling risk
The risk that occurs when an internal auditor fails to perform his or her work correctly
sampling risk
The risk that the internal auditor's conclusion based on sample testing may be different than the conclusion reached if the audit procedure was applied to all items in the population
auditee
The subsidiary, business unit, department, group, or other established subdivision of an organization that is the subject of an assurance engagement.
what are the three phases of the assurance engagement process?
The three phases of the assurance engagement process are planning, performing, and communicating
what are the two general types of audit sampling?
The two general types of audit sampling are statistical sampling and nonstatistical sampling
final communication
The vehicle through which the internal audit function informs interested parties of engagement outcomes
in what ways can technology be used to increase internal audit process productivity and efficiency?
The ways in which technology can be used to increase internal audit process productivityand effi- ciency include the following: ■■ ■ Voting technology can be used to facilitate management's risk and control self-assessments. ■■ ■ Data analysis software such as ACL and CaseWare IDEA can be used to examine largecomput- er-based data files. ■■ ■ Automated monitoring tools facilitate continuous auditing. ■■ ■ Automated working papers such as TeamMate serve as an efficient medium fordocumenting, stor- ing, and retrieving information supporting audit work performed. ■■ ■ Automated tools can be used for internal audit administration and management activities such as evaluating staff, tracking of time and expenses, and scheduling audit engagements. ■■ ■ The internet can be used to do research and connect internal auditors with audit tools andresources.
what four items should be considered when scheduling an engagement?
Thefollowingfouritemsshouldbeconsideredwhenschedulinganengagement: a. Availability of key process personnel. b. Availability of engagement resources. c. Availability of outside resources. d. Availability of key reviewers.
what factors affect the size of an attribute sample?
There are three factors that affect the size of an attribute sample: ■■ ■ The acceptable risk of assessing control risk too low. The risk that the internal auditor willincor- rectly conclude that a specified control is more effective than it really is. ■■ ■ The tolerable deviation rate. The maximum rate of deviations the internal auditor is willingto accept and still conclude that the control is acceptably effective. ■■■Theexpectedpopulationdeviation rate. Theinternalauditor'sbestestimateoftheactualdeviationrateinthepopulationofitemsbeingexamined.
why is it important for internal auditors to identify and understand key performance indicators for a process?
There are two key reasons internal auditors must identify and understand process-level key perfor- mance indicators (KPIs). First, it tells the auditor how process-level control activities are monitored, which aids in the evaluation of both the design adequacy and operating effectiveness of the process. Second, KPIs give an indication of management's tolerance levels surrounding the process. This pro- vides the internal auditor with insights as to how to evaluate the significance of testing exceptions or observations
chapter 13 discussion question 9
This is a question that many internal audit functions are currently struggling with. Inability to manage strategic risks is by far the largest cause of significant company failures. However, the nature of most strategic risks is that they are not easily managed by processes or systems, and instead are heavily dependent on either decisions management makes or external events over which an organization has little control. Therefore, most strategic risks do not lend themselves to traditional assurance engage- ments. However, internal auditors can add value by considering audits focused on: The governance process, which includes the strategic oversight provided by the board of directors and the board's delegation of authority to manage strategic risks. The enterprise risk assessment process to assess whether all key strategic risks have been identified, appropriately assessed, and assigned to members of management. Management'sprocessesformonitoringriskindicatorsrelatedtoexternalrisks. Effectiveness of communicating key risk indicators and pertinent risk information so that decisions can be made as appropriate. Reportsthatsupportkeymanagementdecisions. Management information systems that provide management with timely information upon which strategic decisions can be made. Validity of other information that management relies on to support key decisions.
why might an internal auditor perform analytical procedures during the engagement planning process?
Understanding the tasks in a process is an important step in planning an engagement. However, these tasks describe the way a process is designed to perform, but provide little indication regarding how effectively they are carried out. Performing analytical procedures is one way internal auditors conduct high-level assessments that may reveal process activities that warrant closer attention and, accord- ingly, more detailed testing
continuous auditing
Using computerized techniques to perpetually audit the processing of business transactions
auditee objectives
What the auditee is striving to achieve
Why might the inherent likelihood of a risk increases if there is the potential for fraud?
When an individual intends to commit a fraud or there is collusion among multiple individuals, the inherent likelihood of a given risk may be greater. The likelihood of a risk is commonly assessed assuming individuals are honest and intend to do the right thing.
when developing a testing approach, what decisions must be made about the tests to be performed?
When developing a testing approach, an internal auditor must consider the nature, extent, and timing of tests to be performed
how do internal audit consulting engagements differ from assurance engagements?
Whereas the nature and scope of an assurance engagement are determined by the internal audit function, the nature andscope of a consulting engagement are subject to agreement with the engage- ment customer. Consulting engagements are, accordingly, much morediscretionary in nature than assurance engagements. As indicated in the Glossary to the Standards, consulting services include "counsel, advice,facilitation, and training.
chapter 13 discussion question 1
While the underlying objectives of an assurance engagement may be similar, the outcomes and deliv- erables can vary widely, depending on those objectives and the audience receiving the deliverables. Specifically: a. By being able to anticipate the outcomes of an engagement, the internal auditor can plan the appro- priate tests to provide reasonable assurance that potential discrepancies will be detected. This may also reduce the amount of additional testing that would need to be performed to evaluate the extent and magnitude of detected discrepancies because the auditor's expectations can be built into the original engagement testing plan. b. By understanding the nature, extent, and format of the deliverables, the internal auditor can focus on ensuring that all necessary information is gathered and documented to support the key areas of the deliverables.
subprocess
a discrete and recognizable portion or component of a process
observation
a finding, determination, or judgement derived from the internal auditor's test results
internal audit charter
a formal, written document that defines the purpose, authority, and responsibilities of the internal audit function within the organization. is subordinate to the audit committee's charter
haphazard sampling
a nonrandom selection technique that is used by internal auditors to select a sample that is expected to be representative of the population
risk management
a process that identifies loss exposures faced by an organization and selects the most appropriate techniques for treating such exposures
attribute sampling
a statistical sampling approach that enables the user to reach a conclusion about a population in terms of a rate of occurrence
factors affecting attribute sample sizes
acceptable risk of assessing control risk too low, tolerable deviation rate, expected population deviation rate
technology
advancements in data visualization tools have made information come to life for management presentations. every internal auditor should be well-versed in the capabilities and use of data analytics tools
key control
an activity designed to reduce risk associated with a critical business objective
final communication error
an unintentional misstatement or omission by the internal audit function of significant information in the final engagement communication
control
any action taken be management, the board , and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved
operating effectiveness
assessment of whether management has executed (operated) the controls in a manner that provides reasonable assurance that risks have been managed effectively and that the goals and objectives will be achieved efficiently and economically
people
audit groups are evolving to add a data scientist as a key member of the staff
computer-assisted audit techniques
automated audit techniques, such as generalized audit software, utility software, test data, application software tracing and mapping, and audit expert systems, that help the internal auditor directly test controls built into computerized information systems and data contained in computer files.
informal communication
communication regarding insignificant observations related to secondary controls that might be compromised
entity-level controls
controls that operate across an entire entity and, as such, are not bound by, or associated with, individual processes
elements of an observation:
criteria, condition, cause, effects
process map
depicts the broad inputs, activities, workflows, and interactions with other processes and outputs
random sampling
each item in the defined population has an equal opportunity of being selected
flowchart
expands on a process map to include computer systems and applications, document flows, detailed risks and controls, manual versus automated steps, elapsed time, and owners of key steps
controls-focused engagements
focus on the design adequacy and operating effectiveness of controls implemented to provide reasonable assurance that performance objectives are met
what are the three most common ways of documenting a process flow?
high-level flowcharts, detailed flowcharts, and narrative memoranda.
board
highest-level governing body
significant
indicates that a control has a more than remote likelihood of failing and that the impact of its failure is more than trivial
material
indicates that a control has a more then remote likelihood of failing and that the impact of its failure exceeds the materiality threshold
insignificant
indicates that a control has a remote likelihood of failing or failing or that the impact of its failure is trivial
gather information about:
inputs, processing, output
engagement resources:
internal auditors, other people, travel, technology, other
processes
it is imperative that data analytics be integrated into the annual planning process at the early stages of every audit
COSO internal control objectives
operations, reporting, compliance
recommendation
suggested corrective actions to correct the condition
effect
the consequence of the difference between what should exist and what does exists
Achieved Allowance for Sampling Risk
the difference between the sample deviation rate and the achieved upper deviation limit
monitoring progress
the follow-up process established by the CAE to ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action
risk assessment
the identification and analysis of the risks that threaten the achievement of organizational objectives
conclusion
the internal audit function's assessment of the design adequacy and operating effectiveness of the controls subject to audit
expected population deviation rate
the internal auditor's best estimate of the actual deviation rate in the population of items being examined
tolerable deviation rate
the maximum rate of deviation from a prescribed procedure the auditor will tolerate without modifying planned reliance on internal control
quality assurance
the process of assuring that an internal audit function operates according to a set of standards defining the specific elements that must be present to ensure that the findings of the internal audit function are legitimate
audit risk
the risk of reaching invalid audit conclusions and/or providing faulty advice based on the audit work conducted
risk of assessing control risk too low
the risk that the internal auditor will incorrectly conclude that a specified control is more effective than it really is
data analytics
use of data analytics allows internal auditors to analyze the total population of information and scrutinize exceptions more closely
condition
what does exist
engagement objectives
what internal auditors intend to achieve through the audit
scope
what is or is not included within an engagement
criteria
what should exist
cause
why theres a difference between what should exist and what does exist
what are the nine steps involved in attribute sampling?
■■ ■ Identify a specific internal control objective and the prescribed control(s) aimed atachieving that objective. ■■ ■ Define what is meant by a control deviation. ■■ ■ Define the population and sampling unit. ■■ ■ Determine the appropriate values of the parameters affecting sample size. ■■ ■ Determine the appropriate sample size. ■■ ■ Randomly select the sample. ■■ ■ Audit the sample items selected and count the number of deviations from the prescribed control. ■■ ■ Determine the achieved upper deviation limit. ■■■Evaluate the sample results