2Exam - 1
Factors leading to unethical behavior
"A fish rots from the head down"; Pressure to improve short-run performance; Strict chain of command authority; Work-group loyalties; Committee decisions; Competitive pressures; Advantage obtained; Cultural differences
Core internal audit roles
(1) giving assurance on the risk management process, (2) giving assurance that risks are correctly evaluated, (3) evaluating the risk management process, (4) evaluating the reporting of key risks, and (5) reviewing the management.
Unit-price contracts
Accurate measurement of work performed
Internal audit must evaluate risk exposures in relation to:
Achievement of objectives. Reliability of financial / operational information. Effectiveness / Efficiency of operations / programs. Safeguarding of assets. Compliance with laws, regulations, policies, procedures, and contracts.
Compliance
Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
Organizational development (OD) is one of the major approaches to proactive management of change in organizations. One of the major objectives of OD is to
Align the organization's and the employees' goals. (1) deepen the sense of organizational purpose and align individuals with it; (2) promote interpersonal trust, communication, cooperation, and support; (3) encourage a problem-solving approach; (4) develop a satisfying work experience; (5) supplement formal authority with authority based on expertise; (6) increase personal responsibility; and (7) encourage willingness to change.
Co-Optation
Allowing some participation but without meaningful input
Objective-based format.
An objective-based format focuses on the best way to accomplish a business objective. The workshop begins by identifying the controls presently in place to support the objective and then determines the residual risk remaining.
In which type of assurance engagement should an auditor focus on organizational objectives?
Answer (D) is correct. In a performance audit engagement, auditors perform efficient and cost-effective audits by focusing on achievement of organizational objectives, that is, key performance indicators.
A basic principle of governance is
Assessment of the governance process by an independent internal audit activity. NOT: holding the board, senior management, and the internal audit activity accountable for its effectiveness. This is because internal audit is not accountable for the process.
The minimum internal audit activity role is...
Assessor of the ethical climate and the effectiveness of processes to achieve legal and ethical compliance.
Participative Auditing
Collaboration between internal auditor, management, during auditing process to minimize conflict and build shared interest in engagement.
When an assessment (QAIP) discovers a significant degree of nonconformance...
Senior management and the board must be informed.
Kurt Lewin's process model consists of three stages, which are
(1) unfreezing, or the diagnosis stage; (2) change, which is the intervention in the status quo; and (3) refreezing, which makes the change relatively permanent so that old habits will not reassert themselves.
3 common approaches with a CSA (Control Self Assessment)
1) Facilitation, 2) Survey/Questionnaire, 3) Self-certification. All self-assessment programs assume that managers and members of the work team understand risk and control concepts and use them in communications. If the auditor or the responder is unskilled, then risks may not be identified.
Lump-sum contract risks
1) Progress payments, incentives, an escalator clause, adjustments for labor costs, and change orders.
Best practice governance activities
1) Support the board in enterprise-wide risk assessment. 2) Monitor compliance with the corporate code of conduct. 3) Discuss areas of significant risks. NOT: Ensure timely implementation of audit recommendations. Implementation is management's job.
Assurance map components
1) identity of the assurance providers 2) Risk 3) Level of assurance 4) Urgency or importance of the issue 5) Action to be taken
Discipline of employees may be limited by:
1) whistleblower laws, 2) exceptions to the at-will doctrine, 3) employee or Union contracts, 4) discrimination, etc.
Internal Control Training
1/5 consulting engagements that are OK - train mgmt on controls
Business process mapping
2/5 consulting engagements that are OK - redesigning how the company does processes
Control-based format.
A control-based format focuses on how well the controls in place are working. Unlike the approach in the objective-based and risk-based formats, the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work. The aim of a control-based format is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.
By comparing job descriptions with the qualifications and duties of the individuals currently holding those jobs, a manager can
A job description summarizes the duties and qualifications required for a job. It is prepared based on a job analysis, which is a systematic procedure for observing work and determining what tasks should be accomplished to achieve organizational goals. By comparing the job description with the actual employees and their qualifications, a manager can determine whether the organization has placed appropriate individuals in jobs best suited to their abilities.
Program Results audit
A program-results engagement addresses accomplishment of program objectives and not necessarily whether costs were minimized.
Quality audit
A quality audit engagement provides assurance that the approved quality structures are in place, and quality processes are functioning as intended.
Risk-based format.
A risk-based format focuses on listing the risks to achieving an objective. The workshop begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective and, then, examining the control procedures to determine if they are sufficient to manage the key risks. The aim of the workshop is to determine significant residual risks. This format takes the work team through the entire objective-risks-controls formula. The aim of a risk-based format is to determine significant residual risks.
Which of the following is the most important provision for an internal auditor to recommend for inclusion in a contract for the purchase of a business application system from a small start-up company?
A source code escrow clause requires the application source code to be held in escrow by a trusted third party. The third party releases the source code to the purchaser, or licensee, on the occurrence of an event, or events, specified in the clause.
A performance audit is...
A strategic analysis of the organization's key components that are essential to the organization's success. An auditor should focus on organizational objectives.
Elements of a CSA
According to The IIA, an element of CSA is the gathering of a group of people into a same-time/same-place meeting, typically involving a facilitation seating arrangement (U-shaped table) and a meeting facilitator. The participants are "process owners", i.e., management and staff who are involved with the particular issues under examination, who know them best, and who are critical to the implementation of appropriate process controls.
To test whether debits to accounts receivable represent valid transactions, the internal auditor should trace entries from the
Accounts receivable ledger to sales documentation. The auditor wants to verify that recorded amounts are properly supported by originating events. This is accomplished through vouching. Only the two choices that involve tracking ledger entries back to a journal or source document describe a vouching procedure. A debit to accounts receivable is properly supported by a credit sale to a customer.
Objective-based format.
An objective-based format focuses on the best way to accomplish a business objective. The workshop begins by identifying the procedures presently in place to support the objective and then determines the residual risks remaining. The aim of the workshop is to decide whether the procedures are working effectively and are resulting in residual risks within an acceptable level.
Operational audit
An operational audit engagement allows internal auditors to assess the efficiency and effectiveness of an organization's operations. An operational engagement (audit) assesses the efficiency and effectiveness of an organization's operations. A comparison of actual and standard costs addresses efficiency and effectiveness. One objective is to assess cost savings.
Control
Any action taken to manage risk, increase likelihood that objectives and goals will be achieved.
Assessments of the work of external auditors may be made by the chief audit executive
As part of the evaluation of the coordination between the internal and external auditors
Criteria for evaluation
Ask questions to define an ethical issue. Can be influenced by: Life experiences, friendship groups, organizational pressures.
Audit risk AICPA model
Audit risk = risk of material misstatement x detection risk. Audit risk = inherent risk x control risk x detection risk. AR: wrong opinion. Inherent: risk before controls. Control risk: risk that control fails. Detection risk: risk that auditor won't find it.
Cash receipts should be deposited on the day of receipt or the following business day. Select the most appropriate engagement procedure to determine that cash is promptly deposited.
Compare the daily cash receipts totals with the bank deposits. Answer (B) is correct. A standard control over the cash receipts function is to require that daily cash receipts be deposited promptly and intact. Thus, the total of cash receipts for a day should equal the bank deposit because no cash disbursements are made from the daily receipts. To determine whether cash receipts are promptly deposited, the internal auditor should compare the daily cash receipts totals with bank deposits.
The CAE is responsible for ___ the internal / external activities, the Board is responsible for ___.
Coordinating; Overseeing
Which of the following are responsibilities of the chief audit executive (CAE)?
Coordinating activities with other providers of assurance and consulting services. Understanding the work of external auditors. Providing sufficient information to the external auditors to permit them to understand the internal auditors' work.
Three categories - IIA position papers - Compare to Us?
Core internal audit roles in regard to the ERM; Legitimate internal audit roles with safeguards; Roles the internal audit activity should not undertake. Core: Give assurance, evaluate, review. Legitimate: Facilitate, coach, coordinate, consolidate, maintain, develop strategies. Not: Setting risk appetite, impose risk management processes, management assurance, making decisions on risk responses, etc. CLR
An express opinion from an external audit in a QAIP...
Could be about conformance with the standards and an assessment for each standard. An external assessment also includes, as appropriate, recommendations (corrective action plans) for improvement.
An organization is changing to a quality assurance program that incorporates a mindset of "quality throughout the process." This is very different from its years of dependence on quality control at the end of the process. This type of change is a
Cultural change -- a change in mindset or attitude. NOT a structural change - a change to systems and structures.
Organizational development approach with change management
Deepen sense of organizational purpose and values, promote interpersonal trust, encourage a problem-solving approach, develop a satisfying work experience, supplement formal authority with authority based on expertise, increase personal responsibility, and encourage willingness to change.
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. With respect to evaluating the effectiveness of risk management processes, internal audits most likely should...
Determine that the organization's objectives align with its mission.
Compliance programs most directly assist organizations by doing...
Determining director and officer liability. They can help prove insurance claims, determine director and officer liability, create or enhance corporate identity, and decide the appropriateness of punitive damages.
PERT Networks
Developed to control large-scale complex projects. Free-form networks showing connections between steps. The critical path is the longest path through the network, because if anything is delayed, the whole project is delayed. Anything not on the critical path has slack time, which can be diverted to the critical path.
Code of Ethics
Establishes the general value system the organization wishes to apply to its members' activities. Organizations benefit from a code of ethics that effectively communicates acceptable values to all interested parties. Usually says no COI,
The internal audit activity most directly contributes to an organization's governance process by:
Evaluating the design of ethics-related activities.
Which phrase best describes the control-based approach of the control self-assessment process?
Examining how well controls are working in managing key risks. A control-based format focuses on how well the controls in place are working. This format is different than the others because the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.
3 types of assurance services
Financial, compliance, and operational
Balanced scorecard criteria
Financial, customer, internal, learning / growth / innovation. Profitability; customer satisfaction; innovation; and efficiency, quality, and time.
Operations manual
For larger firms: includes purposes, responsibilities, compliance with mandatory guidance, and independence of activity, objectivity of internal auditors.
Definitions: Governance, Risk Management, Control
G: The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. RM: A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives. C: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Issues in business ethics
General business understanding of ethical issues; Compliance with laws; External financial reporting; Conflicts of interest; Entertainment and gift expenses; Relations with customers and suppliers; Social responsibility
CSA
In its purest form, CSA integrates business objectives and risks with control processes. Control self-assessment is a process that involves employees in assessing the adequacy of controls and identifying opportunities for improvement within an organization.
IIA's Three Lines of Defense Model
Internal audit is the third line of defense. The first line is internal controls / management controls, the second is compliance, security, risk management, etc.
An ombudsperson is most effective when the individual
Is on-site, and reports to the CEO or the Board
The purpose of the internal audit activity's evaluation of the effectiveness of existing risk management processes is to determine that...
Management directs processes so as to provide reasonable assurance of achieving objectives.
Cost-plus contracts risks
Maximum costs, incentives for early completion
As a part of a quality program, internal assessment teams most likely will examine which of the following to evaluate the quality of engagement planning and documentation for individual engagements?
Measures of project budgets and audit plan completion.
Organizational and procedural changes are often resisted by the individuals and groups affected.
Methods of coping with employee resistance include prevention through education and communication, facilitation and support through training and counseling, manipulation of information or events, and coercion.
Audit committee
No member may be an employee. At least one must be a financial expert.
Consulting activities
No opinion is provided: auditor provides information / commentary. Includes trainings.
Physical inventory will not uncover...
Nonexistent inventory
Micro and Macro level opinions
One is for individual audits, one is for the entire organization based on multiple audits.
Controls should be designed to provide reasonable assurance that:
Organizational objectives will be achieved economically and efficiently.
Productivity Ratio, Productivity Index, Operating Ratio, Resource Utilization Rate
PR: Measures output relative to input. PI: Measures production potential. OR: Measures operational efficiency. RUR: Resource usage relative to available resources.
An internal auditor traces individual time tickets to the payroll cost distribution and also traces totals from the payroll cost distribution to the various work-in-process accounts. If no exceptions are found, this procedure constitutes information indicating that
Payroll costs have been accurately distributed to work-in-process accounts. The process described begins with a triggering event and determines whether the proper results took place, i.e., tracing. If no exceptions are found, the auditor can conclude that payroll costs (the source data) have been properly distributed to the destination ledger.
Control by management is the result of
Planning, organizing, and directing of organizational activities.
In the contracting process, auditors should...
Procedures for bidding, cost estimation and control; Budgets and financial forecasts; The contractor's information and control systems; The contractor's financial position; Funding and tax matters; Progress of the project and costs incurred
Risk management
Process to identify, assess, manage, control events to provide assurance regarding achievement of objectives.
Governance
Processes and structures implemented to inform, direct, manage, monitor activities towards achievement of objectives. Includes making strategic and operational decisions, overseeing risk management and control, promoting appropriate ethics and values within the organization, ensuring effective organizational performance management and accountability, communicating risk and control information to appropriate areas of the organization, and coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.
TQM begins with...
TQM emphasizes the supplier's relationship with the customer. Thus, TQM begins with external customer requirements, identifies internal customer-supplier relationships and requirements, and establishes requirements for external suppliers. TQM concepts also are applicable to the operations of the internal audit activity itself. For example, periodic internal assessments of those operations may include benchmarking of the internal audit activity's practices and performance metrics against relevant best practices of the internal audit profession. TQM is the continuous pursuit of quality in every aspect of organizational activities through (1) a philosophy of doing it right the first time, (2) employee training and empowerment, (3) promotion of teamwork, (4) improvement of processes, and (5) attention to satisfaction of customers, both internal and external.
To control daily operating costs, an organization decreased the number of times a messenger service was used each day. Despite those measures, the monthly bill continued to increase. What procedure should the internal auditor use to detect whether improper services were being billed?
Reconcile a sample of messenger invoices to pickup receipts. Answer (D) is correct. When the amount charged for a service increases as an entity reduces its use of the service, the possibility exists that the entity is being charged for service not received. The internal auditor should reconcile a sample of messenger invoices to pickup receipts. By multiplying the number of trips authorized by the charge per trip, any discrepancy can be identified.
An audit committee is concerned that management is not addressing all internal audit observations and recommendations. What should the audit committee do to address this situation?
Require the chief audit executive to establish procedures to monitor progress. Answer (C) is correct. The CAE must establish and maintain a system to monitor the disposition of results communicated to management (Perf. Std. 2500).
When the executive management of an organization decided to form a team to investigate the adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team. The best reason for including an internal auditor is the internal auditor's knowledge of
Risk management processes
Role of the audit committee
Selecting / removing CAE; Approving audit charter; Reviewing, approving work plan; Ensuring sufficient resources; Communicating with CAE; Reviewing work product; Ensuring results are given due consideration; Overseeing corrective action; Inquiring about scope/budgetary limitations.
Role of audit committee with external firm
Selecting audit firm and fee; Overseeing, reviewing work; Resolving disputes between external auditor and mgmt; Reviewing external auditor's reports
Effective interviews
Structured interviews eliminate individual bias. Situational, job knowledge, job situation, worker requirements. Behavioral interviews: how have they handled past situations.
The chief compliance officer should report to...
The CEO. It is not enough for an organization to create the position of chief compliance officer and to select the rest of the compliance unit. The organization should also ensure that these personnel are appropriately empowered and supplied with the resources necessary for carrying out their mission. Furthermore, compliance personnel should have adequate access to senior management. A reporting structure in which the chief compliance officer reports directly to the chief executive officer is optimal.
Process-based
The aim of a process-based format is to evaluate, update, validate, improve, and even streamline the whole process and its component activities.
Review of a compliance program
The audit plan should include a review of the compliance program and its procedures. The review should determine whether (1) written materials are effective, (2) communications have been received by employees, (3) detected violations have been appropriately handled, (4) discipline has been even-handed, (5) whistleblowers have been protected, and (6) the compliance unit has fulfilled its responsibilities. The auditors should review the compliance program to determine whether it can be improved and should solicit employee input. Moreover, organizations should screen applicants for employment at all levels and inquire as to past criminal convictions, taking care not to infringe upon employees' and applicants' privacy rights. However, a review of the performance of full background checks is not included in an audit plan as part of the review of an organization's compliance program.
Self-certification
The form of self-assessment is based on management-produced analyses to produce information about selected business processes, risk management activities, and control procedures. The internal auditor may synthesize this analysis with other information to enhance the understanding about controls and to share the knowledge with managers in business or functional units as part of the organization's CSA program.
Scanning
The use of professional judgement to review accounting data to identify significant or unusual items to test.
Internal auditors' role with quality management
To audit the entire quality process. A key component of a TQM is to make the right product first, with as few defects as possible.
Main reason for audit reports?
To document the observations / recommendations.
Ethics: major issues
Understanding of ethical issues; Compliance with laws; External financial reporting; Conflicts of interest; Entertainment / gift exp; Relationship with customers, suppliers; Social responsibility
Kurt Lewin's Process Model - 3 stages
Unfreezing, Change, Refreezing
Risk register
Used to identify and analyze risks.
Critical Path Method
Uses deterministic method. Also incorporates cost amount beyond PERT. Calculates the total time and total cost for each critical path. It then calculates a "crash" time, which is if all resources are diverted to that path. A ratio is created to determine which step is the most cost effective to "crash" and assign all resources to. When you crash one, you have to consider its effects on all of the others as well.
With fraud, be careful. Reviewing prior periods might not work out because...
We don't know how long the fraud has been going on.
For high risk observations, what does internal audit do?
We monitor the corrective action and ensure it occurred.
Why should you use the survey approach in a CSA?
When the organizational culture does not encourage openness, and you want to reduce the cost.
Consider ethics in terms of...
Who I am, who I care about, what the company cares about.
Engagement work program
Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. They (1) state the engagement objectives; (2) identify technical requirements, risks, processes, and transactions to be examined; (3) state the nature and extent of testing; (4) document the procedures performed; and (5) are modified during the engagement with the approval of the CAE. When an overall opinion is expressed, it must consider the expectations of stakeholders and be supported by sufficient, reliable, relevant, and useful information. Accordingly, *a preliminary opinion is not expressed because no opinion should be expressed until evidence gathering is complete.*