MU1 Module 6 Notes
Course Modules
Exam Preparation
Resources
Learning objectives
6.1 Interviewing skills: Explain the importance of effective interviewing skills in internal auditing, and describe the recommended approach to managing conflict during an audit. (Level 2)
6.2 Purpose and objectives of internal audit reporting: Identify the purpose and the objectives of internal audit reporting. (Level 1)
6.3 Standards for internal audit reports: State the IIA Standards and guidelines for internal audit reports. (Level 1)
6.4 Contents of the internal audit report: Develop the information that should be included in an internal audit report, including the main factors the internal auditor considers in developing recommendations, and explain why the report (including recommendations) should be reviewed with management before its release. (Level 1)
6.5 Presentation of the internal audit report: Draft an internal audit report. (Levels 1 and 2)
6.6 Monitoring recommendations: Explain why it is important for internal auditors to monitor the implementation of their recommendations, and determine the steps in a monitoring program. (Level 1)
6.7 Internal audit reporting case study: Report audit findings from the information provided in a case study. (Level 2)
Module summary
2. Which of the following is an element of the scope of an internal audit?
a. The auditor's observations
b. The time period covered by the audit
c. The objectives of the audit
d. The criteria against which the observations are compared

3. Which of the following is another term for the statement of condition in the audit findings?
a. Cause
b. Audit opinion
c. Observation
d. Criteria

4. What should the auditor do if, during an interview, she is given an answer she believes to be incorrect?
a. Ask the auditee to repeat or restate the answer.
b. Ask the auditee if he or she is sure that the answer is correct.
c. Note the reply, but do not query the auditee further.
d. Tell the auditee what the auditor believes to be the correct answer and seek the auditee's agreement.

5. Which of the following contributes to audit effectiveness?
a. Adhering to the audit time budget
b. Preparing weekly time reports and reconciling them to the time budget
c. Having scope changes approved by the manager of the unit being audited
d. Conducting an exit interview to discuss the audit observations and recommendations with the manager of the unit being audited

6. What action should the internal auditor take if informed by the management of the unit audited that they do not intend to take any corrective action to address a weakness or risk identified during the course of an internal audit?
a. Evaluate that decision, including the level at which it was taken.
b. Accept the decision because whether or not to take action is management's responsibility, not the auditor's.
c. Report management's decision to the audit committee of the board of directors.
d. Report management's decision to the organization's external auditors.

7. According to the IIA Standards, whom must the chief audit executive include in distributing the audit results?
a. The manager of the unit being audited
b. The audit committee of the board of directors
c. The chief operating officer of the organization
d. The external auditors

8. How should an auditor respond when management has already taken action to address an identified weakness before completion of the audit?
a. Omit the weakness from the audit report as it no longer poses any risk to the organization.
b. Include the weakness in the report, but indicate that management has already taken corrective action.
c. Include the weakness in the report, stating that management's corrective action was taken only as a result of the audit identifying the weakness.
d. Include the weakness in the report, making no reference to the corrective action taken.

Solutions
sufficient for the audit committee to receive a summary of the reports issued.
c. Incorrect. Not all audit reports necessarily go to the chief operating officer; he or she may receive a summary.
d. Incorrect. Although the external auditors are often copied on audit reports, this is not required by the IIA Standards.

8.
a. Incorrect. Internal auditors have a responsibility to report both the weakness and the corrective action taken by management.
b. Correct. The weakness should be identified and management given credit for addressing it promptly.
c. Incorrect. This would be self-serving on the auditor's part; the credit should be given to management, not the auditor.
d. Incorrect. Reporting the weakness without reporting the corrective action would not present a balanced or accurate picture to the reader.
Explain the importance of effective interviewing skills in internal auditing, and describe the recommended approach to managing conflict during an audit. (Level 2)
No required reading
LEVEL 2

Internal auditors must be effective interviewers. Because most internal audits depend on interviews with operating personnel and others as a prime means of obtaining audit evidence, the audit interview is the primary means of gathering facts, opinions, and ideas. While evidence obtained from interviews will usually require substantiation from other sources, interviews remain a valuable source of audit evidence and often determine the direction that the audit will take.

There are generally four types of audit interviews: preliminary, fact-gathering, follow-up, and exit. In practice, these interviews are often combined because of time considerations and logistics.

The quality of the information gathered from interviews is largely determined by how the auditor begins the interview. The auditor must ask questions in the correct manner to gain the trust of the interviewee. The auditor must avoid overly assertive or accusatory questions, especially at the beginning, and must create a tone of tact and diplomacy to encourage cooperation and to ensure that the questioning produces useful and correct information. The following points are important to the interview process:

- Plan thoroughly for interviews. This planning should include a review of background information and decisions about the areas to cover, specific questions to ask, and the most appropriate audit staff to ask the questions.
- Ask open-ended questions. These generally elicit useful details and anecdotal information, which may not be revealed with specific questions. "Tell me about ..." is a good way to start an open-ended question. The auditor can guide the interviewee back to specific topics as necessary.
- Listen effectively to ensure you understand the information. Taking notes and repeating paraphrased information back to the interviewee help confirm the main points of the conversation. Recording devices should generally be avoided, as these can be intimidating for the client.
- Tell the interviewee that their cooperation is appreciated, and that the information is very useful. This will conclude the interview on a positive note. It is good practice to provide contact information in case of any forgotten details.
When interviews are conducted to obtain audit evidence, the same standards of documentation apply as for other types of evidence. Adequate notes should be taken and then compiled in a memorandum covering the key points of the interview. The accuracy, completeness, and timeliness of this process are critical to ensuring the quality of the evidence supporting positive and/or negative audit observations. This is particularly true if there is any possibility that the subject of the interview may later be the cause of a court action, as is often the case for interviews conducted as part of a fraud examination.
auditor's findings and recommendations could elicit hostile responses from auditees and/or management. In such cases, the auditor's chances of negotiating a resolution will be enhanced by concentrating on four basic areas:

- Management of people issues
- Identification of interests
- Development of alternative options
- Establishment of objective criteria

When dealing with conflict, it is useful to determine whether the conflict is perceived or real, distinguish what is the actual cause of the conflict, separate emotion from the context of the conflict, consider other points of view on the conflict, and look for mutual gain as an outcome. The facts will often determine the severity of the conflict, and direction can be sought from the IIA Standards and/or company policies and procedures.
Identify the purpose and the objectives of internal audit reporting. (Level 1)
No required reading
LEVEL 1

The end-product of an internal audit is the audit report. Developing, obtaining approvals for, and issuing this report are the most important phases of the internal audit process. No matter how well the auditor has planned and conducted the audit, how significant the observations, or how much the organization's effectiveness and efficiency could be improved by implementing the auditor's recommendations, the audit will not serve its purpose if the report is of substandard professional quality and fails to motivate management to correct the noted deficiencies.

The effectiveness of the internal audit department is judged largely on the value of its audit reports. In practice, this value has been measured by the quantity and perceived quality of reports issued. There is a new trend, however, toward measuring the effectiveness of the department by the number of recommendations that are implemented. The quality of the audit report depends on the quality of the audit work done, but even good audit work can be rendered ineffective by poor reporting practices.

An internal audit report should accomplish five important objectives:

1. Document the results of audit work. The report should summarize the scope, nature, and extent of the audit work performed, the evidence obtained, and the auditor's observations, conclusions, and recommendations. In effect, it should summarize the audit work done and the auditor's findings.
2. Provide a framework for management action. The audit report is often viewed as an evaluation of current operational practices and the performance of various organizational units or functions. It shows which areas are operating well and which need improvement, identifying causes and effects of deficiencies. It also recommends actions that management should take. It should motivate management to take action, or satisfy senior management and the board of directors that no action is required, and why.
3. Present the auditee's views. Usually, managers of audited units agree with the auditor on all important points in the report. However, auditees sometimes want to mention mitigating circumstances or clarify an issue. If the auditee disagrees with the auditor's observations or recommendations, the auditee should be allowed to express opposing views, stating his or her reasons. This method helps senior management by providing a basis for deciding what actions to take. It indicates that the audit reporting process is fair and unbiased.
4. Provide a basis for follow-up. The report provides a basis for following up on audit recommendations to determine whether management has adequately considered the auditor's recommendations and implemented appropriate corrective action.
5. Express an opinion on the adequacy of governance, risk management, and control within the organization.
In the next topic, Online reading 6.3-1, an IIA practice guide on formulating and expressing internal audit opinions, states that internal auditors are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization's operations (micro-level opinion).
State the IIA Standards and guidelines for internal audit reports. (Level 1)
Required reading
Reading 2-1, Performance Standards 2400 to 2450 (Level 1)
Online reading 6.3-1, IPPF Practice Guide: Formulating and Expressing Internal Audit Opinions (Level 1)
LEVEL 1
The Institute of Internal Auditors recognized the importance of audit reporting by making it the subject of one of its earliest pronouncements. The Statement on Internal Auditing Standards (SIAS) No. 2, Communicating Results, issued in 1983, has been updated and now appears as Performance Standard 2400 and in the related practice advisories, several of which are required reading in the following topics. The standard now includes specific communication requirements to be followed when the internal auditors express overall opinions on an organization.

Here are some of the guidelines that provide a framework for the reports issued by internal auditors:

1. A signed, written report should be issued when the audit examination is complete.
2. The internal auditor should discuss conclusions and recommendations at appropriate levels of management before issuing final written reports.
3. Reports should be accurate, objective, clear, concise, constructive, complete, and timely.
4. Reports should present the purpose, scope, and results of the audit, and where appropriate, an expression of the auditor's opinion. These opinions are usually in relation to controls around a specific process, risk, or business unit. IIA Standard 2410.A1 indicates that internal audit opinions could be expressed as conclusions, ratings, or other descriptions of the results of the audit. When opinions are expressed, they must consider the expectations of senior management, the board, and other stakeholders. The opinions must be supported by sufficient, reliable, relevant, and useful information.

   Occasionally internal auditors may issue an opinion on risks and controls for the overall organization. IIA Standard 2450 specifically refers to overall opinions, and requires the internal auditor to consider the expectations of senior management, the board, and other stakeholders. This standard also requires the overall opinion to include the following:
   - the scope, including the relevant time period, and any scope limitations
   - consideration of all related audit projects and any reliance on other assurance providers
   - the risk or control framework or other criteria used by the auditor as a basis for the overall opinion
   - the reasons for an unfavorable opinion, if applicable
5. Reports may include recommendations for potential improvements and acknowledge satisfactory performance and corrective action.
6. The auditee's views about audit conclusions and recommendations may be included in the audit report to demonstrate fairness and respect for the auditee.
7. The chief audit executive should review and approve the final audit report before it is issued and decide to whom it will be distributed. When the chief audit executive delegates these duties, he or she retains overall responsibility.

The IPPF Practice Guide, Formulating and Expressing Internal Audit Opinions, provides guidance to internal auditors on how to form and express an opinion on some or all of an organization's governance, risk management, and internal control systems.
Develop the information that should be included in an internal audit report, including the main factors the internal auditor considers in developing recommendations, and explain why the report (including recommendations) should be reviewed with management before its release. (Level 1)
Required reading
Practice Advisory 2410-1: Communication Criteria (Level 1)
Effective Report Writing? (Level 1)
Structure and content of an audit report (Level 1)
Practice Advisory 2440-1: Disseminating Results (Level 1)
A standard format for an internal audit report is not always practical or desirable. Format varies according to the organization and circumstances, and often changes over time. Reading 6-1 provides general guidelines for the communication of engagement results, while Reading 6-2 offers some useful ideas for effective report writing.
Reading 6-3 describes the structure and content of an audit report in detail.
to each different operational manager. Copies of all sections would be sent to senior management. Further guidance is provided in Reading 6-4, Practice Advisory 2440-1: Disseminating Results.
Practice Advisory 2420-1: Quality of Communications (Level 1)
Characteristics of a good audit report (Level 1)
The Information Guardians (Level 1)
Audit reporting 101 (Level 1)
ERM-based Audit Reports (Level 2)
As stated in the previous topic, unlike external auditing, there is no standard format, wording, or length for internal audit reports. Internal audit reports can range from a single page to 40 pages or more and can be formatted as tables or as formal narrative reports. However, by following some basic principles, you can increase the likelihood that your report will persuade management to take corrective action based on your audit observations. These principles are covered in the following readings:

- Reading 6-5, Practice Advisory 2420-1, describes the quality of communications.
- Reading 6-6 expands on the coverage and explains the important characteristics that go into a good internal audit report:
  - Accurate reports
  - Objective reports
  - Clear reports
  - Concise reports
  - Constructive reports
  - Complete reports
  - Timely reports
- Reading 6-7, The Information Guardians, explains a reporting model which considers the three parties involved: reporter, reportee, and report users. The article emphasizes the important role of internal auditors as information guardians, who must maintain technological competence and professional character to report trustworthy information.
- Reading 6-8, Audit reporting 101, relates the current standards to the new risk-based audit approach while addressing the conventional five-attribute report of an audit observation.
- Reading 6-9, ERM-based Audit Reports, considers how to align audit reporting with the organization's enterprise risk management processes.
LEVEL 2
The following example illustrates the importance of good communication skills in internal auditing, and emphasizes the need for the auditor to be able to resolve conflicts with management in connection with the audit reporting phase. It points out a number of steps the auditor can take to gain management's support of the final audit report.
Example 6.5-1: Effective audit reports
Earlier today, you sent a 50-page audit report to the vice-president of production with a copy to the president. The report was critical of wastage of production materials and excessive inventory levels. The phone rings. An angry vice-president wants you in his office at once. He confronts you with the report, saying that this is the first time he has heard about the audit. He says you simply do not understand the production process and that the sales people are constantly demanding instant deliveries. The president has called the VP and asked what he intends to do to rectify the problems. You know the report is accurate. The observations and recommendations are well documented and valid. Some of the observations were even discussed with the production supervisor. You are confident that the facts are correct. You realize the report is long, but the issues are complex and need thorough explanation. The recommendations are clear if the reader takes the time to study the observations.
Required
Assume that you were able to pacify the vice-president about the report. What would you do differently to prevent a recurrence of such an angry outburst? How does an auditor enlist the support of management, especially when significant changes to operations are needed?

Solution
Note: The following solution is one way to deal with the situation. Other valid approaches could also resolve the problem. If you have valid reasons for choosing an approach different from the one described, your method may be equally useful.

To avoid such an unsatisfactory response in the future, the internal auditor should go back to the planning phase. In that phase, the auditor should define the scope of the audit, indicate the objectives to be achieved, and state criteria against which results will be assessed.

The auditor should then meet with the vice-president or senior executive responsible for the audited area and share the preliminary plans. With the VP's approval, the auditor could then conduct a survey to identify the control areas and plan the detailed audit work.

Management should be kept informed by periodic progress reports. This provides an opportunity to test ideas for change and obtain management's views. If the area being reviewed is complex, the use of interim reports can divide the audit into more manageable units.

Observations and recommendations must be discussed thoroughly with production management before issuing the draft report. Depending on the organization, it may be appropriate to hold part of the audit discussion with all the key players present. This technique is useful if the recommendations affect more than one division of the organization. Obtaining consensus of all parties before the final report is issued helps to ensure implementation of recommendations, especially when significant changes to operations are needed.

The last step is preparing the final report incorporating management's comments and recommendations. An executive summary is suggested if the report is long and complex. The audit scope, objectives, and conclusions should be included in the executive summary, along with the significant observations, recommendations, and management's proposed corrective action. Some senior managers may only receive the executive summary while others should receive both the summary and the detailed report.
Explain why it is important for internal auditors to monitor the implementation of their recommendations, and determine the steps in a monitoring program. (Level 1)
Required reading
Reading 2-1, Performance Standards 2500 to 2600 (Level 1)
Reading 6-10, Practice Advisory 2500-1: Monitoring Progress (Level 1)
Reading 6-11, Practice Advisory 2500.A1-1: Follow-up Process (Level 1)
Online reading 6.6-1, Interview with Frieda Muller (Level 1)
LEVEL 1
Performance Standard 2500 in Reading 2-1 states that the chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. The Implementation Standard for assurance engagements goes on to state that the chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

Follow-up consists of the following steps:

- A systematic review of action taken by management on recommendations made by auditors
- An assessment of whether the action taken has corrected the problems identified by the audit
- A report of results of follow-up reviews to senior management and to the audit committee as appropriate

Follow-up begins at the end of the audit when management provides an action plan, including planned action and deadlines. The auditor considers the matters requiring correction, their importance and complexity, and the associated risks. The auditor then ranks the audit findings and recommendations in terms of the importance of following up to ensure that corrective action has been taken.

Where there is a high risk of loss through error, fraud, or lack of action, follow-up must be prompt. For example, if the auditor finds that controls over the company's handling of cash are seriously inadequate, these must be acted on by management and followed up by the auditors immediately.

There is no standard time period for follow-up on other, less urgent audit observations and recommendations. Management needs enough time to take action, but should not delay unduly. The nature and timing of the auditor's follow-up depends on the significance of the audit observation, the size of the operation, and the company's policy on follow-up. The time required to implement changes can range from a month or less to several years. If the recommendations are relatively easy to implement, the auditor may follow up in three months. If, however, the recommendations require management to undertake a study or develop a new system, a longer follow-up period is likely appropriate.

Auditors should follow up on a periodic basis and report on the progress in the implementation of the recommendations to senior management and the audit committee. Follow-up enables the auditor to inform senior management whether managers are taking appropriate steps within a reasonable period of time to improve control of their operations. The auditor can also evaluate whether previously reported deficiencies are being adequately dealt with.

Management is responsible for taking corrective action, but the auditor is responsible for assessing the extent to which appropriate corrective action has been taken. Such an assessment can also help to determine the nature, extent, and timing of future audit work. Follow-up clarifies management's responsibility and
Reading 6-10, Practice Advisory 2500-1, and Reading 6-11, Practice Advisory 2500.A1-1, provide suggestions on how to monitor the disposition of results communicated to management and how to institute a longer-term follow-up process.

Management is responsible for deciding the appropriate action (if any) to be taken in response to internal audit observations and recommendations. The chief audit executive is responsible for assessing such action and the extent to which it will address the identified weakness. Senior management may decide, because of cost or other reasons, to accept the risk of not correcting the reported condition. Standard 2600 states, "When the chief audit executive concludes that senior management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board for resolution."
Report audit findings from the information provided in a case study. (Level 2)
No required reading
LEVEL 2

tested by an independent laboratory and a copy of the report sent to the customer. (The customer would not accept delivery of these products without such a report.) The company kept records of customer complaints concerning their products. There was the same proportion of complaints recorded concerning products blended by toll manufacturers as those blended by the company's own plants.

7. The company's lawyers confirmed that the company's formulations were patented in both Canada and the United States. The company's marketing department kept records of the chemicals sold by the other companies in the industry and stated that they would have been aware of any patent infringement and there was no evidence of any to date.
8. Production management stated that there were no formal contingency plans for the supply of product to customers in the event that a toll manufacturer was unable to fill the order. Should the situation arise, products would be obtained from either the closest alternative toll manufacturer or the company's own plants.
9. Once the toll manufacturers were appointed, there was no process to review them. The production managers stated that they did consider whether to build new facilities each year when preparing the annual budget and three-year company plan, and that volumes did not yet justify this. The auditors discussed this in some detail with production management and reviewed the budget working papers, agreeing that appropriate consideration had been given to the matter and the conclusion was appropriate.
Required
Draft the specific audit observations that you would include in your draft audit report for discussion with production management at the conclusion of this audit. Do not prepare the entire report, only the specific observations that you would mention. For each of the issues, state the observation, criteria, cause (if known), effect, and recommendation.

Suggested solution
Toll manufacturers are appointed for indefinite periods, and no formal periodic review of performance, financial stability, and so on, is carried out once they are appointed [observation]. The company could be at risk of loss of its inventories if there was financial deterioration on the part of toll manufacturers and might miss the opportunity to obtain better terms through periodic tendering of such contracts [effect]. For these reasons, it would be a better business practice to establish contracts for specified periods of time and establish a procedure for reviewing the performance, stability, and so on, of toll manufacturers [criteria]. Consideration should be given to fixed-term contracts for toll manufacturing. If this is not adopted, a process should be established for formal periodic review of the performance, pricing, and financial stability of the toll manufacturers used by the company [recommendation].
Insurance coverage
The company's insurance coverage for its inventories located at off-site locations requires that the insurer be informed of such locations when the inventory site is established [criteria]. Due to the oversight of the production supervisor [cause], this was not done for inventories located at Texarkana Tolling Inc. [observation]. Failing to inform the insurer could result in the insurance company refusing to pay for any losses occurring at that site [effect].
Contingency plans
Production management does not prepare contingency plans for supplying chemicals to customers should strikes, natural disasters, or other causes prevent the toll manufacturers from being able to do so [observation]. While this has happened infrequently in the past, increased use of toll manufacturers by the company in recent years has increased its exposure in this regard [effect]. The company is responsible for the security of supply to its customers and should take all prudent steps to ensure that the supply is not interrupted [criteria]. Production management should consider preparing contingency plans in advance so that there will be minimum disruption of supply to customers in the event of a work stoppage at a toll manufacturer's site [recommendation].
Module 6 summary
Internal audit communications and reporting
Module 6 begins by demonstrating the importance of interviewing skills in internal auditing. The module goes on to consider audit reporting and follow-up. The purpose of internal auditing is to help strengthen risk management, control and governance. Communicating audit results to management is the bridge between the audit and management's implementation of recommendations for improvement. Communication of independent and objective information to the board improves governance.
Explain the importance of effective interviewing skills in internal auditing, and describe the recommended approach to managing conflict during an audit.
In most internal audits, interviews with operating personnel and others play an important role as a prime means of gathering audit evidence. The audit interview is the primary means of gathering facts, opinions, and ideas. While evidence obtained from interviews will usually require substantiation from other sources, interviews remain a valuable source of audit evidence and often determine the direction that the audit will take. Interviews are used throughout the internal audit process:
- At the planning stage, to gather background information to assist in planning the nature, extent, and timing of the testing to be carried out
- During the main part of the evidence-gathering stage, to provide evidence as to the actual conditions in existence
- At the end of the evidence-gathering phase, to confirm the auditor's understanding of the situation and obtain clarification of issues
- At the end of the audit (exit conference), to discuss issues, recommendations, and the audit report with the auditee manager
State the IIA Standards and guidelines for internal audit reports.
The IIA Performance Standards 2400 to 2450 and their related advisories cover the IIA's prescriptions regarding audit performance standards. There are eight guidelines:
1. A signed, written report should be issued when the audit examination is complete.
2. The internal auditor should discuss conclusions and recommendations with appropriate levels of management before issuing the final report.
3. Reports should be accurate, objective, clear, concise, constructive, complete, and timely.
4. Reports should present the purpose, scope, and results of the audit and, where appropriate, an expression of the auditor's opinion. Opinions must consider the expectations of senior management and the board. The opinions must be supported by sufficient, reliable, relevant, and useful information.
5. If an opinion is expressed on the organization as a whole, the auditor must consider the expectations of senior management and the board. The overall opinion must include the following:
   - The scope and time period
   - Consideration of related audit projects
   - The risk or control framework used as a basis for the opinion
   - The reasons for an unfavorable opinion
6. Reports may include recommendations for potential improvements and acknowledge satisfactory performance and corrective action.
7. The auditee's views about audit conclusions and recommendations may be included in the report.
8. The chief audit executive should review the final audit report before it is issued and decide to whom it will be distributed. When the chief audit executive delegates these duties, he or she retains overall responsibility.
Develop the information that should be included in an internal audit report, including the main factors the internal auditor considers in developing recommendations, and explain why the report (including recommendations) should be reviewed with management before its release.
Typically, audit reports contain the following information, presented in this order:
- Background information
- Purpose and scope of the examination
- Summary of major observations
- Detailed observations and recommendations
- Management comments
- Conclusions (may not appear as a separate section)
- Acknowledgment
There are five elements to an individual audit observation:
- Nature of the observation (What actually happens?)
- Criteria used to assess performance (What should happen?)
- Cause of negative observations (Why does performance not meet the standard?)
- Effect of negative observations on operations (What risk does it pose to the organization achieving its objectives?)
- Auditor's recommendations (What can be done to improve the situation?)
In presenting audit observations and developing recommendations for improvement, the auditor considers the following factors:
- Circumstances that help or hinder the organization in meeting criteria
- Alternative courses of corrective action
- Specific effects, both positive and negative, that may arise if the recommendations are adopted
- Feasibility and the cost-benefit ratio of adopting a recommendation
The report (including recommendations) should be reviewed with management before its release. The main reason is to ensure that it contains no errors or misrepresentations. Errors of fact in audit reports do a great deal of damage to the credibility of the auditor and the audit department. Reviewing the report also provides an opportunity to determine if there are any differences of opinion with management concerning the significance of any of the observations so that an effort can be made to come to a mutual agreement before the report is issued. It also creates goodwill because the auditee manager will be aware of the audit observations and be able to prepare a response before higher management has received the report.
Explain why it is important for internal auditors to monitor the implementation of their recommendations, and determine the steps in a monitoring program.
The purpose of the audit is to identify risks and weaknesses in order to make management aware of the need for action to mitigate the risks and correct the weaknesses. If the internal auditor does not monitor management's actions, senior management and the board will not know whether management has carefully considered the audit observations and recommendations and, where appropriate, taken corrective action to reduce the level of risk to which the organization is exposed. The six-step process of an effective follow-up program is as follows:
1. Determine the scope of the follow-up.
2. Prepare the follow-up program.
3. Carry out the follow-up program.
4. Assess the extent of corrective action taken and progress made.
5. Review follow-up files.
6. Report results of the follow-up.
Module 6: Self-test
1. Multiple choice
a. Internal auditors can usually achieve better relations with the management of the units they audit if they do which of the following?
   1. Emphasize their roles as management advisors.
   2. Concentrate on errors made by lower-level employees.
   3. Concentrate on uncovering frauds and embezzlements.
   4. Emphasize their role as an insurance policy in protecting managers against potential frauds and embezzlements.
b. An internal audit resulted in a finding regarding efficiency of operations. Which of the following is most likely to help gain the auditee's cooperation in this situation?
   1. Allow the auditee to participate in the development of recommendations.
   2. Emphasize the personal responsibility of auditee management.
   3. Document adverse findings with a complete list of all deficiencies.
   4. Submit a draft copy of the audit report to higher-level management.
c. The recommendation in the detailed audit report should address which other element of the finding?
   1. Observation or statement of condition
   2. Criteria used for evaluation
   3. Cause of the deficiency or weakness
   4. Effect, risk, or impact of the deficiency or weakness
d. In planning an audit, the internal auditor notes that a weakness identified in the previous audit of the unit had not been addressed by management. Which of the following actions by the internal auditor would be appropriate?
   1. Do nothing; management had the right to decide not to address the issue.
   2. Immediately raise the issue with the audit committee of the board of directors.
   3. Include the issue in the current audit, to see if it still poses a significant and relevant risk to the business.
   4. Instruct management to address the issue before the audit begins.
e. An audit of a company's accounts payable processes identified several control weaknesses. To whom would the report be of greatest use when setting out the weaknesses?
   1. Corporate treasurer
   2. Accounts payable manager
   3. Company's external auditors
   4. Company's chief financial officer
f. Which of the following best describes the principal purpose of an exit interview at the end of an internal audit?
   1. To present the final audit report to the management of the unit audited
   2. To review the performance of the audit staff at the conclusion of the audit
   3. To document management's proposed action plans in response to the audit findings
   4. To review the draft audit report for accuracy and appropriateness
2. Internal audit reports must be professionally written. This question highlights the importance of proper form and report writing style. A junior internal auditor has drafted the following short audit report on the payroll systems and procedures in a small remote branch of the company. The CAE has asked you, as audit supervisor, to rewrite the draft report in good form and professional writing style, which will serve as a good training exercise for the junior auditor.
Internal Audit Report Division A Payroll July 20X0
Purpose
To look at the payroll systems and procedures through discussion with staff and checking various documents at random.
Scope
We wanted to ensure that adequate internal controls were in existence and functioning effectively for March to May 20X0. We audited these three months in 20X0, checked the payroll register, timesheets, and hiring and termination forms, and spoke with Janet Millborne, who was promoted to payroll supervisor in January 20X0. Janet has a reputation for honesty, which is an important consideration in the payroll area. The audit looked at all processing of payroll, including hiring, timesheet and salary payroll procedures, computer security and backup procedures, and termination.
Observations and recommendations
Overall controls over payroll are quite good in this branch. People are trying hard to comply with proper procedures, and we found no serious weaknesses. Documents and records are in good order; filing is excellent. We appreciated the cooperation of all staff. We have made two recommendations to assist management, as follows:
a. Timesheets
I was informed by the payroll supervisor that hourly timesheets are sometimes given back to the employees, after approval, to send to accounting since they are more likely to ensure that the timesheets meet the deadline when they know their pay depends on it. This shows a careless disregard for internal control for the sake of efficiency.
Recommendation: I recommend that timesheets be sent directly to accounting after approval.
b. Payroll reconciliation
My audit sample revealed that the monthly total payroll per the payroll register is not reconciled to the monthly budget for payroll, due to the payroll supervisor deciding this is not a high-priority procedure. This is a good control to check for payroll errors.
Recommendation: As per company policy P32, the payroll register must be reconciled each month to the approved payroll budget.
Thank you for your assistance during this audit. A written reply to each of the deficiencies reported is required. Replies must be received by August 23, 20X0.
Required
Rewrite the draft report section, using good reporting form and style. Your writing should demonstrate all the characteristics of professional internal audit reporting.
3. CASE STUDY T6-1: Dorway Company Ltd.
You are an internal auditor with Dorway Company Ltd. The following audit criteria have been established for an audit of production activities of the corporation:
a. Inventory management
The need for raw material and finished goods inventories should be well-defined and related to approved objectives for sales and production.
b. Safeguarding of inventories
Procedures should be in place to ensure adequate security and custody of raw materials and finished products.
c. Production control
Appropriate standards for the use of raw material, direct labour, and equipment should be established for each product manufactured. Actual use of raw material, direct labour, and equipment should be recorded and monitored. Variances from established standards should be identified and analyzed, and corrective measures should be taken within a reasonable period of time.
Your audit work on the production activities of the company has revealed the following:
1. Inventory level targets for finished products are not based on sales forecasts. Fixed inventory levels have been established, whereas sales fluctuate significantly from month to month. The role and responsibilities of the marketing, production, and finance departments regarding inventory management have not been defined.
2. Security procedures over raw material and finished products inventories are fully satisfactory.
3. There are no standards for use of labour, and labour performance is not measured. The vice-president of production does not believe in measuring labour productivity.
4. Analysis of variances from standards for raw material and use of equipment is not performed on time. Explanations for variances are often superficial and do not call for any specific action from management.
Required
Write the section on detailed observations and recommendations for the internal audit report. Your report should adhere to the characteristics of a good audit report. For this question, do not include a section on management comments.
4. CASE STUDY T6-2: Wingstar Company Ltd.
You are an audit supervisor in the internal audit department of Wingstar Company Ltd. One of your colleagues, Gabrielle Raunet, has been the victim of a car accident and will be absent from work for three months. Before her accident, Gabrielle had drafted an audit report for Division A of the company (see Exhibit S6-1) but did not have time to complete it. Your audit manager reviewed the draft prepared by Gabrielle and is very unhappy about it. He indicated to you that the draft is of poor quality and that Gabrielle will require some training in writing reports upon her return.
Required
Your manager asks you to do the following:
a. Review the report and note any weaknesses in the form, content, and style that should be brought to Gabrielle's attention as part of her training.
b. Rewrite the report so that it can be presented to the management of Division A.
Note: For the Background Information section and the Objective(s) and Scope of Examination section of the report, it is sufficient to describe the requirements of these sections in general terms only.
EXHIBIT S6-1: Draft Audit Report for Wingstar Company Ltd. Division A
Gerry McNall
General Manager
Division A
Wingstar Company Ltd.
Any City, Canada
Dear Gerry,
Please find enclosed my comments and recommendations following an audit of your division that I performed last summer. As agreed previously, the audit covered the management of cash and accounts receivable. I had a very tight schedule to complete this audit and did not have the opportunity to discuss these observations and recommendations with the people responsible for managing these activities. I am confident that they would agree with the report anyway. I would appreciate receiving your written response to each observation and recommendation so that I can forward a final copy of the report to the president, the vice-president of finance, and the chairman of the audit committee by the end of next month. If you have any questions concerning the report, feel free to contact me at head office.
1. Cash management
Observation
Cash forecasts prepared by the treasury manager are of poor quality. He did not give me the impression, during the audit, that he knew exactly what he was doing. There is no specific methodology in use to do these forecasts, and important revenue and expenditures elements were missing from the forecasts. I do not think they are very useful to managing cash flows.
Recommendation
The treasury manager should receive training in the preparation of cash forecasts.
Observation
My audit revealed that excess funds were sitting idle in bank accounts for long periods of time. This situation is completely unacceptable, since the corporation is losing interest on this money.
Recommendation
Money should be invested to earn interest.
2. Management of accounts receivable
Observation
Many accounts are overdue. I do not think that the accounts receivable personnel make reasonable efforts to collect them. The aging of accounts receivable is not well done and included many errors.
Recommendations
Better efforts should be made to collect past due accounts. Accounts receivable aging should be done correctly.
Observation
Credit notes to customers' accounts are not authorized by the credit manager. Accounts receivable clerks can then commit fraud by appropriating funds and adjusting customers' accounts accordingly.
Recommendation
All credit notes to customers' accounts should be properly authorized. I also suggest that you keep a close eye on the style of living of your accounts receivable clerk.
5. The following comments are taken from the auditor's working papers after completion of an internal audit of the accounts receivable function. They are in no particular order or grouping, and all must be included in preparing the draft audit report for this engagement.
a. Our audit focused on an evaluation of key internal controls.
b. The accounts receivable department is staffed by 15 employees and one supervisor.
c. In 60% of the sample items selected, customers did not take advantage of the prompt payment discount offered.
d. On average, 75,000 invoices are processed by this department each month.
e. Review and approval of bad debt write-offs are inadequate.
f. This review covered the processing of regular customer accounts, and did not include non-trade receivables.
g. The audit was requested by the vice-president of finance as a direct result of comments made by the previous accounts receivable supervisor at the time of her resignation.
h. Of 675 customer payments reviewed, 10% were not deposited on a timely basis.
i. The audit was structured to review the effectiveness and efficiency of accounts receivable activities.
j. The procedures manual has not been updated in over five years, and does not include the recent computer software changes.
Required
For each of these comments, indicate the section of the audit report to which it belongs: background information, objectives, scope, observations, or conclusions.
Self-test 6 Solution 1
a.
   1. Correct. Auditors should emphasize their roles as management advisors.
   2. Incorrect. This will not help gain the support of the managers to whom the lower-level employees report.
   3. Incorrect. Managers will resent that they (or their staff) are being suspected as crooks.
   4. Incorrect. Auditors cannot prevent or detect all frauds; in any case, this is management's responsibility.
b.
   1. Correct. Involving the manager in seeking a solution will convey respect for the manager's position.
   2. Incorrect. This will cause the manager to become defensive.
   3. Incorrect. Although all deficiencies should be appropriately documented, this will not help gain the support of the manager.
   4. Incorrect. This will lead the manager to think that the auditor is undermining him/her.
c.
   1. Incorrect. The observation or condition is compared with the criteria.
   2. Incorrect. The observation or condition is compared with the criteria.
   3. Correct. The recommendation must address the cause of the deficiency.
   4. Incorrect. The risk or impact relates to the importance of the weakness, not the recommendation for addressing it.
d.
   1. Incorrect. At a minimum, the decision must be reviewed.
   2. Incorrect. If the auditor believes that there is still a relevant and significant risk, the matter should be included in the new audit and reported again.
   3. Correct. Management's decision may have been appropriate.
   4. Incorrect. The auditor lacks the authority to do this and, in any case, management's judgment may have been appropriate.
e.
   1. Incorrect. The treasurer does not have operating responsibility for accounts payable.
   2. Correct. The accounts payable manager should be the one to implement the changes necessary to improve the controls.
   3. Incorrect. Although the auditors will be interested in the findings, it is not their responsibility to effect changes to address the weaknesses.
   4. Incorrect. The chief financial officer is not the level of manager responsible for implementing corrective action, although the CFO would be interested in the auditor's findings.
f.
   1. Incorrect. The exit interview should be held before the final report is written.
   2. Incorrect. This is internal to the audit department and not the purpose of an exit interview.
   3. Incorrect. This is not the main purpose of the exit interview; this might be done only after management has had time to consider the draft report (therefore, after the exit interview).
   4. Correct. The main purpose of the exit interview is to ensure that there are no errors in the audit report when issued.
Self-test 6 Solution 2
The report provided in the question contains numerous errors and weaknesses in form, content, and style. You should take care to rewrite the report in a manner similar to the following suggested solution. Your answer may differ in the wording used, but the general style should be similar, and the reports should only include the following material:
Internal Audit Report Division A Payroll July 20X0
Purpose
To look at the payroll systems and procedures through discussion with staff and checking various documents at random.
Scope
The audit focused on payroll procedures from March to May of 20X0. All payroll procedures were reviewed, including hiring, hourly and monthly pay processing, terminations, and computer security. The audit evidence was obtained by reviewing payroll documents and discussions with staff.
Conclusions
Overall we found the internal controls to be good. Controls are both in existence and functioning adequately. Company policies are generally being complied with. In addition, we noted that payroll records and files are well organized. We have made two recommendations for management where we believe controls should be strengthened.
Observations and recommendations
a. Timesheets
Observation: The audit found that hourly timesheets are occasionally returned to employees after approval, to be sent to accounting by the employee.
Criterion: Proper internal control over payroll requires that timesheets be sent directly to payroll after approval.
Cause: This appears to have been done with the intent of ensuring that timesheets are sent to payroll in time to meet deadlines, to ensure that payroll is timely.
Effect: There is a risk that a dishonest employee could alter the timesheets after approval, and that employees could be paid for work not done.
Recommendation: All timesheets should be sent directly to payroll by the supervisors after approval.
b. Payroll reconciliation
Observation: The monthly total payroll is not currently being reconciled to the approved payroll budget for this branch.
Criterion: As a check on the overall accuracy of the payroll, Policy P32 requires that the monthly payroll be agreed to the approved budget.
Cause: Supervisory staff was not aware of the significance and importance of this control check and, because of the heavy workload, they had not given this procedure high priority.
Effect: Significant payroll errors may go undetected by management. During the course of the audit, the payroll supervisor completed all payroll reconciliations and no errors were found.
Recommendation: These reconciliations should be completed on a timely basis each month. The supervisory review should be evidenced by an initial.
Self-test 6 Solution 3
CASE STUDY T6-1: Dorway Company Ltd.
You should use the following format for writing the detailed observations and recommendations section of the internal audit report:
1. Nature of the observation (finding)
2. Criteria used
3. Cause of the weakness
4. Effect on operations
5. Recommendation(s)
You should reflect the following characteristics of good audit reports:
- Accuracy
- Objectivity
- Clarity
- Conciseness
- Constructiveness
- Completeness
Following is an example of an acceptable report.
a. Inventory management
Audit observation: Inventory level targets for finished products are not based on sales forecasts. Fixed inventory levels have been established, whereas sales fluctuate significantly from month to month.
Audit criteria: The need for raw material and finished goods inventories should be well-defined and related to approved objectives for sales and production.
Cause: No specific function is responsible for the determination and management of finished products inventories.
Effect on operations: Savings can result from better management of inventory levels.
Recommendation: Inventory levels for finished products should be based on sales forecasts. Optimal inventory levels should be determined through a joint effort of the marketing, production, and finance functions. The role and responsibilities of each group should be clearly defined.
Note: You may also respond that the roles of marketing, production, and finance regarding inventory management have not been defined. This could be presented as a separate finding.
b. Safeguarding of inventories
Audit observation: Security procedures over raw material and finished products inventories were reviewed and found fully satisfactory.
Audit criteria: Procedures should be in place to ensure adequate security and custody of raw materials and finished products.
c. Production control
Audit observation: There are no standards for use of labour.
Audit criteria: Appropriate standards for the use of raw material, direct labour, and equipment should be established for each product manufactured. Actual use of raw material, direct labour, and equipment should be recorded and monitored.
Cause: No emphasis is placed on measuring labour productivity.
Effect on operations: There is no means of ensuring that labour is used with due regard for economy and efficiency.
Recommendation: Labour standards should be developed by the production department, and labour performance should be formally measured.
Audit observation: Analysis of variances from standards for raw material and use of equipment is not performed on time. Explanations for variances are often superficial and do not call for any specific action from management.
Audit criteria: Variances from established standards should be identified and analyzed, and corrective measures should be taken within a reasonable period of time.
Cause: No emphasis is placed on variance analysis. Cost performance is not a key factor in evaluating overall management performance.
Effect on operations: There is no means of ensuring that raw materials and equipment are used with due regard for economy and efficiency.
Recommendations: Variances for raw material and use of equipment should be properly analyzed within a reasonable period of time. Variance information should be used to improve the economy and efficiency of operations.
Self-test 6 Solution 4
CASE STUDY T6-2: Wingstar Company Ltd.
a. Weaknesses in form, content, and style
Transmittal letter:
- The letter is not dated.
- Observations and recommendations should have been discussed with management; time is not an excuse.
- The report does not treat auditees fairly since they are not offered a chance to explain their position and respond to specific criticisms.
- The auditor should consider addressing her letter to management of the activities audited to obtain their comments before communicating them to the general manager.
- The style is very familiar and should not be used unless the auditor knows the auditee very well.
- The transmittal letter should acknowledge the cooperation of the auditee's personnel during the audit (if they did cooperate).
- The letter is not signed.
- The specific dates of the audit are not mentioned.
Draft report:
- The report does not provide the following details:
   - Background information on activities audited
   - The objective(s) and scope of the examination
   - Summary of major observations
- The overall style is aggressive and very negative. Expressions such as "poor quality," "did not know what he was doing," "completely unacceptable," and "poor management" should not be used. The style will put management on the defensive and will certainly not create an environment for change. The report should be constructive.
- Some observations and recommendations address the competence of individuals. The auditee will not react favourably to them. Whenever possible, recommendations should focus on systems and practices and not on individuals responsible for applying them.
- The remark about keeping an eye on the style of living of the accounts receivable clerk suggests an unwarranted invasion of privacy, especially since there is no indication of fraud.
- Some recommendations do not address the causes of problems (for example, recommendations on cash management). Investing in short-term deposits is only one of many means of investing short-term cash surpluses.
- Management responses should be included within the body of the report to provide the auditee with an opportunity to present their views to senior management for each observation and recommendation.
b. Revised report
You should correct the previously noted weaknesses in the revised report. You also need to include the General Manager/Director of Finance Division A in the list of people in the body of the letter who would get a copy once the errors are corrected. The exhibit below is an illustration of an acceptable report.
Draft Audit Report for Wingstar Company Ltd. Division A
General Manager
Division A
Wingstar Company Ltd.
Any City, Canada
October 15, 20X1
Dear Mr. McNall:
Please find enclosed our draft comments and recommendations following the audit of your division that was completed at the end of August, 20X1. Once you have had an opportunity to review the report, please submit your written comments on each finding and recommendation. Once we have corrected any errors and resolved any outstanding items relating to the report, we will forward a copy to the president, the vice-president of finance, and to the chair of the audit committee. Please advise me if you think we need to meet to discuss your comments. I would like to take this opportunity to thank you and your staff for the excellent cooperation we received during the audit.
Gabrielle Raunet
Background information
This section should provide general information on the operational activity reviewed and describe its main features. The purpose of this section of the report is to provide enough information to allow the reader to understand the general environment in which the audit was performed.
Objectives and scope of examination
Our audit focused on an evaluation of key controls over cash and accounts receivable for the period ended August 20X1.
[This section should describe the objective(s) and scope of the audit assignment and the period covered by the review. The auditor must specifically identify in this section what has been reviewed and what has been excluded.]
Detailed observations and recommendations
1. Cash management
1.1 Cash forecasting
Observation: There is no formal methodology in use for cash forecasting. Our review of a sample of cash forecasts revealed that in some cases, important revenue and expenditures elements were missing from the forecasts.
Effect: The usefulness of cash forecasts in managing cash flows is reduced.
Recommendation: A formal methodology for cash forecasting should be established and documented.
1.2 Investment of cash surpluses
Observation: Our review of bank balances revealed that excess funds were left sitting idle in bank accounts for long periods of time.
Effect: This practice is not advantageous to the corporation since interest is lost on funds that are not invested.
Recommendation: Controls should be put in place to ensure that excess funds are identified and invested in short-term instruments.
2. Management of accounts receivable
2.1 Collection of accounts receivable
Observation: Our review of a sample of aged accounts receivable revealed various errors. Also, many accounts receivable were overdue.
Effect: There is no control over past due accounts.
Recommendations: Controls should be put in place to ensure the accuracy of the aging of accounts receivable. Better efforts should be made to collect past due accounts.
2.2 Authorization of credit notes
Observation: We noted that some credit notes to customers' accounts were not authorized by the credit manager. Proper authorization of credit notes is an important control in the prevention of fraud.
Effect: There is a lack of control over allowable and unauthorized/fraudulent credit terms to customers.
Recommendation: Proper authorization of credit notes is an important control in the prevention of fraud. All credit notes to customers' accounts should be properly authorized by the credit manager.
Self-test 6 Solution 5
The comments should be included in the following sections of the report:
a. Scope
b. Background information
c. Observations
d. Background information
e. Conclusions
f. Scope
g. Background information
h. Observations
i. Objectives
j. Observations