Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 1: Introduction to internal auditing

Overview
The first module in this course sets the stage for your study of internal auditing. You consider the definition, role, development, and scope of internal auditing. You also consider the business environment and identify and analyze its accompanying risks. The various types of internal audits and the relationship between internal auditing, external auditing, and performance measurement are explained. Finally, you study the role of professional ethical standards in internal auditing and review case analysis, a technique used frequently throughout this course.

Test your knowledge

Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the depth of study required.

Learning objectives
1.1 Definition ofinternal auditing Define internal auditing and explain the key terms used in the definition. (Level 1)

1.2

Scope of internal auditing Describe the three elements that determine the scope of internal auditing. (Level 1)

1.3

Functions of management Explain the main functions of management and how they relate to achieving control. (Level 2)

1.4

Enterprise risk Define risk and enterprise risk, and explain how they are related to the concept of control. (Level 1)

1.5

Role of the internal auditor Explain the role of internal auditors in their organization, and compare it with the role of the organizations external auditors. (Level 1)

1.6

Types of internal audit assignments Describe the types of audits carried out by internal auditors. (Level1)

1.7

Performance measurement Compare internal auditing and performance measurement. (Level2)

1.8

The ethical climate Outline the role of the internal auditor in promoting ethical culture and standards in an organization. (Level 1)

1.9

Ethical considerations Apply ethical judgments in the context of the internal auditors work. (Level 1)

1.10 Introduction to case analysis Prepare a case analysis report from information provided on an internal auditing issue. (Level 1)

Module summary

Print this module

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

MU1 Module 1: Test your knowledge

1. Which of the following is included in the elements of scope (nature of work) in the current IIA standards? a. b. c. d. Assessing Assessing Assessing Assessing internal controls the competence of management the reliability of the companys annual financial statements the extent to which corporate objectives are achieved

2. Which of the following is the best description of the purpose of the internal auditors review of internal controls for effectiveness? a. To verify that the controls ensure the organizations risks are contained within the tolerances established by its risk management processes b. To test whether the controls in place are operating efficiently c. To establish that assets are properly safeguarded d. To verify that financial reports are reliable 3. Which of the following represents the most important benefit of an internal auditing department to an organizations management? a. b. c. d. Assurance Assurance Assurance Assurance that that that that published financial statements are accurate frauds will be detected the company is complying with all laws and regulations management has reasonable control over operations

4. Which of the following is outside the scope of internal auditing? a. b. c. d. Assessing the organizations effectiveness Verifying compliance with laws and regulations Safeguarding the organizations assets Reviewing the processes involved in producing internal financial reports

5. Internal auditing is a dynamic profession. Which of the following best describes the scope of internal auditing as it has developed in the last 50 years? a. Internal auditing involves assessing effectiveness and efficiency. b. Internal auditing involves assessing compliance with laws, regulations, policies, and procedures. c. Internal auditing involves assessing the existence of assets and the means used to safeguard them. d. The focus of internal audit has shifted over time from a financial focus to more of an operational focus. 6. Which type of audit would be conducted in response to a request from the president of a company that the internal auditors review the purchasing process to assess whether the company was getting maximum value for its purchasing dollars? a. b. c. d. Compliance audit Financial audit Operational audit Full-scope audit

7. The IIA Rules of Conduct require which of the following combinations of qualities of IIA members

in the performance of internal auditing activities? a. b. c. d. Solutions Honesty, objectivity, and due professional care Timeliness, clarity, and good judgment Appropriate knowledge, skills, and experience Loyalty, punctuality, and confidentiality

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

MU1 Module 1: Test your knowledge solutions

1. a. Correct. The assessment or evaluation and improvement of controls is one of the three elements. The others are the assessment and improvement of the risk management process and the organizations governance. b. Incorrect. This is not one of the elements. c. Incorrect. This is not one of the elements and is the responsibility of the external auditor. d. Incorrect. This is not one of the elements, although the purposes of internal control include the promotion of organizational effectiveness. The auditor should assess this when assessing internal controls. 2. a. b. c. d. Correct. This is what is meant by effectiveness of controls. Incorrect. Efficiency is not the same as effectiveness. Incorrect. This is only a part of the assessment of controls. Incorrect. This is only a part of the assessment of controls.

3.

a. Incorrect. This is a purpose of external auditing. b. Incorrect. Internal audit cannot guarantee that all frauds will be detected. c. Incorrect. Although internal auditors can verify this, it is not the most important benefit. d. Correct. This is the most important benefit of internal auditing. a. Incorrect. This is one of the purposes of the controls that the internal auditor should evaluate. b. Incorrect. This is a purpose of the controls that the internal audit evaluates. c. Correct. Internal auditing assesses the actions taken by management to safeguard assets; internal auditing is not responsible for actually safeguarding the assets. d. Incorrect. This is a purpose of the controls that the auditor evaluates. a. b. c. d. Incorrect. This is only part of the scope of internal auditing. Incorrect. This is only part of the scope of internal auditing. Incorrect. This is only part of the scope of internal auditing. Correct. This indicates how the scope has changed in recent years.

4.

5.

6.

a. Incorrect. The answers to the presidents request are not related to compliance. b. Incorrect. The answers to the presidents request are not found only in the accounting system. c. Correct. The president is interested in the effectiveness, efficiency, and economy of the purchasing processes. d. Incorrect. A full-scope audit is much wider than needed to meet the request. a. Incorrect. Due professional care is a requirement of the International Standards for the Professional Practice of Internal Auditing, not a requirement of the Rules of Conduct. b. Incorrect. These are qualities of audit reporting, not related to the Rules of Conduct. c. Correct. This is in the Rules of Conduct of the Code of Ethics (paragraph 4.1). d. Incorrect. Loyalty and punctuality are not mentioned in the Rules of Conduct.

7.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.1 Definition ofinternal auditing

Learning objective

Define internal auditing and explain the key terms used in the definition. (Level 1)
Required reading

Reading 1-1, CBOK 2010: The State of the Profession (Level 1) Reading 1-2, Raising the Stature of Internal Auditing (Level 1)
LEVEL 1

Auditing terminology
The terms management auditing and operational auditing are sometimes used to refer to internal auditing. The term management auditing is sometimes used to stress that the scope of internal auditing extends into all areas of management. Management auditing will not be discussed further in this course. Operational auditing refers to the auditing of attributes related specifically to effectiveness, efficiency, and economy. This will be discussed in a later module.

Internal auditing defined

In June 1999, the Institute of Internal Auditors (IIA) the international professional association for internal auditors revised its definition of internal auditing: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organizations operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.1 Consider the meaning of some of the terms found in these definitions: 2 Independence is freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Assurance is an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements. (Assurance services are generally characterized by three-party reporting the auditor reports to the board about management.) Consulting includes advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organizations governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training. (Consulting services are generally characterized by two-party reporting the auditor reports to management.)

Adding value to the organization (and its stakeholders) is when the audit provides objective and relevant assurance and contributes to the effectiveness and efficiency of governance, risk management, and control processes. Helping the organization refers to the focus on the overall organizational objectives and how those objectives are achieved at operational levels. This represents a change in auditor perspective, from fault finding to helping management achieve objectives. Risk management processes identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organizations objectives. Control processes are the policies, procedures, and activities that are part of a control framework, established by management to achieve objectives and to ensure that risks are contained within the risk tolerances established by the risk management process. Governance consists of the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. In 2006, the Institute of Internal Auditors Research Foundation conducted a broad-reaching study to assess the current state of the profession. Reading 1-1 summarizes the results of a more comprehensive survey of the internal auditing profession, the 2010 Common Body of Knowledge (CBOK) Global Internal Audit Survey, which the foundation completed in 2010. The reading shows the changes since 2006, the growth of the profession, and future trends. Note in particular the section on reporting relationships, which shows the improvement in communication between internal auditors and the audit committee. Reading 1-2 outlines how internal auditors can best raise the stature of their profession, continue to provide value, and contribute to achieving organizational goals.

Internal auditing professional associations

Internal auditors are governed by The Institute of Internal Auditors (IIA). The Information Systems Audit and Control Association (ISACA) provides guidance to internal information technology auditors, whereas the Association of Certified Fraud Examiners (ACFE) provides guidance on fraud investigations. Many internal auditors also hold professional accounting designations. They receive professional development from all these organizations and must comply with relevant standards.
IIA

The IIA is an international professional body, established in 1941, with a global membership (as of 2012) of more than 175,000 members in internal auditing and related fields. Although its head office is in Florida, it has national, regional, and local chapters, and members in more than 165 countries and territories. The first chapters in Canada those in Montreal, Toronto, and Vancouver were established in the late 1940s and have celebrated their 60th anniversaries. The IIA provides internal auditors, executive managers, boards of directors, and audit committees with standards, guidance, and information on the best practices for internal auditing. It conducts examinations leading to certification as a Certified Internal Auditor (CIA), an internationally recognized professional designation for internal auditors. The IIA also offers other certifications such as a Certified Government Auditing Professional (CGAP), Certified Financial Services Auditor (CFSA), Certification in Control Self-Assessment (CCSA), and Certification in Risk Management Assurance (CRMA). CIAs are required to meet continuing professional development requirements on an annual basis to retain their CIA designation. For more information about the CIA designation, visit the IIA website.
ISACA

ISACA is an international professional body with more than 95,000 members practising information systems

auditing. While information technology (IT) also known as information systems (IS) audit activities are not restricted to internal auditing, many IT auditors are involved in internal auditing. ISACA is dedicated to education, certification, and standard-setting for IT auditing, offering accountants and IT professionals the Certified Information Systems Auditor (CISA) designation. CISAs are also required to meet continuing education requirements on an annual basis. For more information on this designation, visit the ISACA website.
ACFE

The ACFE is a member-based global association dedicated to providing anti-fraud education and training. Together with its members, the ACFE is reducing business fraud worldwide and inspiring public confidence in the integrity and objectivity of the profession. It offers a certification program leading to the designation of Certified Fraud Examiner (CFE) . For more information on the ACFE, visit the ACFE website. Indeed, some CGAs may also have CIA, CISA and CFE designations.

International Standards for the Professional Practice of Internal Auditing, Institute of Internal Auditors (Altamonte Springs: Florida, 2012).
2 These definitions are based on the glossary accompanying the

1 This definition is taken from the glossary accompanying the

International Standards for the Professional Practice of Internal Auditing, Institute of Internal Auditors (Altamonte Springs: Florida, 2012).

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.2 Scope of internal auditing

Learning objective

Describe the three elements that determine the scope of internal auditing. (Level 1)
No required reading LEVEL 1

Old standards (pre-1999)

By 1947, the IIAs Statement of Responsibilities of Internal Auditing recognized that internal auditors may not only assess financial information and compliance with policies and procedures but may also deal with operational matters such as the effectiveness, efficiency, and economy of operations. When the statement was revised a decade later, it included the five elements of scope contained in the previous Standards for the Professional Practice of Internal Auditing. In particular, Section 300 of the old IIA Standards stated that internal auditors should do the following: Review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information. Review the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports and should determine whether the organization is in compliance. Review the means of safeguarding assets and, as appropriate, verify the existence of such assets. Appraise the economy and efficiency with which resources are employed. Review operations or programs to ascertain whether results are consistent with established objectives and goals, and whether the operations or programs are being carried out as planned.

Revised standards (post-1999)

Following the adoption of the current definition of internal auditing in 1999, the IIA significantly revised its Standards for the Professional Practice of Internal Auditing, which are now called the International Standards for the Professional Practice of Internal Auditing. (These Standards are reproduced in Reading 2-1.) Both the definition of internal auditing and Standard 2100 on Nature of Work state that the internal audit activity must evaluate and contribute to the improvement of governance , risk management , and control processes using a systematic and disciplined approach. These are the three elements of internal auditing, and they will be revisited in Standards 2110, 2120, and 2130 of Reading 2-1. Standards 2120.A1 and 2130.A1 state that the internal audit activity must evaluate risk exposures and the adequacy and effectiveness of controls in responding to risks relating to the organizations governance, operations, and information systems in the following areas: Achievement of the organization's strategic objectives Reliability and integrity of financial and operational information Effectiveness and efficiency of operations and programs Safeguarding of assets Compliance with laws, regulations, policies, procedures, and contracts

Although the terminology has changed and the scope of internal auditing has broadened over the years, all the elements of the older definition remain within the current scope of the internal auditing activity. Note: This course makes reference to a number of Standards and Practice Advisories that are included in your readings book and can also be found online at the IIA website. (Knowledge of this material is essential from an exams perspective.)

Video presentation
Watch the Internal Auditing in the Spotlight video presentation on the IIA website to learn more about the internal audit profession from chief audit executives around the world .

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.3 Functions of management

Learning objective

Explain the main functions of management and how they relate to achieving control. (Level 2)
Required reading

Reading 1-3, The Rotational Route (Level 2)

LEVEL 2

To be effective, internal auditors must understand the management process and the main functions of managers. If you have studied organizational behaviour, you will already be aware of the main functions of management. Because one of the purposes of internal auditing is to help managers better manage the business risks in the areas of their responsibility, it is imperative that internal auditors have a good understanding of management principles. In addition, an appreciation of the roles and functions of management makes it easier for internal auditors to convince managers to take action to address any issues identified during audits. There are four main functions of management: Planning Organizing Directing Controlling As you take a closer look at these functions, consider how they contribute to the management process and how internal auditing can support these functions. Internal auditors need to be aware of the responsibility relationships that are important in organizations and can affect the functions of management. To be effective, the internal auditor should be aware that the auditors role will be somewhat different when management operates under different management theories, for example, Theory X and Theory Y. 1 These different styles of employer-employee relationships will affect the moral relationships between senior management, the auditors, and those whose activities they audit.

Planning
Planning is the first function of management and entails developing a clear idea of the purpose, long-term objectives, and short-term goals of an organization. Planning is fundamental to management because it links current and projected positions of the organization. Effective planning includes a number of management activities: Setting objectives and goals Defining strategies to meet objectives Formulating principles, policies, and procedures Adhering to rules and standards Formulating programs and premises Preparing budgets Making decisions In planning audits, internal auditors consider risks, the expectations of senior management and the board, and compliance with policies, procedures, and rules. Since budgets are the plans translated into dollars, auditors

must also review the companys budgets and performance reports. Reading 1-3 describes advantages and disadvantages of implementing an internal audit rotational program, which provides an opportunity for future business managers to gain broad knowledge of the companys operations by working on term assignments as internal auditors.

Organizing
Organizing entails establishing a rule structure and appropriate reporting relationships to help achieve the goals of the organization. Organizing implies that the organization has a structure, with authority being delegated to various levels of the hierarchy in a way that allows the achievement of the organizations goals. For effective delegation of authority, five conditions must be in place: There must be a clear statement of responsibilities. Individuals at each level must understand their area of discretion. Individuals at each level must clearly understand the types of decisions they can make. Information needed to make decisions must be available. There must be a control system to monitor the exercising of delegated authority. These conditions are important to the internal auditor because they form the basis of accountability relationships. Accountability in an organization is essential to ensure effectiveness, efficiency, and economy of operations.

Directing
Directing is the process of inducing members of an organization to perform their roles successfully. Two of the main components of directing are communicating organizational goals and motivating staff to help achieve these goals. Understanding human relations and the needs and feelings of the staff of the audited unit or organization is a key aspect of the internal auditors function (particularly when presenting the results of the audit) and one that is emphasized throughout this course.

Controlling
Controlling is the comparison of actual performance with predetermined standards, plans, or objectives. Control is essential to ensure that corporate objectives are being met. Depending on the case, control can be established in a preventive manner (before the facts) or in a detective manner (after the facts). There are six steps in achieving effective control: 1. 2. 3. 4. 5. 6. Establish standards. Measure performance. Compare performance with standards. Evaluate deviations. Correct deviations. Follow up on corrective actions

The following basic requirements for adequate controls are also worth noting: Control systems must fit the needs and the management style of the managers they serve and reflect the organization pattern. Control systems must focus on exceptions and critical points so that managers can devote their attention to these areas. Control systems must be flexible to accommodate changing plans and operations. Control systems must be cost-effective.

1 Theory X and Theory Y are theories of human motivation created and developed by Douglas McGregor at

the MIT Sloan School of Management in the 1960s that have been used in human resource management, organizational behaviour, and organizational development. They describe two very different attitudes toward workforce motivation. McGregor felt that companies followed either one or the other approach. (Source: http://en.wikipedia.org/wiki/Theory_X_and_Theory_Y)

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.4 Enterprise risk

Learning objective

Define risk and enterprise risk, and explain how they are related to the concept of control. (Level 1)
No required reading LEVEL 1

The IIA Standards define risk as the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.1 Enterprise risk (also known as business risk ) can therefore be defined as the possibility of an event or action occurring that, if it occurred, could reduce the likelihood of an organization achieving its objectives. The task of management is to lead the organization in accomplishing its objectives. Because risk reduces the likelihood of achieving objectives, management must endeavour to reduce risk to an acceptable or tolerable level. Risk is all-encompassing and includes not only internal events and circumstances over which the organization has control, but also risks external to the organization, over which it has little or no control. No hard line can be drawn between risks that are controllable and those that are not; rather, there is a continuum of risks, ranging from the weather (over which the company has no control) to the quality of its products (over which it has significant control). See Example 1.4-1.

Example 1.4-1: Identifying enterprise risk

Large public utilities face a number of risks. Some of these would be catastrophic, such as the failure of a large hydro-electric dam. (Breach of the W.A.C. Bennett Dam on the Peace River in northern British Columbia, for example, would release such an enormous amount of water that the towns immediately below the dam would be 60 metres under water and the ecological effects would still be felt a century from now.) Further deregulation of the industrial, commercial, and residential electricity markets is another risk faced by public utilities. The impact of complete deregulation of the distribution of electricity would have a major impact on the operation of a utility. Inability to meet customer demand (on the coldest day of the year) is yet another risk that is faced by public utilities.

Finally, like all businesses, public utilities also face general risks such as bad debts, debt and interest rate exposure, management and employee fraud, labour disputes, labour strikes, and so on. Increasingly, management is undertaking formal processes to identify risks facing businesses. A number of risk assessment frameworks have been developed that provide a basis for the systematic review of a wide range of potential risks. Many of the large accounting/consultancy firms have developed generic models that can be adapted to different industries. Use of a risk assessment framework reduces the likelihood that a significant risk will be overlooked.

Relationship between risk and control

The IIA Standards define control as any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that
1

objectives and goals will be achieved. The primary objectives of internal control are to ensure The reliability and integrity of financial and operational information The effectiveness and efficiency of operations and programs The safeguarding of assets Compliance with laws, regulations, policies, procedures, and contracts The COSO framework (discussed in Module 3) indicates there are five necessary components to good internal control in an organization: control environment, risk assessment, control activities, information and communication, and monitoring. Managements view of controls is likely to be similar to the definition of control used by the CICAs Criteria of Control Board (CoCo) (discussed in Module 3). In its publication Guidance on Control , CoCo has defined control as those elements of an organization that, taken together, support people in the achievement of the organizations objectives. Control is effective to the extent that it provides reasonable assurance that the organization will achieve its objectives. Or, stated another way, control is effective to the extent that the remaining (uncontrolled) risks of the organization failing to achieve its objectives are deemed acceptable. Control therefore includes the identification and mitigation of risks. Enterprise risk management is a process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. 2 It consists of identifying those risks faced by the organization, establishing acceptable tolerance limits for those risks, and putting controls in place to reduce the risks to within the entitys risk tolerances.

1 The Institute of Internal Auditors,

International Standards for the Professional Practice of Internal Auditing

(Altamonte Springs: Florida, 2012).

2

Enterprise Risk Management Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2004.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.5 Role of the internal auditor

Learning objective

Explain the role of internal auditors in their organization and compare it with the role of the organizations external auditors. (Level 1)
Required reading

Reading 1-4, In support of the bottom line (Level 1) Reading 1-5, Equipped for Governance (Level 1)
LEVEL 1

How the internal auditor fits in

Internal auditors are independent assurance providers that act as consultants both to senior management and to the board of directors. Internal auditors must not only be proficient in controls, they must also be familiar with all functions and principles of management in order to ensure that controls are appropriate. To assess the quality of management systems and controls in an organization, an internal audit requires close cooperation between the auditor and the auditee. The contribution of internal auditors to the business is measured in their ability to assist the board and managers in executing their responsibilities. This is done through objectively identifying risks, evaluating the design and implementation of managements control systems, and making recommendations for improvement. In a general sense, the role of internal auditors is to observe operations with the point of view of senior management. Internal auditing aids the organization by helping managers manage better by bringing to managements attention opportunities for improvement. Direct assistance to the board is provided in the form of audit reports, which provide objective information to the board with respect to those processes found to be working appropriately and assurance that management is aware of any identified opportunities for improvement. Internal auditors should report objectively to the board on the effectiveness of the design and implementation of managements control systems, which are intended to support the accomplishment of the organizations goals and objectives. The role of consultant to the board cannot be effectively carried out without independence from, communication with, and the trust of management, and adherence by the auditors to the highest ethical standards. Reading 1-4 explains how internal auditors can contribute to a companys revenue and profit. The auditors analytical skills and experience can help managers assess revenue risks in areas such as investments and capital project management. Reading 1-5 describes the increasingly important role of internal auditing in strategic financial and nonfinancial issues and decisions at the highest levels of the company.

Internal auditing contrasted with external auditing

In External Auditing [AU1] (or your introductory auditing course), you learned about the assurance or attest audits of financial statements carried out by external auditors. You also learned that the sole objective of an external audit is to issue an opinion, to the shareholders, as to whether the financial statements of an organization as prepared by management are presented fairly in all material respects in accordance with generally accepted accounting principles (GAAP). External auditors obtain only the audit evidence necessary to support this opinion. They may choose, for

example, not to test the operating effectiveness of internal controls and rely almost exclusively on substantive testing of transactions and balances. External auditors are concerned with matters related to financial statements such as the completeness, accuracy, and authorization of financial transactions. Internal auditors, however, are more concerned with the efficiency and effectiveness of the wide range of activities defined under the scope of internal auditing. External auditors tend to focus on balances at a point in time; internal auditors are more concerned with the appropriate design and effective implementation of management processes. Although some of the techniques used by internal auditors are similar to those used by external auditors, the two types of auditing are very different. Internal auditors perform audits of internal operations, specifically risk management, internal controls, and financial governance. The internal auditors primary responsibilities are to the board and management, whereas the external auditors primary responsibilities are to shareholders, creditors, and the general public (that is, the users of the audited financial statements). Although the internal auditors may assist with the external audit, the scope of the internal auditors work does not directly include the financial statements.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.6 Types of internal audit assignments

Learning objective

Describe the types of audits carried out by internal auditors. (Level1)

Required reading

Reading 1-6, A sharper focus (Level 1)

LEVEL 1

Audit types
A number of different types of audit assignments make up the full range of internal audits. Audit assignments can be classified as either assurance or consulting engagements. They can also be classified according to the scope of work carried out and/or activities performed by the auditor. The following types of audits are described in this topic: Compliance audit Internal financial audit Operational audit Comprehensive audit IT and integrated audit Fraud audit Environmental audit These types of audits would usually be assurance engagements; however, if they were carried out at the request of the responsible manager for the purposes of improving performance without providing a formal assessment or evaluation, they would be consulting engagements. Reading 1-6 explains an approach to these types of internal audits that is shifting from transaction testing to more forward-looking types of auditing.

Compliance audits
The earliest internal audits focused almost entirely on the system of internal controls. The auditor was provided with documentation on the controls that were supposed to be in place and then set out to verify that these controls were operating as intended. Such compliance audits did not evaluate the appropriateness of the controls because the audit was usually conducted at the branch level and the branch management had no authority to change the controls established by the head office. Reports were restricted to evaluating compliance with the head office requirements. Compliance audits review both controls and transactions and include an evaluation of compliance with laws and regulations that are external to the enterprise and/or with plans, policies, and procedures that are internal to the enterprise. Although internal auditors have performed compliance audits for many years, they still are an important type of audit. Management and the board value the assurance provided by internal auditors about the functioning of controls. An example of a compliance audit related to external requirements is where an internal audit is undertaken to evaluate the extent to which a company is meeting the legislative requirements related to the collection and remittance of sales taxes or withholding taxes. Such an engagement does not consider the appropriateness of the legislation, but rather focuses on compliance with the legislation as it exists. See Example 1.6-1.

Example 1.6-1: Compliance auditing

This example demonstrates how compliance audits of a companys branch offices examine whether the branch

offices practices agree with the policies and procedures issued by the companys head office. The auditors are then able to use the information gathered during the branch audits to examine the appropriateness of the policies and recommend improvements to the companys internal controls to increase their efficiency. The internal auditors of a large provincial electrical contractor carried out compliance audits at the contractors locations throughout Newfoundland and Labrador. One requirement regarding issuing materials from the stores for various work orders was that the bill of materials must be approved by a supervisor or manager before the materials could be issued. Audits at several branches revealed that this practice was not followed. Management of the branches stated that since a bill of materials was only generated for approved work orders, and the approval of the work order logically included approval of the bill of materials, it was unnecessary to have the supervisor or manager who had approved the work order also sign the bill of materials. In smaller offices, the supervisor was often not available to approve the bill of materials on a timely basis and work would be unnecessarily delayed while awaiting this approval of the bill of materials. In their audit reports on the branches, the internal auditors identified the compliance deviation and reported the reasons advanced by management as to why this was happening. The auditors then established a separate audit engagement to review the approval process and the existing requirement that the bill of materials be separately approved. That audit examined the processes for the creation and approval of work orders and bills of materials, determining that it was possible to print a proforma bill of materials for an unapproved work order. This proforma bill of materials was identical to those produced for approved work orders. The auditors recommended that the system be modified so that proforma bills of materials were clearly labelled as such and printed with a notation that the work order had not been approved. Thus, both the work order and proforma bill of materials could be approved simultaneously. When this modification was completed, the requirement that the bill of materials needed a separate approval was eliminated, reducing time and effort. In addition, branch managers were no longer in a position where they felt that the controls were impractical and could justifiably be ignored.

Internal financial audits

Internal financial audits focus on the accounting system and its output. Unlike external audits (which focus on the financial statements at a specific balance sheet date), internal financial audits consider the processes used to generate all the financial information used by management to manage the business. With the implementation of the Sarbanes-Oxley Act of 2002 in the United States (and similar regulations or legislation in other countries, including Canada), a further role has developed for internal auditors. The principal operating and financial officers of companies whose securities are traded on exchanges in the United States are required to attest to their belief in the integrity of financial reports filed with the regulatory agencies. In many organizations, internal auditors participate in the quarterly financial reports and disclosures review process with the audit committee, external auditors, and senior management.

Operational audits
Operational auditing is a systematic process of evaluating an organizations effectiveness, efficiency, and economy of operations under managements control and reporting to appropriate persons the results of the evaluation along with recommendations for improvement. Its objectives are to provide a means for evaluating an organizations performance and to enhance performance by making recommendations for improvement (from IIAs Operational Auditing Handbook: Auditing Business & IT Processses). Effectiveness is the attainment of organizational goals and objectives. Efficiency measures the relationship between the resources used and the outputs or accomplishments of the users of resources. Economy measures the relative long-term cost of the resources used.

Comprehensive audits
Comprehensive audits consist of a combination of financial audits, compliance audits, performance audits (which are a form of operational auditing), and audits of accountability. They are mainly carried out by the

Offices of the Auditors General for Canada, the provinces, and some municipalities. Comprehensive audits will be explained in more detail in Module 10.

IT audits and integrated audits

When businesses first began to use electronic data processing (EDP) in their operations, a new area of auditing developed. Managers were concerned about the risks and controls over their computer systems and began to implement information technology (IT) audits . Because internal auditors seldom had the training necessary to conduct these audits, special IT auditors were used for this work. Today, the use of computers is universal and all auditors receive training in the necessary controls for computer systems. As a result, there has been a trend toward including the audit of computer systems within other types of internal audits. When this is done, it is sometimes referred to as integrated auditing .

Fraud audits
Internal auditors may also be involved in carrying out fraud audits , also known as forensic audits. If management has detected or suspects a fraud, it may request that a special investigation be carried out to determine the existence and/or extent of the fraud. Although this can be done by the companys security personnel or outside forensic accountants or auditors, management normally asks the internal audit department to lead or participate in any fraud investigations. As fraud is always a significant business risk, internal audit departments often include fraud testing as part of their annual audit program. If the internal auditors detect fraud, or the indications of potential fraud, they will carry out a fraud audit to determine the extent of loss, and to identify any control system changes necessary to prevent such future lapses. The internal auditors report will be given to management for any necessary actions related to employees who are involved.

Environmental audits
Environmental audits are usually compliance-type audits to establish the extent to which the organization complies with legislative and regulatory requirements on environmental matters. In some organizations, these are carried out by the internal auditing department; however, due to the specialized knowledge required, in most organizations there is a separate unit responsible for environmental auditing. External consultants may also be engaged to perform the audit.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.7 Performance measurement

Learning objective

Compare internal auditing and performance measurement. (Level2)

No required reading LEVEL 2

The essence of auditing is evaluating and reporting on the degree of correspondence between actual performance and established criteria. A systematic process is used to gather sufficient, appropriate evidence to understand actual performance. In the case of external auditing, the criterion for evaluation is generally accepted accounting principles (GAAP) and international financial reporting standards (IFRS), which in Canada normally means the recommendations contained in the accounting volumes of the CICA Handbook. In regulatory compliance auditing, such as that carried out by income tax and sales tax auditors, the criterion for evaluation is found in the relevant tax laws and regulations. Internal auditing requires that the auditor identify appropriate criteria for evaluation and, where possible, obtain agreement from those being audited on the criteria to be used. Criteria must be explicitly set out before the examination begins. The development of measurable criteria, therefore, becomes one of the first steps in internal auditing. More and more companies have recognized that organizational performance, for which management is accountable, can be measured; consequently, they have developed performance measurement standards. The purpose of performance measurement is to provide objective standards against which to assess performance and report. Performance measurement is based on identifying those measures critical to an organizations success and setting specific, measurable targets for them. Note that this topic is merely an introduction to a large and rapidly expanding subject. Both commercial and non-commercial organizations are reviewing a range of categories of information considered relevant to overall organizational performance and are designing performance measurement indicators within these various categories. Two widely used approaches to designing sets of relevant performance information are the Balanced Scorecard approach and the approach developed by the CCAF/FCVI Inc. (formerly called the Canadian Comprehensive Auditing Foundation). Operational auditing and performance measurement both begin by identifying the goals of the enterprise. They next evaluate the extent to which plans are related to the attainment of those goals and agree on criteria for evaluating whether reasonable effort is being made to achieve the targets set out in the plans. Such measurements need not be carried out only by auditors. Many companies have developed key performance indicators (KPIs) , which are reported to senior management on a monthly or quarterly basis. The reported KPIs are compared with the previously established performance standards, and managements attention is focused on addressing significant deviations. Indeed, management remuneration can be tied to the achievement of the KPIs. Typical KPIs include inventory turnover, accounts receivable collection periods, cycle time reduction, production defect reduction, customer service response time, and so forth. A broader interpretation of KPIs could also include "qualitative" indicators.

Continuous monitoring
Peter Osterio, founder of Osterio, Inc., a Georgia-based internal audit consulting practice, is the developer of an audit approach known as risk-based integrated auditing. In conjunction with that approach, Osterio developed a process of continuous monitoring of key performance indicators by internal auditors. In traditional auditing, by far the greatest amount of time is spent looking at processes that are functioning appropriately. With the general availability of computerized analytic tools, monitoring of many processes can be

done electronically, using relatively simple models developed by the internal audit department. See Example 1.7-1 for an illustration.

Example 1.7-1: Continuous monitoring

An example of continuous monitoring was developed by an organization in which each branch entered its purchases and receipts of goods and services into the companys purchasing and payables system, and invoices were paid from about 10 regional centres. The audit department designed a model to track payment timing (time between invoice date and payment) and payment profiles (volumes in each dollar range) for each regional centre monthly. This enabled the auditors to identify unusual behaviour or changes in pattern on a timely basis. Audit activity would always include an investigation of these unusual occurrences.

Two recent surveys (one conducted by PricewaterhouseCoopers and the other by ACL Services Ltd. and the IIA) indicate that most internal auditing departments have either introduced continuous monitoring or plan to do so. Technological advances, the need for greater efficiency, and increasing demands on internal auditors are converging to drive the growth of continuous auditing. The audit committee and management expect internal auditing to keep the organization from having any surprises. Continuous auditing is one way internal auditing can cut down on those surprises. 1 In the In My Opinion column of the Internal Auditor magazine , Lawrence Sawyer, a frequent contributor, suggested that Perhaps its time that the term internal auditing be replaced by one that conveys the comprehensive examination of all activities within the enterprise. A more apt title might be performance evaluation, which could mean that internal auditors would be referred to as performance evaluators. Letters to the editor in subsequent issues were unanimous in recognizing the expanded role of internal auditing. While continuous monitoring is generally viewed as a cost-effective addition to an internal auditing departments activities, it cannot replace the need to verify that processes that appear to be under control are, in fact, under control.

1 Richard Chambers, a managing partner with PricewaterhouseCoopers

(http://www.aclchina.com/solution/Continuous%20Auditing.pdf)

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.8 The ethical climate

Learning objective

Outline the role of the internal auditor in promoting ethical culture and standards in an organization. (Level 1)
Required reading

Online reading 1.8-1, Ethics Readings Handbook (ERH) , Unit B1, A Menu of Moral Issues: One Week in the Life of the Wall Street Journal (available under the Resources tab) (Level 1) Online reading 1.8-2, The IIA Code of Ethics (Level 1) Online reading 1.8-3, Ethics Readings Handbook (ERH) , Unit C3, CGA Canada Independence Standard and Code of Ethical Principles and Rules of Conduct (CEPROC) (Level 1)
LEVEL 1

Internal auditors who are members of the IIA are required to act in accordance with The Institute of Internal Auditors Code of Ethics. Certified General Accountants (and students) are also required to act in accordance with the CGA-Canada Independence Standard and Code of Ethical Principles and Rules of Conduct. Some organizations have a corporate mission statement, also sometimes referred to as the mission, vision and values which reinforces the importance placed on ethics by the senior management. Such statements of ethical standards for professionals serve two purposes. First, they provide guidance for professionals in the form of principles, goals, and standards that may be used to assess members conduct. Second, they provide members of the public and others (the users of the services provided by the professionals) with a reasonable expectation of the behaviour that they can expect from the members of the profession. Internal auditors have a primary responsibility to the management of the entity for which they work. This is akin to a principal-agent relationship, where the internal auditor is an agent for management. Internal auditors are expected to follow instructions from senior management and use their best judgment when given discretion with respect to their actions. However, in doing so, internal auditors must act within an ethical framework, and this limits their loyalty to management. The ethical framework consists of both general boundaries set by widely accepted standards of public morality (including, for example, refraining from violence and fraud, honouring agreements, and not endangering public safety) as well as specific boundaries that are part of being a professional accountant and internal auditor. The IIAs Code of Ethics consists of a statement of the principles relevant to the profession and practice of internal auditing and some specific rules (or standards) of conduct developed from these principles. Within an organization, internal auditors should act as ethics advocates. They should take an active role in supporting the organizations ethical culture because they possess a high level of trust and integrity and have the competence to appeal to the organizations management and other employees to comply with its legal, ethical and societal responsibilities. Surveys show that most managers, particularly senior managers and boards of directors, are increasingly concerned about ethical problems and their potential impact on the business. This is due, in large part, to widespread public and regulatory concerns about the ability of business and governmental organizations to meet their ethical responsibilities to stakeholders (consumers, suppliers, investors, taxpayers, and so on). As you read through the material in this course, consider how ethical considerations could affect the internal auditor in carrying out his or her work. Online reading 1.8-1, A Menu of Moral Issues: One Week in the Life of the Wall Street Journal from the Ethics Readings Handbook (ERH) provides a moral background for your ethical considerations.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.9 Ethical considerations

Learning objective

Apply ethical judgments in the context of the internal auditors work. (Level 1)
Required reading

Reading 1-7, The state of control (Level 1)

LEVEL 1

The following are situations that require internal auditors to make ethical judgments: Internal auditors are responsible for monitoring compliance and enforcement of all the organizations policies, including ethical policies such as a corporate conflict of interest policy. Internal auditors may carry out fraud investigation assignments; these are directly concerned with ethics. Internal auditors have an obligation to report to management not only illegal actions, but also those that would generally be viewed as unethical, since these actions could have a significant impact on the organization. Internal auditors exist to help the organization function better. Ethical business practices encourage loyal customers and result in increased sales, and also foster relationships with ethical suppliers and employees, all of which help to give the company the benefits of a good business reputation. Internal auditors have unrestricted access to most information in the organization and must follow the ethical principle of respecting the confidentiality of financial, operational, and personal information. Internal auditors may be asked by employees and management for their understanding and interpretation of relevant ethical standards, such as conflict of interest rules, as well as corporate and professional codes of ethics. Strong adherence to an ethical code increases the reputation and effectiveness of the auditors work. Internal auditors may encounter examples of unethical (and sometimes illegal) actions taken by management or employees of the organizations for which they work. Examples of such unethical practices include the following: An employee bypassing a control by taking a shortcut in the work procedures A manager overstating operating results through accounting choices, such as not accruing expenses An accounts payable supervisor incorrectly dating cheques to take advantage of a supplier payment discount Purchasing employees accepting commissions or other benefits from suppliers for favouritism in business

Employees borrowing from petty cash or other company assets, or making unauthorized copies of company-owned software The controller changing accounting principles used, such as amortization methods, to improve financial results A manager ignoring a conflict of interest and making a decision that results in personal gain, at the employers expense A sales manager charging personal entertainment to the employer as a business expense The internal auditor will also be called on to audit the organizations ethics and compliance programs. In planning its audit work, the internal audit department should include periodic assessments of the state of the ethical climate of the organization and the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired level of legal and ethical compliance.1 Internal auditors should evaluate the following features of an enhanced, highly effective ethical culture:
(a) Formal Code of Conduct, which is clear and understandable, and related statements, policies (including procedures covering fraud and corruption), and other expressions of aspiration. Frequent communications and demonstrations of expected ethical attitudes and behaviour by the influential leaders of the organization. Explicit strategies to support and enhance the ethical culture with regular programs to update and renew the organizations commitment to an ethical culture.

(b)

(c)

(d)

Several easily accessible ways for people to confidentially report alleged violations of the Code, policies, and other acts of misconduct. Current best practice is for organizations to have a "Whistleblower Policy" for individuals to report concerns about improper activity, and to protect the reporting individual from retribution. Regular declarations by employees, suppliers, and customers that they are aware of the requirements for ethical behaviour in transacting the organizations affairs. Clear delegation of responsibilities to ensure that ethical consequences are evaluated, confidential counseling is provided, allegations of misconduct are investigated, and case findings are properly reported. Easy access to learning opportunities to enable all employees to be ethics advocates. Positive personnel practices that encourage every employee to contribute to the ethical climate of the organization. Regular surveys of employees, suppliers, and customers to determine the state of the ethical climate in the organization. Regular reviews of the formal and informal processes within the organization that could potentially create pressures and biases that would undermine the ethical culture. Regular reference and background checks as part of hiring procedures, including integrity tests and similar measures.

(e)

(f)

(g) (h)

(i)

(j)

(k)

Reading 1-7 discusses how internal auditors can contribute to managements evaluation of corporate risks that can have a major impact on the environment and the community, and which therefore involve ethical considerations.
1 The Institute of Internal Auditors, Practice Advisory 1230-1: Role of the Internal Audit Activity and Internal

Auditor in the Ethical Culture of an Organization, issued in 2001 and withdrawn on January 1, 2009.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

1.10 Introduction to case analysis

Learning objective

Prepare a case analysis report from information provided on an internal auditing issue. (Level1)
No required reading LEVEL 1

Throughout your advanced courses in accounting and auditing as well as in your working career, you will be required to conduct business case analysis and write business cases. You may have been introduced to case analysis in a previous course. If you need a refresher on how to approach case analysis, go to Analyze a case under Resources/How to.

Case study 1-1: Comstock Industries 1

This case study deals with issues that arose in the audit of a division of Comstock Industries Avil Division. It simulates the type of situation an auditor may experience in practice and requires you to perform the following steps: 1. Read the facts and requirements of the case. 2. Test your understanding of the case facts by completing the quiz. 3. Analyze the case; use the judgment call to help you through the analytical process. 4. Write the case report (see required under facts and requirements above). 5. Compare your report to the suggested solution.

1 Adapted from Dittenhofer and Roy, Comstock Industries, Case 37 in

Case Studies in Internal Auditing, Volume2, compiled and issued by The Institute of Internal Auditors, March 1994.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Comstock Industries Case facts and requirements

Mark Hobson, a CGA and CIA, is an internal auditor employed by Comstock Industries. He is just completing an audit of the Avil Division conducted during the first five weeks of the year. The Avil Division is one of three manufacturing divisions in Comstock and manufactures inventories to supply about 50% of Comstocks sales. In addition to the manufacturing divisions, Comstock has two marketing divisions (domestic and international) and a technical service division that offers world-wide technical support. Each customer is assigned to the most suitable manufacturing division which functions as the supplier for that customer. The manufacturing division then approves the customers credit, ships against orders obtained by the sales representatives, and collects the customer receivables when due. This allows order-to-order monitoring of customer credit limits against customer orders received.
Findings

Two items that came to his attention during the audit concern Mark: There is a material dollar amount of inventory of part number A2 that is still carried on the Avil books, despite the fact that the Fast-tac machining component in which part A2 was used is now considered first generation and is no longer manufactured. Company policy requires an immediate write-off of all obsolete inventory items. Some accounts receivable still carried as collectible were over 180 days old. All receivables are due in 30 days, which is standard for the industry. Mark believes that many of these old accounts are uncollectible. The division managers administrative assistant, Brenda Wilson, performed the aging of accounts receivable, rather than the division accountant, as is standard practice. (The division accountant refused to discuss the circumstances of Brendas actions or either of the issues which arose during the audit.)
The auditees comments

Mark scheduled a meeting with Brenda and discussed the above concerns. Well, Mark, Brenda responded, I know that policy requires that obsolete inventories be written off, but that part A2 is just not being used at present. We might start to make those Fast-tac components again. Who knows? Wide ties are coming back again, arent they? Fast-tac could too. There are plenty of customers, especially in developing nations, who are finding those newer generation machines pretty expensive to maintain. I mean, there is a policy that states obsolete inventories should be written off, but there is no policy defining an obsolete part. And as for those receivables, Brenda continued, that is certainly a judgment call, too. Who knows if those receivables will be collected? Were in a slight recession now. When things pick up, well probably collect a few. There isnt even a policy in this division on writing off receivables I checked: nothing says I have to write them off. So who are you to say I have to? Mark argued: Brenda, you know those parts will never be used. And you know those receivables are bad. Look, Mark, Brenda finally bargained, its only a few weeks from the close of the year. Lets leave these items as they are until after the close so that everyone gets their bonuses. Then, I promise Ill take a fresh look at both inventories and receivables. Ill write them down after year end, after the financial reports are issued. No one will know. And, after all, whos to be hurt?
The division managers comments

Mark continued his audit, drafted his report containing findings related to the inventory and receivables, and reviewed the draft report with the division manager, Hal Wright. Hal was visibly disturbed. Gee, Mark, this couldnt have come at a more awkward time. Our figures just got audited by the external auditors there was a guy out here for our inventory count in November and Brenda sent her aging of the year-end receivables to corporate headquarters. No one up there, in our group or on the external audit team, was the least bit critical. If you go raising problems particularly now, the external auditors will catch us writing off inventory and receivables. Theyll adjust profit and there will be hell to pay, for all of us. And, Mark, this is no clear-cut issue, either. I mean, I can see how you can write a report calling for clearer policy, but never one calling for specific write-downs. Thats way out of your jurisdiction. But still, I promise, well look at all this after our statements are accepted. Right now, I feel the managers of this division have worked their hearts out and I intend to fight to protect what little bonuses they have coming. If we write down as you suggest, those bonuses will go and the stockholders will lose too. Earnings per share will drop like a rock. They might even close this division. Now you dont want that, do you? Well, Hal, I could word my findings as they are in the draft but include your response. Hal was suddenly angry. What? And let the audit committee decide the issue? They have nothing to do with this. They accepted the external auditors report. If you want to make the audit committee happy, youll accept it too and leave this adjustment stuff alone.
The internal audit director

Concerned, Mark delayed finalizing his report and discussed the draft with Gail Wu, director of internal audit. Gail was not trained as an auditor and was promoted to director of internal audit from the treasury division of corporate finance so that she might develop a better understanding of operating relationships. Still, Gail is very smart and Mark has always respected her opinion. The discussion was by telephone, with Mark still at the Avil Division headquarters and Gail at the corporate office. Mark, Hal is right. If you blow the whistle on management bonuses this year, we can forget all the goodwill that Ive been struggling to build for our department. It will all go out the window. Mark responded, I know youve been trying to put us on a better footing with management, Gail, but Hal is intractable. As far as he is concerned, the only finding he will accept in the report is that of deficient policy, with nothing mentioned about the inventory or receivables needing adjusting. Well, do what you have to do, Gail ended the discussion. But I insist that you submit a report that Hal agrees to and has signed. I dont want to upset anyone, then have to try to explain my report to the board when everyone is complaining about the effect on the results and the bonuses.
Required

Assume the role of Mark Hobson. Using the case analysis format found in Analyze a case, prepare a report, identifying and analyzing the following: a. b. c. d. What What What What are the ethical issues involved? are the identified control weaknesses? are the possible courses of action? is your recommendation?

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Comstock Quiz
Question 1
What are the main problems or issues for the auditor? a. b. c. d. The administrative assistant is performing the aging of the report, not the accountant. Obsolete inventory is not being written off. Uncollectible accounts and obsolete inventory are not being written off. The audit procedures of the external auditors may be inadequate.

Question 2
In applying standards of conduct from either the CGA or IIA Code of Ethics, how should Mark, who is a member of both organizations, conduct himself? a. b. c. d. Be guided by his director (employer) in the application of the ethical requirement. Use his discretion in deciding whether to comply with the ethical requirements. Exercise his judgment in applying the ethics standards to specific situations. Be guided by the division managers comments.

Questions 3 to 7 deal with ethical issues that Mark is facing. Determine which one is true. (Reference: Online reading 1.8-2, The IIA Code of Ethics)

Question 3
In this scenario, Mark can be knowingly a party to improper or illegal activity. True/False

Question 4
Mark may not have the necessary knowledge or skills to define what is an obsolete part. True/False

Question 5
If no disclosure/adjustment is made, shareholders could face losses. True/False

Question 6
Mark is obligated to report the situation within (and possibly outside) the company. True/False

Question 7
He may have unknowingly disclosed sensitive information to the administrative assistant. True/False
For questions 8 to 15, determine which internal control weaknesses apply to Comstock

Industries.

Question 8
The company failed to plan inventory and procurement processes properly. Weakness/Not a weakness

Question 9
The internal audit director is not a member of the IIA. Weakness/Not a weakness

Question 10
External auditors procedures may be inadequate. Weakness/Not a weakness

Question 11
Accounting policies for obsolete inventories are inadequate. Weakness/Not a weakness

Question 12
The company has no business continuity plans. Weakness/Not a weakness

Question 13
Accounting policies for uncollectible accounts are inadequate. Weakness/Not a weakness

Question 14
The internal auditor is reporting to the division manager. Weakness/Not a weakness

Question 15
There are weaknesses in credit-granting policies Weakness/Not a weakness Solution

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Comstock quiz - solution Question 1

a. b. c. d. Incorrect. This is an internal control weakness issue but is not the main issue. Incorrect. This is only one of the main issues. Correct. Both are the main issues for the report. Incorrect. This may be a weakness of the external process but is not the main issue.

Question 2
a. Incorrect. The internal auditor is personally accountable for meeting the requirements of both sets of standards. b. Incorrect. Compliance with the Code of ethics is not optional for members of either organization. c. Correct. While compliance is not optional, judgment is required in applying the ethical standards to specific situations. d. Incorrect. The auditor must not subordinate his or her judgment on ethical matters to that of the auditee, but must be independent in assessing ethical situations.

Question 3
True.
Question 4

False: This is an accusation by the administrative assistant. Mark has performed his due diligence to determine that part #A2 is obsolete.

Question 5
True.

Question 6
True.

Question 7
False.

Question 8
Weakness.

Question 9
Not a weakness.

Question 10
Weakness.

Question 11
Weakness.

Question 12
Not a weakness.

Question 13
Weakness.

Question 14
Not a weakness.

Question 15
Weakness.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Comstock Judgment Call

The purpose of this exercise is to help you organize your thought process prior to writing your report. You will do this by analyzing and selecting the options Mark has. Select the option that you think is most appropriate, and then read the explanation.
Analyze each of Marks options and choose the one that you feel is most appropriate:

Option A Limit the report findings to a lack of adequate policy guidelines on obsolete inventory and uncollectible receivables. Option B Attempt to resolve the issue within the department. Report the matter to the audit committee. Option C Attempt to resolve the issue within the department. Report the matter to the external auditors. Option D Attempt to resolve the issue within the department. Draft the report indicating the necessity of the adjustments and let the internal audit director decide. Option E Attempt to resolve the issue within the department. Resign from his assignment. Option F Seek advice from the CGA, the IIA, and/or legal counsel before making a decision. Solution

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Judgment call solution

Option A This option ignores the specific issues of the inventory and receivables and violates professional ethics of protecting the interests of the shareholders. Option B There is theoretical support for this position, but Mark has no obligations to do this. Option C He has no obligation to do this and it could be a violation of confidentiality. Option D If the director chooses to rewrite the report, then it is beyond Marks authority. Option E This action may be appropriate if the audit assignment issues cannot be satisfactorily resolved. His letter of resignation should state his position and the reason for his resignation. Option F Whichever options Mark selects, he should seek proper advice.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Suggested solution
Background information

During the course of an internal audit of the Avil Division of Comstock Industries, Mark Hobson has concluded that obsolete inventory and uncollectible receivables have not been written off. The main motivation is the desire to achieve bonuses for the management of the division. These items have already been reviewed by the external auditors, who have raised no concerns. The division manager has no objection to a reference in the audit report to a lack of definitive standards as to when inventory should be declared obsolete or receivables considered uncollectible but he does not want any specific reference to any need to provide for or write off the present amounts. He has promised to review the situation (and increase the provisions) as soon as the financial statements have been finalized. The internal audit directors main concern is protecting the reputation of the department with the companys management. She has directed that Mark find a resolution that is acceptable to the manager of the division.
a. Ethical issues

The ethical issues that face Mark include the following: As a professional accountant (CGA) and auditor, he may not knowingly be party to any illegal act or improper activity, nor may he allow himself to be associated with misleading information. If no adjustment is made, the shareholders will face two possible losses: first, the company will be paying out bonuses that are not warranted, and second, the results of the companys activities will be overstated in the current year and presumably understated in the future, when these costs will have to be recognized. Shareholders and others could make detrimental decisions based on this misinformation. Mark must determine what obligation, if any, he has to report the situation within (and possibly outside) the company.
b. Identified control weaknesses

1. Policies with respect to accounting for obsolete inventories and uncollectible accounts receivable are inadequate. 2. Allowing Brenda to override the divisional accountant suggests inadequate separation of duties. 3. There appears to be a failure in the inventory planning and procurement process leading to the accumulation of excess inventories of a component part of an obsolete product. 4. There may be weaknesses in credit granting and/or collections practices leading to the high value of old accounts receivable. 5. The audit procedures of the external auditors may be inadequate.
c. Possible courses of action

Marks choices include these: He could limit the report findings to a lack of adequate policy guidelines for deciding when inventory becomes obsolete or receivables become uncollectible. This, however, ignores the specific issues in Avils inventory and receivables, and thus would be a violation of professional ethics and would be contrary to the interests of the shareholders. He could attempt to resolve the issue within the department. This would not likely be successful, leading to further choices: He could report the matter to the audit committee. There is theoretical support for this position, but Mark certainly has no obligation to do this. He could report the matter to the external auditors. He has no obligation to do this

and most would argue that this would be a violation of confidentiality. He could draft up the report indicating the necessity of adjustments and forward it to the internal audit director. If she chose to rewrite the report, this would be beyond Marks control. He could resign from his assignment. This would probably be the most appropriate action if the matter cannot be satisfactorily resolved. His letter (addressed to the internal audit director) should state his position and the reason for resigning from this assignment. In case the organization does not support Mark, he should consider finding a new job or organization with higher ethical standards. Whichever option he selects, he should seek advice from the CGA association, the IIA, and/or legal counsel before making his decision.
d. Recommended course of action

Mark cannot ethically be associated with the misinformation that would result from failing to disclose his true findings. He should attempt to resolve the matter within the internal audit department, and if unsuccessful, should either report the matter to the audit committee or resign, stating his reason for doing so in his letter. In all cases, he should carefully document his actions.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 1 summary
Introduction to internal auditing
The first module in this course sets the stage for your study of internal auditing. You consider the definition, role, development, and scope of internal auditing, as well as evaluate and consult on the organizations assurance needs. You also consider the business environment and identify and analyze its accompanying risks. The various types of internal audits and the relationship between internal auditing, external auditing, and performance measurement are explained. Finally, you study the role of professional ethical standards in internal auditing and review case analysis, a technique used frequently throughout this course.

Define internal auditing, and explain the key terms used in the definition.
Internal auditing is defined by the Institute of Internal Auditors as an independent, objective assurance and consulting activity designed to add value and improve an organizations operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Independence is freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Assurance is a service that provides an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes. Consulting refers to services that are advisory and are intended to add value and improve an organizations governance, risk management, and control processes. Adding value to the organization (and its stakeholders) is when the audit provides objective and relevant assurance and contributes to the effectiveness and efficiency of governance, risk management, and control processes. Helping the organization refers to the focus on the overall organizational objectives and how those objectives are achieved at operational levels. This represents a change in auditor perspective, from fault finding to helping management achieve objectives. Risk management processes identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organizations objectives. Control processes are the policies, procedures, and activities that are part of a control framework, established by management to achieve objectives and ensure that risks are contained within the risk tolerances established by the risk management process. Governance consists of the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Describe the three elements that determine the scope of internal auditing.

Risk management : Identify and evaluate significant exposures to risk and contribute to the improvement of risk management and control systems. Control : Maintain effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Governance : Assess and make appropriate recommendations for improving the governance process in the accomplishment of the organizations objectives.

Explain the main functions of management and how they relate to achieving control.
Planning is the development of a clear purpose, long-term objectives, and short-term goals of an organization. Organizing entails establishing a rule structure to help achieve the goals of the organization. Directing is the process of inducing members of an organization to perform their roles successfully. Controlling is the comparison of actual performance with pre-determined standards, plans, or objectives. The main purpose of control is to ensure that the enterprises objectives are met effectively, efficiently, and economically. The basic requirements for achieving adequate controls are as follows: Controls must fit the needs and the management style of the managers and reflect the organization pattern. Controls must focus on exceptions and critical points. Controls must be flexible to accommodate change. Controls must be economical and cost-effective.

Define risk and enterprise risk, and explain how they are related to the concept of control.
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Enterprise risk , therefore, is the possibility of an event occurring that may reduce the likelihood of an organization achieving its objectives. Effective control provides reasonable assurance that the organization will achieve its objectives reliably (by reducing uncontrolled risk to an acceptable level) and therefore includes the identification and mitigation of risk.

Explain the role of internal auditors in their organization, and compare it with the role of the organization's external auditors.
The role of internal auditors is to act as consultants to both the board of directors and management in assessing and improving the effectiveness and efficiency of the organizations risk management, control, and governance processes. Internal auditing aids the organization by helping the board and management better fulfil their responsibilities.

The internal auditor must cooperate closely with the management of the activities being audited, but must maintain independence and objectivity while carrying out audit activities. In performing consulting activities, the internal auditor will report directly to the management of the unit or activity being reviewed. The internal auditor must have a direct reporting relationship to the board or its audit committee in order to perform assurance functions. Internal auditors are responsible to the board and management of the organization; external auditors are responsible to the shareholders. Internal auditors are independent of the functions that they audit, but are not independent of the organization itself; external auditors must be independent of the organizations that they audit. The purpose of internal auditing is to improve organizational performance; the purpose of external auditing is to express an opinion on the financial statements. The scope of internal auditing extends to all activities of the organization; the scope of external auditing is limited to financial areas impacting the financial statements. Internal auditing focuses on the appropriate design and effective implementation of management processes; external auditing focuses on balances at a point in time.

Describe the types of audits carried out by internal auditors.

Compliance audits focus on reviewing compliance with established policies, procedures, laws, and so on. Internal financial audits focus on the reliability and integrity of the accounting system and its output. Operational audits review an organizations effectiveness, efficiency, and economy of operations, and recommend improvements. Comprehensive audits (mainly in the public sector) focus on financial verification, compliance, performance assessments, and accountability mechanisms. Information technology (IT) audits focus on the controls in computerized environments. Integrated audits are conducted when IT auditing is included with other types of internal auditing. Fraud audits can be carried out by internal auditors when management or auditors detect or suspect the existence of a fraud. Environmental audits assess the extent to which the organization is in compliance with regulatory requirements on environmental matters.

Compare internal auditing and performance measurement.

Internal auditing evaluates and reports on the degree of correspondence between performance and appropriate agreed-on criteria. Performance measurement is based on identifying those measures critical to an organizations success and setting specific, measurable targets for them. Performance is compared with these targets in order to assess organizational performance.

Internal auditing increasingly focuses on the evaluation of organizational effectiveness and efficiency, and requires that measurable criteria be established against which to assess performance. Performance measurement has the advantage of being a continuous process; internal auditing of particular activities is usually intermittent.

Outline the role of the internal auditor in promoting ethical culture and standards in an organization.
Internal auditors should use their position of trust and integrity to be advocates of ethical conduct. They should work towards increased compliance with legal, ethical, and societal responsibilities. Internal auditors should periodically assess the state of the ethical climate and evaluate the extent to which the organization fulfils its ethical responsibilities.

Apply ethical judgments in the context of the internal auditors work.

Adherence to an ethical code increases the reputation and effectiveness of the work of the internal auditor. Internal auditors are responsible for assessing compliance with policies including those related to the companys code of ethics. Unethical actions can pose a significant risk to an organization and should be reported to the board and senior management. Internal auditors have access to confidential and sensitive information and must respect the principle of confidentiality. Internal auditors may become involved in fraud investigations, which directly relate to illegal and/or unethical actions. Internal auditors must comply with the ethical standards of the professional organizations of which they are members (for example, CGA-Canadas Code of Ethical Principles and Rules of Conduct). The IIA Code of Ethics is based on the principles of integrity, objectivity, confidentiality, and competency, and consists of Rules of Conduct describing expected behavioural norms for its members.

Prepare a case analysis report from information provided on an internal auditing issue.
Internal auditors are required to collect evidence, synthesize the pertinent issues, report their observations to management and the board, and make recommendations to improve operations to best achieve the organizations objectives. By learning a systematic approach to case analysis, you will be better prepared to fulfil your role as internal auditor for your organization.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 1: Self-test
1. Multiple choice a. The internal auditor randomly selects participants in the job retraining program for the past year to verify that they had met all the eligibility requirements. This type of audit is best referred to as which of the following? 1. 2. 3. 4. Compliance audit Operational audit Economy and efficiency audit Program audit

Source: Questions and answer explanations from Gleims CIA Review text are reprinted with permission from Gleim Publications, Inc. Please visit www.gleim.com or call (800) 874-5346/(352)375-0772 for more information about Gleim Publications, Inc. or the Certified Internal Auditor (CIA) Exam. b. Which of the following types of audit has the widest scope? 1. 2. 3. 4. External audit of financial statements Regulatory compliance auditing Internal auditing Operational auditing

c. Which of the following terms is used in internal auditing literature to refer to the accomplishment of an enterprises objectives? 1. 2. 3. 4. Efficiency Effectiveness Economy Control

d. Which of the following falls outside of the scope of internal auditing? 1. 2. 3. 4. Evaluating Evaluating Evaluating Evaluating managements efforts to minimize fraud the goals and objectives of the enterprise compliance with environmental legislation the efficiency of a companys manufacturing operations

e. In the definition of internal auditing, which of the following statements about assurance activities is true ? 1. They are characterized by two-party reporting. 2. They refer only to the activities of the external auditor reporting on the annual financial statements. 3. They include reporting on managements fulfillment of its governance responsibilities. 4. They consist mainly of providing advice to management. f. In applying standards of conduct from either the CGA-Canada or IIA codes of ethics, how should an internal auditor who is a member of both organizations conduct himself or herself? 1. Be guided by his or her employer in the application of the ethical

requirements. 2. Use his or her discretion in deciding whether to comply with the ethical requirements. 3. Exercise his or her judgment in applying the ethics standards to specific situations. 4. Be guided by the management of the unit being audited for each engagement. g. Which of the following is the most important benefit to management of the establishment of an internal auditing department? 1. Deterrence and detection of fraud 2. Reduction in the cost of the annual external audit 3. Increased confidence in the organizations risk management, control, and governance processes 4. Increased confidence that the organization is complying with all laws and regulations Solution 2. a. What is the purpose of the IIAs Code of Ethics? b. An internal auditor has dual responsibilities to his or her employer and to the professional organization(s) of which he or she is a member. How should the internal auditor balance these two sets of responsibilities? Solution

3. CASE STUDY T1-1: Usefulness of the internal audit function During the management seminar that you attended recently, you heard the following comments made by Nadia Howerchuk, the president of a major company: I do not quite understand what this whole army of internal auditors is doing in the private sector. They are certainly useful in the public sector, where they must make sure that a whole multitude of laws, regulations, and directives are followed to the letter. But the situation is quite different in private business, where profit is an important source of motivation. After having given it considerable thought, I do not quite see what positive contribution a group of internal auditors could make to our company, or what management could expect from this function. I do not see how internal auditing could contribute to improving the quality of management in our company. We already spend a fortune on the annual audit of our financial statements, and our external auditors are very competent; furthermore, in contrast to internal auditors, they are independent from management. In any event, the work done by our external auditors gives us assurance that everything is well managed in our company and that we are well protected against fraud. Otherwise, they would not be able to give an unqualified opinion on our financial statements year after year.
Required

Comment on Nadias statement and identify arguments that could convince her of the usefulness of the internal audit function in a large organization. Solution 4. Why must internal auditors be conversant with all the functions and principles of management?

Solution

5. CASE STUDY T1-2: GQC Ltd. As you perused the GQC Ltd. Annual Report on the plane ride home from a sales conference in Calgary, you reflected that 20X1 has been a relatively good year in poor economic times, everything considered. The financial results for the year showed net income of $14 million on sales of $151 million and 1,275 employees in four plants in three provinces. However, net income had grown by only 2% while sales had grown by almost 10%. Employment had actually declined by 3% compared to the previous year, and there were rumours of possible future layoffs. Moreover, the forecast for the year 20X2 was not optimistic. Inevitably, in such circumstances, corporate support services of all kinds were under pressure, and as assistant vice-president of internal audit, you enjoyed no exemption. Indeed the vice-presidents of the five major operating divisions seemed to view your department of 20 (10 accountants, six engineers, and four support staff) as an unnecessary frill, and even a bureaucratic obstacle to innovation and autonomy. The company was monitoring the operating divisions performance using performance measurement, but the vice-presidents were aware that your department had not established performance standards to measure its own performance. You reflected that 75% of the work of your department in the last year had been devoted to financial audits, with much of the remainder devoted to compliance auditing. Your department has been reactive in nature. You sit down at your computer to draft a presentation to the departments staff for early next week. You have decided that it is time to become more proactive. You think that in your presentation, you will allocate about 10 minutes to a vision statement for a new, proactive department, building that statement on considerations such as What business are we in? and Who are our customers? You will then go on for 10 minutes to consider how to establish, promote, plan, perform, and report your activities. You will spend the final 15 minutes discussing how to staff your team and evaluate its performance. This last part of the talk will include the identification of key success factors for the internal auditing department.
Required

Draft the presentation using the suggested structure and relative emphasis. Solution

6. Internal auditing has been broadly defined as the process by which a competent, independent person accumulates and evaluates evidence about the systems in place to mitigate the risks faced by a specific entity and/or quantifiable information related to that specific entity to determine and report on the degree of correspondence between the systems and information of the entity and established criteria. With reference to the range of internal audit assignments referred to in Topic 1.6, outline the sources of established criteria available to the internal auditor in carrying out the various types of assignments. Solution 7. CASE STUDY T1-3: Colser Ltd. You have just assumed your duties as chief audit executive of Colser Ltd., a large Canadian manufacturing firm. During a meeting on October 10, 20X2, with the president of the company, William Chong, you are informed that there is no official mandate governing the function of internal auditing in the company. William is considering establishing such a mandate, making it a priority to ensure the effectiveness of your service. Consequently, he asks you to prepare a brief memo for the audit committee, listing the reasons why such a mandate is important and identifying and describing its major components.

Required

Prepare the memo requested by William Chong, president of Colser Ltd. Solution

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 1 Solution 1
a. 1. Correct. The auditor is checking to verify that participants in the job retraining program comply with the eligibility requirements. 2. Incorrect. An operational audit is a comprehensive review of the overall job retraining program. 3. Incorrect. An economy and efficiency audit considers the cost of the program compared with objectives achieved. 4. Incorrect. A program audit attempts to measure accomplishments and relative success of the program. b. 1. 2. 3. 4. c. 1. Incorrect. This refers to the relationship between resources used and what they produce. 2. Correct. Effectiveness refers to attainment of organizational objectives. 3. Incorrect. Economy refers to the prices paid for resources. 4. Incorrect. Control is only a means to achieving organizational objectives. d. 1. Incorrect. Internal auditing will include evaluating managements efforts to safeguard assets from fraud. 2. Correct. It is not the role of the internal auditor to evaluate the goals and objectives themselves but only the processes used to seek to achieve those goals and objectives. 3. Incorrect. Environmental auditing can be part of internal auditing (although some companies have a separate department of environmental auditing). 4. Incorrect. This certainly falls within operational auditing, which is a part of internal auditing. e. 1. Incorrect. This is true of consulting activities, not assurance activities. 2. Incorrect. While this is assurance work, it is not related to internal auditing. 3. Correct. This is one of the areas upon which an opinion may be expressed. 4. Incorrect. This is more characteristic of consulting activities than of assurance work. f. 1. Incorrect. The internal auditor is personally accountable for meeting the requirements of both sets of standards. 2. Incorrect. Compliance with the Code of Ethics is not optional for members of either organization. 3. Correct. While compliance is not optional, judgment is required in applying the ethical standards to specific situations. 4. Incorrect. The auditor must not subordinate his or her judgment on ethical matters to that of the auditee, but must be independent in assessing ethical situations. g. 1. Incorrect. This may happen, but it is not the principal benefit of an internal auditing department. 2. Incorrect. This may also happen, but it is not the main benefit. 3. Correct. This is the main purpose served by an internal audit department and the main benefit that it provides to the organization. 4. Incorrect. While this may also occur, it is not the main benefit. Incorrect. The scope is limited to those matters affecting the financial statements. Incorrect. The scope is limited to ascertaining compliance with laws and regulations. Correct. Internal auditing includes financial, compliance, and operational auditing. Incorrect. Operational auditing is only one part of internal auditing.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 1 Solution 2
a. The purpose of The Institutes Code of Ethics is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance. The Institutes Code of Ethics extends beyond the definition of internal auditing to include two essential components: 1. Principles that are relevant to the profession and practice of internal auditing; 2. Rules of conduct that describe behaviour norms expected of internal auditors. These rules are an aid to interpreting the principles into practical applications and are intended to guide the ethical conduct of internal auditors. The Code of Ethics, together with The Institutes International Professional Practices Framework (introduced in Topic 2.1) and other relevant Institute pronouncements, provide guidance to internal auditors serving others. Internal auditors refers to Institute members, recipients of or candidates for IIA professional certifications, and those who provide internal auditing services within the definition of internal auditing. b. Internal auditors are expected to follow directions from their employers unless those directions violate the standards applicable to their profession. If an employer instructs an internal auditor to take an action that is in violation of the code of ethics or professional standards of the professional organization(s) of which the internal auditor is a member, the auditor is constrained, in following directions from his or her employer, not to do anything that contravenes those ethical and professional standards. In other words, the ethics and standards of the profession provide limits within which the internal auditor should follow the directions of his or her employer. If asked to do something that may be contrary to either general or professional ethics or standards, the internal auditor must use his or her professional judgment in deciding what response is appropriate in the circumstances, seeking advice from his or her professional association(s) where necessary.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 1 Solution 3
CASE STUDY T1-1: Usefulness of the internal audit function You should comment on the three main points made by Nadia Howerchuk and present arguments to convince her of the usefulness of an internal audit function in a large organization. a. Possible contribution of internal auditors and managements expectations of the function: The key objective of internal auditors is to assist all members of the organization (management at all levels and members of the board of directors) in achieving the organizations objectives. Internal auditors can contribute to the organization by reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, clarify, and report such information reviewing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports and determining whether the organization is in compliance reviewing the means of safeguarding assets and, as appropriate, verifying the existence of such assets appraising the economy and efficiency with which resources are employed reviewing operations or programs to determine whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned evaluating and improving risk management processes evaluating and improving governance processes providing consultation, advice, audit reports, or other products to assist management in meeting its objectives b. Independence of internal auditors: Nadia believes that internal auditors cannot be independent. Internal auditors can be independent if the proper setting is provided and if they are managed by and directly responsible to the auditing committee. c. Role of external audits: The president does not have an adequate understanding of the nature and objective of an audit of financial statements. The objective of external auditors is to determine whether financial statements are presented fairly in accordance with generally accepted accounting principles. An audit of financial statements does not provide assurance that operations are well managed because auditors do not review controls aimed at ensuring effectiveness, efficiency, and economy of operations, nor do they examine risk management and governance processes. External auditors do not have the responsibility to detect immaterial fraud. An external audit does not provide full assurance that a material fraud will be discovered. When external auditors adopt a substantive testing approach to their audit, they do not test the functioning of internal control systems. The work performed by internal auditors can provide better assurance that operations are well managed and that the organization is well protected against fraud.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 1 Solution 4
Internal auditors must be conversant with all functions and principles of management because their role is often one of management consultant. If internal auditors are to counsel managers, internal auditors must be knowledgeable about all functions of management planning, organizing, directing, and controlling. Their understanding of these functions permits them to identify the basic management principles violated, rather than addressing only the surface cause, which would not solve the problem permanently. When internal auditors are conversant with the functions and principles of management, the underlying causes of control weaknesses and other deficiencies can be readily identified, and appropriate corrective action can be developed to address those underlying causes.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 1 Solution 5
CASE STUDY 1-2: GQC Ltd. Vision statement In answering the question, What business are we in? you may begin with the current IIA definition of internal auditing, but should go on to reflect on the range of audits and products suggested under the scope of internal auditing. You should argue that these products should be customer-driven, reflecting the general and specific needs of the departments customers. In answering, Who are our customers? you should reflect on direct customers operational managers, the vice-presidents, the audit committee, and the board as well as indirect customers such as the customers of GQC. The vision should clearly address a move from reactive financial and compliance auditing to proactive operational auditing. Promotion, planning, performance, and reporting Although it is early in the course, and you will develop greater knowledge in these areas after a few more modules, the answer should deal with the following areas: Promotion means selling the department to its customers. This can be accomplished through a presentation to the audit committee, one-on-one meetings with operational managers, or seeking customers input on the services that will add value. Planning will need to include revising the audit plan to focus on proactive areas. It will need to address training requirements for such new work. Performance would be more interactive with management and would require obtaining agreement on evaluation criteria for operational audits. The audit reports will need to be redesigned to reflect the new approach, with probably less emphasis on control deficiencies and greater emphasis on the solutions to problems. Key success factors The internal auditing department should identify its key success factors and develop performance measurements to monitor their achievement. Key concerns will be obtaining buy-in from operational management effective communication throughout the audit process developing the additional skills necessary for operational auditing recruitment of auditors with operational knowledge maintaining a short audit cycle time (that is, the time required to conduct audits of all auditable units in the organization) during the period of innovation percentage of recommendations implemented by management A number of these (for example, the last two items) lend themselves to quantitative performance measurement monitoring.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 1 Solution 6
Compliance auditing uses internally and externally generated policies, plans, procedures, laws, and regulations. Internal financial auditing uses internal accounting policy manuals, ensuring that the financial reporting meets managements needs and conforms with generally accepted financial accounting principles found in the CICA Handbook Accounting. Operational auditing relies upon standards agreed between the auditor and the manager of the unit being audited to measure that units effectiveness, efficiency, and economy. Reliance will be placed on mission statements, the objectives fixed by management, budgets, and any other document that allows for better historical performance auditing of the unit under consideration. Comprehensive audits are concerned with compliance, financial reporting, and performance audits, and are generally carried out in the public sector. They rely upon legislative and other government regulations, and public sector accounting guidelines. In measuring performance, they look at legislative mandates and the provision of value for money to the organizations stakeholders. Information technology audits must rely on the most up-to-date information available with respect to information security, integrity, and efficiency of computer systems. Those working in this area must stay current with developments, as the standards and published audit technology guides are continually being updated. Fraud audits depend mainly upon the companys own policies and procedures, and the general legal environment in which the company operates. Environmental audits will usually be conducted to assess compliance with external environmental laws and regulations, but may also include assessing compliance with internal policies and procedures.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 1 Solution 7
CASE STUDY T1-3: Colser Ltd. You should prepare a document identifying the reasons why it is important to establish a mandate or charter for the internal audit function and the major elements that this mandate should include. MEMORANDUM DATE:October 10, 20X2 TO: William Chong, President FROM: Chief Audit Executive RE: Internal Audit Mandate

As requested, I have prepared the following outline identifying the importance of an internal audit mandate and the major components it should include. Please review this so that we can discuss the issues prior to circulating to the audit committee. a. Reasons for the establishment of a mandate: To define and communicate the role, responsibilities, and authority of the internal audit function within the organization To demonstrate the importance of and the support of top management to the internal audit function to all members of the organization To establish the rules governing relations between management and the internal audit functions To attain compliance with the International Standards for the Professional Practice of Internal Auditing b. Major components that should be included in the mandate: Organizational status and independence of the function Objectives of the function: Measure and evaluate the effectiveness of risk management, control, and governance systems within the organization. Provide assurance and consulting services to management. Authority of the function: Access to information Access to assets Access to personnel Freedom to examine any type of activity or operation Nature of engagements to perform: Evaluation of the design and functioning of accounting systems Evaluation of compliance with policies, plans, and procedures Evaluation of controls over protection of assets Audits of financial information and reliability of management information Audits of effectiveness, efficiency, and economy of operations Evaluation of risk management processes and systems Evaluation of governance processes and systems Special investigations such as fraud audits, if and when required Consulting activities at the request of management

Other audits at the request of senior management or the audit committee Responsibilities of the internal audit activity: Adhere to the IIA International Standards for the Professional Practice of Internal Auditing and the IIA Code of Ethics and Rules of Conduct. Prepare audit plans and obtain approval from management and the audit committee. Communicate observations and recommendations to management and the audit committee. Bear no responsibility or authority over operational areas subject to audit.