CIA Exam Prep Review 2020 Part 2

Raleigh, NC
CIA Review Course 2020
"New Exam Format"
Part II
Practice of Internal Auditing

Garland Granger, CPA, CIA, CFE
Professional Accounting Seminars, Inc.
5406 Garden Lake Drive 2H
Greensboro, NC 27410
336.681.7397

Table of Contents

Summary of Part 2
Guidance for Multiple-Choice Questions
Guidance for Exam Preparation
Study Unit 1 - Internal Audit Operations
Study Unit 2 - Assurance and Compliance Engagements
Study Unit 3 - Financial, Environmental, and Consulting Engagements
Study Unit 4 - The Internal Audit Plan
Study Unit 5 - Engagement Planning
Study Unit 6 - Information Gathering
Study Unit 7 - Sampling and Statistical Quality Control
Study Unit 8 - Analysis, Evaluation, Documentation, and Supervision
Study Unit 9 - Communicating Results and Monitor Outcomes

Summary of Part 2

1. The CIA exam for Part 2 includes 100 multiple-choice questions and you have 2 hours to take the exam.
2. Content specifications - A significant portion of these topics are tested at the proficiency level. However, many of these topics are tested at the basic level. Refer to the IIA content specification to determine the areas tested for these requirements.

                                                    Percentage Tested   Study Units
Managing the Internal Audit Activity                      20%              1-4
Planning the Engagement                                   20%              5
Performing the Engagement                                 40%              6-8
Communicating Engagement Results and Monitoring           20%              9

Preparatory Information

The material in this manual comes from Gleim's CIA Review book. There are 9 study units in his book. There are 9 corresponding study units in these notes. The notes are intended to highlight the key information that you should know in order to pass the exam. You should go through the outlines in this manual prior to reading the study units in Gleim's book.
Once you have read both portions, you should then answer the questions at the end of the study units in Gleim. You should also note that the sentences in this manual that come directly from the Standards will be in bold letters. Key words or phrases will also be in bold letters because they are important to know.

Instructor Contact Information

You can contact Garland at his email address - gg:aniger2,@triad.c¢.com or call him at 336.681.7397 if you have any questions or recommendations for improvement in the review course.

Guidance for Multiple-Choice Questions

Multiple-Choice Questions Techniques

There are several techniques used to prepare a multiple-choice question for the exam. It is important to be able to recognize the type of question being asked. The following list contains several of these techniques.

A. A straight knowledge question. There are no tricks to answering these questions. You need to know the material to get them right.
B. Application questions require that one apply the concepts in a given situation. These are the more difficult questions.
C. A true or false question. "Which of the following answers is false with respect to ... (Or it could be which is true)". Remember that if the question asks for a false answer, three of the answers are true and if they ask for a true answer, three of the answers are false.
D. The use of NOT or EXCEPT FOR within the question. "All of the following answers are correct except for ..."
E. The use of the words "primary, objective, or primary objective". The answer generally will be the broadest answer. Normally, when you see this type of question, you will have one answer that is the objective and three answers with an application of the concept with a procedure. A procedure is not an objective.
F. One type of question will require that you know that three of the answers are incorrect more than knowing that the fourth answer is correct. The question was not written so that you knew the correct answer but that you recognized that the other three will not work.

Warnings and Advice

A. An incomplete answer is not necessarily a wrong answer. For example, the objective of internal audit is to add value and improve operations. If the answer to a question regarding the objective of IA only listed one of the two objectives and no other answer listed both, then the one listed objective would be the correct, but incomplete, answer.
B. Avoid answers with the words All, Always, and Only. They are too limiting since there are often options in everything we do in internal audit. Rarely are those words used in a correct answer.
C. For long questions, read the last sentence from the body of the question first to determine the content of the question. Then read the information after reading the last sentence looking for the purpose of the question.
D. For really long questions, I recommend that you skip them until you have completed all of the shorter questions because they can use up too much time. Do the long questions last.
E. Rank the questions as a 1, 2, or 3.
   A "1" question is defined as one when you know the correct answer. Answer that question immediately.
   A "2" is any question when you have eliminated one or two answers but are not sure of the correct answer. On a sheet of paper, write down the number of the question and the possible correct answers. Skip it until you have completely answered all of your 1s.
   A "3" is any question that is extremely long or for which you have no idea about the answer. Mark it as a 3 and do those questions last. Never leave them blank and try to determine if any answers might be eliminated because of certain words such as all, only, or always in an answer.

Warning: Once you answer a question, NEVER change the answer unless you are 100% certain that your first answer was wrong. Too often we change from the correct answer to an incorrect one. Your gut feel for an answer is usually right.
This approach will help you focus first on the questions that you know. Then you can focus on the questions where you have eliminated one or two answers. By the time you review these questions, the nerves will be gone and your mind will be clearer. Also, by working the questions you know first, you may remember the information needed to answer a 2 question. You are on your own with a 3 but you should think about the question and examine the answers to determine if you can eliminate an answer or two. You do not want to waste time on these questions. Remember that before you work a 3 you should work the long questions that you skipped earlier if you think you can solve the question.

Guidance for Exam Preparation

How to Prepare for the Exam

A. My manual is an outline of the main points from the Gleim study units (7) that one must know to pass the exam. You must realize that there is a difference between understanding and learning. My only objective is to help you understand the material that could be tested. Your goal is to then learn the material sufficiently to pass the exam. Learning involves studying the material and working additional questions until you feel comfortable that you know the material. My approach is to lecture on the material in a study unit followed by working selected multiple-choice questions to reinforce your understanding of the material. After we finish the course, your responsibility is to learn the material we have covered together.
B. The question most often asked of me is "How much time should I spend preparing for the exam?" My answer is very simple. The best way to determine the amount of time you might need to study will be dictated by the percentage of questions you answer correctly during the course. If you get a high percentage of the questions correct that we work together, you probably have a good understanding of the material.
You will only need to reinforce this material by studying the notes and working additional questions until you feel comfortable with your knowledge base. If, on the other hand, you miss a high percentage of the questions we work together, you probably do not have a good understanding of the material. As we discuss the questions during the class, your goal is to make sure you understand why you missed the question. In my estimation, you will need to spend more time on that subject studying the notes and working many more questions to reinforce the learning process.
C. I cannot easily give you a number of hours that you should prepare because it will be based upon the information in B above. However, to be on the safe side, I would attempt to spend about 3 hours per study unit outside of this course. You may find that on some study units, you will need less time and on others you will need more time. Study until you feel comfortable with the entire body of information tested. Try not to have any weaknesses in any subject area. However, one must realize that one does not need to know 100% of the material included in Gleim. It is very important that you know all of the material in the notes of this course since they represent about 92 - 96% of what is normally tested.
D. Assuming you are using the Gleim manuals, I always recommend that you read the answers to each multiple-choice question even if you get the answer correct. By learning why three of the answers are incorrect, you are also learning the material so that you will not miss that question in the future. Always read Gleim's answers.
E. Within the body of my notes, any complete sentence in bold italics would come directly from the Standards.

Study Unit 1
Internal Audit Operations

I. Introduction to Internal Audit
A. The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
   Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
B. Nature of work
   1. Governance - processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization to help it achieve its objectives.
   2. Risk management - helps identify, assess, manage, and control potential negative events to provide reasonable assurance that objectives will be achieved.
   3. Control - any action taken by management, the board, and other parties to manage risk and increase the likelihood objectives will be achieved.
C. Reasonable assurance - most cost-effective measures taken
   1. Effective - one accomplishes objectives in an accurate and timely manner.
   2. Efficient - uses minimal resources for the size of the risk.
   3. Reasonable assurance - when cost-effective procedures are utilized in both the design and implementation of good controls so that they reduce risk to a tolerable level.
D. Basic types of engagements
   1. Assurance services - the purpose is to provide an independent assessment of the organization.
   2. Consulting services - advisory and related client services intended to add value and improve governance, risk assessment, and controls. We can give advice, training, assistance, and counsel.
E. Reporting
   1. Report to the Board and senior management some assurance regarding controls, risk assessment, and governance.

II. Internal Audit Administrative Activities
A. The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.
B. The chief audit executive must establish policies and procedures to guide the internal audit activity.
   1. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.
C. The CAE is responsible for managing internal audit resources to make sure IA has the resources to accomplish the audit plan approved by management and the board.
   1. The CAE presents a budget for IA to the Audit Committee for approval.
D. Human Resources and the CAE should make sure they hire new internal auditors who have the education, experience, skills, etc. to fulfil their responsibility as internal auditors.
   1. The CAE must make sure that the department collectively possesses the skills to accomplish the audit plan for the year.
   2. HR may use both structured interviews (job-related) and behavioral interviews (how the individual handled situations in the past).

III. Stakeholder Relationships
A. The Board of Directors has the responsibility to represent the shareholders as monitors and evaluators of senior management.
B. The Audit Committee is a sub-committee of the Board.
   1. The Audit Committee should be made up of directors who are not part of management of the company to enhance independence. However, some of these members could be close friends of senior management and attempt to protect them.
   2. At least one member of the Audit Committee must be a financial expert.
C. Role of the Audit Committee
   1. The Audit Committee acts as a liaison between the internal auditors and the Board. The internal auditor should bring any control issues to the Audit Committee for discussion that involves senior management.
   2. The Audit Committee also follows up on recommendations by internal auditors on control deficiencies to determine if the control weaknesses have been corrected.
   3. They hire, fire, and agree on the salary of the CAE.
   4. They hire the outside auditor.
   5. They make sure disputes are settled properly.
D. Internal auditors must perform their responsibilities and maintain a good working relationship with management when solving problems involving internal controls. A participative auditing style should be achieved.

IV. Internal Audit Resource Requirements
A. The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
   1. Resources include the people needed to perform internal audits as far as their skills and competencies are concerned.
   2. Resources also include the finances to support the IA department.
B. The chief audit executive (CAE) is required to discuss staffing and resource needs with senior management and the board to make sure the resources are adequate.
C. The CAE should conduct periodic skill assessments of the staff to ensure that the activity has the ability to perform the audits properly.
   1. There should be a job description with a list of duties and qualifications required for the position available for hire.
   2. Continued training of staff is vital in developing the proper resources with the staff.
D. When selecting the audit staff, the CAE must consider the following factors: (These steps are included in sections 5 - 9 for 80% of the exam)
   1. Complexity of the engagement.
   2. Experience levels of the audit staff.
   3. Training needs of the staff.
   4. Available resources.
E. If there is an opening in the management of the internal audit staff and no current staff member is prepared to fill that position, the CAE should consider going outside to hire for that position.
F. Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
   1. This standard falls on the internal auditor, not the CAE.
G. Staff schedules should be used to achieve the effective use of time for the audit staff. They are a form of budgetary controls on the audit.
   1. They are used to control any project to help avoid overruns of time.
   2. Adjustments to the budget must be justified and approved by a higher level supervisor.
H. When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.

V. Coordination
A. The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.
B. The chief audit executive is responsible for the following areas when other internal or external service providers or agencies are involved with an audit:
   1. Coordination activities with other providers of assurance and consulting services.
   2. Understanding the work of the external auditors.
   3. Providing sufficient information to the external auditors to permit them to understand the internal auditor's work as it relates to the external audit.
C. Whenever outside providers are used within the organization such as the outside audit, the CAE is responsible for the coordination between the outside auditors and the internal auditors. If the outside audit is coordinated with the internal auditors, the internal auditors can rely upon the work of the outside auditors.
D. Some of the other types of coordination can be with the SEC, OSHA, EPA, IRS, etc. which are regulatory in nature.

Study Unit 1
Internal Audit Operations
Questions

1. Internal auditing is an assurance and consulting activity. An example of an assurance service is a(n)
   A. Advisory engagement.
   B. Facilitation engagement.
   C. Training engagement.
   D. Compliance engagement.

2. Which of the following potential are subject to the internal auditors' evaluations?
   1. The human resources function.
   2. The purchasing process.
   3. The manufacturing and production database system.
   A. 1 only.
   B. 2 only.
   C. 1, 2, and 3.
   D. None of the answers are correct.

3. What is the most accurate term for the procedures used by the board to oversee activities performed to achieve organizational objectives?
   A. Governance.
   B. Control.
   C. Risk management.
   D. Monitoring.

4. A basic principle of governance is
   A. Assessment of the governance process by an independent internal audit activity.
   B. Holding the board, senior management, and the internal audit activity accountable for its effectiveness.
   C. Exclusive use of external auditors to provide assurance about the governance process.
   D. Separation of the governance process from promoting an ethical culture in the organization.

5. Which of the following is most essential for guiding the internal audit staff?
   A. Quality program assessments.
   B. Position descriptions.
   C. Performance appraisals.
   D. Policies and procedures.

6. The key factor in the success of an internal audit activity's human resources program is
   A. An informal program for developing and counseling staff.
   B. A compensation plan based on years of experience.
   C. A well-developed set of selection criteria.
   D. A program for recognizing the special interests of individual staff members.

7. Written policies and procedures relative to managing the internal audit activity should
   A. Ensure compliance with its performance standards.
   B. Give consideration to its structure and the complexity of the work performed.
   C. Result in consistent job performance.
   D. Prescribe the format and distribution of engagement communications and the classification of observations.

8. An audit committee should be designed to enhance the independence of both the internal and external auditing functions and to insulate these functions from undue management pressures. Using this criterion, audit committees should be composed of
   A. A rotating subcommittee of the board of directors or its equivalent.
   B. Only members from the relevant outside regulatory agencies.
   C. Members from all important constituencies, specifically including representatives from banking, labor, regulatory agencies, shareholders, and officers.
   D. Only external members of the board of directors or its equivalent.

9. Audit committees have been identified as a major factor in promoting the independence of both internal and external auditors. Which of the following is the most important limitation on the effectiveness of audit
   A. Audit committees may be composed of independent directors. However, those directors may have close personal and professional friendships with management.
   B. Audit committee members are compensated by the organization and thus favor an owner's view.
   C. Audit committees devote most of their efforts to external audit concerns and do not pay much attention to the internal audit activity and the overall control environment.
   D. Audit committee members do not normally have degrees in the accounting or auditing fields.

10. The audit committee strengthens the control processes of an organization by
   A. Assigning the internal audit activity responsibility for interaction with governmental agencies.
   B. Using the chief audit executive as a major resource in selecting the external auditors.
   C. Following up on recommendations made by the chief audit executive.
   D. Approving internal audit activity policies.

11. Johnny Hager, Chief Audit Executive, is determining the sufficiency of his resource allocation. Mr. Hagert must consider all of the following except
   A. Communication received from management and the board.
   B. The audit universe.
   C. Knowledge of the internal audit staff.
   D. Consequences of not completing the engagement on time.

12. Gator Financial Service is considering outsourcing its internal audit activity. Gator Financial Service
   A. Cannot outsource the activity because it will impair the effectiveness of the engagement.
   B. Can outsource the services as long as it places responsibility for maintaining effective internal controls in the hands of the external auditor.
   C. Must outsource all internal audit activity to maintain independence.
   D. Can outsource the services as long as Gator Financial Service continues to have the responsibility for maintaining effective internal controls.

13. Which of the following parties is (are) primarily responsible for resource management in an internal auditing engagement?
   1. The chief audit executive
   2. Senior management
   3. The board of directors
   A. 1 and 2.
   B. 2 and 3.
   C. 1 only.
   D. 1 and 3.

14. Which of the following statements about the chief audit executive's responsibilities for internal audit resources is most accurate?
   A. The CAE is responsible for ensuring that audit coverage is based on the skills of the internal audit activity.
   B. The CAE is responsible for presenting a detailed summary of audit resources to management.
   C. The CAE is responsible for the effective deployment of resources to achieve the approved audit plan.
   D. The CAE is responsible for administering the organization's compensation program.

15. Internal audit resources should be appropriate, sufficient, and effectively deployed. Consequently,
   A. Resource planning should be limited to expected activities.
   B. The chief audit executive should perform a periodic skills assessment.
   C. Only members of the internal audit staff should perform internal audit activities.
   D. The chief audit executive ultimately must ensure the adequacy of resources.

16. When determining the number and experience level of an internal audit staff to be assigned to
   1. Complexity of the engagement.
   2. Length of the engagement.
   3. Available internal audit activity resources.
   4. Lapsed time since the last engagement.
   A. 1 and 2 only.
   B. 2 and 3 only.
   C. 1 and 3 only.
   D. 1, 2, 3, and 4.

17. Exchange of engagement communications and management letters by internal and external auditors is
   A. Consistent with the coordination responsibilities of the chief audit executive.
   B. Not consistent with the independence guidelines of the Standards.
   C. A violation of the Code of Ethics.
   D. Not addressed by the Standards.

18. Coordination of internal and external auditing can reduce the overall costs.
Who is responsible for actual coordination of internal and external auditing efforts?
   A. The chief audit executive.
   B. The external auditor.
   C. The board.
   D. Management.

19. Which of the following are responsibilities of the chief audit executive (CAE)?
   1. Coordinating activities with other providers of assurance and consulting services.
   2. Understanding the work of external auditors.
   3. Providing sufficient information to the external auditors to permit them to understand the internal auditors' work.
   A. 1 and 2 only.
   B. 2 and 3 only.
   C. 1 and 3 only.
   D. 1, 2, and 3.

20. Which of the following is responsible for coordination of internal and external audit work?
   A. The board.
   B. The chief audit executive.
   C. Internal auditors.
   D. External auditors.

21. Coordinating internal and external audit activity can increase efficiency by using which of the following?
   1. Similar techniques
   2. Similar methods
   3. Similar terminology
   A. only.
   B. 1 and 3 only.
   C. 1 and 2 only.
   D. 1, 2, and 3.

PSO PNMAAWNS 28

Study Unit 1
Internal Audit Operations
Answers

12. 13. 14, 15. 17. 18. 19. 20. 21. BO>TUDOT>>OO a onU>>ODNNT

Study Unit 2
Assurance and Compliance Engagements

I. Assurance Engagements
A. Types of assurance services - the internal auditor performs an objective examination and renders an assessment, independent opinion, or conclusion regarding governance, risk management, or controls.
   1. Financial audits - reports on the financial records and reporting of the organization.
   2. Compliance audits - evaluates the financial and operating controls to determine if the organization complied with laws, regulations, contracts, policies and procedures of the organization.
   3. Operational audits - reviews the way things get accomplished within the organization for:
      a. Effectiveness - does the function work the way it was designed?
      b. Efficiency and economy - is the function cost beneficial?
   4. IT audits - audit to check the integrity of the IT department, processes, and data.
   5. Full scope audit - evaluates all of the above aspects of an organization.
B. Assurance mapping
   1. Assurance mapping is a pictorial representation of the balance between risk and assurance. The matrix chart lists risks on the vertical axis as low, moderate, and high. The horizontal axis lists assurance needs as low, moderate, and high.
   2. One must determine the combination of the two in order to determine the level of work needed based upon the combination of risks and assurance level requirements.

II. Risk and Control Self-Assessment (CSA)
A. A function of Total Quality Management involves all personnel as part of the control function to examine and evaluate internal controls within the organization.
B. There are five elements of CSA.
   1. Front-end planning of what is to be accomplished.
   2. Gathering employees in the same place at the same time in a U-shape to discuss controls and take ownership of the system.
   3. A well-structured agenda with specific models of controls for discussion by the group.
   4. The presence of a scribe who records the discussion.
   5. Reporting and developing an action plan.
C. The role of internal audit in a CSA program is to act as an advisor in the process and provide support for implementation by management.
D. The result of a CSA program is to get buy-in from the employees who helped develop the controls and to properly see that employees are trained to help implement the program.
E. There are four ways the program can begin.
   1. Facilitation
      a. Objective-based format - looks at the best ways for the business to accomplish its objectives.
      b. Risk-based format - looks at the risks that could prevent the achievement of objectives.
      c. Control-based format - looks at the controls that could be used to achieve goals.
      d. Process-based format - looks at the chain of controls that are connected to achieve the goals.
   2. Surveys - "yes or no" questionnaires.
      These can often be used when the culture is very closed and employees do not feel comfortable sharing their ideas in public.
   3. Self-certification - management-produced analysis about business processes, risk management, and proper internal controls.
   Workshops are often used to help bring about the CSA program by working with employees to develop the necessary controls.

III. Audits of Third Parties and Contract Auditing
A. External business relationships (EBR) for internal audit can include companies such as service providers, distributors, licensees, software companies, etc.
   1. The internal audit staff can perform audits of these companies if requested.
B. IA should follow the steps listed below:
   1. Understand the company, its environment, its processes, and the nature of the company.
   2. Assessing the risks and controls.
   3. Performing the audit.
   4. Reporting on the audit.
   5. Monitoring progress.
C. Contract audits can include the following:
   1. Lump-sum contracts - a fixed amount.
   2. Cost-plus contracts - deals with uncertainties in the contract.
   3. Unit-price contracts - used when one has a measuring device such as square footage or pounds evaluated for billing.

IV. Quality Auditing
A. Used by IA to provide assurance that the approved quality structures are in place and the processes are working as intended.
B. Total Quality Management (TQM)
   1. TQM is the continuous pursuit of quality in every aspect of the organization's activities through:
      a. A philosophy of doing it right the first time.
      b. Employee training and empowerment.
      c. Promotion of teamwork.
      d. Improvement of processes.
      e. Attention to satisfaction of internal and external customers.
   2. This approach seeks to increase the value of the goods or services to customers while reducing cost and increasing revenues.
   3. The goal is to make it correctly the first time - zero defects.

V. Security and Privacy Audits
A. There are several areas where security and privacy are vital to a company.
   1. Personal data privacy - the physical side
   2. Privacy of space - avoiding surveillance
   3. Communication - avoiding monitoring
   4. Information privacy - security of data, collection, use, disclosure.
B. Senior management is responsible for security and privacy.
C. The internal auditor could perform an audit of any of these areas to make sure that controls are in place and working properly.
   1. The internal auditor must always consider risks associated with IT security. But also the auditor must protect the personally identifiable information examined during the audit for the sake of privacy of that information.
   2. The auditor must be prudent with the use of personal information.

VI. Performance Auditing
A. Performance auditing provides assurance about an organization's key performance indicators to determine how well the company is performing.
   1. The balanced scorecard is a method that connects critical success factors determined in a strategic analysis to financial and nonfinancial measures of the elements of performance vital to future success. One identifies critical success factors to use as a benchmark. There are four measures used.
      a. Financial
      b. Customer - their needs and satisfaction
      c. Internal - business drivers, quality, etc.
      d. Learning, growth, and innovation - people and infrastructure.

VII. Operational Auditing
A. Operational audits evaluate the efficiency and effectiveness of an organization's operations. It seeks to help improve work flow and make the company more profitable.
   1. Process or functional engagements follow a process crossing organizational lines, service units, and geographical locations.
   2. Program-results engagements obtain information about costs, outputs, benefits, and effects of certain programs.

VIII. Compliance Audits
A. Compliance audits seek to determine whether the organization is following company policies and procedures, laws and regulations, contracts, etc.
It audits the rules of a process or program to make sure the organization is complying with each of these items. Non-compliance must be reported to senior management and the Board. There are several major areas where compliance auditing can be applied 1. Programs - this area makes sure employees are not violating laws and regulations. 2. Organizational policies and procedures 3. Responsibility — assuring that senior management has the resources and ability to complete the job. 4. Applicant screening — make sure the hiring process is legal. 5. Communication ~ ethical use of information within an organization. 6. Monitoring and reporting — systems to make sure illegal and unethical acts are detected and communicated to make sure they are controlled. Generally, employees do not trust attorneys in this case. Two examples are a. Hotlines - an off-site, independent company where employees can report issues anonymously. b. Ombudsperson — an on-site official who investigates complaints. This person should report directly to the chief compliance officer under a non-retaliatory policy by management c. The disciplining of employees for any serious non- compliance may be limited by the following: (1) Whistleblowing laws. (2) Exceptions to the at-will employment laws for some states (3) Union contracts covering employees. (4) Discrimination laws. Study Unit 2 Assurance and Compliance Engagements Questions 4. What isthe best description of information technology (IT) assurance? A. Review of controis that focus on an ‘organization's ability to comply with ‘established labor laws and policies. 8. Review and testing of IT to assure the integrity of information ©. Determining that year-to-year growth in sales is measurable using accounting methods D. Reviewing credit policies to determine whether ‘only qualified customers are being granted favorable credit terms. 2. 
The primary difference between operational engagements and financial engagements is that, in the latter, the internal auditors
   A. Are not concerned with whether the client entity is generating information in compliance with financial accounting standards.
   B. Are seeking to help management use resources in the most effective manner possible.
   C. Can use analytical skills and tools that are not necessary in financial engagements.
   D. Start with the financial statements of the client entity and work backward to the basic processes involved in producing them.

3. Which group is charged with overseeing the establishment, administration, and evaluation of the processes of risk management and control?
   A. Operating managers.
   B. Internal auditors.
   C. External auditors.
   D. Senior management.

4. Which of the following statements about control self-assessment (CSA) is false?
   A. CSA is usually an informal and undocumented process.
   B. In its purest form, CSA integrates business objectives and risks with control processes.
   C. CSA is also known as control/risk self-assessment.
   D. Most implemented CSA programs share some key features and goals.

5. Which forms of control self-assessment assume that managers and members of work teams possess an understanding of risk and control concepts and use those concepts in communications?
   A. The self-certification approach.
   B. The self-certification approach and facilitated approach.
   C. The self-certification approach and questionnaire approach.
   D. All self-assessment programs.

6. Why should an organization use the survey form of control self-assessment (CSA)?
   A. Few respondents are required to respond.
   B. Respondents are not widely dispersed.
   C. No time constraint is involved.
   D. The organizational culture does not encourage openness.

7. In reviewing a cost-plus construction contract for a new catalog showroom, the internal auditor should be cognizant of the risk that
   A. The contractor could be charging for the use of equipment not used in the construction.
   B.
Income taxes related to construction equipment depreciation may have been calculated erroneously.
   C. Contractor cash budgets could have been inappropriately compiled.
   D. Payroll taxes may have been inappropriately omitted from billings.

8. Which of the following does the internal auditor of a contracting company not have to review as thoroughly in a lump-sum contract?
   A. Progressive payments.
   B. Adjustments to labor costs.
   C. Work completed in accordance with the contract.
   D. Incentives associated with the contract.

9. Which of the following statements about TQM is
   A. This approach can increase revenues and decrease costs significantly.
   B. TQM is a comprehensive approach to quality.
   C. TQM begins with internal suppliers' requirements.
   D. TQM concepts are applicable to the operations of the internal audit activity ise

10. TQM is the continuous pursuit of quality in every aspect of organizational activities through a number of goals. Which of the following is not one of these goals?
   A. A philosophy of doing it right the first time.
   B. Promotion of individual work.
   C. Employee training and empowerment.
   D. Improvement of processes.

11. The reliability and integrity of all critical information of an organization, regardless of the media in which the information is stored, is the responsibility of
   A. Shareholders.
   B. IT department.
   C. Management.
   D. All employees.

12. Freedom from monitoring best defines
   A. Personal privacy.
   B. Privacy of space.
   C. Privacy of communication.
   D. Privacy of information.

13. Using the balanced scorecard approach, an organization evaluates managerial performance based on
   A. A single ultimate measure of operating results, such as residual income.
   B. Multiple financial and nonfinancial measures.
   C. Multiple nonfinancial measures only.
   D. Multiple financial measures only.

14. A performance audit engagement typically involves
   A. Review of financial statement information, including the appropriateness of various accounting treatments.
   B. Tests of compliance with policies,
procedures, laws, and regulations.
   C. A strategic analysis of the organization's key components that are essential to the organization's success.
   D. An evaluation of the board of directors' role in the operations of the organization.

15. Which type of engagement focuses on operations and how effectively and efficiently the organizational units affected will cooperate?
   A. Program-results engagement.
   B. Process engagement.
   C. Privacy engagement.
   D. Compliance engagement.

16. An operational assurance engagement may include an assessment of all of the following except
   A. Accuracy of financial reporting.
   B. Development and effectiveness of the budgeting process.
   C. Quantity of output.
   D. Disposal of scrap.

17. Compliance rogans mos rect ait Mosrtabore 6 Soha wn ote elon?
   1. Developing a plan for business continuity management.
   2. Determining director and officer liability.
   3. Planning for disaster recovery.
   A. only
   B. 2 only.
   C. 1 and 2 only.
   D. 1, 2, and 3.

18. Discipline of employees may be limited by all of the following except
   A. Whistleblower laws.
   B. A requirement to report certain employee violations to a governmental entity.
   C. Union contracts.
   D. Exceptions to the employee-at-will doctrine.

19. An organization establishes compliance standards and procedures and develops a written business code of conduct to be followed by its employees. Which of the following is true concerning business codes of conduct and the compliance standards?
   A. Compliance standards should be straightforward and reasonably capable of reducing the prospect of criminal conduct.
   B. The compliance standards should be codified in the charter of the audit committee.
   C. Companies with international operations should institute various compliance programs, based on selective geographic locations, that reflect appropriate local regulations.
   D. In order to prevent future legal liability, the code should consist of legal terms and definitions.

20. Employees have the most confidence in a hotline monitored by which of the following?
   A. An expert from the legal department, backed by a nonretaliation policy.
   B. An in-house representative, backed by a retaliation policy.
   C. An on-site ombudsperson, backed by a nonretaliation policy.
   D. An off-site attorney who can better protect attorney-client privilege.

Study Unit 2 Assurance and Compliance Engagements Answers

11. 12. 13 14. 15. 16. 417. 18. 19. 20. NOORhWHa DOO>OOFOOND oO>auD>rDmaDIOD 2 OM Bes

Study Unit 3 Financial, Environmental, and Consulting Engagements

I. Financial Engagements
   A. Internal control is a process effected by an entity's board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, (c) compliance with applicable laws and regulations, and (d) safeguarding of assets.
   Control Defined — Any action taken by management, the Board and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Achievement of these goals is accomplished through the following five components:
      1. Control environment sets the tone for an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. It is the responsibility of management.
      2. Risk assessment is the entity's identification and analysis of relevant risks to achieving its objectives, forming a basis for determining how the risks should be managed.
      3. Control activities are the policies and procedures that help ensure that management directives are carried out.
      4.
Information and communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
      5. Monitoring is a process that assesses the quality of internal control performance over time.
   Limitations of any entity's internal control system
      1. Management's responsibility — controls are influenced and designed by management and as such will only be as effective as management desires.
      2. Reasonable assurance - the cost of internal control should not exceed the benefits to be derived by the structure — cost/benefit relationship.
      3. Inherent limitations - all control structures have the following inherent limitations born into any organization's controls.
         a. Controls can be circumvented by collusion of employees.
         b. Management can override any system of controls.
         c. No system can prevent errors arising from human error and poor judgment.
   Reporting on the Effectiveness of Internal Controls
      1. The CAE is responsible for assessing the effectiveness of the controls and management is responsible for maintaining adequate and effective controls.
         a. Controls are effective if they provide reasonable assurance that objectives are achieved.
         b. Controls are adequate if they are designed to provide reasonable assurance that risks are managed and objectives are achieved effectively.
      2. The Board needs an evaluation of the following questions:
         a. Is the ethical environment and culture strong?
         b. How does the organization identify and manage risks?
         c. Is the control system effective?
         d. Is monitoring strong?
   The role of the internal auditor with regard to the external auditors is to provide management and the Board the following:
      1. Relevant information to appoint the external auditor.
      2. Coordinate the planning and execution of the external audit.
      3. Share results with the external auditors.
      4. Communicate observations with the auditors.
      5. Review the work and quality of the report.
   Transaction Cycles and Internal Controls
      1.
Internal Controls in the Sales Cycle.
         a. Sales department takes the order and prepares a Sales Order.
         b. The Sales Order is sent to the Credit Department for authorization.
         c. The Approved Sales Order is sent to the Warehouse where the order is filled.
         d. The Approved Sales Order and merchandise are sent to the Shipping Department to be shipped. The Shipping Department checks the order, then prepares a Bill of Lading for shipping and logs in the shipment.
         e. The Billing Department receives all the documents and prepares the Sales Invoice to send to the customer. They then record the sale in the general ledger.
         f. The Accounts Receivable Department checks the bill for proper billing and records the transaction in the AR subsidiary ledger.
         g. All authorizations for bad debts should be done by the Treasurer.
         h. Any returns should not be sent to any of the above parties but have a separate department for returns and credit approval.
      2. Internal Controls in the Purchasing Cycle.
         a. Warehouse personnel fill out a Purchase Requisition and have it approved by management for purchases of merchandise.
         b. The Requisition is sent to the Purchasing Department. Their job is to buy the merchandise requested at the best price. They prepare a Purchase Order with a copy going to the Receiving Department.
         c. Receiving takes in the merchandise, counts it, completes a receiving report, and sends the documents to the accounting department.
         d. Accounting gets the Approved Purchase Request, Purchase Order, Receiving Report, and the Invoice in the mail. They reconcile the documents and record the transaction.
      3. Personnel Cycle
         a. A separate Human Resources Department has the responsibility to hire and fire employees and keep records on each employee.
         b. Each pay period, the supervisor approves the time cards, etc.
         c. Payroll Accounting receives the time reports and prepares the payroll information, prints the checks, and sends them to the Treasurer for signing.
         d.
Treasurer reviews the payroll, signs the checks and distributes the checks or may use direct deposit. Unclaimed checks remain with the Treasurer until claimed.
      4. Cash Cycle - Treasury function
         a. For cash receipts, one employee opens the mail, makes a list of all checks received, stamps “For Deposit Only” on each check. They send the checks to the Treasurer and the report to Accounting. The treasurer then deposits the checks and sends the authenticated deposit ticket to accounting for reconciliation to the list of checks.
         b. For cash disbursements, all checks must have approved documents before the checks are signed. Documents should be cancelled after payment and checks should be mailed independently of accounting.

II. Environmental Auditing
   A. Internal audit evaluates the risks of environmental, health, and safety issues across the organization.
   B. The environmental audit function involves evaluating whether the risks depend greatly on the environmental audit function or not.
      1. The CAE and the environmental audit executive are functionally separate and can coordinate their activities. The CAE is responsible for auditing environmental issues.
   Research findings — indicated some of the problems
      1. A written audit report can be distributed no higher in the organization than to senior management environmental executives.
      2. It can be classified as part of attorney-client privilege information, secret and confidential, or if not confidential, closely held by management.
   Role of the CAE
      1. If the environmental function reports to someone other than the CAE, the CAE is responsible for maintaining good communications. The CAE schedules a quality assurance review of this function. The audit can be either:
         a. Compliance-focused — did they follow the environmental procedures and laws.
         b. Management systems-focused — audits of the compliance function by management.
   Environmental auditing involves reviewing the adequacy and effectiveness of the controls over hazardous waste. There are seven types of environmental audits.
      1. Compliance audits - tests the degree of non-compliance.
         a. Site-specific audits of the operational areas.
         b. Review possible contamination of air, water, land, and wastewater.
         c. Can include lab tests, testing details, and testing installation of water monitoring.
      2. Environmental management systems audits — are systems in place and working to manage future risks.
      3. Transactional audits — tests risks and possible liability of land or facilities prior to property purchase or sale.
      4. Treatment, storage, and disposal facility (TSDF) audits — involves the tracking of waste from creation or purchase to disposal through proper documentation.
      5. Pollution prevention audits — audits how waste can be minimized and pollution be eliminated at the source.
      6. Environmental liability accrual audits - examines whether liabilities are probable, measurable, and estimable for possible accrual.
      7. Product audits - are products environmentally friendly to users and chemical restrictions adhered to.

III. Consulting Engagements - Overview of Standards
   A. The nature of consulting must be defined in the internal audit charter.
   B. Both assurance and consulting services can be performed and they are not mutually exclusive.
   C. There are several categories that include:
      1. Formal consulting — planned and subject to a final written report.
      2. Informal consulting — routine type activities with a limited task.
      3. Special consulting - mergers and acquisition type work.
      4. Emergency consulting - relates to disaster recovery or some type of extraordinary event.
   The CAE should consider accepting proposed consulting engagements based on the engagement's potential to improve the management of risks, add value, and improve the organization's operations.
   Accepted engagements must be included in the plan.
   CAE is responsible for communicating to the appropriate levels of management the results of the engagement. If there are very serious problems, the communication would go to management, audit committee, and the Board.
   In a consulting engagement, the internal auditors are advocates for management and therefore are not required to be independent in thought.
   The internal auditors may not provide assurance services after the consulting engagement for one year from the date of the consulting work.

IV. Consulting Engagements — Internal Auditor
   A. Independence and objectivity
      1. Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
      2. If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
   Due care
      1. The CAE must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
   Scope of work
      1. Internal auditors must establish an understanding with the client about the objectives, scope of work, and performance of the audit.
      2. Work programs must document the work on the consulting engagement.
   Communicating results
      1. Communication of the progress and results will vary in form.
      2. The CAE is responsible for communicating the final results.
   Documentation
      1. CAE must have policies for documentation and maintaining those documents that support the work of IA.
   Monitoring
      1. The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

V. Consulting Engagements - Benchmarking
   A. Benchmarking involves the use of best practices as a means to evaluate the activities of the organization. It is always about best practices. It involves:
      1. Prioritizing and selecting benchmarking projects.
      2. Organizing the team
      3. Researching the best-in-class methods.
      4. Data analysis identifying gaps and the reasons for them.
      5. Making final recommendations.
   There are several types of benchmarking that can be used.
      1. Strategic - looks for good long-term strategies.
      2. Internal — looks at best practices from one department within the organization compared to other departments
      3. Process - looks at best practices in operations compared to similar businesses in any industry.
      4. Competitive — looks at best practices in companies in the same industry.
      5. Generic - looks at best practices in one department and compares it to best practices in another company.

VI. Consulting Engagements - Other Types
   A. Internal control training — assisting management in its responsibilities to implement and maintain good controls.
   Due Diligence Auditing
      1. Sometimes a company seeks to purchase another company. Both the internal and external auditors might be asked to perform a due diligence audit of the proposed purchase. The purpose of the audit is to make sure there are no hidden issues that could negatively affect the buyer. The audit generally involves the financial statements but can include other things such as the culture, product quality, etc.
      2. At the conclusion of the audit, the internal auditor provides a report on their findings to senior management and the Board.
   Business process mapping - this involves innovative processes and core processes that need to be redesigned with an emphasis on simplifying and eliminating non-value-added functions.
      1. Work measurement involves analyzing the activities with an emphasis on cost controls.
   System development reviews work when a company is utilizing the systems development life cycle approach to updating systems.

Study Unit 3 Financial, Environmental, and Consulting Engagements Questions

1. Controls should be designed to ensure that
   A.
Operations are performed efficiently.
   B. Management's plans have not been circumvented by worker collusion.
   C. The internal audit activity's guidance and oversight of management's performance is accomplished economically and efficiently.
   D. Management's planning, organizing, and directing processes are properly evaluated.

2. The chief audit executive's responsibility for assessing and reporting on control processes includes
   A. Communicating to senior management and the board an annual judgment about internal control.
   B. Overseeing the establishment of internal control processes.
   C. Maintaining the organization's governance processes.
   D. Arriving at a single assessment based solely on the work of the internal audit activity.

3. An internal auditor fails to discover an employee fraud during an assurance engagement. The nondiscovery is most likely to suggest a violation of the International Professional Practices Framework if it was the result of a
   A. Failure to perform a detailed review of all transactions in the area.
   B. Determination that any possible fraud in the area would not involve a material amount.
   C. Determination that the cost of extending procedures in the area would exceed the potential benefits.
   D. Presumption that the internal controls in the area were adequate and effective.

4. In any organization-wide risk management assessment, the CAE should include risks associated with which of the following activities?
   A. Environmental.
   B. Health.
   C. Safety.
   D. All of the answers are correct.

5. Internal auditors are increasingly called on to perform audits related to an organization's environmental stewardship. Which of the following does not describe the objectives of a type of environmental audit?
   A. Determine whether environmental management systems are in place and operating properly to manage future environmental risks.
   B.
Determine whether environmental issues are considered as part of economic decisions.
   C. Determine whether the organization's current actions are in compliance with existing laws.
   D. Determine whether the organization is focusing efforts on ensuring that its products are environmentally friendly, and confirm that product and chemical restrictions are met.

6. What type of audit assesses the environmental risks and liabilities of land or facilities prior to a property transaction?
   A. Pollution prevention audit.
   B. Compliance audit.
   C. Transactional audit.
   D. Product audit.

some smith ce Pant (Si) i weatsd onthe Msissipo ivan Sip Fao. hstry of waking polutrts no re fssssiog! Among Sw flowing ereorenta sk Sroosstee, wile ane does SP nt heve fo aveluate Sear ois organiston:nge envroemortl Sk ‘anagemon assessren”
   A. History of financial distress.
   B. Likelihood of water pollution fines.
   C. History of employee injuries.
   D. Likelihood of loss of public reputation.

8. Which of the following is true about the interaction of the internal audit function and the environmental audit function?
   A. If the environmental audit function reports to someone other than the CAE, the CAE should not offer to review the audit plan since (s)he was not consulted to do so.
   B. It is not advantageous for the internal audit function to conduct environmental audits since it is too busy with its current responsibilities.
   C. The CAE should evaluate whether the environmental auditors are conforming to recognized professional auditing standards and a recognized code of ethics.
   D. The CAE should not evaluate the organizational placement and independence of the environmental audit function since the internal function has no control over a separate environmental audit function.

9. Internal auditors may provide consulting services that add value and improve an organization's operations. The performance of these services
   A. Impairs internal auditors' objectivity with respect to an assurance service involving the same engagement client.
   B. Precludes generation of assurance from a consulting engagement.
   C. Should be consistent with the internal audit activity's empowerment reflected in the charter.
   D. Imposes no responsibility to communicate information other than to the engagement client.

10. Which of the following statements is false?
   A. A disciplined, systematic evaluation methodology is incorporated in each internal audit activity. The list of services can generally be incorporated into two broad categories of assurance and consulting.
   B. Assurance and consulting are mutually exclusive and do preclude other auditing services such as investigations and nonauditing roles.
   C. Many audit services will have both an assurance and consultative role.
   D. Internal audit consulting enriches value-adding internal auditing.

11. Senior management of an entity has requested that the internal audit activity assist the purchasing function's switch from a manual entry inventory system to a fully automated inventory system. This service is best performed in a(n)
   A. Formal consulting engagement agreement.
   B. Informal consulting engagement agreement.
   C. Special consulting engagement agreement.
   D. Emergency consulting engagement agreement.

12. An internal auditor performed a formal consulting engagement for XYZ Corporation on June 1, Year 1. When is the earliest time the auditor can perform assurance services for XYZ Corporation and be considered independent and objective?
   A. January 1, Year 2
   B. June 1, Year 2
   C. July 4, Year 1
   D. June 2, Year 1

13. Internal auditors should design the scope of work in a consulting engagement to ensure that all of the following will be maintained except
   A. Independence.
   B. Integrity.
   C. Credibility.
   D. Professionalism.

14. Which of the following is not a critical step in the researching and identifying best-in-class performance phase?
   A. Setting up databases.
   B. Choosing information-gathering methods.
   C. Formatting questionnaires.
   D. Employee training and empowerment.

15. Which of the following statements regarding benchmarking is false?
   A. Benchmarking involves continuously evaluating the practices of best-in-class organizations and adapting company processes to incorporate the best of these practices.
   B. Benchmarking, in practice, usually involves a company's formation of benchmarking teams.
   C. Benchmarking is an ongoing process that entails quantitative and qualitative measurement of the difference between the company's performance of an activity and the performance by the best in the world or the best in the industry.
   D. The benchmarking organization against which a firm is comparing itself must be a direct competitor.

16. What is the first phase in the benchmarking process?
   A. Organize benchmarking teams.
   B. Select and prioritize benchmarking projects.
   C. Researching and identifying best-in-class performance.
   D. Data analysis.

17. Which of the following best describes process (function) benchmarking?
   A. Studying an organization in the same industry.
   B. Comparing a process in one operation with a similar process but in a different industry.
   C. Studying operations of organizations with similar processes regardless of industry.
   D. Applying best practices in one part of the organization to its other parts.

18. Monitoring is an important component of internal control. Which of the following items would not be an example of monitoring?
   A. Management regularly compares divisional performance with budgets for the division.
   B. Data processing management regularly generates exception reports for unusual transactions or volumes of transactions and follows up with investigation as to causes.
   C. Data processing management regularly reconciles batch control totals for items processed with batch controls for items submitted.
   D. Management has asked internal auditing to perform regular audits of the controls over cash processing.

19. Which of the following is an example of business process reengineering?
   A. Adding a new machine to the existing production line to speed up production.
   B. Redesigning the production line to speed up production.
   C.
Repairing a machine on the process line to speed up production.
   D. Updating the computer systems involved on the production line to speed up production.

20. Which of the following is an example of a soft control?
   A. Passwords.
   B. Ethical culture.
   C. Segregation of duties.
   D. Authorization signatures.

Study Unit 3 Financial, Environmental, and Consulting Engagements Answers

NOMRWNA DBOOFAOTWOOYY aa DDONQBWVOFDWO =O -

Study Unit 4 The Internal Audit Plan

I. Risk-Based Audit Plan
   A. Risk is defined as any event that could keep a company from achieving its objectives.
   B. The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.
      1. IA activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually.
   C. The internal audit activity's audit plan is based on:
      1. The audit universe (all possible areas of audit) which must be assessed annually.
      2. Input from senior management and the board, and
      3. Assessed risk and exposure.
   D. Work schedules are based on the assessment of the risk priorities and exposure to build a risk model which includes factors to be considered.

II. Risk Modeling
   A. Audit risk model and the components of risk
      1. Audit risk - the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.
      2. Inherent risk - the susceptibility of an assertion to a misstatement that could be material before consideration of internal controls.
      3. Control risk - the risk that a misstatement could occur in an assertion and that could be material will not be prevented, or detected, and corrected by the entity's internal controls.
      4. Detection risk - the risk that the procedures performed by the auditor to reduce risk will not detect a material misstatement that exists and that could be material.
   B.
The following chart is a picture of the relationship between evidence gathered and detection risk for the internal auditor:

      Evidence          0%      100%
      Detection Risk    100%    5%

      If one gathers 0% evidence, detection risk is 100%. However, the way to reduce detection risk is by gathering enough evidence to reduce detection risk to an acceptable level.
   C. The auditor must then respond to the level of risk based upon the four types of risk above.
   D. The CAE can prepare a matrix for risk by mapping the impact of the risks as critical, major, or minor and the likelihood of the risks occurring as likely, possible, or remote.

III. Communicating and Reporting to Senior Management and the Board
   A. The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant internal changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.
   B. The chief audit executive must report periodically to senior management and the board on the internal audit activity's purpose, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.
   C. The response by the CAE should include such things as:
      1. The organizational independence of IA.
      2. Plans and resources required.
      3. The results of the audit.
      4. Internal control issues that were significant.
      5. Content of the report.
      6. Overall effectiveness of internal controls.

Study Unit 4 The Internal Audit Plan Questions

1. A chief audit executive may use risk analysis in preparing work schedules. Which of the following is not considered in performing a risk analysis?
   A. Issues relating to organizational governance.
   B. Skills available on the internal audit staff.
   C.
Results of prior engagements.
   D. Major operating changes.

2. The term "risk" is best defined as the possibility that
   A. An internal auditor will fail to detect a material misstatement that causes financial statements or internal reports to be misstated or misleading.
   B. An event could occur affecting the achievement of objectives.
   C. Management will, either knowingly or unknowingly, make decisions that increase the potential liability of the organization.
   D. Financial statements or internal records will contain material misstatements.

3. Risk modeling or risk analysis is often used in conjunction with development of long-range engagement work schedules. The key input in the evaluation of risk is
   A. Previous engagement results.
   B. Management concerns and preferences.
   C. Specific requirements of professional standards.
   D. Judgment of the internal auditor.

4. The chief audit executive of a manufacturer is updating the long-range engagement work schedule. There are several possible assignments that can fill a given time spot. Information on potential monetary exposure and key internal controls has been gathered. Based on perceived risk, select the assignment of greatest merit.
   A. Precious metals inventory - carrying amount, US $1,000,000; separately stored, but access not restricted.
   B. Branch office petty cash - ledger amount, US $50,000; 10 branch offices, equal amounts; replenishment of accounts requires three separate approvals.
   C. Sales force travel expenses - budget US $1,000,000; 50 sales people; all expenditures over US $25 must be receipted.
   D. Expendable tools inventory - carrying amount, US $500,000; issued by tool crib attendant upon receipt of authorization form.

5. Risk assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions or events. Which of the following statements reflects the appropriate action for the chief audit executive to take?
   A.
The CAE should generally assign engagement prionties to activities with higher risks. B. The GAE shoul resirit the number of sources of information used in the risk assessment process. C. Work schedule priorities should be established ta [ead the CAE in the risk assessment process. D._ The risk assessment process should be conducted at least every 310 5 years. 66. When developing the internal aucit plan, the Chief audit executive must consider the following expectations oF 4. Department managers 2. Stakeholders 3. Human resource managers. A. ‘only. B. 2only. ©. Sony D. 2and3 7. The internal auditing activity of Rivers Financia Group is developing a plan for the currant year. Which ff the following should net be emphasized in the audit plan? A. All control systems. 8. Areas where inherent risk is very high ©. Control systems on which the organization is ‘most reliant. D. Unacceptable current risks that require management action, 8. The internal audit actvty’s audit pian is based on ali of he following except The audit universe. The cost of the engagement, Input trom senior management and the board gompr 9, Risk managements critical to the sound ‘governance Gf which ofthe following? A. Financial actvties of the organization, B, Manufacturing activities of the organization. C. Alt organization activities that produce more than 10% of ravenve, D. All organizational activites, regardless of revenue, 10, An organization has no formal isk management framework, In daveroping a riskbased plan t0 determine the prorites ofthe internal audit activity, the chief audit executive (CAE) should A. Use the same risk-vased plan developed for aather clients 8. Not establish a risk-based plan because one is not necessary. CC. Consutt with senior management and the oard and use the best judgment of risks, D. Limit the scope of the engagement. 44. 
The chief audit executive (CAE) performs a risk assessment before developing the annual audit plan \Winisn of tho folowing Is most likely to increase the assessment of an wentiied n3K? A. An immaterial, anticipated drop in cash ow ‘after plant closings B.A request from senior management to review the strategic pian. ‘An unexpected, significant increase in receivabies not related to an increase in sales. D. Acritical activity had not been subject te a ‘compliance audit dure the past year 35 ° 42, Which internal audit planning tool's general in raiure and is used fo ensure adequate engagement ‘coverage over time? ‘The aucit plan, ‘The engagement work program. ‘The intemal audit activit’s budget The internal audit activity’s charter gop 13. Which of the following actions by the internal ‘audit activity i (are) appropriate in response to a risk assessment? 1. Although input of senior management and the board should be obtained, the chief audit ‘executive does not need to consider it when ‘eveloping the internal aucit activtys plan of. engagements 2. The high-risk areas should be integrated into an audit pian along withthe high-priority requests of management and the audit commitee 3, The risk analysis should be used in deterring ‘an avait plan. Thus. i shoutd be performed only fon an annval basis. A. tony. B. 2ony ©. and 3only D. tand 2 only 14. Which of the following comments is (are) true regarding the assessment of risk associated with two brojects tat are competing for imteditemalauct 1. Industry knowledge should be used to identity the project with the higher prioity 2, Activities with higher financial budgets always. should be considered higher risk than tnase with Tower financial budgets. 3. Activities that are requested by the board always ‘should be considered higher nck than those. requested by management 4. Senior management's evaluations ofthe risk ‘associated with each project must be considered, . 2and 4 only. 2and3 only. 4 and. ony. 1nd 3 only cog, 15. 
The intemal auditors of Smother Corp. are cconsiderng lower-risk audits 2s a part of their ait plan. They should A. Include the lawer-isk audits to give tham Coverage and confirm that their isks have not changed. B._ Not include the lower-isk audits in the audit plan since thay are not risky C. Include only half ofthe lower-isk audits to 8¢0 ifthe risks have changed ©. Include the fower-rsk audits only with senior management approval 46. In the AICPA's aut rsk model. the risk that an auditor wil express an inaporopriate audit ‘pinion when the financial statements are materially misstated is, A. Audit risk. B. Inherent risk. ©. Controt risk D. Detection risk 17. On the basis of audit evidence gathered and valuated, an auditar decides to decrease the level of Sotection risk from thet onginaly planned. Assuming the same planned audit risk leve, the change m the planned detection risk most likely resulted from a(n) Decrease in the assessed control risk Increase in materiality levels, Decrease in the assessed Inherent risk pow, Increase in the assessed contol risk 18, Who reviews and approves a summary of the intemal audit plan? Senior management and the board The audit committee and the board Senior management only ‘The chief audit executive (CAE) only, COp> 19. As the chief audit executive, you nave determined thatthe acquisition of some expensive, siate-olthe- at software for paperiess working paper files will be Useful. Identfy the preferred method for presenting your request to senior manager. The effect of nat obtaining the software. Statement of need, Comparison with other internal audit activities, Evaluation of te software's technical specifications, com> 20. Bobby Fitz, CAE, believes that he intemal ‘controls over cash disbursements need major roviione, Mr Fiz discussed ts matter wih ‘senior management and was very alarmed at theit ‘acceptance of this serious risk What action should Mr Fitz take next? ‘A. 
Report the matter tothe board immediately B._ Understand management's basis for accepting the risk. . Determine whether management has the authority fo accept the risk. ©. Further attempt to resove the disagreement 21. What should the CAE do ifthe scope of the intemal audit pian is insufficient to permit expression (of an opinion about risk management and control? A. Design more procedures to ensure the aucit plan becomes sufficient. 8 The CAE should inform senior management ‘and the board about gaps in audit coverage C. Make the decision to outsource the internal auait function 60 the scope of the audit pian ‘ean be sufficient D. Hire more internal auditors to increase the seope of the engagement ONDARY QOUD>HOYr>ronD =a© on Study Unit 4 The Internal Audit Plan Answers 12. 13. 14. 15. 16 17. 18. 19. DOr>rOrrowny 21. Study Unit 5 Engagement Planning Engagement Planning and Risk Assessment A ronmm Engagement objectives 1. An engagement objective is a “specific internal audit assignment, task, or review activity, such as an internal audit, control self- assessment, fraud examination, or consultancy. An engagement may include muttiple tasks or activities designed to accomplish a specific set of related objectives.” Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization's Strategies, objectives, and risks relevant to the engagement. In planning the engagement, auditors must consider: 1. The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance. 2. The significant risks of the activity's objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. 3. The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model. 4. 
The opportunities for making significant improvements to the activity’s governance, risk management, and control processes. The formality and plan for documentation will depend upon the organization being audited. Such factors should be considered as: 1. Will the work be used or relied upon by others? 2. The size of the activity and experience of the auditors. 3. Staffing of the audit by those both inside and outside the activity. 4. The complexity and scope of the audit. 5. The use of the documentation in future audits. One must determine the period covered by the audit, completion date, and the format of the final communication. The CAE is responsible for determining how, when, and to whom engagement results will be communicated. There should be a pre-engagement meeting to discuss the objectives, personnel needs, and time frame for the engagement. Preliminary survey should be completed to get to know the following: 1. The activities, risks, and controls in order to determine priorities in the audit 2. Discuss issues with the auditee and invite their comments. Tools to complete the preliminary survey 1. Questionnaires im Control flowcharts 38 Pane Interviews Analytical procedures Process mapping Checklists J. Risk Identification is used to find areas of significant risk so the auditor will know where to investigate during the internal audit. K. The internal auditor considers management's assessment of risk, its reliability, the process for addressing risk, the risk appetite, and risks in activities as part of the preliminary survey. L. Asummary of the results is prepared for review of all issues discovered and an evaluation of the controls and risk ll. Engagement Objectives, Scope, and Criteria A. Objectives must be established for each engagement. 4. 4 ‘Objectives help: a. Determine procedures that need to be performed and areas to test. b. Identify key risks for the area audited c. 
Preliminary objectives are based on the plan, past results, management feedback, and the auditee’s objectives. An engagement consists of: a. Planning b. Performing procedures cc. Communicating results d. Monitoring progress Engagement objectives are broad statements developed by internal auditors that define intended engagement accomplishments a. They establish the risks associated with the audit. b. _ Risk assessment is used to further determine audit objectives. c. After determining risks, one determines the procedures that must be performed in light of the risks. Performance standards must be developed and documented for each engagement B. The established scope must be sufficient to achieve the objectives of the engagement. c. Criteria are measurements of the effectiveness of internal controls. 1. 2. Management or the Board is responsible for establishing objectives and goals to maintain good controls, Internal audit ascertains whether indeed they have accomplished this goal. I. Engagement Staff and Resources Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. 1. This requirement falls upon the internal auditor instead of the CAE. 2. Resources must be allocated based upon; a. The number and experience of the staff. b. The knowledge, skills, and competencies of the staff. ¢. Training needs. d._Ifextemal resources will be necessary. Audit schedules or time budgets are necessary to help the auditor use time for efficiently. The budget should be approved by the CAE. Any changes due to unusual events during the audit should be discussed with the CAE, IV, Engagement Procedures A. There are three basic procedures used to gather evidence. 4 Observation is useful to observe internal controls as they work and to determine that certain assets actually exist. 2. 
__ Interviewing helps gain an understanding of control procedures through the use of questionnaires. a. Internal Controt Questionnaires (ICQ) help identify controls that are supposed to be in place. b. They help to make sure that the auditor does not inadvertently omit an important area of concern, 3. _ Examining records is most often used as a means of verifying transactions. Confirmations are letters sent to third parties to validate information that the auditor already knows or the acknowledgement of information the auditor may not be aware of that exists. 1. Positive confirmations demand a reply and are used when controls are weak and/or the dollar values are high, 2. Negative confirmations only ask for a reply when the respondent does not agree with the data. They are used when controls are strong and the dollar values are low. Tracing and vouching 1. Tracing begins with the source document and traces in through the accounting process to the general ledger. It proves that everything that belongs in that account is there. 2. Vouching begins with the general ledger and is vouched backwards to the source document. It proves that every entry that is in the general ledger belongs there. Reperformance is simply recalculating amounts that the company has previously calculated. Items such as bad debts, depreciation, etc. 40
