CIA P2 Text A4 Aug13

advertisement
CIA Part 2
Internal Audit Practice
HOCK international books are licensed only for individual use and may not be
lent, copied, sold, or otherwise distributed without permission directly from
HOCK international.
If you did not download this book directly from HOCK international, it is not a
genuine HOCK book. Using genuine HOCK books assures that you have complete,
accurate and up-to-date materials. Books from unauthorized sources are likely outdated
and will not include access to our online study materials or access to HOCK teachers.
Hard copy books purchased from HOCK international or from an authorized
training center should have an individually numbered orange hologram with the
HOCK globe logo on a color cover. If your book does not have a color cover or does
not have this hologram, it is not a genuine HOCK book.
Fourth Edition
CIA
Preparatory Program
Part 2
Internal Audit Practice
Brian Hock, CIA, CMA
and
Carl Burch, CIA, CMA
HOCK international, LLC
P.O. Box 204
Oxford, Ohio 45056
(866) 807-HOCK or (866) 807-4625
(281) 652-5768
www.hockinternational.com
[email protected]
Published August 2013
Acknowledgements
Acknowledgement is due to the Institute of Internal Auditors for permission to use
copyrighted questions and problems from the Certified Internal Auditor Examinations by
The Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, Florida
32701 USA. Reprinted with permission.
The authors would also like to thank the Institute of Certified Management Accountants
for permission to use questions and problems from past CMA Exams. The questions and
unofficial answers are copyrighted by the Certified Institute of Management Accountants
and have been used here with their permission.
The authors also wish to thank the IT Governance Institute for permission to make use
of concepts from the publication Control Objectives for Information and related
Technology (COBIT) 3rd Edition, © 2000, IT Governance Institute, www.itgi.org.
Reproduction without permission is not permitted.
© 2013 HOCK international, LLC
No part of this work may be used, transmitted, reproduced or sold in any form or by any
means without prior written permission from HOCK international, LLC.
ISBN: 978-1-934494-85-1
Thanks
The authors would like to thank the following people for their assistance in the
production of this material:






Kekoa Kaluhiokalani for his assistance with copyediting the material,
Lynn Roden, CMA for her assistance in the technical elements of the material,
Kevin Hock for his work in the formatting and layout of the material,
All of the staff of HOCK Training and HOCK international for their patience in the
multiple revisions of the material,
The students of HOCK Training in all of our classrooms and the students of HOCK
international in our Distance Learning Program who have made suggestions,
comments and recommendations for the material,
Most importantly, to our families and spouses, for their patience in the long hours
and travel that have gone into these materials.
Editorial Notes
Throughout these materials, we have chosen particular language, spellings, structures
and grammar in order to be consistent and comprehensible for all readers. HOCK study
materials are used by candidates from countries throughout the world, and for many,
English is a second language. We are aware that our choices may not always adhere to
“formal” standards, but our efforts are focused on making the study process easy for all
of our candidates. Nonetheless, we continue to welcome your meaningful corrections and
ideas for creating better materials.
This material is designed exclusively to assist people in their exam preparation. No
information in the material should be construed as authoritative business, accounting or
consulting advice. Appropriate professionals should be consulted for such advice and
consulting.
Dear Future CIA:
Welcome to HOCK international! You have made a wonderful commitment to yourself
and your profession by choosing to pursue this prestigious credential. The process of
certification is an important one that demonstrates your skills, knowledge and commitment to your work.
We are honored that you have chosen HOCK as your partner in this process. We know
that this is a great responsibility, and it is our goal to make this process as painless and
efficient as possible for you. To do so, HOCK has developed the following tools for your
use:






A Study Plan that guides you, week by week, through the study process. You
can also create a personalized study plan online to adapt the plan to fit your
schedule. Your personalized plan can also be emailed to you at the beginning of
each week.
The Textbook that you are currently reading. This is your main study source and
contains all of the information necessary to pass the exam. This textbook follows
the exam contents and provides all necessary background information so that you
don’t need to purchase or read other books.
The Flash Cards include short summaries of main topics, key formulas and
concepts. You can use them to review whenever you have a few minutes, but
don’t want to take your textbook along.
ExamSuccess contains original questions and questions from past exams that
are relevant to the current syllabus. Answer explanations for the correct and incorrect answers are also included for each question.
Teacher Support via our online student forum, e-mail, and telephone throughout your studies to answer any questions that may arise.
A Mock Exam for each part of the exam enables you to make final preparations
using questions that you have not seen before.
We understand the commitment that you have made to the exams, and we will match
that commitment in our efforts to help you. Furthermore, we understand that your time
is too valuable to study for an exam twice, so we will do everything possible to make
sure that you pass the first time.
I wish you success in your studies, and if there is anything I can do to assist you, please
contact me directly at [email protected]
Sincerely,
Brian Hock, CIA, CMA
President and CEO
CIA Part 2
Table of Contents
Table of Contents
Exam Introduction ............................................................................................................. 1
Section A – Managing the Internal Audit Function – Introduction ................................ 3
Managing the Internal Audit Function ............................................................................. 5
Strategic Role of Internal Auditing ................................................................................... 5
Changing Business Environment
Developing an Internal Audit Strategic Plan
5
6
Coordinating Activities ..................................................................................................... 7
Assurance Mapping
Coordination with External Auditor
Coordinate with Regulatory Bodies
Coordinate with Other Internal Assurance Functions
7
8
10
11
Role of Internal Audit in Governance............................................................................. 12
Ethics Advocates
12
Operational Role of Internal Audit.................................................................................. 15
Planning ........................................................................................................................... 15
Setting the Goals of the Internal Audit Activity
Developing the Engagement Work Schedules
15
16
Establishing Risk-Based Plans ...................................................................................... 16
Communicating Plans & Resource Requirements ....................................................... 20
Managing Resources....................................................................................................... 20
Developing Policies and Procedures ............................................................................. 23
Reporting Results to Senior Management and Board .................................................. 24
Activity Reports
Significant Engagement Observations
Relationship with Audit Committee
24
24
25
Responsibility for External Service Providers .............................................................. 28
Role of Internal Audit in the Risk Management Process .............................................. 29
Assessing the Adequacy of Risk Management Processes
Assessing the Adequacy of Risk Management Processes for Formal Consulting Services
29
31
Managing the Risk of the Internal Audit Activity .......................................................... 32
Types of Internal Audit Engagements ........................................................................... 34
Assurance Services......................................................................................................... 34
Financial Audit Engagements......................................................................................... 35
Documents and Individuals in the Transaction Cycles
35
Compliance Audit Engagements .................................................................................... 43
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
i
Table of Contents
Environmental Auditing
CIA Part 2
43
Operational (Performance) Audit Engagements ........................................................... 46
Economy and Efficiency
Program-Result
46
47
Other types of Operational Engagements ..................................................................... 47
E-Commerce Engagements
Due Diligence Engagements
Business Continuity Planning Engagements
47
51
52
Quality Engagements ...................................................................................................... 54
Benchmarking
ISO 9000 Quality Standards Audits
Physical Security Audit Engagements
Audits of Third Parties
Contract Auditing
Privacy Audit Engagements
55
57
58
59
60
62
Consulting Services ........................................................................................................ 65
Principles Guiding the Performance of Consulting Activities of Internal Auditors
Considerations for Formal Consulting Engagements
Due Professional Care in Consulting Engagements
Internal Control Testing Consulting Engagements
Business Process Review/Reengineering Consulting Engagements
66
67
68
70
71
Control Self-Assessment ................................................................................................ 72
CSA Approaches
Role of the Internal Auditor in a CSA Program
72
74
Section B – Introduction ................................................................................................. 76
Planning the Engagement .............................................................................................. 77
The Engagement Planning Process
Planning Considerations
Engagement Objectives
Risk Assessment in Engagement Planning
77
78
78
79
The Preliminary Survey................................................................................................... 80
Documentation of the Preliminary Survey
83
Engagement Scope ......................................................................................................... 84
Engagement Resource Allocation ................................................................................. 84
Engagement Work Program ........................................................................................... 84
Engagement Procedures ................................................................................................ 85
Sufficiency of Evidence
Reliability of Evidence
Relevant Evidence
ii
86
86
86
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
CIA Part 2
Table of Contents
Useful Evidence
Sources of Evidence
Selected Engagement Procedures
Tracing and Vouching
86
87
87
88
Supervising the Engagement ......................................................................................... 91
Review of Working Papers
Complete Engagement Staff Performance Appraisals
92
92
Communicate Engagement Results............................................................................... 94
Criteria for Communicating
Contents of the Final Report
Quality of Communications
Errors and Omissions
Disseminating Results
Whistleblowing
Oral Communications
Progress (Interim) Communications
94
95
98
99
101
102
103
103
Monitor Engagement Outcomes................................................................................... 105
Resolution of Senior Management’s Acceptance of Risks
106
Section C – Introduction ............................................................................................... 108
Fraud Risks and Controls ............................................................................................. 109
Types of Fraud
Committing Fraud
Responsibilities of the Internal Auditor
Conducting Fraud Investigations
Responsibility for Fraud Detection
Management Fraud
Forensic Auditing
109
110
111
112
113
115
117
Appendix A: Sample Code of Conduct ........................................................................ 120
Appendix B: International Professional Practices Framework .................................. 122
Appendix C: The IIA Code of Ethics............................................................................. 124
Code of Ethics
Principles
Rules of Conduct
124
124
125
Answers to Questions ................................................................................................... 126
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
iii
Table of Contents
CIA Part 2
(This page intentionally left blank)
iv
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
CIA Part 2
Introduction
Exam Introduction
The CIA Part 2 exam, Internal Audit Practice, is 120 minutes (2 hours) long and consists of 100 multiplechoice questions. This exam tests aspects of managing the internal audit activity via the strategic and
operational role of internal audit and establishing a risk-based plan; the steps to manage individual
engagements (planning, supervision, communicating results, and monitoring outcomes); and management of
fraud risks and controls.
For more information about the exams, visit the IIA’s website (www.theiia.org).
The syllabus of the Institute of Internal Auditors (IIA) has identified three topical focus areas for the Part 2
exam. The IIA calls the focus areas Domains, but these materials will refer to them as Sections. The
percentages of the exam that these Sections represent are:
•
Section A: Managing the Internal Audit Function (40–50%).
•
Section B: Managing Individual Engagements (40-50%).
•
Section C: Fraud Risks and Controls (5-15%).
Additionally, the IIA syllabus refers to Proficiency and Awareness levels:
•
Proficiency: Candidates must exhibit proficiency (thorough understanding and ability to apply
concepts).
•
Awareness: Candidates must exhibit awareness (knowledge of terminology and fundamentals).
In your preparations for the exam, you need to make certain that, in addition to reading the textbook, you
also use the ExamSuccess software with questions from past exams. Many of the topics that are covered on
the exam are very large topics and by going through past exam questions you can get a feeling for how a
topic has been tested in the past and to what depth.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
1
Introduction
CIA Part 2
(This page intentionally left blank)
2
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Section A – Managing the Internal Audit Function – Introduction
Section A – Managing the Internal Audit Function – Introduction
The first section of the Part 2 exam covers Managing the Internal Audit Function, and it is worth
approximately 40–50% of the total exam. All of the topics in this section are covered at a proficiency level,
unless otherwise noted.
There are six topics discussed in this section:
1)
The strategic role of internal auditing. The business environment is in a never-ending state of
flux. Rapid advancements in technological development, aggressive competition, and sophisticated
customer tastes and awareness mean that businesses face a constant barrage of challenges in order
to succeed. In the face of these many competing pressures, the internal auditing activity (IAA) has
to be able to assist the organization in meeting its strategic goals and objectives.
2)
The operational role of internal auditing. The internal auditing activity (IAA), like any other
business function, has to be properly managed. From an operational standpoint, the chief audit
executive (CAE) has to make sure that:
•
Planned engagements are carried out in a timely manner
•
Resources needed to carry out the planned engagements are properly allocated
•
Results of the engagements are properly communicated to all interested parties
3)
The establishment of a risk-based internal audit plan. The CAE has a responsibility to establish
risked-based audit plans. Risk is a primary factor in determining which engagements to conduct;
however, it is not the only factor in prioritizing engagements. The internal auditor must understand
how to prioritize engagements properly.
4)
The role of internal audit in the risk management process. This section covers the role that the
internal auditor plays in the organization’s risk-management process.
5)
The managing of risks associated with internal auditing. This section explores the different
types of risks faced by the IAA, such as audit risk, false assurance risk, and risk to the reputation of the IAA.
6)
The types of internal audit engagements. This section describes some of the specific assurance
and consulting engagements that internal auditors may have to perform. These services are classified into three fundamental categories:
•
Financial: This is an analysis of economic activity in accordance with specific accounting methods.
•
Compliance: This is a review of financial and operating controls and transactions to see how
they apply to established laws, regulations, procedures, and standards.
•
Operational: This is a review of the organization’s efficiency and effectiveness of operations.
Questions are likely to be of one of two types: definitional (or a basic application of terms) or an
application to a particular situation (in which you need to identify the best or worst evidence or procedure
from the choices).
Definitional questions are relatively straightforward to answer (you either know or do not know the definition
of a given term). However, application questions require practice and patience to master. In order to prepare
for application questions, you will need to go through the past exam questions and become familiar with the
way the questions are worded and also the correct answers. For example, some questions are worded in such
a way as to suggest that there might be more than one correct answer. Upon closer inspection, however, you
will notice that the question has a short phrase that narrows its scope and thereby focusing the question to a
particular area, topic, or problem—making the correct answer easier to find. As you learn to identify these
phrases, you will find answering these questions much easier to do.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
3
Section A – Managing the Internal Audit Function – Introduction
CIA Part 2
As a word of caution, you might notice that the terminology in this section (and every other section) might be
slightly different than what you are familiar with. Because internal auditing is an internal activity, there are no
established, standardized terms that apply for every organization. Bear in mind that these are terms that
appear in the exams, and so it is best that you become accustomed to them.
The Standards and Practice Advisories are excellent resources to assist in your preparation for this section;
however, you do not need to memorize the specific Standard or Practice Advisory texts.
Throughout this book, you will see the term internal audit activity (or IAA) in reference to the internal audit
department. You will also see the term chief audit executive (or CAE) in reference to the head of internal
auditing.
4
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Managing the Internal Audit Function
Managing the Internal Audit Function
Standard 2000: Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the
organization.
An internal audit activity (IAA) adds value to the organization by making sure:
•
That the engagement work fulfills the general purposes and responsibilities described in the charter
that was approved by senior management and accepted by the board of directors (or audit committee)
•
That engagement work conforms to the Definition of Internal Auditing and the Standards for the
Professional Practice of Internal Auditing
•
That the internal auditor conforms to the Code of Ethics and Standards
The Institute of Internal Auditing (IIA) writes that the “IAA adds value to the organization (and its
stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and
efficiency of governance, risk management and control processes.”
Beyond accomplishing these goals and objectives, the internal audit activity must also be forward-looking,
setting the groundwork both for current success and future success. This section discusses the strategic and
operational roles of internal auditing.
Strategic Role of Internal Auditing
For internal auditing to remain a relevant function within an organization, the management and board must
regard the IAA to be a value-added activity. In its initial inception, internal auditing simply looked at
processes and controls and made judgments as to whether they were effective or not. However, increased
pressure for profits and a rapidly evolving business environment has meant that internal auditing is now a
much more active rather than a passive contributor to a company’s overall strategy for success.
In this section, we discuss the issues facing internal auditing and the strategic role it should play within the
organization.
Changing Business Environment
High levels of technological innovation and increasingly discriminating and sophisticated customer
demands have put pressure on companies to redesign their products and shorten the time it takes to
get their new products to market. As a result, companies need any competitive advantage they can get
to survive. A company is said to have competitive advantage when it is more profitable than the average
company in its industry.
Publicly held companies are beholden to their shareholders, and shareholders want profitable growth,
meaning high profitability and sustained profit growth. The general rule is that a company with profits but low
(or no) profit growth will not be valued as highly as a company with profitability and profit growth. Realizing
these two objectives is one of the greatest challenges facing management.
In order to increase profitability and sustain growth, managers need to formulate strategies that will give
their company a competitive advantage. Strategic leaders are responsible for effectively managing the
company’s strategy-making process to increase company performance and maximize shareholder value. The
strategies that a company’s management follows will determine the company’s performance in relation to that
of its competitors.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
5
Strategic Role of Internal Auditing
CIA Part 2
Internal Auditing as a Value-Laden Activity
How much value can or should be attached to internal auditing? From a government perspective, internal
auditing of corporations has high value. Corporate governance codes, such as Sarbanes-Oxley (SOX) and
others, require or recommend the presence of an internal auditing function, and ninety percent of European
Union (EU) member countries require or recommend an internal auditing function in listed companies.
However, from a corporation standpoint the value of internal auditing has a more ambivalent position. Since
internal auditing has traditionally focused on meeting financial reporting and compliance requirements,
these efforts consisted primarily of a concentration on a company’s past (the “what was”) and present (the
“what is”) performance; in other words, it had little to do with proactively adding to a company’s forward
momentum. Furthermore, the SOX and EU requirements do not specifically stipulate the level of support that
the internal auditing function should receive, and thus companies have a great deal of latitude to determine
the level of funding they provide to their internal auditing function. In addition, internal auditing is a cost
center, meaning that its functions do not generate revenue. Therefore, if management decided that costcutting measures were necessary to increase profitability, internal auditing would not be immune from budget
cutbacks.
Therefore, the CAE has a responsibility to convince the management and the board that internal auditing can
be a high-value-laden function that needs to be supported. A key part of the CAE’s strategy is to demonstrate
that internal auditing can be an active participant in the company’s future growth (the “what should be”). The
moment that management and the board realize the critical function internal auditing fulfills in helping the
company achieve its growth objectives, the CAE will have an easier time securing the appropriate support and
funding to fulfill internal auditing objectives.
Developing an Internal Audit Strategic Plan
The IIA defines strategy as “a means of establishing the organization’s purpose and determining the nature
of the contribution it intends to make while predefining choices that will shape decisions and actions.”
Ultimately, IAA strategy must enable it to allocate financial and human resources to assist management and
board achieving the organization’s long-term objectives. In addition, the IAA’s strategic plan needs to be
reported to senior management and the board, as noted in Standard 2060, “Reporting to Senior Management
and the Board”: “the chief audit executive must report periodically to senior management and the board on
the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan.”
The strategic plan needs to ensure that all areas of the business are audited periodically. Some areas, such as
those with the most assessed risk, will need to be audited at least annual auditing or even more frequently,
while other areas may be addressed once every two or three years. Without such long-range planning, it is
possible that an area of the business may never be audited because it would not meet the requirements for a
short-term audit. A well-constructed long-range schedule can:
•
Be used as the auditor’s guide
•
Support budget requests
•
Be a way of involving management and the board in audit planning
•
Be a way of measuring the auditor’s performance
•
Give notice to external auditors of proposed audit coverage
Additionally, larger company items, plans, and objectives should be addressed in the strategic plan. The IAA
will need to prepare for the necessary resources for major, future initiatives.
6
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Coordinating Activities
Review of the Strategic Plan
Similar to the strategic plan developed by the organization, the internal-audit strategic plan needs to be
periodically reviewed and modified as necessary. Some of the factors that influence the frequency of the
internal-audit strategic plan’s review are:
•
Changes in the organization’s strategy
•
The degree of growth in the organization
•
Significant changes to the availability of the internal audit activity’s resources
•
Significant changes to the regulatory environment
•
Significant changes to the organization’s policies and procedures
•
Key changes to the organization’s senior management and board of directors
•
Evaluation of how internal audit activity has qualitatively or quantitatively delivered on its strategic
plan
•
Results of the activity’s internal and external quality assurance and improvement program (QAIP)
•
The ability of the IAA to coordinate its activities with other assurance functions
Based on the Standards, the CAE should align resources and priorities, determine how the IAA will work, and
coordinate with other assurance functions (explained below). These other assurance functions also have a
strong interest in risk management and control, so it makes sense that the IAA would coordinate activities
with them to minimize duplication of work and help to ensure that key business risks are being addressed.
Ultimately, this coordination will help the IAA fulfill its strategic objectives.
Coordinating Activities
Standard 2050: Coordination of Activities
The chief audit executive should share information and coordinate activities with other internal and
external providers of assurance and consulting services to ensure proper coverage and minimize
duplication of efforts.
The CAE also has the responsibility to share information and coordinate activities with other internal and
external providers of relevant assurance and consulting services to ensure proper coverage and minimize
duplication of efforts. These internal and external participants might include:
•
External auditors
•
Regulatory oversight bodies (example, governmental auditors)
•
Other internal assurance functions (example, health and safety department)
Assurance Mapping
According to the IIA, assurance services are activities that provide “an objective examination of evidence
for the purpose of providing an independent assessment on governance, risk management, and control
processes for the company.” The CAE has to make sure that there is proper audit coverage, especially in
relation to external auditors and other internal assurance service providers (such as the quality department,
the environmental department, and so forth). “Proper audit coverage” means that every activity in the
business that needs auditing is in fact audited, regardless of which group conducts the audits.
Assurance mapping can play an important role in providing proper audit coverage. The aim, as stated in PA
2050-2 (Assurance Mapping), is to ensure that there is a comprehensive risk and assurance process with no
duplicated effort or potential gaps. Practically speaking, assurance mapping is the grouping of all of the
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
7
Coordinating Activities
CIA Part 2
assurance providers together and then using the company’s risk management process to identify the “key”
risks that need to be assessed. This process allows the company to identify and assess gaps in the risk
management process and gives primary stakeholders the reassurance that risks are being managed and
reported and that regulatory and legal obligations are being met.
Coordination with External Auditor
Coordination between the internal and external auditor is beneficial for all parties, and the CAE is in the best
position to arrange the coordination in order to identify any savings or efficiencies that may arise. To be
certain, the roles are not identical. The internal auditor is more concerned with the operating activity and
controls within the company and the external auditor is concerned almost exclusively with the presentation of
the financial statements. However, because the work of internal and external auditing has many points of
overlap and connection, coordination can increase the efficiency of audit areas and reducing overall costs.
Coordination between external and internal auditors is important for the following two reasons:
1)
Internal auditing continues to become increasingly professionalized, with more internal auditors
being former external auditors or full-time internal auditors. As a result, the scope and quality of internal auditing has increased.
2)
The cost of the external audit has risen, and therefore companies are looking for ways to reduce
expenses in this area. Having a strong, objective, competent internal auditor means that the work of
the external auditor can be better streamlined and thus less costly.
Note: Although internal auditors should act independently and objectively, the external auditor will be very
careful about what work the internal auditor will perform in connection with an external audit. For
example, the external auditor will not allow the internal auditor to assess risk or to draw any conclusions
about numbers or amounts in the financial statements. The external auditor will ask the internal auditor for
information about areas of high risk or control weaknesses, but the external auditor will personally
investigate and make the final assessment of risk. The same is true for financial numbers: the external
auditor will ask the internal auditor about areas that have risks, but the external auditor will make the final
conclusions.
Assistance Provided by the Internal Auditor
The CAE should encourage any assistance the internal auditor can provide the external auditor because any
additional support and direction lowers the overall cost of the external audit. Before the external auditor relies
on the internal auditor’s work, however, he or she needs to assess the internal auditor’s competence and
objectivity.
•
Competence is the measure of an IAA’s skills and abilities to perform acceptable work.
•
Objectivity measures the IAA’s capacity to work without any influence from management or others
in the organization.
Once the external auditor is comfortable with both the competence and objectivity of the internal auditor, he
or she may feel more inclined to rely on the IAA’s work; however, it may still be necessary for the external
auditor to review any work that the IAA performs.
Note: The external auditor needs to assess the competence and objectivity of the IAA only if the plan is to
rely on the work of the IAA. If there is no intention or requirement for the IAA to provide work specifically
for or related to the audit (for example, if the IAA did not perform any engagements that are relevant to
the external audit), then the external auditor does not need to assess the IAA.
8
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Coordinating Activities
Assistance Provided by the External Auditor
The coordination process between internal and external auditors is generally viewed in the context of internal
auditor assisting or benefiting the external auditor. However, the opposite may also occur. In some cases, the
work of the external auditor will be beneficial to the internal auditor. In such instances, the internal auditor
will rely on work performed by the external auditor, at least to the extent that the CAE has confidence in the
work of the external auditor.
Just as an external auditor would want to review the work of an internal auditor before relying on it for an
external audit, the internal auditor will want to review the work of an external auditor before using it for an
internal audit. This review of the external auditor’s work requires the external auditor’s permission, and this
request is part of the management of the relationship with the external auditor by the CAE.
Control and Use of the Auditors’ Working Papers
Working papers contain all of the work and tests performed during an engagement and form the basis for any
conclusion drawn by the internal auditor. In the process of coordinating the efforts of the internal and
external auditors, there arises the question of the control and ownership of the working papers. The
underlying principle is that the working papers belong to the party who developed them, meaning that the
working papers for the external audit belong to the external auditor and the working papers for the internal
audit belong to the internal auditor.
Therefore, external working papers should not be made available to anyone (even other subsidiaries within
the same company) without the permission of the external auditor. The CAE can provide copies of the internal
audit working papers to the external auditor and to others within the organization. However, the external
auditor should not give the internal audit working papers to anyone without the permission of the internal
auditor.
Note: When parties other than the external auditor outside the organization seek access to the IAA’s
working papers, the CAE should first obtain approval from senior management and/or legal counsel.
Evaluating the Work of the External Auditor
The CAE coordinates the activities of the internal and external auditors. In addition, upon requests from
management and board, the CAE may participate in an assessment of external auditors. This assessment
should be carried out at least annually and it should address the external auditor’s:
•
Professional knowledge and experience
•
Independence
•
Knowledge of the company’s industry
•
Availability of the specialized services
•
Responsiveness to the needs of the company
•
Maintenance of appropriate working relationship
•
Delivery of overall value to the company
The results of the assessment need to be communicated to senior management and the board along with
relevant information about the external auditor’s performance.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
9
Coordinating Activities
CIA Part 2
Question 1: The internal auditor is often requested to coordinate the internal audit activity with that of
the external auditors. Which of the following activities is most likely to be restricted to the external
auditor?
a)
Evaluating the system of controls over cash collections and similar transactions.
b)
Attesting to the fairness of presentation of cash position.
c)
Evaluating the adequacy of the organization’s overall system of internal controls.
d)
Reviewing the system established to ensure compliance with laws, regulations, and contracts.
(CIA Adapted)
Question 2: The CAE plans to meet with the independent external auditor to discuss joint efforts
regarding an upcoming external audit of the organization’s pension plan. The independent external
auditor has performed all external audit work in this area in the past. The CAE’s objective is to:
a)
Determine if the work in this area could not be performed exclusively by internal auditors.
b)
Coordinate the external audit so as to fulfill professional responsibilities and not duplicate work of
the independent external auditor.
c)
Ascertain which account balances have been tested by the external auditor so that the internal
auditors may test the internal controls to determine the reliability of these balances.
d)
Determine whether the independent external auditor’s techniques, methods, and terminology
should be used by internal auditors in this area to conform to past work or use techniques consistent with those used by other internal auditors.
(CIA Adapted)
Question 3: Exchange of engagement communications and management letters by internal and external
auditors is
a)
Consistent with the coordination responsibilities of the chief audit executive.
b)
Not consistent with the independence guidelines of the Standards.
c)
A violation of the Code of Ethics.
d)
Not addressed by the Standards.
(CIA Adapted)
Coordinate with Regulatory Bodies
Some industries are more heavily regulated than others, and therefore they are subject to stricter auditing
guidelines. If closer scrutiny is required by regulatory bodies, the CAE should coordinate audits with the
regulatory body responsible for the oversight of the company, and this coordination should be done with the
approval of the board. The extensiveness of this coordination depends on the requirements of the regulatory
body.
Note: The best examples of regulated industries include banks, insurance, and power utility companies.
These industries are heavily regulated in most countries and subjected to frequent outside audits by
regulators. This outside regulation forces these companies to have strong internal controls and internal
audit functions.
A benefit of coordinating the efforts of the IAA and regulators is that the internal auditor would be given the
chance to provide evidence of compliance testing through its internal working papers and other documents.
10
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Coordinating Activities
Coordinate with Other Internal Assurance Functions
It is very likely that a company will have multiple departments, not just internal auditing, that are concerned
with controls. Although their interests might be more of a technical nature, it is highly probable that the
control measures of interest to other departments may “complement the internal auditor’s interest in the
administrative forms of controls.” 1
The following is a list of departments with control concerns:
1)
The security department is concerned with control over specific irregularities.
2)
The quality control department is concerned with control over product reliability and conformance
to specifications.
3)
The safety and health department is concerned with control over accident prevention.
4)
The industrial engineering department is concerned with control over operating practices and
procedures.
It is vital that the internal auditor maintain good communication lines with these departments in the course of
organizing and planning an audit. It is quite possible that the internal auditor will gain valuable information
from these departments that would help to reduce possible “duplicate surveillance” or “point to areas where
2
special audit emphasis may be warranted.”
Question 4: When assessing a function or a process, the internal audit activity should consider the work
of the other departments that are responsible for reviewing that function or process because
a)
The internal auditor would be able to provide additional technical assistance to the department.
b)
The internal auditor would be able to give assurance that the function or process has proper control
without doing any further review work.
c)
The internal auditor would be able to produce better forecasting models for management.
d)
Reviewing and testing of the other department’s procedures may reduce necessary audit coverage
of the function or process.
(HOCK)
Question 5: Which of the following is a false statement about the relationship between internal auditors
and external auditors?
a)
Oversight of the work of external auditors is the responsibility of the chief audit executive.
b)
Sufficient meetings should be scheduled between internal and external auditors to assure timely
and efficient completion of the work.
c)
Internal and external auditors may exchange engagement communications and engagement letters.
d)
Internal auditors may provide engagement work programs and working papers to external auditors.
(CIA Adapted)
1
2
Sawyer’s Internal Auditing, 5th edition, 970.
Ibid., 971.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
11
Role of Internal Audit in Governance
CIA Part 2
Question 6: In recent years, which two factors have changed the relationship between internal auditors
and external auditors so that internal auditors are partners rather than subordinates?
a)
The increasing liability of external auditors and the increasing professionalism of internal auditors.
b)
The increasing professionalism of internal auditors and the evolving economics of external auditing.
c)
The use of computerized accounting systems and the evolving economics of external auditing.
d)
The globalization of audit entities and the increased reliance on computerized accounting systems.
(CIA Adapted)
Role of Internal Audit in Governance
Standard 2110: Governance
The internal auditing activity must assess and make appropriate recommendations for improving the
governance process in its accomplishment of the following objectives:

Promoting appropriate ethics and values within the organization,

Ensuring effective organizational performance management and accountability,

Communicating risk and control information to appropriate areas of the organization, and

Coordinating the activities of and communicating information among the board, external and internal
auditors and management.
The accounting scandals at Enron, WorldCom, Adelphia and others in the early 2000s highlighted the pressing
need for robust internal auditing. Corporations were encouraged to intensify their documentation and testing
of internal controls that became required under Section 404 of Sarbanes-Oxley and other governance
codes, including the Second Combined Code (UK). Internal auditing took the lead in these efforts. However,
the global financial crisis of 2008-09 highlighted an additional overarching weakness in the area of corporate
governance. As a result, many IAAs have become more involved in advising organizations and boards on
governance issues, including ethics.
Ethics Advocates
Standard 2110.A1 states that “the IAA must evaluate the design, implementation, and effectiveness of the
organization’s ethics-related objectives, programs, and activities.” In other words, The IAA should serve as
the “eyes and ears” of management, audit committee, and external auditors, and as such the IAA can play an
important role in the governance function of the organization.
The corporate culture of an organization must be the wellspring of its ethical climate. Though a great deal of
the ethical climate originates from the behavior and actions of management, all people associated with the
organization, and specifically internal auditors, should assume the role of ethics advocates. A supportive,
ethical environment can be supported by having a detailed code of conduct and specific ethical codes for the
organization.
Shared Responsibility for the Organization’s Ethical Culture
Because of the complexity and dispersion of decision-making processes in many companies, all individuals
should be encouraged to be an ethics advocate, whether the role is delegated officially or merely conveyed
informally. Codes of conduct and statements of vision and policy are important declarations of the
organization’s values and goals, the behavior expected of its people, and the strategies for maintaining a
culture that aligns with its legal, ethical, and societal responsibilities. A growing number of organizations have
designated a Chief Ethics Officer to serve as counselor to executives, managers, and others and as a
champion within the organization for “doing the right thing.”
12
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Role of Internal Audit in Governance
Internal Audit Activity as Ethics Advocate
Internal auditors and the internal audit activity should take an active role in support of the organization’s
ethical culture. They possess a high level of trust and integrity within the organization and the skills to be
effective advocates of ethical conduct. They have the competence and capacity to appeal to the enterprise’s
leaders, managers, and other employees to comply with the legal, ethical, and societal responsibilities of the
organization.
The internal audit activity may assume one of several different roles as an ethics advocate, including Chief
Ethics Officer (ombudsman, compliance officer, management ethics counselor, or ethics expert), member of
an internal ethics council, or assessor of the organization’s ethical climate. In some circumstances, however,
the role of Chief Ethics Officer (if there is one in a company) may conflict with the independence attribute of
the internal audit activity.
Assessment of the Organization’s Ethical Climate
On a periodic basis, the internal audit activity should assess the state of the ethical climate of the organization
and the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired
level of legal and ethical compliance. A positive ethical climate includes the following:
•
A formal Code of Conduct that contains unambiguous statements, policies (including procedures
covering fraud and corruption), and other expressions of aspiration.
•
Frequent communications and demonstrations of expected ethical attitudes and behavior by the
influential leaders of the organization.
•
Explicit strategies to support and enhance the ethical culture that include regular programs to update
and renew the organization’s commitment to an ethical culture.
•
Several easily accessible ways for people to confidentially report alleged violations of the Code of
Conduct, policies, and other acts of misconduct.
•
Regular declarations by employees, suppliers, and customers that they are aware of the requirements for ethical behavior in transacting the organization’s affairs.
•
Clear delegations of responsibilities to ensure that ethical consequences are evaluated, confidential
counseling is provided, allegations of misconduct are investigated, and case findings are properly reported.
•
Easy access to learning opportunities to enable all employees to be ethics advocates.
•
Positive personnel practices that encourage every employee to contribute to the ethical climate of
the organization.
•
Regular surveys of employees, suppliers, and customers to determine the state of the ethical climate
in the organization.
•
Regular reviews of the formal and informal processes within the organization that could potentially
create pressures and biases that would undermine the ethical culture.
•
Regular reference and background checks as part of hiring procedures, including integrity tests, drug
screening, and similar measures.
Having a Code of Conduct does not automatically guarantee a higher standard of ethical behavior, nor should
it replace the need for an internal auditor to conduct an audit of ethical behavior. The establishment of ethics
monitoring should complement specific ethical codes or protocols.
A sample Code of Conduct is shown in Appendix A.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
13
Role of Internal Audit in Governance
CIA Part 2
Question 7: Management has requested the audit department to conduct an audit of the implementation
of its recently developed organization code of conduct. In preparing for the audit, the auditor reviews the
newly developed code and compares it with several others for comparable companies. The auditor
concludes that the newly developed code has severe deficiencies. Based on this conclusion, the auditor
should:
a)
Plan an audit for the implementation of management’s code of conduct and for compliance with the
“best practices” from the other codes since this represents the best available criteria.
b)
Report the nature of the deficiencies in a formal report to management.
c)
Inform management of the problems with the existing code and report that it would be inappropriate to conduct an audit until the code is revised to incorporate industry “best practices.”
d)
Conduct the audit as requested by management, reporting only noncompliance with the code.
(CIA Adapted)
Question 8: Which of the following are the key responsibilities that make up the governance process?
I.
Complies with society’s legal and regulatory rules.
II.
Satisfies the generally accepted business norms, ethical precepts, and social expectations of
society.
III. Provides overall benefit to society and enhances the interests of the specific stakeholders in both
the long term and short term.
IV.
Provides additional assistance in the consolidation of financial reports.
a)
I and II only
b)
I, II, and IV
c)
I, II, III, and IV
d)
I, II, and III
(HOCK)
14
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Operational Role of Internal Audit
Operational Role of Internal Audit
The operational role of internal auditing is to make sure that engagements have been properly planned for,
the IAA has the resources (human and financial) to carry out the engagements, and the results of the
engagements are communicated to those who can take action. The CAE must effectively manage the IAA so
that management and the board will regard all these functions as value-added activities.
The following section discusses the role of internal auditing within the organization’s risk management
framework.
Planning
Standard 2010: Planning
The chief audit executive must establish risk-based plans to determine the priorities of the internal audit
activity and to make certain that they are consistent with the organization’s goals.
When prioritizing risk, the CAE takes into consideration the company’s risk-management framework, including
the levels of risk appetite that management set for different parts of the organization. If management has not
yet developed a risk-management framework, the CAE will use his or her own judgment of risks after
consulting with senior management and the board.
This much larger, overall planning process is broken down into four smaller categories that the CAE is
responsible for:
•
Goals
•
Engagement work schedules
•
Staffing plans and financial budgets
•
Activity reports
Setting the Goals of the Internal Audit Activity
The goals that the IAA sets should be:
•
Specific: Goals should be specifically defined.
•
Measurable: The method of measuring the goals should be defined. By making goals measurable,
the CAE, the audit committee, and board of directors can progress toward achieving specific goals—
and by extension they can quantify the value of the IAA.
•
Agreed To: All interested parties (including senior management and the board) need to agree to the
goals.
•
Realistic and Achievable: Realistic and achievable goals keep expectations reasonable; conversely,
unrealistic and unachievable goals create unnecessary tension in an organization.
•
Timely: Goals should have specific completion dates, as open-ended time-frames reduce the sense
of urgency about objectives.
Note: For memorization purposes, the five objectives of the IAA form the acronym SMART.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
15
Establishing Risk-Based Plans
CIA Part 2
Developing the Engagement Work Schedules
The planning process and specific work schedules for engagements should include the following:
•
Which engagements should be performed
•
When engagements should be performed
•
The time required for each engagement (taking into account the scope of the planned engagement
work and the nature and extent of related work performed by others)
•
Which engagements should receive priority over other engagements
Once these questions are answered, the CAE can develop individual work programs for specific engagements.
Establishing Risk-Based Plans
Ultimately, the CAE makes the final decisions regarding which engagements will be performed, and to do so
the CAE will consider many factors. Many CAEs find it useful to first update the IAA’s audit universe, which
is a list of all the possible audits that the IAA is able to perform. To understand what the IAA’s audit universe
is, the CAE should obtain input from senior management and the board. However, if the IAA has been
properly established and is appropriately independent and objective, the CAE should be able to make such
decisions with only limited involvement and interference from senior management or the board.
The level of risk is one of the most important elements to consider when prioritizing engagements; that is,
items with high risk take precedent over those with low risk. (For this purpose, risk is defined as the likelihood
that the goals and objectives of the organization will not be achievable.) In the matrix shown below, risks are
prioritized based on likelihood and impact. The matrix shows prioritizing risk when internal auditing
resources are limited. Note that high-likelihood risks are given top priority before moderate risks (regardless
of financial impact), and risks with low likelihood correspondingly have the lowest priority.
Likelihood (%)
Impact ($)
Low
Moderate
High
High
(7)
(4)
(1)
Moderate
(8)
(5)
(2)
Low
(9)
(6)
(3)
Other Factors for Prioritizing Audit Engagements
Although risk plays a significant role in determining the priority of engagements, it is not the only important
criteria. Other factors that should be considered include:
•
The length of time since the last engagement was performed in this area
•
Requests from senior management, the audit committee, or other governing bodies
•
An engagement’s relation to the external audit
•
Changing circumstances in the business, operations, programs, systems, or controls
•
Changes in the risk environment or control procedures in the department
•
The potential benefit that could be achieved from the engagement
•
Changes in the skills of the available staff (through new employees or recent training) because new
skills may enable conducting different types of engagements
Risk assessment is generally the most important of all these factors, and it has both quantitative (numerical)
and qualitative (characteristic) assessments. Quantitative assessments include the dollar value of the assets
at risk or potential monetary loss, while qualitative assessments include the risk of fraudulent behavior or the
importance of the section to the operations of the business as a whole.
16
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Establishing Risk-Based Plans
One way to measure the extent of risk in different areas is to multiply the dollar amount that is at risk of loss
by the percentage chance of the loss occurring. For example, a CAE might be able to determine that although
petty cash is at great risk because it is technically available to everyone in the organization, the potential
overall financial risk to the company is minimal because the amount of petty cash is relatively low. By
contrast, an area where risk of loss is low but the loss value is great would be of much more concern to a CAE
than petty cash.
There are many other risks unrelated to the assets of the company or a specific monetary amount. For
example, control procedures (or, more accurately, lack of control procedures) may also be an area of risk
requiring investigation.
Following is an example of how the CAE would prioritize six audit engagements based on the following three
factors:
1)
The engagement’s potential to reduce risk to the operation.
2)
The potential benefit that could be achieved from the engagement.
3)
Changing circumstances in the operation.
The first step is for the CAE to assess each engagement based on high, moderate, or low assessment (or
a related method), as shown below.
Audit
Risk
Reduction
Potential
Benefits
Changing
Circumstances
1
Moderate
Moderate
Moderate
2
Moderate
Low
Low
3
Moderate
Moderate
Low
4
Moderate
Moderate
High
5
High
High
High
6
High
High
Moderate
Next, the CAE assigns a weight to each factor when assigning points. For this example, points are assigned in
the following manner.
Assessment
Points
High
3
Moderate
2
Low
1
The auditor then assigns the points to the factors.
Audit
Risk
Reduction
Potential
Benefits
Changing
Circumstances
Total
Score
Audit
Priority
1
Moderate (2)
Moderate (2)
Moderate (2)
6
4
2
Moderate (2)
Low (1)
Low (1)
4
6
3
Moderate (2)
Moderate (2)
Low (1)
5
5
4
Moderate (2)
Moderate (2)
High (3)
7
3
5
High (3)
High (3)
High (3)
9
1
6
High (3)
High (3)
Moderate (2)
8
2
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
17
Establishing Risk-Based Plans
CIA Part 2
Note: Checklists and questionnaires are often used as part of the risk assessment process, but they have a
few limitations:
1)
Staff members may get a false sense of security that all issues have been addressed when the
checklist is filled out.
2)
The reader of the checklist may assume that all items listed are of equal importance.
3)
The use of the checklist may weaken the professional skepticism and judgment of the auditor, who
may be more attentive to a specific listed item listed and not to the larger picture.
Question 9: Which of the following factors is not included in determining the engagement work schedule?
a)
Engagement work programs
b)
The effectiveness of risk management and control processes
c)
Workload requirements
d)
Issues relating to organizational governance
(CIA Adapted)
Question 10: Which of the following comments is (are) true regarding the assessment of risk associated
with two projects that are competing for limited internal audit resources?
I.
Activities that are requested by the board should always be considered higher risk than those
requested by management.
II.
Activities with higher financial budgets should always be considered higher risk than those with
lower financial budgets.
e)
Risk should always be measured by the potential monetary or other adverse exposure to organization.
a)
I only
b)
II only
c)
III only
d)
I and III
(CIA Adapted)
Question 11: The chief audit executive is preparing the engagement work schedule for the next budget
year and has limited resources. In deciding whether to schedule the purchasing or the personnel
department for an engagement, which of the following is the least important factor?
a)
Major changes in operations have occurred in one of the departments.
b)
The internal audit staff has recently added an employee with expertise in one of the areas.
c)
More opportunities to achieve operating benefits are available in one of the departments than in the
other.
d)
Updated assessed risk is significantly greater in one department than the other.
(CIA Adapted)
18
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Establishing Risk-Based Plans
Question 12: Which of the following factors is considered the least important in deciding whether existing
internal audit resources should be moved from an ongoing compliance engagement to a divisional-level
engagement requested by management?
a)
The potential for fraud associated with the ongoing engagement.
b)
A financial audit of the division performed by the external auditor a year ago.
c)
An increase in the level of expenditures experienced by the division for the past year.
d)
The potential for significant regulatory fines associated with the ongoing engagement.
(CIA Adapted)
Question 13: At a meeting with managers, the chief audit executive is allocating the engagement work
schedule for next year’s plan. Which of the following methods will ensure that each manager receives an
appropriate share of both the work schedule and internal audit activity resources?
a)
Each of the managers selects the individual assignments desired, based on preferences for the area
and the management personnel involved.
b)
Each manager chooses assignment preferences based on the total staff hours that are currently
available to him or her.
c)
Work is assigned to each manager based on risk and skill analysis.
d)
The full list of scheduled engagements is published for the staff, and work assignments are made
based on career interests and travel requirements.
(CIA Adapted)
Question 14: The chief audit executive set up a computerized spreadsheet to facilitate the risk assessment process involving a number of different divisions in the organization. The spreadsheet included the
following factors: 1) pressure on divisional management to meet profit goals, 2) complexity of operations,
3) competence of divisional personnel, and 4) monetary amount of subjectively influenced accounts in the
division, such as accounts where management’s judgment can affect the expense (for example, postretirement benefits).
The CAE used a group meeting of internal audit managers to reach a consensus on the competence of
divisional personnel.
Other factors were assessed as high, medium, or low by either the CAE or an internal audit manager who
had performed an engagement at the division. The CAE assigned a weight ranging from 0.5 to 1.0 to each
factor and then computed a composite risk score.
Which of the following statements is correct regarding the risk assessment process?
a)
The risk analysis is not appropriate because it mixes both quantitative and qualitative factors,
thereby making expected values calculation impossible.
b)
Assessing factors at discrete levels such as high, medium, and low is inappropriate for the risk
assessment process because the ratings are not quantifiable.
c)
The weighting is subjective and should have been determined through a process such as multipleregression analysis.
d)
Using a subjective group consensus to assess personnel competence is appropriate.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
19
Communicating Plans & Resource Requirements
CIA Part 2
Question 15: The internal auditor is considering making a risk analysis as a basis for determining the
areas of the organization where engagements should be performed. Which one of the following statements is true regarding risk analysis?
a)
The extent to which management judgments are required in an area could serve as a risk factor in
assisting the internal auditor in making a comparative risk analysis.
b)
The highest risk assessment should always be assigned to the area with the largest potential loss.
c)
The highest risk assessment should always be assigned to the area with the highest probability of
occurrence.
d)
Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons
across an organization.
(CIA Adapted)
Communicating Plans & Resource Requirements
Standard 2020: Communication and Approval
The chief audit executive must communicate the internal audit activity’s plan and resource requirements,
including significant interim changes, to senior management and the board for review and approval. The
chief audit executive must also communicate the impact of resource limitations.
The CAE must ensure that the plans and resource requirements are communicated to senior management and
to the board for review and approval. These communications must also include any significant interim
changes and the impact of any resource limitations.
These engagement plans and resource requirements must be submitted on an annual basis and must include
a summary of the IAA’s work schedule, staffing plan, and financial budget. This information will help ascertain
whether the IAA objectives and plans are in line with those of the organization and its board and are
consistent with the internal audit charter.
Managing Resources
Standard 2030: Resource Management
The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and
effectively deployed to achieve the approved plan.
A critical responsibility of the CAE is to make sure the internal auditing staff is professional, meaning that the
“right” people are in the “right” positions. It has been said that it is better to be understaffed than to hire the
wrong people who could damage the IAA’s credibility.
Standard 2030 states that internal audit resources must be “appropriate, sufficient, and effectively deployed.”
Appropriate means having the right mix of staff with the appropriate competencies to perform the plan.
Sufficient means having the right quantity of staff to accomplish the plan. Internal audit resources are
effectively allocated if they are used in a way that optimizes the achievement of the approved plan.
The CAE needs to oversee the assignment of individual staff to the engagements with both a short-term and
long-term view. In the short term, all of the jobs need to be staffed by qualified and capable internal auditors
so that the job can be completed to the highest level. In the long term, however, the staff needs to be
assigned to jobs that will allow them to grow and become more senior auditors.
This long-term view requires occasionally assigning jobs to staff members who may not currently have all of
the necessary skills and experience. Under such circumstances, the CAE needs to make sure that a skilled
supervisor can provide the needed support and guidance to the junior member of the team. Also, training can
be provided or additional resources can be made available to that auditor to assist in this process.
20
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Managing Resources
Some factors to consider when assigning staff to individual engagements are:
•
The complexity of the engagement
•
The resources that are available in the IAA
•
The experience (skill level) of the staff
•
The training and developmental needs of the audit staff
Recruiting and Promoting
The CAE needs to coordinate with human resources in order to be involved in recruiting and retaining qualified
audit staff. The most important criteria in hiring is the education and experience of the candidate. The
individual needs to have the technical skills or background to do the job. This does not mean that everyone
who is hired needs to be a CIA, but there should be some indication that candidates will be able to do the job
based on their formal education or by experience in a previous position that is related to what needs to be
done in this job. Not everyone in the IAA needs to be a trained or qualified accountant, since there are many
engagements that are not related to accounting or financial statements.
The ability of the candidate to communicate, both in written and verbal forms, and the individual’s overall
interpersonal skills should also be considered. These are critical elements of the IAA because a technically
capable but ineffective communicator is a much less effective internal auditor.
Once the staff has been hired, the next HR issue relates to staff promotion and filling higher-level positions in
the IAA. When a higher-level position becomes available, the CAE has two basic options for filling it: either
the CAE can fill the opening with someone from inside the company or he or she can look outside the
organization.
Hiring from inside the organization can be done quickly and with less “start-up” time for the person who
gets the position, since the employee is already familiar with the policies and procedures and the environment
of the organization. Also, there is less risk in this hire since the CAE already has worked with the individual
and is more aware of what the individual can and cannot do. Hiring from within the organization is also
generally a good motivating factor for others in the IAA because they know that good work will be rewarded
with promotion. If, however, the wrong people are promoted, or people are promoted because of reasons
other than their work skills, then promotion may have a negative effect on the others in the department.
Hiring someone from outside the organization is riskier, but it also has its advantages. For example:
•
The outside person could bring new ideas and new perspectives to the job and the organization.
•
It is possible that the person may have skills or experiences that were not within the organization.
•
It is also possible that that management training costs could be lowered since it is assumed that the
person is already qualified and will not require additional training.
Job Descriptions
An important basis for the recruitment and promotion of staff is the job description. Job descriptions should
be established for all positions, listing the necessary skills and requirements for the position. Accurate,
concise job descriptions and a strict adherence to hiring guidelines makes the recruitment process smooth
and easy because all potential candidates know what is required to be promoted and that only qualified
people will be hired for the jobs.
With detailed and complete job descriptions, the CAE has an easier time determining if the IAA is properly
staffed. If the people in all of the positions have the necessary skills as outlined in the job description, then
the function is properly staffed. If, however, there are some people without the necessary skills in some
positions, there is a missing element in the IAA, which will need to be addressed either through training or the
addition of someone to the IAA with those skills.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
21
Managing Resources
CIA Part 2
Training, Staff Development, and Performance Evaluations
The CAE is also responsible for the training, counseling, and performance evaluations of the staff. Training
needs to be provided with the goal of providing the staff with the necessary skills to perform their jobs in the
short term and also to develop and broaden their skills for their long-term development. Individuals often see
training as a benefit, and a well-developed training program is an excellent recruiting tool for the company.
Individuals’ personal desires should be considered, but they are not the only consideration, meaning that it is
possible that people will be trained or assigned to areas and engagements that they are not personally
interested in. However, training should benefit the individual and help the IAA meet its organizational goals.
Therefore, some staff may be trained in areas where the IAA does not currently have all of the required skills.
Counseling, or mentoring, is an important element of staff development. The CAE has a responsibility for
counseling and assisting staff members in their growth in the organization. This is not to say that the CAE is
supposed to have weekly counseling sessions with each member, but the CAE has a responsibility to step in
as needed. In a large internal audit department, there may be a formal counseling and mentoring program
and, in such a situation, the CAE most likely is responsible for the oversight and management of the process.
Additionally, the CAE may be the counselor for some of the higher-level staff members in the department.
Performance appraisals should be performed at least annually, and more often if needed. The performance
evaluations need to focus on the skills that are necessary for the individual to perform his or her work and for
IAA as a whole to perform its duties. These staff evaluations should be seen as a means of giving internal
audit employees the opportunity to identify their weaknesses and give them an opportunity to improve their
performance. The evaluation should not be based on personal likes or dislikes or other non-employment
related factors, especially when the evaluation is an engagement evaluation of work on a specific assignment
and not an annual evaluation.
There should be sufficient time to allow everyone to prepare for the annual evaluation. This usually involves
the auditor and the manager both filling out the evaluation form and preparing for the meeting. The meeting
should be scheduled when both parties are not pressed for time so that anything that arises during the
evaluation can be discussed and addressed without one person trying to hurry through the evaluation because
of other commitments.
The performance evaluation form can be a standard form (and it will be a standard form in large companies)
because it focuses the evaluation on the most important areas. However, for the process to work as well as
possible, the evaluation needs to be carefully thought through by the evaluator and should not include overgeneral comments that are applicable to everyone. Examples and specific references to events should be
included in order to make the evaluation as detailed as possible.
Question 16: An important part of an internal audit activity’s personnel development plan should be onthe-job training. Which of the following activities is the most important in broadening a staff internal
auditor’s knowledge?
a)
Rotating staff internal auditors through a variety of assignments.
b)
Developing expertise in a few particular areas by continuously assigning the same internal auditor
to those areas.
c)
Allowing staff internal auditors to participate in choosing the projects assigned.
d)
Assigning staff internal auditors to particular supervisor-trainers for extended periods.
(CIA Adapted)
22
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Developing Policies and Procedures
Question 17: The chief audit executive can best ensure that staff internal auditors are prepared to meet
their existing responsibilities by
a)
Enforcing established recruiting and selection criteria.
b)
Counseling them on their performance and providing appropriate training opportunities.
c)
Having experienced internal auditors supervise their work closely.
d)
Conducting formal evaluations of their performance on each assignment.
(CIA Adapted)
Developing Policies and Procedures
Standard 2040: Policies and Procedures
The chief audit executive must establish policies and procedures to guide the internal audit activity.
Another duty of the CAE is to establish the policies and procedures to guide the IAA and the individual internal
auditors in their work. These policies and procedures are essential in helping the staff comply with the IAA’s
standards of performance. The extent, depth, and formalization of the policies and procedures will depend
upon the size and structure of the IAA and the complexity of its work. In a small IAA with a simple business
structure, policies and procedures will be less developed and less formal than those in a multinational
business in a very complex business environment.
A small IAA is managed much more informally with a lot of personal and daily contact. Control may take place
through meetings and internal memorandum. In a large IAA, where contact with the managers may not be a
constant feature, there will need to be a more developed and formal set of policies and procedures to guide
staff in their day-to-day work.
Question 18: Policies and procedures relative to managing the internal audit activity should
a)
Ensure compliance with its performance standards.
b)
Give consideration to its structure and the complexity of the work performed.
c)
Result in consistent job performance.
d)
Prescribe the format and distribution of engagement communications and the classification of
engagement observations.
(CIA Adapted)
Question 19: In most cases, an internal audit activity should document policies and procedures to ensure
the consistency and quality of its work. The exception to this principle is directly related to:
a)
Departmentation
b)
Division of labor
c)
Size of the internal audit activity
d)
Authority
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
23
Reporting Results to Senior Management and Board
CIA Part 2
Reporting Results to Senior Management and Board
Standard 2060: Reporting to Senior Management and the Board
The CAE must report periodically to senior management and the board on the internal audit activity’s
purpose, authority, responsibility, and performance relative to its plan. Reporting must also include
significant risk exposures and control issues, including fraud risks, governance issues, and other matters
needed or requested by senior management and the board.
How often the CAE needs to report will depend on the importance of the information to be communicated and
the urgency of the related actions to be taken by senior management or the board. There are two types of
reports that the CAE will submit to senior management and the board: one will communicate what the IAA
has accomplished, and the other will communicate what the IAA has observed. The former are called “activity
reports” and the latter are “evaluation reports.”
Activity Reports
The CAE needs to submit activity reports to senior management and the board periodically. This report should
be done at least annually, but more often if the volume of work or the nature of the work requires the closer
involvement of the board—which may be the case if there are high-risk areas that are being audited and the
board wants to be kept more up-to-date in the process.
Activity reports should:
•
Be communicated, preferably in writing.
•
Highlight significant engagement observations (meaning observations that may have an adverse
effect on the organization as a whole).
Note: These observations and the following recommendations are normally discussed first with
the involved department, and any corrective action or improvements that have occurred will also
be included in the activity report to the board.
•
Identify recommendations that have arisen from the engagements.
•
Compare the engagements that were planned with those that were completed. (Any planned engagements that were not performed should be discussed as to why they were not performed.)
•
Compare actual performance with the internal audit activity’s goals and audit work schedules.
•
Compare expenditures to financial budgets. (Reports should explain the reason for major variances
and indicate any action taken or needed.)
Note: The activity report should be delivered to the board or other recipients before the meeting. Doing so
will enable them to read it and get a better understanding of its contents.
The CAE needs to be careful with activity reports because they can become so voluminous that they defeat
their purpose as a summary of accomplishments. Excessively long reports may be seen as a listing of every
activity that was undertaken by the internal audit department.
Significant Engagement Observations
Significant engagement observations are those conditions that, in the judgment of the CAE, could adversely
affect the organization, including irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness,
conflicts of interest, and control weaknesses. After reviewing such conditions with senior management, the
CAE should communicate significant engagement observations and recommendations to the board, whether
or not they have been satisfactorily resolved.
24
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Reporting Results to Senior Management and Board
Management Responsibility for Significant Engagement Observations
It is management’s responsibility to make decisions on the appropriate action to take regarding significant
engagement observations and recommendations. Senior management may decide to assume the risk of not
correcting the reported condition because of cost or other considerations. The board should be informed of
senior management’s decisions on all significant observations and recommendations. The internal auditor
should only provide the information and alternative courses of action. The internal auditor may also make a
recommendation, but the internal auditor should not make the decision as to which option to pursue.
CAE Considerations on Reporting Significant Engagement Observations
The CAE should consider whether it is appropriate to inform the board regarding previously reported,
significant observations and recommendations in those instances where senior management and the board
assumed the risk of not correcting the reported condition. If the board is aware of the risks and has decided
against addressing them, the item probably does not need to be reported each year. However, if there have
been significant changes in the organization, board, or senior management, the items should probably be
reported again so that the new management can determine its preferred course of action.
Relationship with Audit Committee
The relationship between the CAE and audit committee should revolve around the core role of the CAE,
ensuring that the committee understands, supports, and receives all assistance needed from the internal
audit function. Sound governance depends on the synergy generated among the four principal components of
effective corporate governance systems:
•
Boards of directors
•
Management
•
Internal auditors
•
External auditors
In that structure, internal auditors and audit committees are mutually supportive. The internal auditors are
the trusted advisors, the “eyes and ears,” of the audit committees. As such, there are three areas of activities
that are key to this relationship:
1)
Assisting the audit committee to ensure that its charter, activities, and processes are appropriate to
fulfill its responsibilities.
2)
Ensuring that the charter, role, and activities of internal audit are clearly understood and responsive
to the needs of the audit committee and the board.
3)
Maintaining open, effective communications with the audit committee and the chairperson.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
25
Reporting Results to Senior Management and Board
CIA Part 2
Assisting the Audit Committee
The CAE should assist the audit committee to ensure that the charter, role, and activities of the audit
committee are appropriate so it can fulfill its responsibilities. The CAE can play an important role by assisting
the audit committee in the periodic review of its activities and suggesting improvements. In this way, the CAE
serves as a valued advisor to the audit committee. The CAE can assist the audit committee in the following
ways:
•
Reviewing the charter for the audit committee at least annually, advising the committee regarding
whether the charter addresses all responsibilities directed to the committee by the board of directors
and requesting that the committee review and approve the internal audit charter on an annual basis.
•
Reviewing or maintaining a planning agenda for the audit committee’s meeting that details all required activities and their status or result. (This also assists the committee in reporting to the board
that it has completed all assigned duties.)
•
Drafting the audit committee’s meeting agenda for the chairman’s review, facilitating the distribution
of the material to the audit committee members, and writing up the minutes of the audit committee
meetings.
•
Encouraging the audit committee to conduct periodic reviews of its activities and practices compared
with current “best practices” to ensure that the activities are consistent with leading practices.
•
Meeting periodically with the chairperson to discuss whether the materials and information furnished
to the committee are meeting their needs.
•
Inquiring of the audit committee if any educational or informational sessions or presentations would
be helpful, such as training new committee members on risk and controls.
•
Inquiring of the committee whether the frequency of meetings and time allotted to the committee
are sufficient.
Communication with the Audit Committee
A large part of the overall effectiveness of the CAE and audit committee relationship revolves around the
communications between the parties. Today’s audit committees expect a high level of open and candid
communications from the IAA. If the CAE is to be a trusted advisor by the committee, communications is the
key element. Internal auditing, by definition, can help the audit committee accomplish its objectives by
bringing a systematic, disciplined approach to its activities. However, unless there is appropriate communication, it is not possible for the committee to determine whether this has happened.
Good communication between the CAE and the audit committee is fostered by:
26
•
Meeting privately with the committee on a regular basis to discuss sensitive issues.
•
Providing an annual summary report or assessment on the results of the audit activities relating to
the defined mission and scope of audit work.
•
Issuing periodic reports to the audit committee and management summarizing results of audit
activities.
•
Keeping the audit committee informed of emerging trends and successful practices in internal auditing.
•
Together with external auditors, discussing fulfillment of committee information needs.
•
Reviewing information submitted to the audit committee for completeness and accuracy.
•
Confirming that there is an effective and efficient work coordination of activities between internal and
external auditors and determining if there is any duplication between the work of the internal and
external auditors (and giving the reasons for such duplication).
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Reporting Results to Senior Management and Board
Question 20: A CAE activity report should not
a)
List the material engagement observations of major engagements.
b)
Compare engagements completed with engagements planned.
c)
List uncorrected reported conditions.
d)
Report the weekly activities of the individual internal auditors.
(CIA Adapted)
Question 21: An annual summary report of completed engagement work submitted to senior management and the board by the Chief Audit Executive should
a)
Discuss the administrative condition of the internal audit activity.
b)
Inform management of the scope of proposed work for the following year.
c)
Describe the extent to which the internal audit activity has completed its engagement schedule.
d)
Emphasize the number of deficiency observations discovered by the internal auditors.
(CIA Adapted)
Question 22: Which of the following audit committee activities is of the greatest benefit to the internal
audit activity?
a)
Review and approval of engagement work programs.
b)
Assurance that the external auditor will rely on the work of the internal audit activity whenever
possible.
c)
Review and endorsement of all internal auditing engagement communications prior to their release.
d)
Support for appropriate monitoring of the disposition of recommendations made by the internal
audit activity.
(CIA Adapted)
Question 23: The internal audit activity customarily has a dual relationship with management and the
audit committee. This means that:
a)
Management should help the internal audit activity by revising and forwarding engagement
communications to the audit committee.
b)
The internal audit activity should report directly to the audit committee, without corroborating
engagement communications with management.
c)
The accuracy of engagement communications should be verified with management, and the internal
audit activity should then report to management and the audit committee.
d)
Ideally, the internal audit activity works under the audit committee but reports to the Chief
Operating Officer on all engagements relating to operations.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
27
Responsibility for External Service Providers
CIA Part 2
Responsibility for External Service Providers
Standard 2070: External Service Provider and Organizational Responsibility for Internal
Auditing
When and external service provider servers as the internal audit activity, the provider must make the
organization aware that the organization has the responsibility for maintaining an effective internal audit
activity.
So far, we have discussed internal auditing in its more traditional role of being an in-house activity. However,
it is possible that the IAA could be fully outsourced to an external service provider. Standard 2070 states that
when an external service provider serves as the IAA, then the provider must take responsibility to make sure
that the IAA is operating in an effective manner. The effectiveness of the outsourced IAA can be assessed
through the quality assessment and improvement program (QAIP), which was covered in in the Part 1 exam.
According to Sarbanes-Oxley (SOX), publicly traded companies are required to have an internal audit activity;
however, SOX does not specify whether the activity should be in-house or outsourced. There are a variety of
reasons why an organization might consider outsourcing the IAA, including:
•
Saving time on staffing issues
•
Having the ability to quickly organize the activity
•
Having access to varied skills and knowledge
•
Potentially having greater independence and objectivity, since personnel would not be the staff of
the company
Companies that outsource will generally be small or mid-sized companies. However, a primary disadvantage to outsourcing is that the external service provider might not be familiar with the business
environment of the organization. Since internal auditing is supposed to be a value-added function, if executive
management and the board are not completely supportive then outsourcing could limit the benefits of the
IAA.
HOCK international books are licensed only for individual use and may not be lent,
copied, sold, or otherwise distributed without permission directly from HOCK
international.
If you did not download this book directly from HOCK international, it is not a
genuine HOCK book. Using genuine HOCK books assures that you have complete, accurate,
and up-to-date materials. Books from unauthorized sources are likely outdated and will not
include access to our online study materials or access to HOCK teachers.
Hard copy books purchased from HOCK international or from an authorized training
center should have an individually numbered orange hologram with the HOCK globe
logo on a color cover. If your book does not have a color cover or does not have this
hologram, it is not a genuine HOCK book.
28
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Role of Internal Audit in the Risk Management Process
Role of Internal Audit in the Risk Management Process
Risk management is a key responsibility of management, but the internal auditor plays a role in this process.
Internal auditors, acting in a consulting role, can assist both management and the audit committee by
examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of
management’s risk processes. Senior management and the board are then responsible for the organization’s
risk management and control processes.
The assessment and reporting of an organization’s risk management processes are normally a high audit
priority. The expectations that management and the board have regarding the role of the IAA and risk
management should be outlined in the charter. The role of the IAA in risk management is likely to be
determined by such factors as the culture of the organization, the ability of the internal audit staff, and local
conditions and customs of the country.
When internal auditors come across risk exposures in any engagement, they should be addressed and
evaluated further as necessary, even if it is not part of the immediate engagement.
It is important to remember that the IAA’s role in the risk management process is not static and could
possibly change over time. Based on PA 2120-1 (Assessing the Adequacy of Risk Management Processes), IAA
can take on a number of different roles in the risk management process:
•
Auditing the risk management process as part of the internal audit plan
•
Active, continuous support and involvement in the risk management process (such as participation
on oversight committees, monitoring activities, and status reporting)
•
Managing and coordinating the risk management process (in which case the internal auditor is not
taking ownership of the actual risk, only the process)
•
No role at all
Ultimately, senior management and the board will decide the internal auditor’s involvement in the risk
management process.
Assessing the Adequacy of Risk Management Processes
According to Standard 2120.A1: “The IAA must evaluate risk exposures relating to the organization’s
governance, operations, and information systems regarding the:
•
Reliability and integrity of financial and operational information,
•
Effectiveness and efficiency of operations and programs,
•
Safeguarding of assets, and
•
Compliance with laws, regulations, policies, procedures, and contracts.”
Every organization is different and will have its own particular methodology to implement the risk management process. The function of the internal auditor should be to determine that the methodology is clearly
understood by the key groups, including the board and audit committee. The internal auditors have to satisfy
themselves that the organization’s risk management processes address these five key objectives in order to
form an opinion of the adequacy of the processes:
1)
Risks that arise from business strategies and activities are identified and prioritized.
2)
Management and the board determine the level of risk acceptable to the organization (that is, an
assessment of risk appetite).
3)
Risk mitigation (reduction) activities are designed and implemented to reduce or otherwise manage
risk at levels that are acceptable.
4)
Risk is periodically reassessed on an ongoing basis.
5)
Reports are given periodically to the board and management on the results of the risk assessment
process.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
29
Role of Internal Audit in the Risk Management Process
CIA Part 2
The IAA needs to assess whether or not these five objectives have been met in order to ascertain the
adequacy of the risk management processes, which will be addressed specifically during all engagements. The
auditors need to continuously look for signs that might indicate a problem or cause for concern related to risk
management.
During the process of gathering evidence, it is recommended that the internal auditor consider the following
types of engagement procedures:
•
Research and review reference materials and background information on risk management methodologies as a basis to assess whether or not the process used by the organization is appropriate and
represents best practices for the industry.
•
Research and review current developments, trends, industry information related to the business
conducted by the organization, and other appropriate sources of information to determine risks and
exposures that may affect the organization and related control procedures used to address, monitor,
and reassess those risks.
•
Review corporate policies, board, and audit committee minutes to determine the organization’s
business strategies, risk management philosophy and methodology, appetite for risk, and acceptance
of risks.
•
Review previous risk evaluation reports by management, internal auditors, external auditors, and
any other sources that may have issued such reports.
•
Conduct interviews with line and executive management to determine business unit objectives,
related risks, and management’s risk mitigation and control monitoring activities.
•
Assimilate information to independently evaluate the effectiveness of risk mitigation, monitoring, and
communication of risks and associated control activities.
•
Assess the appropriateness of reporting lines for risk monitoring activities.
•
Review the adequacy and timeliness of reporting on risk management results.
•
Review the completeness of management’s risk analysis and actions taken to remedy issues raised
by risk management processes, and also suggest improvements.
•
Determine the effectiveness of management’s self-assessment processes through observations,
direct tests of control and monitoring procedures, testing the accuracy of information used in monitoring activities, and other appropriate techniques.
•
Review risk-related issues that may indicate weaknesses in risk management practices and, as
appropriate, discuss with management, the audit committee, and the board of directors. If the auditor believes that management has accepted a level of risk that is inconsistent with the organization’s
risk management strategy and policies, or that is deemed unacceptable to the organization, the auditor should refer to Standard 2600 (Resolution of Senior Management’s Acceptance of Risks) and
any related guidance for additional direction.
The assessment of risk is, unfortunately, not always something that can be put into a formula and easily
measured. The successful assessment of risk often rests with the professional judgment and experience of the
internal auditors and the CAE.
The actual risk management processes that are implemented will differ from organization to organization and
will be influenced by the nature of the business, the size of the business, and the complexity of their
operations. These risk management processes can be:
30
•
Formal or informal
•
Quantitative or subjective
•
Embedded in the business units or centralized at the corporate level
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Role of Internal Audit in the Risk Management Process
The specific process that the organization uses will depend on its culture, management style, and business
objectives. For example, the use of derivatives or other sophisticated capital market products would require
the use of quantitative risk management tools. Smaller, less complex organizations may use an informal risk
committee to discuss the organization’s risk profile and to initiate periodic actions. The auditor should
determine if the chosen methodology is both comprehensive and appropriate for the nature of the
organization’s activities.
Question 24: Which of the following does not address a key objective of the risk management process?
a)
Risks that arise from business strategies are identified and prioritized.
b)
Risk mitigation (reduction) activities are designed and implemented to reduce, or manage, risk at
levels that are acceptable.
c)
Review of previous risk evaluation reports by management, external auditors, and other sources.
d)
Risk is periodically reassessed on an ongoing basis.
(HOCK)
Assessing the Adequacy of Risk Management Processes for Formal Consulting Services
Providing consulting services is a means for the internal auditor to add value to the organization’s operations.
Internal auditing may be asked to assist the organization in establishing or improving risk management
processes. Internal auditors are encouraged to be proactive, particularly when it comes to risk management;
however, the internal auditor needs to be conscious that the consulting engagement does not impair or
impede the auditor’s independence or objectivity.
Note: A consulting service is defined as advisory and related client service activities, the nature and
scope of which are agreed upon with the client. They are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming
management responsibility. Examples: counsel, advice, facilitation, and training.
Concerning risk management, internal auditors must incorporate knowledge of risks gained from consulting
engagements into the process of identifying and evaluating significant risk exposures of the organization. If
significant risk exposure or control weaknesses are found, they will need to be brought to the attention of
management. It some cases, particularly where there are significant risk exposures, it might be necessary for
the internal auditor to communicate to the board or audit committee.
As with assessment engagements, the internal auditor should use professional judgment to
•
Determine the significance of exposures or weaknesses and the actions taken or contemplated to
mitigate or correct these exposures or weaknesses
•
Ascertain the expectations of management, the audit committee, and board in having these matters
reported
Internal auditors need to avoid managing risks during a consulting engagement (Standard 2120.C3) because
such actions could be perceived as an internal auditing failure and hurt the activities of the IAA.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
31
Managing the Risk of the Internal Audit Activity
CIA Part 2
Managing the Risk of the Internal Audit Activity
It often seems that when something goes wrong in a company, such as a case of fraud or failure in the
reporting process, the first question is: “Where was the internal auditor?” There is tremendous pressure on
internal audit to identify, assess, and recommend ways to mitigate financial, operational, information
technology, legal or regulatory, compliance, and strategic risks.
However, internal auditing departments often have difficulty finding and retaining qualified personnel. In
some cases, this has prevented the IAA from achieving its objectives, which in itself is a risk. Therefore, the
CAE needs to be constantly looking at ways the IAA can manage its own risk.
Practice Advisory 2120-2.3 (Managing the Risk of the Internal Audit Activity) has identified three distinct risks
faced by internal auditing: audit failure, false assurance, and reputation risk.
Audit Failure Risk
Audit failure can be caused by any one or more of the following factors:
•
Not follow the International Standards for the Professional Practice of Internal Auditing.
•
Failure to design effective internal audit procedures to test “real” risks.
•
Failure to evaluate both design adequacy and control effectiveness as part of internal audit procedures.
•
Failure to exercise heightened professional skepticism and extended internal audit procedures related to findings or control deficiencies.
•
Inexperienced and unskilled audit staff members.
•
Failure to provide adequate supervision.
•
Making the wrong decision when there was evidence of fraud. For example, saying that “it wasn’t
material” or “there were not the resources to deal with the issue.”
•
Failure to properly communicate suspicions to the right people.
•
Failure to report adequately.
While there can never be a guarantee that failure will not occur, some of the practices that the IAA can follow
to manage these risks are:
32
•
Making sure there is a QAIP. Follow Standard 1300.
•
Periodically reviewing the audit universe and making sure that the audit universe is complete by
reviewing the company’s risk profile.
•
Making sure there is proper audit planning.
•
Making sure there is effective audit design, which involves making sure there is proper time spent
understanding the design of the system of internal controls to determine whether it provides adequate control prior to the start of testing for its effectiveness.
•
Proper resource allocation, which means making sure that the right staff is assigned to the engagement.
•
Effective management review, meaning that there is proper internal audit supervision of the internal
audit process (for example, reviewing working papers).
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Managing the Risk of the Internal Audit Activity
False Assurance
The “expectation gap” surrounds the work of the IAA. On the one hand, management and the board usually
have high expectations as to the level of assurance that is provided by the IAA. On the other hand, there are
limits on how much assurance the IAA can actually provide.
While there is no way to mitigate all of the risk of false assurance, the IAA can proactively manage its risk of
false assurance. A key to manage this risk is to have frequent and clear communication with the audit
committee, management, and other key stakeholders.
Reputation Risk
Having a solid reputation is absolutely vital for the success of the IAA. In essence, the IAA is building a brand,
and the brand is built over several years of consistent, high quality work. Unfortunately, it only takes one
adverse event to destroy the IAA’s standing. For example, a string of significant financial restatements and
regulatory investigations would damage the reputation of the IAA. The audit committee might ask whether
the IAA has the right talent and QAIP to support the organization.
If some event does happen that affects the IAA, then the CAE has the responsibility to review the nature of
the event and gain an understanding of the root cause of the problem.
The following information is for the next two questions.
The internal auditors of a financial institution are evaluating the institution’s investing and lending
activities. During the last year, the institution has adopted new policies and procedures for monitoring
investments and the loan portfolio. The internal auditors know that the organization has invested in new
types of financial instruments during the year and is heavily involved in the use of financial derivatives to
hedge risks appropriately.
Question 25: The internal auditors are evaluating the adequacy of the new policies and procedures in
maintaining an appropriate risk profile. Which of the following engagement procedures is least relevant to
the accomplishment of the engagement objective?
a)
Meet with operational management to determine its interpretation of any procedures that are not
clear.
b)
Meet with senior management or a board member, if necessary, to clarify policy issues.
c)
Test a sample of investments for compliance with the new procedures.
d)
Review recent regulatory pronouncements to determine whether the new procedures are consistent
with regulatory requirements.
Question 26: The audit committee has expressed concern that the financial institution has been taking on
higher-risk loans in pursuit of short-term profit goals. Which of the following engagement procedures
provides the least amount of information to address this concern?
a)
Perform an analytical review of interest income as a percentage of the investment portfolio in
comparison with a group of peer financial institutions.
b)
Take a random sample of loans made during the period and compare the riskiness of the loans with
that of a random sample of loans made 2 years ago.
c)
Perform an analytical review that involves developing a chart to compare interest income plotted
over the past 10 years.
d)
Develop a multiple-regression time-series analysis of income over the past 5 years, including such
factors as interest rate in the economy, size of loan portfolio, and dollar amount of new loans each
year.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
33
Types of Internal Audit Engagements
CIA Part 2
Question 27: When the executive management of an organization decided to form a team to investigate
the adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team. The
best reason doing this is the internal auditor's knowledge of:
a)
Activities and cost drivers.
b)
Information processing procedures.
c)
Current product cost structures.
d)
Risk management processes.
(CIA Adapted)
Types of Internal Audit Engagements
The IIA defines internal auditing as:
An independent, objective assurance and consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control and
governance processes.
Internal auditors are able to perform two distinct types of services: assurance and consulting. Even though
the objective of the two approaches is different, audits will often contain elements of both. For example, an
internal auditor who is providing assurance about the quality of a control system will also offer a recommendation on ways to change and improve the system.
Assurance Services
Assurance services involve objective examination of evidence for the purpose of providing independent
assessment of risk management, control, or governance processes. When an assurance service is provided,
the auditor expresses an opinion or conclusion about something.
Despite the depth and breadth of internal auditing, assurance engagements usually fall into three fundamental categories:
1)
Financial Engagements, which are audits of financial amounts that may or may not be on the
financial statements.
2)
Compliance Engagements, which are audits of the company’s conformance to procedures, standards, regulations and laws.
3)
Operational (or Performance) Engagements, which are audits of the efficiency and effectiveness
of the operations of the company.
Note: External auditors can also perform any one of the above-mentioned engagements, which would be
done through outsourcing or co-sourcing engagements. However, the focus of the external audit will still
be on the fair presentation of the financial statements. Because the internal auditors’ focus is to support
management and governance authorities so that they can perform their functions, non-financial statement
related engagements are often performed by the internal audit function. Additionally, the cost of the
performance of these engagements is usually much higher if the external auditor performs them.
34
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Financial Audit Engagements
Assurance engagements can be performed at any of the three following levels within an organization:
1)
Organizational level, which is a department-by-department review.
2)
Functional level, which follows a single process across organizational lines (a “cradle to grave”
environmental audit is an example of a functional approach).
3)
Cycle level audits that are primarily financial systems reviews. (However, these have been expanded to cover all systems of a firm, even nonfinancial systems such as HR or environmental
impact systems.)
In the following pages we look at the specific types of audits that are done within the three main broad
categories of assurance audits (financial, compliance, and operational).
Additionally, because internal auditors are directly concerned with deterring and detecting fraud, we also
included a section on Control Self-Assessment (CSA). The purpose of control self-assessment is the
improvement of internal controls. If an organization has an established CSA program, then it is highly likely
that the internal auditor will be involved somehow in the program as either a reviewer or facilitator.
Financial Audit Engagements
A financial audit is an audit of the economic activity to test the reliability and integrity of reported financial
information and to ascertain that the company’s assets are properly safeguarded. External auditors usually
conduct financial audits, but they are also part of the internal audit universe as well. Internal auditors may
perform financial audits in areas that are not heavily tested as part of the external audit or may also look at
the efficiency of the use of resources instead of just the accounting for the use of the resources. As mentioned
earlier (in the section The Internal Audit Activity’s Role in Governance, Risk and Control), coordination
between internal and external auditors is crucial to minimize the duplication of efforts and optimize audit
coverage.
Financial audits are often performed or arranged in connection with a transaction cycle. A cycle is a
grouping of transactions around a particular activity in the business. It is possible that many combinations of
transactions exist within each one of these cycles, depending on the type of operations and accounting
systems in a given organization. For example, payroll may be combined with the payment cycle. It is also
possible to subdivide some of these cycles. For example, the revenue cycle may be separated from the cash
collection cycle or the acquisitions cycle may be separated from the payments cycle. Cycles can vary from
organization to organization.
Because a transaction cycle is often the basis for a financial audit, we will look first at some of the standard
cycles as well as the documents and people within these cycles. The main cycles (transaction) in a business
are:
•
Revenue and receivables (cash collections)
•
Purchasing and payables
•
Inventory and warehousing
•
Financial capital and payment
•
Personnel and payroll
Documents and Individuals in the Transaction Cycles
The next few pages provide the common documents that are involved in the different cycles as well as the
roles that are performed by different individuals within the cycle. The documents and roles of different
positions are useful to know for the exam to answer questions regarding the specific cycles.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
35
Financial Audit Engagements
CIA Part 2
Sales, Receivables, and Cash Receipts Cycle
Documents in the Sales Receivables and Cash Receipts Cycle
Sales Order
A document received by a customer placing the order.
Shipping Documents
Prepared by the company for the shipment of the goods to the
customer. Should include a description and number of goods shipped.
Sales Invoice
Invoice prepared to send to the customer to initiate payment.
Remittance Advice
Returned by the customer informing the company that payment has
been made.
Bills of Lading
Part of the record of shipping. Will be transferred from the shipping
company to the customer.
List of Remittances
Prepared by the individual who opens the mail. This is a list of all
checks received that day.
Deposit Slips
Prepared by the individual making the deposit at the bank.
Check Listing
This is also prepared by the individual making the deposit and is a list
of all of the checks that are deposited.
Credit Memoranda
(or Credit Memo)
Issued by the company when the customer does not need to pay an
invoice. This is necessary when the customer returns the goods.
Receiving Report
This is a record of the company receiving goods that have been
returned. If the returned items have not been received, no credit
memo should be given.
Individuals’ Responsibilities in the Sales Receivables and Cash Receipts Cycle
Opening the Mail
This individual opens the mail, makes a list of all checks received,
stamps all of the checks with “For Deposit Only,” and forwards the
checks to the person who makes the deposit.
Making the Deposit
Makes a deposit daily, including the preparation of the deposit slip and
the listing of checks.
Treasurer
Along with other duties in cash disbursements below, the treasurer
should authorize the write-off of receivables.
Controller
The controller is involved in the actual cash transactions of payment
and disbursement.
Personnel and Payroll Cycle
Documents in the Personnel and Payroll Cycle
Payroll Master File
This is the file in which all employee information is kept. Information
regarding pay rates, bonuses, authorized withholdings and deductions,
and so forth is kept here.
Time Clock
This is the clock that is used to determine when individuals start and
stop work.
Time Card
This is the card that records start and stop times for an individual
employee.
Job Time Tickets
This records all of the time that is spent by individuals on a specific
job.
36
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Financial Audit Engagements
Individuals/Accounts in the Personnel and Payroll Cycle
Paymaster
This individual should have no other payroll responsibilities (such as
preparation or calculation) and should distribute the payroll checks.
Internal Auditor
Any undistributed payroll checks should be given to the internal audit
department until they can be distributed.
Treasurer
The treasurer should sign the payroll checks.
Department Head
(or Foreman)
This individual should approve time cards.
Imprest Payroll Account
This is similar to petty cash in that the payroll checks are paid out of a
special bank account. The money necessary to pay the checks is
deposited on a monthly basis into this account, which means that
payroll is not paid out of the general bank account of the company.
Inventory and Production Cycle
Documents in the Inventory and Production Cycle
Requisitions
This is a request from a production department to transfer inventory
from the warehouse to the production line.
Shipping or Transfer Reports
This is a report of the transfer and movement of inventory.
Property, Plant, and Equipment Cycle
Documents in the Property, Plant, and Equipment Cycle
Purchase Authorization
Before a fixed asset is purchased, authorization must be obtained.
Purchase Order
This is the form on which the ordering of the item is recorded.
Receiving Report
This is the record of the item that is received.
Vendor Invoice
This is the invoice from the seller that must be paid.
Question 28: The primary difference between operational engagements and financial engagements is that
in the former the internal auditors
a)
Are not concerned with whether the client entity is generating information in compliance with
financial accounting standards.
b)
Are seeking to help management use resources in the most effective manner possible.
c)
Start with the financial statements of the client entity and work backwards to the basic processes
involved in producing them.
d)
Can use analytical skills and tools that are not necessary in financial engagements.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
37
Financial Audit Engagements
CIA Part 2
Question 29: An operating engagement relating to the production function includes a procedure to
compare actual costs with standard costs. The purpose of this engagement procedure is to:
a)
Determine the accuracy of the system used to record actual costs.
b)
Measure the effectiveness of the standard cost system.
c)
Assess the reasonableness of standard costs.
d)
Assist management in its evaluation of effectiveness and efficiency.
(CIA Adapted)
Audit Risk and Assertions Models
The audit risk and assertion models are used to develop an approach to financial audits. This process will be
used even if the full financial statements are not being audited. These ideas and concepts may also be used
with some modification in non-financial engagements.
Audit Risk
Audit risk is the risk that an auditor will give an unqualified (“everything is fine”) opinion when, in reality,
there is one or more material misstatements in the area being audited. In other words, there is a mistake in
the financial statements that was not detected and yet the auditor says that the financial statements are
correct. For the audit opinion to contain an error, three events all must have occurred:
1)
There is an error made in the first place
2)
The internal controls fail to detect the error
3)
The auditor fails to detect the error
Audit risk is calculated by multiplying together the chance of each of these three events happening. These
three events are each their own individual risk and these three associated risks in aggregate make up the
complete sense of audit risk. The three risks are listed below:
1)
Inherent risk (the risk that there is an error in the first place): This is the risk that is natural in an
element of the financial statements or the function being audited, assuming that there are no controls. It is the susceptibility to a material misstatement that exists “just because.” An example of an
area with a high level of inherent risk is the calculation of pension liabilities. Pension calculations are,
by their nature, extremely complex and the internal auditor cannot do anything to reduce this risk.
2)
Control risk (the risk that the internal controls will fail to detect the error): Internal control does not
guarantee that an organization will achieve its financial reporting, operational, and compliance objectives. No matter how well designed and operated, internal controls can provide only reasonable
assurance to management and the board of directors that the organization’s objectives will be
achieved. The major risks are that controls may fail because of human error, may be circumvented
by collusion, or that management may override internal control procedures.
3)
Detection risk (the risk that the auditor will fail to detect the error): No matter how thoroughly the
auditor completes the audit, there is always the risk that a misstatement in the financial statements
will not be found. This risk exists because the auditor does not test all of the transactions. Therefore,
as long as one transaction is not tested, there is a risk that there is a material misstatement in that
one untested transaction.
Audit risk is calculated as follows:
AR = IR * CR * DR
In addition to understanding what the risks are, you also must know how each of these risks are assessed and
which risks the auditor can influence or control.
38
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Financial Audit Engagements
The auditor assesses inherent risk and control risk, but the auditor is not able to do anything to influence or
change these risks. In other words, the auditor is not able to do anything to increase or decrease either of
these risks.
Note: The risks may be assessed either in a quantitative manner (1–100%) or in a qualitative manner
(minimum to maximum).
Inherent risk cannot be influenced because these are risks that are part of the item being tested. For
example, the auditor cannot do anything to make derivatives less risky since they are, by definition, a risky
product.
Control risk cannot be influenced in the current period because the audit covers events that have occurred in
a past period. The controls were already either functioning or not functioning at the time of the transactions
and the auditor is unable to go back in time to change the controls that were in place previously.
Note: The auditor is able to have some influence on the control risk of the next period. By making
recommendations during the current audit, the auditor can assist the company in improving the controls,
which will be seen with the reduction of control risk in future periods.
Detection risk is the only risk that the auditor can influence. One of the first things that the auditor will do is
determine the acceptable level of audit risk. Then, after assessing inherent and control risk, the auditor can
solve for the acceptable level of detection risk by using the audit risk formula. Once detection risk is
calculated, the auditor will be able to determine the nature, extent, and timing of the tests that will need to
be performed.
Note: Because of the nature of the formula, inherent risk, control risk, and detection risk are all
connected. As one risk is either raised or lowered, another risk will have to move in the opposite direction
in order to maintain the same level of audit risk.
Assessing Control Risk
Because inherent risk is a basic or natural risk that cannot be influenced by anyone, it is the assessment of
control risk that is the critical step in the determination of the necessary level of detection risk.
The auditor will assess control risk at the maximum level if the internal controls do not relate to an assertion,
if the controls are unlikely to be effective, or if evaluating the effectiveness of the controls would be
ineffective. When control risk is assessed at the maximum level, the auditor needs to document the
understanding of internal controls.
No matter which manner is used to measure control risk (either quantitative or qualitative), if it is assessed
below the maximum level, then the auditor must document the tests that were performed to confirm that the
controls are working and operating as planned. This documentation is required to support the auditor’s
conclusion that the controls were in fact working.
The Relationship between Control Risk and Detection Risk
The lower the control risk, the higher the detection risk can be while still achieving an acceptable
level of audit risk. The opposite is also true: a higher control risk means that the detection risk threshold
needs to be lowered in order to maintain the necessary level of audit risk. Therefore, control risk and
detection risk are inversely related.
You can remember this relationship by recalling that there are two ways in which a mistake can be detected:
the internal control system detects the mistake or the auditor detects the mistake. Therefore, one of these
two needs to be functioning. If the internal controls are not working (high control risk), the auditor must work
hard to detect every mistake (low detection risk). On the other hand, if the controls are working perfectly
(low control risk), the auditor will not need to work at all (high detection risk) because the controls are
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
39
Financial Audit Engagements
CIA Part 2
detecting the mistakes. Obviously, this is an extreme example, and in general a combination of both internal
controls and the auditor will detect the mistakes.
Note: If the internal auditors perform a financial audit and make assessments of these risks, their
assessment of risk will not be used by the external auditors. The risk assessment made by the internal
auditors may help or guide the external auditors, but external auditors will make their own assessments in
respect to risk.
Relationship Between Detection Risk and Audit Tests Performed
There is also an inverse relationship between detection risk and the amount of work that the auditor needs to
perform. If detection risk is low, the auditor needs to detect all of the mistakes that may be in the financial
statements. Therefore, the auditor will need to perform numerous tests during the audit.
If, however, detection risk is high, this means that the auditor is accepting a high level of risk that he or she
will not detect mistakes. With a high level of detection risk, the auditor does not need to detect the mistakes
because the internal control system is doing that work. The auditor does not need to perform many tests at
all in this situation.
The relationships between control risk, detection risk, and the amount of work that needs to be performed
can be shown as follows:
Control Risk
Detection Risk
Work to be Performed
High
High
High
Low
Low
Low
Knowing these relationships may make some exam questions easier and quicker to answer.
Question 30: There are three components of audit risk: inherent risk, control risk, and detection risk.
Inherent risk is:
a)
The risk that the auditor may unknowingly fail to appropriately modify his or her opinion on
financial statements that are materially misstated.
b)
The risk that the auditor will not detect a material misstatement that exists in an assertion.
c)
The susceptibility of an assertion to a material misstatement, assuming that there are no related
internal control structure policies or procedures.
d)
The risk that a material misstatement that could occur in an assertion will not be prevented or
detected on a timely basis by the entity’s internal control structure policies or procedures.
(CMA Adapted)
Financial Statement Assertions
“Assertions” are the claims that management makes when it presents financial information. It is the role of
the auditor to determine if these assertions made by management are correct. Therefore, most of the work in
a financial audit is spent on evaluating and forming an opinion on management assertions.
40
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Financial Audit Engagements
These five assertions are:
1)
Completeness: This means that everything that is supposed to be in the financial statements is
actually in the financial statements (that is, no material financial information has been omitted).
2)
Rights and Obligations: This means that everything that is reported as an asset represents something that the company has a right to and everything reported as a liability represents an obligation
of the company.
3)
Valuation or Allocation: This means that items in the financial statements are valued at the correct
amount and that income statement items have been allocated to the proper period.
4)
Existence or Occurrence: This means that all balance sheet items that are recorded exist and that all
income statement items occurred during the period. (In a sense, this is the opposite of completeness. “Completeness” is making sure that everything that is supposed to be included is included,
while “existence or occurrence” is making sure that everything that is included is supposed to be included.)
5)
Statement of Presentation and Disclosure: This means that the format organization and classification
of accounts on the financial statements and disclosures in the accounts, footnotes, and accounting
policies conform to generally accepted accounting principles.
Note: These assertions may be remembered by the acronym COVES (as identified by the bolded letters in
the list above).
When performing a financial audit, the auditor will need to make certain that there are procedures that test
each of these assertions for each financial item that is being tested. Different items, however, may have
different assertions as the most important. For example, when looking at assets, completeness is not an issue
because it is unlikely that a company wants to understate its assets. However, for assets, existence is a great
concern because the company may want to overstate its assets by including some things that it does not
really have.
On the other hand, when looking at liabilities, existence is not a great concern to the auditor because it is
unlikely that the company wants to overstate its liabilities. However, completeness will be important in
respect to liabilities because the company may not want to record all of its liabilities.
Even though some assertions are more important than others, the auditor still will want to perform at least
one procedure related to each of the assertions for each item tested.
Internal Auditors’ Role in the Financial Reporting Process
The establishment of an effective governance process is the responsibility of senior management and the
board of directors, but the internal audit activity can play a key role in support of good organizational
governance.
The financial reporting process consists of creating and preparing the financial statements, related notes,
and other accompanying disclosures in the company’s financial reports. The function of the internal auditor in
this process is to provide a level of assurance to senior management and the audit committee that the control
processes are adequately designed and effectively implemented.
The controls over financial reporting should be adequate to ensure the prevention and detection of significant
errors, irregularities, incorrect assumptions and estimates, and other events that could result in inaccurate or
misleading financial statements, related notes, or other disclosures.
The following lists are made up of suggested topics that the CAE may consider in supporting the organization’s governance process and the oversight responsibilities of the governing board and its audit committee
(or other designated committees) to ensure the reliability and integrity of the financial reports. We do not
suggest that you memorize the details of the lists; however, it is useful to be familiar with the contents of the
topics and how they relate to the financial reporting process.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
41
Financial Audit Engagements
CIA Part 2
Financial Reporting
•
Providing information relevant to the appointment of the independent accountants.
•
Coordinating audit plans, coverage, and scheduling with the external auditors.
•
Sharing audit results with the external auditors.
•
Communicating pertinent observations with the external auditors and audit committee about accounting policies and policy decisions (including accounting decisions for discretionary items and offbalance sheet transactions), specific components of the financial reporting process, and unusual or
complex financial transactions and events (such as related-party transactions, mergers and acquisitions, joint ventures and partnership transactions).
•
Participating in the financial reports and disclosures review process with the audit committee, external auditors, and senior management; evaluating the quality of the financial reports, including those
filed with the regulatory agencies.
•
Assessing the adequacy and effectiveness of the organization’s internal controls, specifically those
controls over the financial reporting process. This assessment should consider the organization’s susceptibility to fraud and the effectiveness of programs and controls to mitigate or eliminate those
exposures.
•
Monitoring management’s compliance with the organization’s code of conduct and ensuring that
ethical policies and other procedures promoting ethical behavior are being followed. An important
factor in establishing an effective ethical culture in the organization is for members of senior management to set a good example of ethical behavior and provide open and truthful communications to
employees, the board, and outside stakeholders.
Corporate Governance
•
Reviewing corporate policies relating to compliance with laws and regulations, ethics, conflict of
interest, and the timely and thorough investigation of misconduct and fraud allegations.
•
Reviewing pending litigation or regulatory proceedings bearing on organizational risk and governance.
•
Providing information on employee conflicts of interest, misconduct, fraud, and other outcomes of
the organization’s ethical procedures and reporting mechanisms.
Corporate Control
42
•
Reviewing the reliability and integrity of the organization’s operating and financial information compiled and reported by the organization.
•
Performing an analysis of the controls for critical accounting policies and comparing them with
preferred practices (for example, transactions in which questions are raised about revenue recognition or off-balance sheet accounting treatment should be reviewed for compliance with appropriate,
generally accepted accounting standards).
•
Evaluating the reasonableness of estimates and assumptions used in preparing operating and financial reports.
•
Ensuring that estimates and assumptions included in disclosures or comments are in line with underlying organizational information and practices and with similar items reported by other companies, if
appropriate.
•
Evaluating the process of preparing, reviewing, approving, and posting journal entries.
•
Evaluating the adequacy of controls in the accounting function.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Compliance Audit Engagements
Compliance Audit Engagements
Compliance audit engagements are based on determining whether or not the company is adhering to
established laws, regulations, contracts, and/or policies and procedures set by the company’s management.
Examples of situations in which compliance engagements may need to be performed include environmental
laws, employment laws, or compliance with loan or debt agreements.
Environmental auditing is included in this compliance auditing section. The potential for substantial fines and
bad publicity makes it extremely risky for companies to not comply with environmental laws and regulations.
Environmental Auditing
Organizations subject to environmental laws and regulations need to establish an environmental management
system. Internal audit should review whether the environmental control systems are adequate to ensure
compliance with regulatory requirements and internal policies. Hazardous waste is of major interest to the
internal auditor because of the potentially large financial penalties that may be levied against a company for
violation of environmental laws.
The IIA Research Foundation has identified seven types of environmental audits:
1)
Compliance. These are the most frequent types of environmental audits and are site-specific reviews of the company’s past, current, and planned practices. The greater the risk from
noncompliance with environmental laws to the company, the greater the scope and depth of the audit.
2)
Environmental Management Systems. These are audits to make certain that the company can
manage any future environmental risk that might result from changing legislation.
3)
Transactional. This is a review of a property prior to its purchase or sale to make sure that there
are no associated environmental risks.
4)
Treatment, storage, disposal facility. This audit follows the documentation of hazardous materials from “cradle to grave,” meaning following material from its creation to its final disposal.
5)
Pollution prevention. These audits work on the process of eliminating or minimizing the pollution a
company generates at its source rather than controlling pollution after it has been created.
6)
Environmental liability accrual. This is the process of establishing the moment that an environmental liability needs to be accrued on the balance sheet and a corresponding expense entered on
the income statement. The difficulty with this procedure is that it is often very unclear as to when
such procedures should be done and what value should be assigned.
7)
Product audit. This is a review of the production process to determine whether pollutant restrictions are being met.
Internal Audit’s Role in Identifying and Reporting Environmental Risks
Part of the assessment of risk for the organization needs to include risks in the areas of the environment,
health, and safety (EH&S), which is of particular importance in countries (such as the United States) where
there are very high fines and penalties for environmental damages, employee rights lawsuits, and safety
liability.
The CAE needs to establish that these risks have been assessed and addressed as needed.
In larger companies, this assessment may be done by a separate environmental audit function (this is an area
that is most likely legal in the assessment of risk, so lawyers are usually involved in this process). When there
is a separate environmental audit function, the organization must make sure that it does not report to the
group or individuals responsible for these areas in which there are environmental issues. If improper reporting
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
43
Compliance Audit Engagements
CIA Part 2
occurs, there may be impairment to the required independence needed for this operation. In this case, the
CAE will also want to offer his or her assistance to the environmental auditors.
The risk exposures that should be evaluated are:
•
Organizational reporting structures
•
Likelihood of causing environmental harm, fines, and penalties
•
Expenditures mandated by the Environmental Protection Agency (EPA) or other governmental agencies
•
History of injuries and deaths
•
Record of losses of customers and episodes of negative publicity and loss of public image and reputation
It is not unusual for the environmental audit function to report to their organization’s environmental
component or general counsel and not to the CAE.
Suggestions for the CAE
The CAE and chief environmental officer should foster a close relationship so that they can coordinate and
plan for environmental auditing. In cases where the environmental audit function reports to someone other
than the CAE, the CAE should still review the audit plan and the performance of engagements. The purpose of
the review is so that the CAE can determine if the environmental risks are being adequately addressed.
An environmental audit can be compliance-focused (verifying compliance with laws and regulations),
management-systems-focused (providing assessment of management systems intended to ensure compliance
with legal and internal requirements and the mitigation of risks), or a combination of both.
The CAE should evaluate the organizational placement and independence of the environmental audit function
to ensure that significant matters resulting from serious risks to the organization are reported up the chain of
command to the audit or other committee of the governing board. The CAE should also facilitate the reporting
of significant EH&S risk and control issues to the audit (or other board) committee.
Question 31: An organization is considering purchasing a commercial property. Because of the location of
the property and the known recent history of activities on the property, management has asked the
internal audit activity, in cooperation with legal counsel, to provide a preliminary identification of any
environmental liability. The strongest reason supporting management’s decision to request such an
investigation is:
a)
The potential for future liability may outweigh any advantages achieved by obtaining the property.
b)
Management will be able to pay a lower price for the property if environmental contamination can
be identified.
c)
The current owner would be required by law to clean up all identified contamination before the sale
is closed.
d)
Regulatory agencies require a purchaser to identify and disclose all actual and potential instances of
contamination.
(CIA Adapted)
44
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Compliance Audit Engagements
The following information is for the next three questions.
An organization has two manufacturing facilities. Each has two manufacturing processes and a separate
packaging process. The processes are similar at both facilities. Raw materials used include aluminum,
materials to make plastic, various chemicals, and solvents. Pollution occurs at several operational stages,
including raw materials handling and storage, process chemical use, and finished goods handling. Nonhazardous waste is transported to the local landfill. An outside waste vendor is used for the treatment,
storage, and disposal of all hazardous waste.
Management is aware of the need for compliance with environmental laws. The organization recently
developed an environmental policy including a statement that each employee is responsible for compliance with environmental laws.
Question 32: Management is evaluating the need for an environmental audit program. Which one of the
following should not be included as an overall program objective?
a)
Conduct site assessments at both facilities.
b)
Verify organizational compliance with all environmental laws.
c)
Evaluate waste minimization opportunities.
d)
Ensure management systems are adequate to minimize future environmental risks.
Question 33: If the internal audit activity is assigned the responsibility of conducting an environmental
audit, which of the following actions should be performed first?
a)
Conduct risk assessment for each site.
b)
Review organizational policies and procedures and verify compliance.
c)
Provide the assigned staff with technical training.
d)
Review the environmental management system.
Question 34: In many countries, the organization generating hazardous waste is responsible for the waste
from “cradle to grave” (creation to destruction). A potential risk to the organization is the use of an
outside vendor to process hazardous waste. Which of the following steps should be performed during a
review of the waste vendor?
a)
Review the vendor’s documentation on hazardous waste.
b)
Review the financial solvency of the vendor.
c)
Review the vendor’s emergency response planning.
d)
All of these steps should be performed during a review of the waste vendor.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
45
Operational (Performance) Audit Engagements
CIA Part 2
Operational (Performance) Audit Engagements
Auditors conducting a financial audit are directly concerned about the reliability and accuracy of the financial
information produced and only indirectly concerned about the effectiveness and efficiency of the system that
produced the financial information. However, operational or performance audits are directly concerned with
the effectiveness, efficiency, and economy of the produced information. The objective of operational audits is
to assist management so they are able to achieve their operational goals.
Listed and described below are two different types of operational or performance audit engagements. It is
sometimes difficult to classify a specific engagement as one or the other of these categories (and sometimes
an operational engagement is also similar to a consulting engagement), but the distinction of a specific
engagement is not critical. It is possible that one engagement may encompass some of the goals of all of
these different classifications of engagements.
Economy and Efficiency
An economy and efficiency engagement is an audit of a certain program or activity that primarily focuses on
the economy and efficiency of given operations. This type of engagement will determine the following:
•
Whether or not an operation is using its resources economically and efficiently. Goals and
standards are required in order to provide performance gauges. “Due professional care” involves
evaluating established operating standards and determining whether those standards are acceptable
(that is, whether they agree with the strategic plan of the organization, whether they are realistic)
and whether they are being met. To make a meaningful examination, auditors must compare their
findings against the standard.
Standards that may be used to measure actual performance may not be financial in nature. For example, they may include the following considerations: How many invoices should each clerk in the
accounts payable department be able to process in a day? How many telephone calls should a customer service representative be able to handle per day?
The information about the standards may come from sources such as job instructions, product specifications, contracts, cost accounting standards, or any number of other sources.
If goals and standards have not been set and no agreement can be reached on them with the client,
then that condition is itself a deficiency because managers have a responsibility to set goals and
standards for themselves and their employees.
Note: Goals usually represent what senior management or the board of directors wants to accomplish, and the auditor needs to know what they are so that the standards that they select are
meaningful in relation to the goals of the company. Internal auditors do not have the authority or
the responsibility to set objectives, goals, or standards for operations personnel. However, the internal auditor may identify goals and standards and, through discussion with the client, gain the
client’s approval of them.
46
•
The reasons for operations’ inefficiencies. One way of identifying problems is by talking to
people in the activity being audited or with people downstream who are affected by the problems
upstream. Once problems have been identified, internal auditors can study the systems and procedures and determine why they did not prevent the problem. If the problem is caused by people not
following procedures, it is likely that either supervision or training is inadequate or that the systems
and procedures themselves are inadequate for the job. The relevant reasons should be brought to
the attention of management.
•
Compliance with laws and regulations pertaining to issues of economy and efficiency. The
internal auditor needs to be aware of any laws and regulations governing the activity.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Other types of Operational Engagements
Program-Result
A program-result engagement is an audit of a particular program or activity that primarily focuses on costs,
output (effectiveness), benefits, and the effects of a program. The engagement involves testing against the
established criteria to assess:
•
The achievement of the desired, preset objectives
•
The effectiveness of the programs or activities in achieving the desired objectives
•
Compliance with related laws and regulations pertaining to the program or function under audit
Other types of Operational Engagements
The following pages cover other types of operational engagements that internal auditors may be involved in.
These include:
•
E-commerce Engagements
•
Due Diligence Engagements
•
Business Continuity Planning Engagements
•
Quality Engagements
•
Physical Security Audit Engagements
•
Audits of Third Parties and Contract Auditing
•
Privacy Audit Engagements
E-Commerce Engagements
The IIA’s International Professional Practices Framework (IPPF) defines e-commerce as “conducting
commercial activities over the Internet,” and it is included in the discussion of financial engagements.
Commercial activities can be business-to-business (B2B), business-to-consumer (B2C), or business-toemployee (B2E).
Understanding and Planning an E-Commerce Engagement
The significance of e-commerce is heightened by the rapid rate of change in e-commerce technology.
Accordingly, the internal audit function needs to keep pace with the rate of technological advancement in ecommerce. For example, fax machines have since given way to more sophisticated modes of information
transfer, from email to text messaging to more immediate and rapid forms of communication. Thus, a
company that is heavily reliant on faxes might find itself losing ground to its more technologically advanced
competitors.
The major elements of auditing an e-commerce business are:
•
Assessing the internal control structure, including the tone set by senior management
•
Providing reasonable assurance that goals and objectives can be achieved
•
Determining if the risks are acceptable
•
Understanding the information flow
•
Reviewing the interface issues (hardware to hardware, software to software, hardware to software)
•
Evaluating the business continuity and disaster recovery plans
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
47
Other types of Operational Engagements
CIA Part 2
The CAE will need to assess if the IAA has the necessary skills and capacity to perform the engagement; and
if it does not, then the CAE must decide how to obtain the needed skills (either through training or
outsourcing). Some questions that may constrain the internal audit activity in this type of engagement are:
•
Does the IAA have sufficient skills? If not, can the skills be acquired?
•
Is training or other resources necessary?
•
Is the staffing level sufficient for the near-term and long-term?
•
Can the expected audit plan be delivered?
E-Commerce Risks and Control Issues
The goals and objectives of an e-commerce system audit are similar to those of the audit of a regular
business system. The difference between these two activities relates to the structure of the information being
audited. For example, in e-commerce documentation might lack hard copies (since much of the information is
stored in databases), some data may exist for a very short period of time, or the absence of a paper trail. By
contrast, a “regular” business system will have none or few of these issues to contend with. Furthermore, the
difference in information structure between e-commerce and “regular” business systems raises new risk and
control issues that management must understand and try to mitigate.
Some of the more critical risk and control issues of e-commerce to be addressed by the internal auditor are:
•
General project risks
•
The potential for fictitious sales and returns
•
The potential for competitors to be able to access critical information
•
Specific security threats, such as denial of service (DoS) attacks, physical attacks, viruses, identify
theft and unauthorized access or disclosure of data
•
Maintenance of transaction integrity under a complex network of links to legacy systems and data
warehouses
•
Website content review and approval when there are frequent changes and sophisticated customer
features and capabilities that offer around-the-clock service
•
Rapid technology changes
•
Legal issues, such as increasing regulations throughout the world to protect individual privacy,
enforceability of contracts outside of the organization’s home country, and tax and accounting issues
•
Changes to surrounding business processes and organizational structures
Reviews of the risks should be conducted frequently, due to the fast rate of technological change in the field.
Internal auditors should pay attention to recently publicized news stories about security breaches and other
situations, as well as to changes in their organization’s e-commerce operations.
In order to evaluate the risks posed by e-commerce, the IT internal auditing activity needs to understand the
system and the infrastructure, including the front-end web servers, transmission methods and protocols,
firewalls, gateways, the back end, the middleware, and links to back office systems. They need to determine
which programs affect the data, how distributed the programs are, and the locations, servers, and processes
involved. They need to evaluate controls and procedures for handling critical or sensitive information and
assess monitoring procedures. It may even be necessary to seek certification from an external source.
Auditing E-Commerce Activities
Regarding risk and control issues, it is important that the internal auditor avoids getting caught up in the
uniqueness of the environment and lose sight of the primary objective, which is they ensure that all ecommerce processes have effective internal controls.
48
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Other types of Operational Engagements
The audit objectives for an e-commerce engagement may include:
•
Evidence of e-commerce transactions
•
Availability and reliability of a security system
•
Effective interface between e-commerce and financial systems
•
Security of monetary transactions
•
Effectiveness of the customer authentication process
•
Adequacy of business continuity processes, including the resumption of operations
•
Compliance with common security standards
•
Effective use and control of digital signatures
•
Adequacy of systems, policies, and procedures to control Public Key Certificates (using public key
cryptographic techniques)
•
Adequacy and timeliness of operating data and information
•
Documented evidence of an effective system of internal control
While the specific audit of an e-commerce activity will vary depending on the industry, country, and legal and
business models, there are possible e-commerce audit protocols that can be followed for key areas. These
protocols include the following:
E-Commerce Organization. The internal auditor should do the following:
•
Determine the value of transactions
•
Identify the stakeholders (external and internal)
•
Review the change in management process
•
Review the business plan for e-commerce activities
•
Evaluate the policies over Public Key Certificates
•
Review the digital signature procedures
•
Examine service level agreements between buyers, suppliers, and the certification authority
•
Ascertain the quality assurance policy
•
Assess the privacy policy and compliance in e-commerce activities
•
Assess the incident response capability
Fraud. The internal auditor should be alert for the following conditions:
•
The unauthorized transfer of money (that is, the transfer of funds to jurisdictions where the recovery
of funds would be difficult)
•
Duplication of payments
•
Denial of orders placed or received, goods received, or payments made
•
Exception reports and procedures and effectiveness of the follow-up
•
Digital signatures (Are they used for all transactions? Who authorizes them? Who has access to
them?)
•
Protection against viruses and hackers
•
Access rights (Are they reviewed regularly? Are they promptly revised when staff members are
changed?)
•
History of interception of transactions by unauthorized persons
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
49
Other types of Operational Engagements
CIA Part 2
Authentication. The internal auditor should review the policies for authenticating transactions and evaluating
controls:
•
Evidence of regular reviews
•
CSA tools used by management
•
Regular independent checks
•
Segregation of duties
•
Tools that management should have in place (such as firewalls, password management, independent
reconciliation and audit trails)
Corruption of Data. The internal auditor should evaluate controls over data integrity:
•
Catalogues, rates and prices (Who can amend them? What is the approval mechanism?)
•
Audit trails (How can they be destroyed?)
•
Bulletin board announcements (Who can approve them?)
•
Ordering and recording (What are their procedures?)
•
On-line tendering (Does the process provide adequate documentation?)
•
Tools that should be in place include intrusion management (monitoring software, automatic
timeout, trend analysis), physical security for servers, change controls and reconciliation
Business Interruptions. The internal auditor should review the business continuity plan and determine if it
has been tested. Management should have devised an alternative means to process transactions in the event
of an interruption. Therefore, management should have a process in place to address the following conditions:
•
Volume attacks
•
Denial of service (DoS) attacks
•
Inadequacies in interfacing between e-commerce and financial management systems
•
Backup facilities
•
Strategies to counter hacking, intrusion, cracking, viruses, worms, Trojan horses, and back doors
Management issues. The internal auditor should evaluate how well business units are managing the ecommerce process. The following are some relevant topics:
•
Project management reviews of individual initiatives and development projects
•
System Development Life Cycle reviews
•
Vendor selection, vendor capabilities, employee confidentiality, and bonding
•
Post-implementation economic reviews (Are anticipated benefits being achieved? What metrics are
being used to measure success?)
•
Post-implementation process reviews (Are new processes in place and working effectively?)
Question 35: The audit of an e-commerce system contains all the following except:
a)
Understanding the information flow.
b)
Evaluating the business continuity and disaster recovery plans.
c)
Assessing the internal structure, including the tone set by senior management.
d)
Ensuring that the goals and objectives are achievable.
(HOCK)
50
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Other types of Operational Engagements
Due Diligence Engagements
Due diligence engagements are usually performed in connection with a potential acquisition, joint venture, or
divestiture. The purpose of the engagement is to validate the reasons for making the transaction or
identifying problems that need to be resolved prior to undertaking the transaction. External professional
advisors are normally part of the team, often leading it.
Due diligence is essentially a way of preventing unnecessary harm to either party involved in a transaction.
Part of any preliminary agreement to purchase a business must be an authorization to gain access to the
books and the facilities of the seller in order to perform the due diligence audit. Offers to purchase a business
or an asset are usually dependent upon the results of due diligence analysis, which includes reviewing all
financial records and anything else that may be material to the transaction. A seller might also perform a due
diligence analysis on the buyer to determine the buyer’s ability to purchase, as well as other items that would
affect the purchased entity or the seller after the sale has been completed.
An example of a due diligence audit situation is an environmental audit relating to the acquisition of land. The
audit’s objective would be to evaluate the property for potential environmental contamination in order to
determine whether or not liability for environmental cleanup would be associated with the purchase. The
owner of a piece of property may be held responsible for environmental contamination caused by previous
owners, and the potential liability connected with an acquisition could be greater than the market value of the
land.
Environmental due diligence audits were first developed by lenders to prevent liabilities for properties in
their loan portfolios. These audits have now become standard requirements for all loans and investments in
real property. The liability assessment will consist of preliminary activities, a site visit, review of records
including prior uses of the land, a regulatory review, a geologic and hydrogeologic review, and a report. If the
liability assessment indicates possible contamination, confirmation sampling is conducted. For any confirmed
contamination, the next step is to characterize and assess the nature and extent of the contamination and
identify appropriate cleanup technologies. Such an audit would naturally require specialized knowledge and
technical expertise that would need to be sought outside.
Note: The term “due diligence” also refers to the accountants’ legal defense against liability for mistakes in
a securities registration statement. In this case, due diligence means performing all the standard duties
expected of an accountant. Following professional standards is normally enough to prove due diligence and
is a defense against fraud and negligence.
Question 36: Internal auditors are often called upon to either perform or assist the external auditor in
performing a due diligence review. A due diligence review may be:
a)
A review of interim financial statements as directed by an underwriting firm.
b)
An operational audit of a division of an organization to determine if divisional management is
complying with laws and regulators.
c)
A review of operations as requested by the audit committee to determine whether the operations
comply with audit committee and operational policies.
d)
A review of financial statements and related disclosures in conjunction with a potential acquisition.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
51
Other types of Operational Engagements
CIA Part 2
Question 37: An organization is considering purchasing a small toxic waste disposal business.
The internal auditors are part of the team doing a due diligence review of the acquisition. The scope of the
internal auditors’ work will most likely not include:
a)
An evaluation of the merit of lawsuits currently filed against the acquiree.
b)
A review of the acquiree’s procedures for acceptance of waste material and comparison with legal
requirements.
c)
Analysis of the acquiree’s compliance with, and disclosure of, loan covenants.
d)
Assessment of the efficiency of the operations of the acquiree.
(CIA Adapted)
Question 38: The purchase price of a newly acquired subsidiary depends on the subsidiary’s profitability
during the first year following its acquisition. The former owners of the subsidiary will continue to manage
it. In conducting an engagement involving the subsidiary, internal auditors should pay special attention to
the:
a)
Fixed asset capitalization procedures.
b)
Payroll disbursement procedures.
c)
Bank account reconciliation procedures.
d)
Vendor invoice approval procedures.
(CIA Adapted)
Business Continuity Planning Engagements
Business continuity refers to the organization’s ability to continue operating during a crisis or disaster and its
ability to restart operations after an interruption. These crises or disasters may be natural (hurricanes, floods)
or manmade (war, economic crisis). Many business experts believe it is not a matter of if a crisis or disaster
will occur, but rather when. In this respect, advance planning is vital to an organization in order for it to
minimize losses and ensure continuity of its business activities.
The IAA should assess the business continuity planning process periodically to ensure that it is current and
reflects the issues most likely to face the organization. These plans need to be reviewed as the situation of
the business changes and the technology of the business changes. For example, twenty years ago company
documents were mainly kept as hard copies and usually only one copy existed at any given time. Today,
however, multiple soft copies and hard copies need to be kept and maintained. Accordingly, the security
issues for securing paper documents and electronic documents are very different.
Internal auditors can assist in planning for disasters and other interruptions to the business, evaluating the
design and comprehensiveness of the plan after it has been drawn up, and performing periodic assurance
engagements to verify that the plan is kept up-to-date. When the internal auditor is involved in the
development of the plan, care must be taken so that the internal auditor does not have ownership of the plan,
because there would then be independence issues in later engagements involving the plan.
52
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Other types of Operational Engagements
Planning
Organizations rely upon internal auditors for analysis of operations and assessment of risk management and
control processes. Internal auditors acquire an understanding of the overall business operations and the
individual functions and how they interrelate with one another. This knowledge and experience position the
internal audit activity as a valuable resource in evaluating the disaster recovery plan during its formulation
process.
The IAA can help with an assessment of an organization’s internal and external environment. Internal factors
to consider include the turnover of management and changes in information systems, controls and major
projects, and programs. External factors may include changes in outside regulatory and business environments, competitive conditions, international financial and economic conditions, and technological changes.
Internal auditors can help identify risks involving critical business activities and prioritize functions for
recovery purposes.
Evaluation
Internal auditors can be objective participants when they review the proposed business continuity and
disaster recovery plans for design, completeness, and overall adequacy. The auditor can examine the plan to
ensure that it reflects the operations that have been included and evaluated in the risk assessment process
and that the plan contains sufficient internal control concerns and prescriptions.
Periodic Assurance Engagements
Internal auditors should periodically audit the organization’s business continuity and disaster recovery plans.
The audit objective is to verify that the plans are adequate to ensure the timely resumption of operations and
processes after adverse circumstances and that they reflect the current business-operating environment.
Business continuity and disaster recovery plans can become outdated very quickly. Coping with and
responding to changes is an inevitable part of the task of management. Turnover of managers and executives
along with changes in system configurations, interfaces, and software can have a major impact on these
plans. The IAA should examine the recovery plan to determine the following questions:
•
It is structured to incorporate important changes that could take place over time?
•
Will the revised plan be sent to the appropriate people inside and outside the organization?
During the audit, internal auditors should consider the following:
•
Are all plans up-to-date? Do procedures exist for updating the plans?
•
Are all critical business functions and systems covered by the plans? If not, are the reasons for
omissions documented?
•
Are the plans based on the risks and potential consequences of business interruptions?
•
Are the plans fully documented and in accordance with organizational policies and procedures? Have
functional responsibilities been assigned?
•
Is the organization capable of and prepared to implement the plans?
•
Are the plans tested and revised based on the results?
•
Are the plans stored properly and safely? Is the location of and access to the plans known to management?
•
Are the locations of alternate facilities (back-up sites) known to employees?
•
Do the plans call for coordination with local emergency services?
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
53
Quality Engagements
CIA Part 2
The Internal Auditor’s Role after a Disaster
The internal auditor has an important role to play immediately after a disaster. A company is most
vulnerable soon after a disaster occurs and the company is trying to recover. This is the time when there is
the greatest threat to lapses in controls and procedures and could lead to exploitation (internally or
externally).
During the recovery process the internal auditor should:
•
Supervise the effectiveness of the recovery and control of operations
•
Identify areas where controls and mitigating actions can be improved
•
Recommend improvements to the business continuity plan
•
Possibly provide support during the recovery activity
Within a period of several months after a disaster, the internal auditor can assist the company by identifying
the lessons learned from the disaster and recovery operations and make recommendations to enhance the
processes of the business continuity plan.
It is senior management that ultimately decides the degree of the internal auditors’ involvement in business
continuity and disaster recovery, considering their skills, knowledge, independence and objectivity.
Question 39: Internal auditors can play a role in the business continuity process. Which of the following is
not a role that is played by internal auditors in the business continuity or disaster recovery plan?
a)
Assist with the risk analysis.
b)
Evaluate the design and comprehensiveness of the plan after it has been drawn up.
c)
Decide what involvement they will play in the disaster recovery process.
d)
Perform periodic assurance engagements to verify that the plan is kept up-to-date.
(HOCK)
Quality Engagements
Total Quality Management (TQM) was invented in the US but perfected in Japan. Its objectives are to
increase revenue by focusing on client satisfaction and to decrease costs by lowering waste and improving
efficiency through continuous improvement in company performance. Continuous improvement is one of
internal audits’ key objectives, and therefore the internal audit activity has an assured role in the TQM
process. TQM pursues the approach of “right first time” and zero-tolerance of wastage. Teamwork,
training, empowerment, and allowing innovation from all levels are key components to this process.
A central tenet of TQM is that every department has a customer, and this customer must be kept in mind at
all times. For some departments, the customer may exist internally within the organization itself, but such a
person is still considered a customer. Identifying the needs of this customer enables the provider to improve
areas that require enhancement and to eliminate unnecessary tasks. Everyone within an organization has a
role to play in the process of adopting and implementing TQM because everyone has an impact on the overall
quality of the product or service being produced.
A quality audit engagement refers to the audit of a function or unit within the organization to ensure that it
is meeting its defined quality standards. If there are no defined standards, then the auditor should coordinate
with management to establish such standards.
In cases where a quality assurance department or other quality team performs regular audits, the internal
auditor could coordinate with such a department. It may even become possible for this department to become
part of the internal audit function.
54
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Quality Engagements
Benchmarking
Benchmarking is a primary tool in implementing TQM. Benchmarking can help an organization with its
productivity management and business process review. Thus, it is a source of consulting services for
internal auditors.
In benchmarking, a company using the standards set by other companies as a target or model for its own
operations. This process is also known as best practices. A company tries to emulate the best companies in
the world by adopting the same strategies that they employed in order to become highly successful. By
striving to meet the standards of the best companies, an organization may be able to create a competitive
advantage by achieving a higher standard than its competitors. Both financial and nonfinancial measures can
serve as appropriate benchmarks for a company’s goals.
The benchmark company does not necessarily need to be in the same industry or country as the company
that is trying to improve itself. It simply needs to share the same process or objective. For example, the
inventory management should be largely the same in any country, so a company that is very effective and
efficient in inventory management may be able to be used as a benchmark by companies in many other
countries or industries.
Benchmarking Process
1. Select and prioritize
benchmarking
projects
2. Organize
benchmarking teams
3. Researching and
identifying the bestin-class practices
4. Analyzing the critical
success factors of the
best-in-class practices
5. Implementation phase
6. Follow up and
feedback
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
55
Quality Engagements
CIA Part 2
Types of Benchmarks
Benchmarks can be financial or nonfinancial:
•
Financial benchmarks: Uses numbers to make a comparison, such as profitability, cost of production per unit, and so forth.
•
Nonfinancial benchmarks: Makes a comparison based on other factors besides financial numbers,
such as the percentage of on-time deliveries or percentage of satisfied customers.
Benchmarks can also be internal or external:
•
Internal benchmarks: A company compares against its own internal divisions, processes, functions, or departments.
•
External benchmarks: A company makes an external comparison, most commonly against a
competitor.
Other types of benchmarks are:
•
Functional benchmarks: This is a comparison with organizations that operate within the same
technological area. It provides information on what is being achieved in the company’s business.
•
Competitive benchmarks: This is a comparison with the best of a company’s competitors.
•
Generic benchmark: This benchmark compares processes that are virtually the same, regardless of
the industry or production line (such as document processing). This type of benchmarking is not as
helpful as comparison of processes that are the same.
Question 40: An example of an internal, nonfinancial benchmark is
a)
The labor rate of comparably skilled employees at a major competitor’s plant.
b)
The average cost per pound of a specific product at the company’s most efficient plant.
c)
A $40,000 limit on the cost of employee training programs at each of the company’s plants.
d)
The percentage of customer orders delivered on time at the company’s most efficient plant.
(CIA Adapted)
Limitations of Benchmarking
When done correctly, benchmarking can be a source of competitive advantage. However, a company’s benchmarking should not violate antitrust laws or unfair trade practices. Benchmarking itself is not anticompetitive, but companies need to be careful about their sources of information. Information gained from
the Internet, research books, or other outside sources are acceptable. Engaging in discussion about pricing
schemes with competitors, on the other hand, could draw the attention of regulators.
Some other possible issues or limitations of benchmarking are as follows:
56
•
Appropriate benchmarks make apples-to-apples comparisons. Companies can and do gather a lot
of different types of data, but in many cases the source of the data may be questionable, thereby
causing comparison errors and causing the company to spend time reconciling data that ends up not
being useful.
•
Improper benchmarking may lead to a loss of focus on customers and employees. From the
employee standpoint, companies that quickly try to produce better numbers could lead to burnout,
errors, and low morale. Also, a company that is trying to meet a certain numeric goal (for example,
by hastening its receivables and delaying payables) could end up adversely angering customers and
suppliers.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
•
Quality Engagements
Benchmarking can fail due to a lack of proper implementation. If the benchmarking process is
improperly implemented (for example, by not getting top management’s complete support or by not
involving employees during the process), then it may likely fail. The participation of management
and employees is a critical component to the success of benchmarking.
ISO 9000 Quality Standards Audits
In 1987, the International Organization for Standardization (ISO) introduced ISO 9000, a series of
standards designed to provide a level of quality assurance. There is no legal requirement for companies to
adopt the ISO standards and qualify for ISO 9000 certification, but many companies have done so to compete
internationally. In order to qualify for ISO 9000 certification, a firm’s compliance with ISO 9000 standards
must be certified by an external auditor. However, a review by internal auditors can provide information
about areas for improvement before the external audit takes place.
The ISO 9000 series is a set of five standards.
1)
ISO 9000 describes fundamental quality concepts and provides guidelines as to which standard is
appropriate for a particular company.
2)
ISO 9001 provides a model for quality assurance in design and development, production, installation, and servicing.
3)
ISO 9002 provides a model for quality assurance in production and installation. It also addresses the
prevention, detection, and correction of problems in industries in which work is based on
designs and specifications supplied by customers.
4)
ISO 9003 provides a model for quality assurance in final inspection and testing.
5)
ISO 9004 helps a company develop and implement an internal quality system or evaluate an
existing system.
These standards are not set to assure the quality of an individual product, but rather to assure that
the quality is the same throughout all of that type of product produced by the company. The five
standards say only what should be achieved but are silent about how to achieve them. They are targets
rather than specific instructions.
Note: In addition to these ISO standards, other ISO standards have been developed.
The ISO has also promoted a set of environmental standards known as ISO 14000. These standards are
similar to the ISO 9000 standards but focus on environmental quality systems. This standard is applicable
to any organization that wishes to establish, implement, maintain, and improve an environmental management system in order to assure itself that it conforms to its stated environmental policy and demonstrates
conformity with ISO 14001.
ISO 19011 is applicable to all organizations that need to conduct internal or external audits of management
systems or manage an audit program.
ISO Audit Engagements
The scope of an ISO 9000 quality audit may involve a number of areas, such as physical location, organizational units, activities and processes to be audited, and the time period to be covered.
The audit will determine conformity with applicable policies, procedures, standards, laws and regulations,
management requirements, contract requirements, and industry or business sector codes of conduct.
Preparation for the audit should include review of the auditee’s documentation, including management system
records and previous audit reports.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
57
Quality Engagements
CIA Part 2
The audit itself includes:
•
Interviews with employees, observations of activities and the work environment and conditions
•
A review of inspection records, records of monitoring programs, and results of measurements
•
Inquiries to obtain information on the auditee’s sampling programs and on control of sampling and
measurement procedures
•
Customer and supplier feedback
•
Information from databases and websites
Information relevant to the audit objectives, scope, and criteria should be collected through sampling and
should be verified.
An auditor performing an ISO 9000 audit should be familiar with applicable laws, regulations, and other
requirements that apply to the organization or the unit, including local and national regulations, contracts and
agreements, and international treaties and conventions.
Quality management system auditors should also understand quality terminology, quality management
principles, and tools such as statistical process control. The basic idea of statistical process control is that a
stable production process should produce products whose attributes conform to a stable statistical
distribution. A lack of this statistical stability in the process indicates problems. Thus, by monitoring the
statistical stability of a particular production process, an operator can recognize if production is out of control
and product quality is in jeopardy. When variation occurs, the process needs to be adjusted in order to regain
statistical stability and good quality control. The goal is to improve the mean of the distribution and reduce
the variation. Subsequent quality control would then be monitored with reference to the improved mean and
new distribution. A quality audit requires verification of the reliability and integrity of the statistical control
system and also employees capable of understanding and using the system.
In addition, the quality auditor also needs to be familiar with sector-specific terminology and sector-specific
processes and practices, as well as the technical characteristics of processes, products, and services. It may
be necessary to use technical experts if the auditors on the audit team do not have the necessary knowledge
and skills.
Physical Security Audit Engagements
A physical security audit involves ensuring that an organization’s physical facilities are properly secured and
that the environment is safe for management and staff. It includes perimeter security, proximity security, and
physical security of the premises.
Perimeter security auditing requires a review of the property boundaries and a boundary risk assessment,
including documenting risks on a site map. Risks can include rail lines, roads, unsecured access points,
improperly lighted areas, power lines, phone lines, and other service access points. All cameras and
surveillance equipment should be documented. All guard stations should be identified and assessed as to
whether they are manned or unmanned, whether there are barriers, whether they have telephone access,
emergency panic buttons, and camera surveillance. The auditor should attempt to gain unauthorized access
both by bypassing the guard station and by using “social engineering” (for example, attempting to pass
through security without credentials by using a convincing excuse). Lighting should be sufficient to deter
intruders.
Proximity security involves determining whether the buildings are subject to risks from nearby items or
buildings, whether vehicles entering the proximity of the building are inspected for weapons or other
hazardous materials, whether there are procedures in place to ensure that visitors have business in the
facility, whether all entrances are properly protected, and whether there is camera surveillance.
Physical security includes determining whether building entry points are properly secured. The facility
should be toured to identify and document security and safety issues. The location and characteristics of
58
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Quality Engagements
windows are important because they are highly vulnerable to forced entry. All doors should be hung on hinges
that are not removable. If key card access is used, determine whether the key card server is secure and
review administrative procedures for access cards. The process should require proper authorization and
background checks. Employees should have badges and visitors should also be provided with entry
credentials. Visitors to restricted areas should be escorted at all times. Surveillance equipment should be
identified and documented, and it should be determined whether security staff monitors the surveillance
equipment.
Employees should be able to have a guard escort them to their cars after hours or any time it is necessary.
Furthermore, employees should be required to attend training sessions that explain procedures in case of a
fire or bomb threat.
Physical assets such as inventory are also part of a security audit. The auditor should determine how
frequently inventory is taken as a basic control for detecting theft, and there should be surveillance
equipment in the inventory area.
Information systems’ physical security and logical security are separate topics, and they are covered in the
Information Systems section of Part 3.
Audits of Third Parties
A “third party” is a service provider that processes transactions between a business and its clients, its
employees, or its trading partners. An audit of a third party would be appropriate when maintaining a smooth
operation is directly linked to the continued work of the third party.
However, this type of audit can be conducted only with the approval of the third party. Therefore, approval
should be received up front through the contract process. A contract with a service provider should specifically
state the scope of the service to be provided, service standards, and minimum acceptable service provider
characteristics (such as process controls and financial condition). Additionally, if auditing of the provider is
necessary, the contract should include the right to audit.
Note: The requirements of the Sarbanes-Oxley Act make third party audit reports even more important
to the process of reporting on effective internal controls at service organizations. Requirements under
Sarbanes-Oxley include management’s quarterly certification of their financial results and management’s
annual assertion that internal controls over financial reporting are effective. In order for management to
make this annual assertion on the effectiveness of its internal control, it must document and evaluate all
controls that are deemed significant to the financial reporting process. If the organization uses a service
provider to process transactions, host data, or provide other significant services, management will need to
audit the design and operating effectiveness of the service organization's controls.
Examples of third party engagement include an electronic data interchange (EDI) provider or a third party
administrator of employee benefits for employees. In third-party situations, the company is the first party,
the company’s clients, employees, and trading partners are the second party, and the service provider is the
third party.
Service providers must be able to demonstrate that they have adequate controls and safeguards when they
host or process data belonging to their customers and their customers’ clients.
A third party audit may be performed either by internal auditors or by an outside, independent auditor. The
decision whether to audit internally or to contract for the third party audit should depend upon the risk
assessment made by management and whether management feels it can rely on internal auditors, or if there
is a need for external auditors (for example, if specialized knowledge is required). Furthermore, if a company
uses outside auditors for a third-party audit, they should ensure that the independent auditor is qualified to
perform the work, that the scope satisfies their own audit objectives, and that any significant reported
deficiencies are corrected.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
59
Quality Engagements
CIA Part 2
The scope of a third party audit will depend upon the situation. In an audit of a third party, the auditor needs
to obtain an understanding of the third party’s internal control that is sufficient to plan the audit. This
understanding is especially important if the service provider is providing transaction processing or other data
processing services to the user organization. The auditor needs to be aware of any and all applicable federal
and state laws and regulations, such as personal data privacy laws, that apply to the service provider in order
to ascertain whether the service provider is in compliance.
Contract Auditing
Contract auditing usually refers to the auditing of construction-type contracts or operating contracts.
There are three types of contracts that are discussed below, and after each type is a list of potential risks
related to that type of contract.
1)
Lump-Sum Contracts: These contracts give a total price in accordance with specifications or
requirements. Even though the final price is set and determined, there may be considerations given to
the contract including progress payments, escalation clauses, delay penalties, and adjustments for some
costs (such as field labor or significant raw materials). These types of contracts are rarely completed
without some kind of modification. If the contract is executed in accordance with the contract and with
little or no modification, then there is usually no need for an internal auditor. Audit challenges arise as a
result of the changes that complicate the contract details.
Some of the risks associated with lump-sum contracts are:
2)
•
Inadequate competition, insurance, or bond coverage
•
Certification of completion when work is not completed
•
Charges for equipment or activities that are not received
•
Escalation provisions may be used even if the event that triggers the price escalation has not happened
•
Changes in specifications or prices and authorization for extras and revisions may allow a contract to
grow in size outside of the formal tender and authorization process
•
Extras, changes, and revisions that are already part of the original contract may be charged again
•
Additional charges may be added for overhead items that should not be included
•
Content of change orders, including appropriate fees, may not be appropriately authorized
•
Inadequate inspection relative to specifications
Cost-Plus Contracts: With these contracts, the buyer pays the cost of performing the contract plus a
fixed dollar amount or percentage of the cost to the contractor. These types of contracts can cause
problems because the contract generally does not have an incentive for economy or efficiency on the
part of the producer. This type of contract is used when dealing with projects with numerous and significant unknown factors. Audit challenges arise since the cost-savings motive may not be emphasized
when the contract is being executed. The internal auditor of the purchasing company will likely be
involved in the monitoring of the costs that are charged to the contract.
The risks associated with cost-plus contracts are:
60
•
Overhead costs also billed directly
•
Inadequate internal controls by contractor over charges for people, materials, and services
•
Unreasonable charges for use of contractor-owned equipment
•
Excessive manning of the project
•
No effort to obtain best prices for materials and equipment
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
3)
Quality Engagements
•
Billings in excess of the amounts the contractor pays for labor or material
•
Failure to credit project for discounts, insurance rate refunds, or returned or salvaged material
•
Duplication of effort or costs between headquarters and field offices
•
Inadequate job-site supervision or inspection by contractor or by architect engineers
•
Inadequate communication and follow-up from the headquarters office
•
Unreliable cost accounting and reporting procedures by a contractor
•
Billing supervision as direct labor in violation of contract terms
•
Idle rented equipment
•
Poor work practices and poor quality
•
Extravagant use or early arrival of materials and supplies
•
Excessively high standards for and poor physical protection of materials and equipment
•
Lack of control over absences of contractor employees and uncontrolled overtime
•
Cost-plus type work going simultaneously with fixed-type work
•
Excessive costs incurred because of a contractor’s negligence
Unit-Price Contracts: These are contracts where the cost-per unit is set but the total units will be
specified as the contract is being executed (such as hectares to be cleared, cubic meters to be hauled or
square meters to be patrolled by a security service).
The risks associated with unit-price contracts are:
•
Excessive progress payments
•
Improper reporting of units completed
•
Prices bearing no relation to cost
•
Improper changes to the original contract
•
Unauthorized escalation adjustments
•
Inaccurate field records or inaccurate extension of unit prices
In order to protect the interests of the company, it is recommended that internal auditors play a role
throughout the contracting process. Internal auditors should support the evaluation of the following:
•
Bidding procedures (such as competitive bidding)
•
Cost estimates and cost controls
•
Tax treatments
•
Terms of the contract and progress payment plans
•
Budgets and financial forecasting, availability of resources and sources of funding
•
Contractor’s accounting and management systems
•
Required performance bond
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
61
Quality Engagements
CIA Part 2
Privacy Audit Engagements
“Privacy” refers to an individual’s right to be left alone and for personal information to be protected by
individuals or entities that possess such information.
Internal auditors need to make certain that, in addition to the physical security of the information, the privacy
of the information is also maintained and the information is not distributed to unauthorized people, even
within the organization. For example, the details of a customer maintained in the company’s database should
not be disclosed to a third party without the proper consent of the customer. This disclosure refers to both
sensitive information (such as social security numbers, credit card numbers, bank accounts, credit records,
loan information) and less sensitive information (such as home phone number, email address, income, blood
type).
Privacy concerns exist at all aspects of an organization, from its paper-based records to its internal databases
to its policies of data collection on its website.
The implications of privacy vulnerabilities on a company and on individuals are numerous. To the
individual, unauthorized disclosure of private information could be embarrassing, inconvenient, and even
cause financial loss. For a company, disclosing or losing control of private information could lead to lawsuits,
penalties, fines and, of particular importance, negative publicity. Therefore, privacy security is of major
importance for organizations and the reason for which organizations spend considerable resources to avoid
these vulnerabilities.
Note: Even though there is no guaranteed security, organizations have the responsibility to ensure that
all reasonable measures have been enacted to safeguard data and information.
Most countries have laws and regulations to protect personal data and information, but application of these
laws and their enforcement will vary. In addition, the types of personal data and information that should be
protected, and the degree to which they should be protected, vary between countries and also among
industries and organizations. Thus, it is the internal auditor’s responsibility to evaluate the privacy
framework, identify significant risks, evaluate controls and make recommendations for improvements.
During the process of evaluating the privacy framework, the internal auditor should be aware of the
following issues:
62
•
Compliance with governmental statutory and regulatory mandates. The internal auditor should
consult with legal counsel (possibly in-house) to determine which laws, regulations, and other standards apply to the organization and country of business and ensure that management is aware of
these requirements.
•
Evaluate the organization’s existing policies and procedures. Before an audit can be conducted, the organization should have a policy statement on privacy in place. The privacy policy should be
developed with knowledge of the applicable laws and regulations.
•
Protection of personal information to ensure that all possible controls are in place and that these
controls are regularly reviewed and assessed.
•
Documenting that the laws and regulations are being complied with.
•
Deciding whether the benefits of additional security measures exceed the costs.
•
Ethical imperative of maintaining the confidentiality of the private information. With regards to the
Code of Ethics, the rules state that internal auditors:
1)
Shall be prudent in the use and protection of information acquired during the audit.
2)
Shall not use information for any personal gain or in any manner that would be contrary to the
law or be detrimental to the legitimate and ethical objectives of the organization.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Quality Engagements
Identifying significant risks includes the following considerations:
•
Consider organization information, such as organization size, geographic locations, number of customers served, percentage of transactions completed over the Internet, and recent history of
significant data security breaches.
•
Consider data characteristics, such as the nature of data collected (sensitive or non-sensitive personal information, information subject to specific regulatory requirements such as medical
information, financial information, or information collected from children under the age of 13).
•
Who is collecting information? How is each type of information being used, and what uses are permitted with respect to each type of information?
•
Which information is being collected without a user’s explicit knowledge and consent, such as in
website logs and “cookies”?
•
How is each type of information being stored, and what opportunities are there for breaches to
occur, both from outside access or unauthorized internal access?
•
Map the data flows. What information is moving within your organization? Which information is
moving from your organization to third parties?
•
To whom, and under what circumstances, may information belonging to each class be disclosed?
•
At what point is information destroyed? Who is responsible for its destruction?
Evaluating controls includes evaluating administrative controls, technical controls, physical controls, and
other controls, and involves the following considerations:
•
Which administrative controls are in place? For example, employee education programs concerning the privacy policy, initial screening of employees who will have broad access to data, internal
control over security practices of third-party vendors or service providers, specific procedures for
outsourced IT and data management, initial due diligence, contractual controls, or controls over collection, use and disclosure of information.
•
Which technical controls are in place? For example, sound password practices, restricted access
on a need-to-know basis, access logs, encryption, firewalls, intrusion detection systems, procedures
for updating operating systems and security software, or presence of personal information limited on
mobile devices (such as notebook computers). Which restrictions are in place to control merging of
sensitive data with unprotected data?
•
Which physical controls are in place? For example, restricted access to data centers, restriction
of removal of mobile devices from secured premises, termination of remote access if mobile equipment is compromised, or secure shredding bins.
•
Other controls include website privacy issues. For example: How can users opt out of having
their personal information used for purposes unrelated to the purposes for which the information was
collected (such as email communications)? What information can website users access, modify, and
correct? What verification mechanisms are in place to verify the identity of users who wish to access
or correct their personal information? Is the user informed when there is a change in their personal
information or a change in the use of it?
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
63
Quality Engagements
CIA Part 2
Question 41: During the survey phase of an engagement to evaluate the organization’s production cycle,
management stated that the sale of scrap was well controlled. Information to verify that assertion can
best be gained by:
a)
Comparing current revenue from scrap sales with that of prior periods.
b)
Interviewing persons responsible for collecting and storing the scrap.
c)
Comparing the quantities of scrap expected from the production process with the quantities sold.
d)
Comparing the results of a physical inventory of scrap on hand with perpetual inventory records.
(CIA Adapted)
Question 42: To control daily operating costs, an organization decreased the number of times a messenger service was used each day. Despite those measures, the monthly bill continued to increase. What
procedure should the internal auditor use to detect whether improper services were being billed?
a)
Test the mathematical accuracy of a sample of messenger invoices.
b)
Scan ledger accounts and messenger invoices.
c)
Observe daily use of the messenger service.
d)
Reconcile a sample of messenger invoices to pick up receipts.
(CIA Adapted)
Question 43: An organization recently entered into a cost-plus contract to build a new and larger
manufacturing plant. Which of the following procedures would be of most importance to the internal
auditor reviewing this contract?
a)
Review the contract for a specific date of completion.
b)
Review the contract and all of the related bids received to ascertain that the organization selected
the contractor with the lowest bid.
c)
Review the contract to ascertain that it contains a provision for the right of system and cost review
of the contractor.
d)
Review the business integrity of the contractor through direct inquiry.
(CIA Adapted)
Question 44: The most persuasive means of assessing production quality control is to
a)
Analyze labor efficiency variances.
b)
Analyze materials efficiency variances.
c)
Evaluate the production-inventory-sales mix.
d)
Evaluate the number of, and reasons for, sales adjustments (including returns).
(CIA Adapted)
64
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Consulting Services
Question 45: The cross-reference of individual payroll time cards to personnel department records and
reports allows an internal auditor to conclude that:
a)
Individuals were paid only for time worked.
b)
Individuals are bona fide (legitimate) employees.
c)
Individuals were paid at the proper rates.
d)
Personnel department records agree with payroll accounting records.
(CIA Adapted)
Question 46: The internal auditor is evaluating the effectiveness of a sales commission plan adopted
twelve months earlier. An engagement procedure likely to provide strong support for the plan’s effectiveness is to:
a)
Calculate the percentage change in monthly sales by product line for the last three years.
b)
Compare monthly selling costs of this year with those of the two preceding years.
c)
Regress monthly indices of external economic conditions against sales for the two preceding years
and compare predictions with reported sales.
d)
Compare the ratio of selling costs per dollar of sales each month for the past year with that of other
organizations in the industry.
(CIA Adapted)
Consulting Services
The IIA defines consulting services as:
Advisory and related client service activities, the nature and scope of which are agreed with the client
and which are intended to add value and improve an organization’s governance, risk management
and control processes without the internal auditor assuming management responsibility. Examples
include counsel, advice, facilitation and training.
Management studies or consultancy projects are being increasingly undertaken by internal auditors.
Some of these projects also involve outside experts in addition to the internal auditors.
In the performance of these consulting-type engagements, internal auditors have the advantage of knowing
the organization and staff, as well as skills that are specific to the business. By either leading the project or by
being a team member, the internal auditor can accelerate progress on such a project.
Based on the IIA syllabus, the types of consulting engagements that the IAA may be engaged in are:
•
Providing internal control testing
•
Providing support and assistance to the business process reviews
•
Benchmarking (previously discussed in the quality engagement section, above)
•
Providing information technology support and assistance in the systems analysis and development
(discussed under the IT audit engagement)
•
Designing performance measurement systems
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
65
Consulting Services
CIA Part 2
Principles Guiding the Performance of Consulting Activities of Internal Auditors
The IIA’s previously published Practice Advisories (2006) lists twelve principles (formerly PA 1000.C1-1) that
were intended to guide internal auditors during the performance of consulting engagements. Even though
these Practice Advisories have since been eliminated, we believe that the principles can still serve as a useful
guide for internal auditors. The twelve principles are:
66
1)
Value Proposition: The value proposition of the internal audit activity is realized within every
organization that employs internal auditors in a manner that suits its culture and resources. The value proposition is captured in the definition of internal auditing and includes assurance and consulting
activities designed to add value to the organization by bringing a systematic, disciplined approach
to the areas of governance, risk, and control.
2)
Consistency with Internal Audit Definition: A disciplined, systematic evaluation methodology is
incorporated in each internal audit activity. The list of services can generally be incorporated into the
broad categories of assurance and consulting. However, the services may also include evolving forms
of value-adding services that are consistent with the broad definition of internal auditing.
3)
Audit Activities beyond Assurance and Consulting: There are multiple internal auditing services.
Assurance and consulting are not mutually exclusive and do not preclude other auditing services
(such as investigations and non-auditing roles). Many audit services will have both an assurance and
consultative or advising role.
4)
Interrelationship between Assurance and Consulting: Internal audit consulting enriches valueadding internal auditing. While consulting is often the direct result of assurance services, it should
also be recognized that assurance could also be generated from consulting engagements.
5)
Empower Consulting through the Internal Audit Charter: Internal auditors have traditionally
performed many types of consulting services, ranging from the analysis of controls built into developing systems, analysis of security products, serving on task forces to analyze operations and make
recommendations, and so forth. The board (or Audit Committee) should empower the internal audit
activity to perform additional services where they do not represent a conflict of interest or detract
from its obligations to the committee. That empowerment should be reflected in the internal audit
charter.
6)
Objectivity: Consulting services may enhance the auditor’s understanding of business processes or
issues related to an assurance engagement and do not necessarily impair the auditor’s or the internal audit activity’s objectivity. Internal auditing is not a management decision-making function.
Decisions to adopt or implement recommendations made as a result of an internal auditing advisory
service should be made by management. Therefore, internal auditing objectivity should not be impaired by the decisions made by management.
7)
Internal Audit Foundation for Consulting Services: Much of consulting is a natural extension of
assurance and investigative services and may represent informal or formal advice, analysis or assessments. The internal audit activity is uniquely positioned to perform this type of consulting work
based on its adherence to the highest standards of objectivity and its breadth of knowledge about
organizational processes, risk, and strategies.
8)
Communication of Fundamental Information: A primary internal auditing value is to provide
assurance to senior management and audit committee directors. Consulting engagements cannot be
rendered in a manner that masks information that in the CAE’s judgment should be presented to
senior executives and board members. All consulting is to be understood in that context.
9)
Principles of Consulting Understood by the Organization: Organizations must have ground
rules for the performance of consulting services that are understood by all members of an organization, and these rules should be codified in the audit charter approved by the audit committee and
promoted in the organization.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Consulting Services
10)
Formal Consulting Engagements: Management often engages outside consultants for formal
consulting engagements that last a significant period of time. However, an organization may find
that the internal audit activity is uniquely qualified for some formal consulting tasks. If an internal
audit activity undertakes a formal consulting engagement, the internal audit group should bring a
systematic, disciplined approach to the conduct of the engagement.
11)
CAE Responsibilities: Consulting services permit the CAE to enter into dialog with management to
address specific managerial issues. In this dialog, the breadth of the engagement and timeframes
are made responsive to management needs. However, the CAE retains the prerogative of setting the
audit techniques and the right of reporting to senior executives and audit committee members when
the nature and materiality of results pose significant risks to the organization.
12)
Criteria for Resolving Conflicts or Evolving Issues: An internal auditor is first and foremost an
internal auditor. Thus, in the performance of all services the internal auditor is guided by the Code of
Ethics and the Attribute and Performance Standards of the Standards. Any unforeseen conflicts or
activities should be resolved consistent with the Code of Ethics and Standards.
Question 47: The function of consulting services is to add value and improve the overall performance of
an organization. In the performance of consulting type engagements, internal auditors have the
advantage because:
a)
They can give an assurance on the fairness of the financial statements.
b)
They will be able to accelerate the progress of the engagement.
c)
They are able to perform the engagements in all circumstances at the request of management.
d)
They will not be under any time constraint and therefore can spend as much time as needed on the
engagement.
(HOCK)
Considerations for Formal Consulting Engagements
It is the responsibility of the CAE to make sure of the methodology used for classifying the consulting
engagements. There may be some cases in which a “blended” engagement is necessary, one that
incorporates the elements of consulting and assurance activities into a consolidated approach. In other
cases, the CAE may find it more appropriate to distinguish between the assurance and consulting activities of
the engagement. The important issue is that the CAE determines the methodology for classifying the
engagements.
Consulting services may be conducted as either part of the internal auditor’s normal or routine activity or as
a special request made by management. Each organization must consider the type of consulting activities to
conduct and determine the specific procedures to develop for each type of activity. The possible categories
include:
•
Formal consulting engagements: planned and subject to written agreement
•
Informal consulting engagements: routine activities, such as participation on steering committees, limited-life projects, ad-hoc meetings and routine information exchange
•
Special consulting engagements: participation in a merger and acquisition team or system
conversion team
•
Emergency consulting engagements: participation with a team established for recovery or
maintenance of operations after a disaster or other extraordinary business event, or a team assembled to supply temporary help to meet a special request or unusual deadline
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
67
Consulting Services
CIA Part 2
In addition, auditors generally should not agree to a consulting engagement simply to circumvent or to allow
others to circumvent requirements that would normally apply to an assurance engagement if the service in
question is more appropriately conducted as an assurance engagement. The auditor may, however, adjust
methodologies where services once conducted as assurance engagements are deemed more suitable to being
performed as a consulting engagement.
Independence and Objectivity in Consulting Engagements
It is becoming more common for internal auditors to provide consulting services relating to operations for
which they had previous responsibilities. While it is not forbidden for internal auditors to provide consulting
services to areas over which they had previous responsibility, the auditor should still act in an independent
and objective manner.
Note: If internal auditors have potential impairments to independence or objectivity relating to proposed
consulting services, disclosure should be made prior to accepting the engagement (Standard 1130.C2).
To assess the impact that a previous position may have on objectivity, the auditor should consider:
•
The appropriate requirements and standards of the profession.
•
Expectations of stakeholders, directors, the audit committee, and legislative bodies.
•
Any allowances or restrictions that are in the charter. If the charter prohibits this type of work, but
management insists, this discrepancy needs to be brought to the attention of the audit committee
for a final resolution of the matter.
•
Disclosures that may be required by standards.
•
Subsequent audit work, its scope and coverage.
If necessary, outside third party auditors may need to be used for an audit engagement when the objectivity
of the auditors has been impaired for one reason or another. Using third party auditors may not always be
possible, and in such circumstances disclosure of the responsibility that the auditor had in the area should be
made. This relationship should also be disclosed in the communications related to the engagement.
Due Professional Care in Consulting Engagements
As with every engagement, the internal auditor should exercise due professional care when providing
consulting services. The internal auditor should consider the following:
•
The needs and expectations of clients, including the nature, timing, and communications of engagement results.
•
The relative complexity and extent of work needed to achieve the engagement’s objectives (professional skills and resources).
•
Cost/benefit analysis of the engagement.
Scope of Work in Consulting Engagements
If consulting opportunities arise during an assurance engagement, a specific written understanding as to the
objectives, scope, respective responsibilities, and other expectations should be reached and the results of the
consulting engagement communicated in accordance with consulting standards.
In performing consulting engagements, the internal auditors should ensure that the scope of the engagement
and the methodology used is sufficient to address the objectives. In establishing the scope of the engagement, internal auditors may expand or limit the scope based on management’s request. The internal auditor
will still need to be satisfied that the scope of work will be adequate to meet the objectives of the engage-
68
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Consulting Services
ment. It is not uncommon for the objectives, scope, and engagement terms to be periodically reviewed and
possibly adjusted during the course of the work.
If internal auditors develop reservations about the scope during the engagement, these reservations should
be discussed with the client to determine whether to continue with the engagement. In these situations, it will
be the internal auditors’ responsibility to use their professional judgment for the following:
•
To determine the significance of exposures or weaknesses and the actions taken or contemplated to
mitigate or correct these exposures or weaknesses
•
To ascertain the expectations of senior management, the audit committee and board in having these
matters reported
Communicating the Results of Consulting Engagements
In a consulting engagement, there are no specific standards for the communication’s form, content, or
structure. The important item to remember when communicating the results of the consulting engagement is
that it should clearly describe the nature of the engagement and any limitations, restrictions, or other factors
about which users of the information should be made aware.
For whatever reason, it may be necessary for the internal auditor to expand the reporting to include other
parties. If so, the internal auditor should conduct the following steps until he or she is satisfied with the
resolution of the matter:
•
Determine what direction is provided in the agreement concerning the consulting engagement and
related communications.
•
Attempt to convince those receiving or requesting the service to voluntarily expand the communication to the appropriate parties.
•
Determine what guidance is provided in the internal audit charter or internal audit’s policies and
procedures concerning consulting communications.
•
Determine what guidance is provided in the organization’s code of conduct, code of ethics, and other
relative policies, administrative directives, or procedures.
•
Determine what guidance is provided by the IIA’s Standards and Code of Ethics, other standards or
codes applicable to the auditor, and any legal or regulatory requirements that relate to the matter
under consideration.
Documentation Requirements for Consulting Engagements
It is the responsibility of the CAE to develop policies governing the custody and retention of engagement
records, as well as their release to internal and external parties. These policies should be consistent with the
organization’s guidelines and any pertinent regulatory or other requirements.
The documentation requirements of assurance engagements do not necessarily apply to consulting
engagements. A primary function of the internal auditor is to avoid potential misunderstandings involving
requests for the records. The more sensitive situations will require special handling of the records, such as
legal proceedings, regulatory requirements, tax issues, accounting matters, and so forth.
Monitoring of Consulting Engagements
In order to decide the appropriate follow-up for a consulting engagement, the issue will need to be agreed to
with the client. Varying types of monitoring efforts might depend on various factors, such as management’s
explicit interest in the engagement or the internal auditor’s assessment of the project’s risks or value to the
organization.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
69
Consulting Services
CIA Part 2
Question 48: Who is responsible to make sure of the methodology used for classifying the consulting
engagement?
a)
Chief Executive Officer
b)
Chairman of the Audit Committee
c)
Chairman of the Board
d)
Chief Audit Executive
(HOCK)
Question 49: Which of the following statements is true in regards to consulting services?
a)
Assurance and consulting services are mutually exclusive and do preclude other auditing services
such as investigations and non-auditing roles.
b)
The CAE does not retain the prerogative of setting the audit techniques and the right of reporting to
senior executives and audit committee members when the nature and materiality of results pose
significant risks to the organization.
c)
A disciplined, systematic evaluation methodology is incorporated in each internal audit activity. The
list of services can generally be incorporated into the broad categories of assurance and consulting.
d)
Audit services cannot have both an assurance and consulting role.
(HOCK)
Internal Control Testing Consulting Engagements
Section 404 of Sarbanes-Oxley directed the Securities and Exchange Commission (SEC) to adopt rules
requiring reporting companies to include in their annual reports a statement of management’s responsibility
for establishing and maintaining adequate internal controls over financial reporting and an assessment of
the effectiveness of those internal controls. Section 404 also specifies that the company’s independent
auditor must attest to and report on management’s assessment of internal control. If material weaknesses
that are likely to lead to a material misstatement in the financial statements are discovered, this fact must be
included in the report.
In order for management to make this assessment, a formal, internal control-testing program is required and
a company’s independent auditors may not be involved in this process. In order to maintain independence,
the company’s independent auditor cannot establish procedures for testing internal control, prepare the
required documentation, and then attest to the work. Although independent auditors may supply input to the
process, the majority of the work required in order to satisfy the requirements of Section 404 cannot be
performed by the auditing firm that subsequently will attest to the effectiveness of the company’s internal
controls.
In Staff Statement on Management’s Report on Internal Control Over Financial Reporting, dated 16 May 2005,
the SEC expressed the opinion that “efficient and effective assessments depend on internal audit and other
company personnel and external auditors who are ‘on the ground’ closest to the assessment.”
In June 2007, the SEC published Release No. 33-8810, which contained interpretive guidance for management on conducting an evaluation of internal control over financial reporting. The guidance was intended to
enable companies to implement the requirements more effectively and efficiently.
The interpretive guidance clarified for management where the focus of the internal control evaluation should
be, namely on whether it has put into place controls that adequately address the risk that a
material misstatement of the financial statements would not be prevented or detected in a timely
70
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Consulting Services
manner. Management is not required to identify every control in every process or document all of the
business processes impacting its internal control over financial reporting.
The guidance also clarified that management’s evaluation of evidence about its controls should be based on
its assessment of risk. In low-risk areas, management can use more efficient approaches to gathering
evidence while performing more extensive testing in high-risk areas. Management is thus able to concentrate
its resources on those areas of financial reporting that pose the highest risks to reliable financial reporting.
In addition, in July 2007, the Public Company Accounting Oversight Board (also formed by SOX) approved
Auditing Standard No. 5, superseding Auditing Standard No. 2, and provided guidance for the external auditor
in complying with the Act’s requirements.
Initially, the management assessment of internal controls provision of Sarbanes-Oxley (SOX 404) was
required only of large, publicly held companies. However, after the SEC’s interpretive guidance was released,
smaller public companies that were not accelerated filers were required to document their management
assessment of internal controls over financial reporting for fiscal years ending after 15 December 2007.
Because of all of these items, internal control testing can be an important consulting activity for an internal
auditor.
Internal auditors may be asked to assist in the design of the testing as well as carrying out the testing. Tests
of controls usually include inquiries of management, supervisory and staff personnel, observation of specific
activities in the control process, and inspection of documents and records. Their purpose is to obtain evidence
about whether the design and operation of activities in the internal control process is sufficient to prevent, or
detect and correct, significant misstatements.
The SEC staff statement recommends that the scope and process of the assessment be reasonable and the
assessment, including the testing, be supported by a reasonable level of evidential matter. It recommends
that management devote resources to the areas of greatest risk and avoid giving equal attention to all the
controls without regard to risk. It states, “The assessment of internal control over financial reporting will be
more effective if it focuses on controls related to those processes and classes of transactions for financial
statement accounts and disclosures that are most likely to have a material impact on the company’s financial
statements.”
Business Process Review/Reengineering Consulting Engagements
Business Process Review (BPR) is an important means of improving processes or completely reengineering
them. BPR promotes rapid change, which in the current business environment can provide a competitive
advantage. Key characteristics of BPR include the use of IT, empowering employees, using cross-functional
teams (often including the customer), and boundary-spanning coordination. BPR involves rethinking all
aspects of a process, including the outputs, structure, tasks, and technology. Internal auditors may be able to
assist during the decision-making and implementation phases by evaluating implications of organizational
change and considering how the change should be managed.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
71
Control Self-Assessment
CIA Part 2
Control Self-Assessment
Control Self-Assessment (CSA), also called Control Risk Self-Assessment (CRSA), examines and
assesses the effectiveness of the control system within the company performed by the company’s personnel
with the help of facilitators from the internal audit department. Since the process is shared among all
employees of the company, the responsibility for control is expanded to include all individuals in the company.
The employees thereby become process owners. The active engagement of all levels of personnel in the
self-assessment process is an important aspect of the CSA process. When people identify their own problems,
they are more committed to resolving them than they are if the same problems are identified for them in an
audit. Thus, the “self” in self-assessment is an important factor. Auditors are generally presumed to have the
knowledge and expertise to accurately assess control, but CSA presumes the opposite. Its underlying
assumption is that the scope of control is so broad and the pace of change is so great that it requires the
knowledge and expertise of all the people who perform the work to assess the control system.
Assessments are performed through a series of workshops or meetings or through questionnaires.
Assessments can be applied to any area of the company: projects, processes, business units, or functions.
Whichever format is used, the goal is to help organizations assess the likelihood of achieving their business
objectives by using the knowledge of the workers who are responsible for making it happen.
CSA procedures include the following:
•
Identifying potential risks and exposures
•
Assessing the control processes that mitigate or manage those risks
•
Developing action plans to reduce risks to acceptable levels
•
Determining the likelihood of achieving the business objectives
The primary advantages of a CSA program are that it:
•
Enhances employee understanding or the company’s risks and controls
•
Enhances employee control consciousness
•
Provides a mechanism for early risk detection
•
Encourages more open communication, teamwork, and continuous improvements
•
Empowers the employees and enhances accountability
CSA Approaches
There are a number of differing approaches used for CSA processes in organizations that reflect the
differences in industry, geography, structure, organizational culture, degree of employee empowerment,
dominant management style, and manner of formulating strategies and policies. This wide variety of
approaches tends to suggest that the success of a particular type of CSA program at one organization may
not necessarily be duplicated at another. Each organization’s CSA process should be customized to fit the
characteristics of that organization. This need for customization also indicates that the CSA approach
should be dynamic, meaning that is able to change as the organization changes.
The three primary CSA approaches are:
72
1)
Facilitated team workshops
2)
Surveys
3)
Management-produced analysis, or self-auditing/self-certification
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Control Self-Assessment
1. Facilitated Team Workshops
Facilitated team workshop is the process of gathering information from work teams that represent different
levels or areas in the business unit or function. The workshop approach, facilitated by auditors with
specialized training, is a particularly successful CSA technique. In a workshop setting, provided that the
facilitator has no hidden agenda, participants are usually truthful in identifying what is working well, what is
not working well, and what action needs to be taken.
The primary format of the workshop may be based on objectives, risks, controls, or processes.
•
Objective-based format focuses on the best way to accomplish a business objective. The aim of
the workshop is to decide whether the control procedures are working effectively and are resulting in
residual risks within an acceptable level.
•
Risk-based format focuses on listing the risks to achieving an objective. The aim of the workshop
is to determine significant residual risk. This workshop starts by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving objectives.
•
Control-based format focuses on how well the controls in place are working. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well
management expects those controls to work.
•
Process-based format focuses on selected activities that are elements of a chain of processes. The
general aim of this workshop is to evaluate, update, validate, improve, and even streamline the
whole process and its component activities.
To avoid the possibility that the workshop becomes merely a pleasant retreat for participants, hard work and
advance preparation is required by the facilitation team.
There are five critical components required if a workshop is to be successful:
1)
Facilitators interview participants before the workshop begins. The facilitators do this in
order to understand the team’s purpose, objectives, processes, and dynamics. This preparation
makes the discussion flow with fewer interruptions. Greater understanding on the part of the facilitators minimizes the risk that the facilitators will miss an important verbal cue that may signal the
need for deeper discussion.
2)
Time for the team to brainstorm, develop ideas, and discuss ideas. A good workshop begins
with brainstorming about which aspects are working well and what obstacles the team’s obstacles
faces in achieving their objectives. The participants need to feel that facilitators are accepting their
ideas. During the first half hour of the workshop, the team should identify issues that create barriers
to its efficiency and effectiveness. Discussion of these issues then takes two hours or more and the
team begins to identify the root causes of the problems and realizes that it has the ability to address
these root causes.
3)
Control issues. After the participants are satisfied that their issues have been identified and discussed, control issues are scrutinized, using a control framework such as COSO’s “Internal Control:
Integrated Framework.” The participants answer a series of questions and information is gathered. It
is important for the facilitators to listen to the participants.
4)
Quickly provide a summary of the discussion to the participants. This summary should not be
done in the same way as an audit report. Rather, the summary and the assessment belong to the
participants, because it is a record of their discussion, and they should ideally receive it by the following day. They will use this record to take corrective action on the issues discussed.
5)
Action. The participants and the managers prioritize the actions to be taken. Typically, items with
the largest payoff that are within the team’s own authority and capacity will be done first. However,
there may be other valuable actions that require resources beyond the team’s capacity. The auditor
can help the team by bringing matters to the attention of senior management or by arranging for
teams to work together.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
73
Control Self-Assessment
CIA Part 2
If a risk identified in a workshop is significant, there may be a need for the auditor to make a report to senior
management and/or the audit committee, just as would be done with material findings from a conventional
audit. Findings of a material nature are likely to emerge from comparison of results from several workshops,
during which all of them reveal the same disturbing pattern or trend. It is important that significant issues be
brought to the attention of senior management so that immediate action can be taken (unless, of course,
senior management is the source of the problem).
CSA can also be used to identify areas where it would be beneficial to conduct an audit. If the problem is
being addressed, an audit may not be needed. But if the problem seems ill defined, the nature of the problem
is very sensitive, or if it is not being taken seriously, then an audit is called for. Audits performed on this basis
usually bring major results, reducing the hit-or-miss element of traditional auditing. As a result, these audit
findings produce value for the organization.
2. Surveys (Questionnaires)
Surveys or questionnaires tend to ask simple “Yes/No” or “Have/Have Not” questions. The questions may be
customized for the unit’s regulatory environment or other specific needs. The questions should relate to the
primary internal controls and how the controls are monitored. However, questionnaires have several
weaknesses:
•
If the correct answer to a question is obvious, it can create pressure to stretch the truth in order to
be able to answer the question with what is perceived to be the correct answer.
•
When the results of the questionnaires are used by the process owners to assess their own control
structure, this is a valid CSA technique, particularly if the audit budget is small or if clients are too
widely dispersed to participate in a workshop. However, if someone else (such as the auditor) interprets the questionnaire information, then it is not self-assessment. Under such circumstances, the
participants will not have any sense of personal commitment to making changes and no sense of
teamwork.
•
Some people will be “too busy” to fill out a questionnaire, and their input, which may be critical, is
lost. If a questionnaire is used, it is essential also to get in-person feedback to understand specific
responses and to seek input from those who did not return the questionnaire. Some may dislike
questionnaires but will be forthcoming in an interview.
3. Management-Produced Analysis or Self-Auditing/Self-Certification
This term covers most other approaches by management groups to produce information about business
processes, risk management activities, and control procedures. The basis of the analysis may be an internal
control questionnaire that management fills out as a form of self-audit and then uses to produce a study of a
business process. The CSA specialist (generally the internal auditor) may synthesize material received from
various managers and key personnel to develop an analysis for the process owners to use in their CSA efforts.
Note: It is not unusual for organizations to combine more than one of the above-mentioned approaches.
Most implemented programs will share some features and goals.
Role of the Internal Auditor in a CSA Program
The internal audit’s role in a CSA program falls along a wide continuum. When the IAA becomes involved in a
CSA program, the CAE should be careful to monitor the objectivity of the IAA staff. The role of the IAA can
vary between two extremes:
74
•
It may sponsor, design, and implement the process, conduct the training, supply the facilitators,
scribes, and reporters and orchestrate the participation of management and work teams.
•
Alternately, the internal audit’s involvement is minimal, serving as interested party and consultant of
the whole process and as ultimate verifier of the evaluations produced by the teams.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section A
Control Self-Assessment
In most programs, internal audit’s investment in the organization’s CSA efforts is somewhere between those
two extremes. As the level of internal audit’s involvement in the CSA program and individual workshop
deliberations increases, the CAE should monitor the objectivity of the internal audit staff, take steps to
manage that objectivity (if necessary), and augment internal audit testing to ensure that bias or partiality do
not affect the final judgments of the staff.
Those who serve as workshop facilitators must have excellent interpersonal skills. They must have genuine
respect for others, must be willing to listen carefully, and must have a strong desire to provide value to the
organization. In addition, they need a deep knowledge of systemic control, a healthy skepticism, facilitation
skill, organizational ability, and be expert at using any software or hardware required for the workshop or the
reporting process. In addition, good analytical skills are important so they can understand the information
that they have gathered in order to draw meaningful conclusions from it.
Question 50: Of the three primary approaches to CSA, which one involves gathering information from
work teams that represent different levels in the business unit or function?
a)
Management-produced analysis
b)
Questionnaire (surveys)
c)
Facilitated team workshops
d)
Controller-produced analysis
(HOCK)
Question 51: Which one of the facilitated team workshops starts by listing all possible barriers, obstacles,
threats, and exposures that might prevent achieving the objectives?
a)
Risk-based format
b)
Objective-based forma
c)
Process-based format
d)
Control-based format
(HOCK)
Question 52: Which one of the facilitated team workshop’s general aim is to evaluate, update, validate,
improve, and even streamline the whole process and its component activities?
a)
Risk-based format
b)
Objective-based format
c)
Process-based format
d)
Control-based format
(HOCK)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
75
Section B – Introduction
CIA Part 2
Section B – Introduction
In this section, we will turn our attention to discussing how individual engagements need to be managed. This
section accounts for approximately 40–50% of the Part 2 exam. The topics within this section are tested at a
proficiency level, unless otherwise noted.
For any engagement to be conducted, it first needs to be planned for. The engagement then needs to be
properly supervised and the results communicated to the people who are in a position to take action on
the recommendations. The final stage of the audit engagement is monitoring. Through monitoring the
internal auditor finds out whether the engagement client took action on the recommendations provided by the
internal auditor.
As with Section A, you need to carefully read the material, making sure you fully understand the general
concepts and use the past exam questions to become familiar with what has been previously asked.
Because the Standards and Practice Advisories are referenced in this section, you may want to refer back to
either the Standards or Practices Advisories when going through the material.
76
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Planning the Engagement
Planning the Engagement
Standard 2200: Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement’s
objectives, scope, timing, and resource allocation.
The Engagement Planning Process
The process for planning an engagement typically involves establishing:
•
The objectives of the audit
•
The scope or extent of the audit
•
The resources that will be required to achieve the objectives (that is, financial and required staff)
•
The work program
The final step in the planning process is the development of the work program. Work programs are needed
because they list the detailed procedures that should be conducted by the internal auditor in order to achieve
the specific audit objectives. Work programs should:
•
State the objectives of the engagement
•
Document the procedures that the internal auditor will use to collect, analyze, interpret, and document information during the engagement
•
Identify the technical elements, risks, transactions, and processes that will be examined
•
State the nature and extent of required testing
•
Be prepared prior to the commencement of engagement work and be modified, as appropriate,
during the course of the engagement with the approval of the CAE
As part of the planning process, the CAE needs to decide how, when, and to whom the results of the
engagement will be reported and in what manner. Though the work program will probably not be shared with
many others, the necessary people in management need to be informed about the engagement and meetings
will most likely be held with members of management who are responsible for the area being examined. The
topics of these meetings may cover:
•
The objectives and scope of work of the planned engagement
•
The timing of the work
•
The internal auditors who will be performing the work
•
The communication process throughout the engagement, including the methods, time frames, and
individuals who will be responsible
•
Business conditions and operations of the activity being reviewed, including recent changes in management or major systems
•
Any concerns or requests of management
•
Any concerns or matters of interest to the internal auditor
•
A description of the final reporting process and the follow-up that will be conducted
These meetings should be documented and becomes part of the documentation of the audit.
Note: In cases where it is noted during the audit that some elements were excluded from the work
program, the auditor needs to first assess if the engagement will be able to be concluded from the work
that has been or will be performed as per the work program. If the work program will not be sufficient, this
must be communicated to the CAE and a decision made about how to go forward.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
77
Planning the Engagement
CIA Part 2
We now need to understand the factors the internal auditor needs to consider before finalizing the
engagement work program. These planning considerations are covered under Standard 2201.
Planning Considerations
Standard 2201: Planning Considerations
In planning the engagement, internal auditors must consider:

The objectives of the activity that is being reviewed and the means by which the activity controls its
performance;

The significant risks to that activity, its objectives, resources, and operations and the means by which
the potential impact of risk is kept to an acceptable level;

The adequacy and effectiveness of the activity’s risk management and control systems compared to a
relevant control framework or model; and

The opportunities for making significant improvements to the activity’s risk management and control
processes.
If an organization is receiving outside services (for example, if an outside provider processes payroll for the
organization), then it is highly likely that the organization’s IAA will be requested to conduct an audit of the
outside service provider. This audit of an external organization is done so that the organization has confidence
that the outside party has adequate controls and safeguards when it processes data of the organization.
Standard 2201.A2 states that there needs to be “a written understanding with the outside party about the
objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of
the results of the engagement and access to engagement records.”
Question 53: Documentation required to plan an internal auditing engagement should include information
that
a)
Resources needed to complete the engagement were considered.
b)
Planned engagement work will be completed on a timely basis.
c)
Intended engagement observations have been clearly identified.
d)
Internal audit activity resources are efficiently and effectively employed.
(CIA Adapted)
Engagement Objectives
Standard 2210: Engagement Objectives
Objectives must be established for each engagement.
The objectives of the engagement should address the risks, controls, and governance processes associated
with the activities that are being reviewed.
Engagement objectives are broad statements that the internal auditor develops to define what the
engagement is supposed to accomplish. All of the procedures and other work during the engagement is then
done with the goal of achieving the objectives of the engagement. The objectives provide guidance and
purpose for all of the work done during the engagement.
One of the main elements that should be addressed in an engagement is the risk associated with the activity
being audited. Risk is the uncertainty of an event occurring that could have an impact on the achievement of
78
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Planning the Engagement
objectives. Events that are more likely to happen and which might have an adverse impact on the business
will be scrutinized in more detail than those unlikely to happen or that would have less of an impact on the
business.
Question 54: While planning an engagement, an internal auditor establishes engagement objectives to
describe what is to be accomplished. Which of the following is a key issue to consider in developing
engagement objectives?
a)
The qualifications of the internal auditing staff selected for the engagement.
b)
Risks associated with the activities to be reviewed.
c)
Recommendations of the engagement client’s employees.
d)
The recipients of the final engagement communication.
(CIA Adapted)
Question 55: An internal audit activity has stated an engagement objective of determining whether
property, plant, and equipment employed in manufacturing are properly reflected in the accounting
records. Which of the following approaches is likely to be most useful in meeting this objective?
a)
Interviewing members of the accounting department.
b)
Examining documentation concerning the cost of property, plant, and equipment used in the
manufacturing process.
c)
Inspecting property, plant, and equipment used in the manufacturing process and tracing to the
asset subsidiary ledger.
d)
Selecting items from the asset subsidiary ledger and recalculating depreciation.
(CIA Adapted)
Risk Assessment in Engagement Planning
The assessment of the risks related to the activity being reviewed must be considered as part of the planning
process. The objectives that are developed must include the results of the risk assessment.
In the consideration of risk, the auditor should review the following items when appropriate and relevant:
•
The objectives and goals of the activity being audited
•
The policies, plans, procedures, laws, and contracts that may impact the activity
•
Organizational information about the activity, key employees, job descriptions, and details of recent
changes in the organization, including changes of systems
•
Budget information, operating results, and financial data
•
The working papers of prior engagements
•
The results of other engagements (including work performed by the external auditor)
•
Correspondence files to determine potential significant engagement issues
•
Authoritative and technical literature, if relevant to the activity
In addition to all the items mentioned above, internal auditors should also consider the probability of errors,
fraud, noncompliance, and other exposures when developing the engagement objectives.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
79
The Preliminary Survey
CIA Part 2
The Preliminary Survey
The function of the preliminary survey was discussed in Part 1 (Data Gathering). The topic is revisited in this
section because the preliminary survey (also called an on-site survey) is the first step in the audit process.
The purpose of this survey is to give the internal auditor the opportunity to start collecting and to become
familiar with the preliminary information about the activity to be reviewed, without obtaining detailed
verification.
The importance of the survey cannot be overstated. The success or failure of the audit may well depend to an
extent on the survey: “A competent preliminary survey is likely to result in a competent audit program, and a
competent audit program is likely to result in a competent audit. When preliminary surveys are carefully
planned and executed, they become more than an effective familiarization tactic; they also represent a
powerful determinant for the success of the audit.” 3
Objectives of the Preliminary Survey
The preliminary survey should accomplish a number of things, allowing the internal auditor to:
1)
3
Become familiar with the client’s
•
Objective and goals
•
Organizational structure and key staff
•
Operations, facilities, key customers, and suppliers
•
Risk management, control and governance systems
•
Information systems
2)
Concentrate the audit work on matters of significance
3)
Identify areas of lower risk and then reduce the audit time spent in these low-risk areas
4)
Create a cooperative tone for the engagement
Sawyer’s Internal Auditing, 5th edition, 169.
80
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
The Preliminary Survey
To maximize the benefit of the preliminary survey, the auditor should:
•
Read all of the relevant background information, including recent financial results and operational
results
•
Prepare the questionnaires based on this information and assessment of the risks with the area in
question
•
Know who to see to obtain additional and needed information, and make appropriate appointments
•
Document the information received in this process (flowcharting and narratives are two of the more
common methods)
•
Understand the objectives and goals of each part of the operation
•
Identify the risks implicit in the areas under review
Any failure of internal control identified during the survey should be communicated to management
immediately. The first communication should be verbal. If no action is taken and the failure is significant, a
written report should follow.
Question 56: Which of the following best describes a preliminary survey?
a)
A standardized questionnaire used to obtain an understanding of management objectives.
b)
A statistical sample of key employee attitudes, skills, and knowledge.
c)
A “walk-through” of the financial control system to identify risks and the controls that can address
those risks.
d)
A process used to become familiar with activities and risks in order to identify areas for engagement emphasis.
(CIA Adapted)
Question 57: In planning an assurance engagement, a survey could assist with all of the following, except
a)
Obtaining engagement client comments and suggestions on control problems.
b)
Obtaining preliminary information on controls.
c)
Identifying areas for engagement emphasis.
d)
Evaluating the adequacy and effectiveness of controls.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
81
The Preliminary Survey
CIA Part 2
Preparation for the Preliminary Meeting
The preliminary meeting is the first meeting with the engagement client, and the auditor needs to be as
prepared as possible for it. All of the review of information and the surveys are part of the process of
preparing for this first meeting.
The survey should be sent to the client managers in advance to provide time for completion before the
meeting. The auditor will need the answers prior to the meeting. Example questions for the preliminary
meeting are:
•
How many sections and people are there in the activity?
•
What activities are carried out? Which are the most important and the most troublesome?
•
How are controls exercised, and what reports are received?
•
What are the work standards, and what training is given?
•
How are priorities for work set?
•
How frequent are backlogs, and what is the reason and cost implication?
•
Who are the main internal customers and suppliers? How do they interact?
•
Which areas would management most like to improve?
•
What action has been taken on the recommendations of the last audit report?
The auditor should also ask detailed questions relating to the sales cycle, purchasing cycle, production,
salaries, fixed assets control, and other areas of the engagement.
These questions should highlight the key risk areas and the methods and extent to which management is
controlling those risks.
Note: A list of documents or schedules that will be required for the audit should be provided with the
questionnaire. These may be accounts listings, charters, job descriptions, or flowcharts.
The Preliminary Meeting
This first meeting with the client should set the cooperative tone of the engagement, explain the engagement
in detail (unless it is a fraud investigation, in which case the full nature of the meeting should not be disclosed
at this stage), and stress that all observations and recommendations will be discussed with the client before
being reported to the board.
Additionally, the auditor should explain that the internal auditor would acknowledge any corrective action
taken by the client prior to circulation of the written reports.
At the meeting, the replies to the questionnaire will be reviewed, with special emphasis on those areas that
appear to need high levels of testing, or further clarification.
Collection of as many relevant documents as possible, or organizing their prompt transmission to the auditor,
will be another efficient result of the meeting.
A walk-through of the premises or office provides a physical structure for the auditor in organizing the
engagement plan. It provides an opportunity to meet and question additional staff on the risk management,
control, and governance of their areas of responsibility.
The walk-through may follow key processes and documentation, allowing the auditor to confirm that controls
are working.
82
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
The Preliminary Survey
Further Meetings
If the client deems it necessary, a further meeting can be arranged to discuss initial impressions and the
general objective of the engagement work program. The cost of further meetings should be a consideration in
planning these additional meetings.
Question 58: Which of the following is least likely to be placed on the agenda for discussion at a preengagement meeting?
a)
Purpose and scope of the engagement.
b)
Records and client personnel needed.
c)
Sampling plan and key criteria.
d)
Expected starting and completion dates.
(CIA Adapted)
Documentation of the Preliminary Survey
A comprehensive report of the preliminary survey should be documented. Using the documents obtained from
the meeting, the auditor will produce or update the permanent file.
The permanent file provides information on the client that each engagement will use. It includes items such
as client objectives and goals, organization structure, unit addresses, flowcharts, bank accounts, and so forth.
The engagement plan and working papers will benefit from the answers to the questionnaire and the obtained
documents. The audit supervisor should be given a copy of the report of the results for reference during the
engagement.
Question 59: The preliminary survey phase of an engagement to evaluate recruiting activity shows that
hotel and airfare expenses are approximately equal. Both hotel and airline arrangements are made by the
recruiting group secretary. Based on this information, the scope of fieldwork should include:
a)
Considering competitive factors involved in the selection of hotel accommodations.
b)
Recommending that someone outside the recruiting group make hotel and airline reservations.
c)
Comparing the detail of hotel charges per candidate’s expense reports to copies of hotel bills
obtained directly from hotel sources.
d)
Obtaining assurance that candidates’ legal rights are protected during the course of the interview
experience.
(CIA Adapted)
Question 60: In advance of a preliminary survey, a chief audit executive sends a memorandum and
questionnaire to the supervisors of the department to be evaluated. What is the most likely result of that
procedure?
a)
It creates apprehension about the engagement.
b)
It involves the engagement client’s supervisory personnel in the engagement.
c)
It is an uneconomical approach to obtaining information.
d)
It is only useful for engagements of distant locations.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
83
Engagement Scope
CIA Part 2
Engagement Scope
Standard 2220: Engagement Scope
The established scope must be sufficient to satisfy the objectives of the engagement.
The scope of an assurance engagement must include considerations of relevant systems, records, personnel,
and physical properties, including those under the control of third parties. If significant consulting opportunities arise during an assurance engagement, a specific, written understanding of the objectives, scope,
respective responsibilities, and other expectations should be reached and the results of the consulting
engagement communicated in accordance with consulting standards.
In performing consulting engagements, internal auditors must ensure that the scope of the engagement is
sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope
during the engagement, these reservations must be discussed with the client to determine whether to
continue with the engagement.
Engagement Resource Allocation
Standard 2230: Engagement Resource Allocation
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives
based on an evaluation of the nature and complexity of each engagement, time constraints, and available
resources.
During the course of determining the necessary resources needed to perform the engagement, the internal
auditor should consider the following:
•
The number and experience of the auditing staff should be based on the evaluation of the nature and
complexity of the engagement assignment, time constraints, and available resources.
•
Knowledge, skills, and other competencies of the auditing staff should be considered in selecting
internal auditors for the engagement.
•
Training needs of the internal auditors should be considered, as engagements could serve as a basis
for meeting future development needs of the IAA.
Engagement Work Program
Standard 2240: Engagement Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.
The work program must be written and developed for each engagement that the internal auditor performs.
The purpose of the work program is to help the internal auditor achieve the engagement objectives. The size
of the work program will be influenced by all of the factors that were considered above. Some work programs
may be very short and consist of only a few steps or procedures, while others may be very long and detailed.
The work program needs to be prepared and completed prior to the engagement beginning (and usually after
the preliminary survey), but it may need to be revised as the engagement proceeds.
The engagement work program is part of the planning for each audit engagement or project. The work
program details the work to be accomplished, how and what will be done, and, as with an external audit
program, it will facilitate the supervision and review of the work.
The extent of the audit program depends upon the scope and extent of the work to be performed. The larger
the project, the more detailed the program. This scope of the project is determined in the first step in the
planning process: establishing the objectives and scope of the work.
84
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Engagement Procedures
After an initial survey of the task at hand, the audit program is prepared. The program must be prepared
before the start of the work, since it is the program that informs the auditors what to do.
The audit program should include information about the objectives of the area that is being audited and a
description of the controls that are in place, as well as those that need to be in place in order to achieve the
area’s objectives. The audit program then includes the procedures, or the detailed steps, to carry out to
reach the objectives of the audit.
This initial program may be adapted from previous audits or it may be a simple pro forma program. In any
case, as the audit progresses, the program may need to be amended or expanded depending upon the
findings as the audit is performed. If the auditor finds that work on the audit needs to be expanded, the cause
for that expansion must be investigated to make sure that there is not some sort of problem or weakness in
internal controls that should be addressed.
The CAE approves the work plan in writing. Any adjustments to the work plans should be approved in a timely
manner. If necessary, it is possible for approval to be done verbally.
Question 61: The internal audit activity is planning a three-year effort to perform engagements at all
branches of a large international car rental agency. Management is especially concerned with standardized operation of the accounting, car rental, and inventory functions. What type of work program is most
appropriate for this project?
a)
A pro forma program developed and tested by the internal audit activity.
b)
Individual programs developed by the internal auditor-in-charge after a preliminary survey of each
branch.
c)
A checklist of branch standard operating procedures.
d)
An industry-developed engagement guide.
(CIA Adapted)
Engagement Procedures
In order to properly plan an engagement, the auditor has to clearly understand which procedures need to be
conducted so the audit engagement objectives can be achieved. The engagement work itself is made up of a
series of procedures that are to be performed by the internal auditor. These procedures may be simple (for
example, checking to see if a particular document was signed) or complex (for example, the valuation of a
derivative instrument).
The procedures to be performed are written in the work program. The work program will serve as the source
of work to be done and as a supervisory tool to make sure that all of the required and expected procedures
are performed.
Unfortunately, the number of procedures that could be performed is limitless. As such, it is not helpful to
provide a complete list of procedures here. We have, however, set out below some concepts and ideas related
to the procedures performed.
For any engagement, the internal auditor will need to perform procedures to gather evidence. This evidence
will provide the support for the opinion that the internal auditor concludes. The auditor needs to gather
information until he or she is in a position to thoroughly support the conclusion that is drawn.
All audit evidence has to be able to stand the test of sufficiency, competency, and relevance, meaning
that auditors must collect information until they have collected sufficient, competent and relevant evidence.
Although these terms were discussed in detail in Part 1, for the sake of reinforcing their importance they will
be reviewed again here.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
85
Engagement Procedures
CIA Part 2
Sufficiency of Evidence
The question of how much evidence is enough is a one that cannot be answered definitively or quantitatively.
Rather, this is a question that must be answered using the professional judgment of the auditor, and it
depends on many factors. One of the main factors in the determination of the sufficiency of evidence is the
effectiveness of the client’s internal controls. If the internal controls are working, then the amount of evidence
required by the auditor for it to be considered “sufficient” is less than if their controls are not working. This
reduction in the amount of evidence needed comes about because, when the internal controls of the client are
working, the auditor is more likely to accept the information and need less evidence to be convinced that it is
“correct.”
No matter how well the client’s internal controls are working, the auditor must always obtain some amount of
direct evidence to confirm the numbers. If the auditor were to draw a conclusion based solely on the client’s
information without confirmation, his or her work would be unnecessary. In the determination of sufficiency,
the auditor will also consider the item’s materiality and inherent risk. The less material or less risky the
item, the less evidence the auditor will require in order to reach a sufficient amount of evidence.
Reliability of Evidence
In order for evidence to be competent, it must be reliable. The reliability of the evidence relates to the
extent to which the auditor can believe and trust the evidence. The most reliable evidence available to the
auditor is something that is obtained directly by the auditor. The auditor obtains this evidence many times
through direct observation.
However, there is a great deal of information that the auditor cannot obtain directly and, as a result, he or
she will need to rely on information obtained from other parties. The next best source of evidence for the
auditor is that obtained directly from an independent third party, meaning evidence that is not from the
client or from a party with a direct interest in the client. (An example of this kind of information is bank and
account receivable confirmations that are sent to the auditor directly by the bank or customer.)
If evidence cannot be obtained first-hand or from a third party, the auditor must obtain it from the client
directly. This is the weakest form of evidence and, as a result, the auditor will require more evidence to
corroborate information obtained from the client than for evidence obtained from outside parties.
Note: The more effective a client’s internal controls are, the more valid evidence obtained from the client
is. However, regardless of how well the controls of the client are working, the auditor will still need to
obtain confirming evidence in some manner.
Relevant Evidence
In order for information to be considered relevant, it must be related to the item being audited. However, that
does not mean that information that is not relevant to the engagement should be disregarded or ignored. The
information may be relevant to another planned engagement or operation of the company. In this case, the
information should be reported to the appropriate company managers.
Useful Evidence
Useful evidence is information that helps the organization meet its goals. This process of finding useful
information is one of the main goals and roles of the internal audit function. For example, management needs
to have confidence that its financial statements are accurately stated. Therefore, any evidence that the
auditor gathers that helps management meet this goal would be considered useful.
86
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Engagement Procedures
Sources of Evidence
Internal auditors collect evidence that is used to support the conclusions. There are two main types of
auditing evidence:
1)
Underlying accounting data is the information that is part of the accounting system. It includes
the original documents, journals, ledgers, supporting information, and the output from the accounting systems. This type of evidence by itself is not sufficient and it will always need to be
supplemented by at least some corroborative evidence.
2)
Corroborative evidence is essentially all other evidence and it is generally evidence that is obtained from somewhere else or is a document that can be verified with a third party, such as an
invoice, a check, contracts, or similar type of document.
Selected Engagement Procedures
There are six categories of procedures: 4
1)
Observing. This is a visual examination of a specific item or event by the auditor. It may be the
observation of a specific document or the application of an internal control procedure. All observations should be documented and described.
2)
Questioning. The auditor may accomplish this either verbally in the form of an interview or in
written form, such as a questionnaire. In-person interviews are more common but they are more difficult to lead effectively because they require the ability to understand the answers, develop the next
question, and ask the questions that provide the best answers.
Interviews need to be conducted in a non-threatening manner to help the interviewee feel comfortable, which is often difficult because of the perception that the internal auditor is looking for
something wrong.
Information that is obtained from an interview or other form of questioning should be confirmed, if
possible, either by other individuals or by other evidence supporting the statement. Questioning is
usually the best way to determine what someone thinks or feels about a particular subject.
3)
Analyzing. This is the process of understanding something larger by looking at the individual components that make it up. This involves comparing items, noting trends in information, and looking at
differences between actual and expected results. Analytical procedures are part of the analysis when
the auditor looks at the relationship between two items to see if this relationship is as expected.
For example, if the number of employees increased by 10% during the period, it would be expected
that the total payroll cost would increase as well. Whether it is exactly 10% would depend on who
was hired and when they were hired, but payroll should certainly increase if the number of employees increased 10%.
4
4)
Verifying. This is the process of checking one source of information against another. Corroborating
evidence supports another piece of evidence. Any one individual item may not be enough to support
a conclusion, but if there are enough pieces of evidence all pointing in the same direction, the conclusion may be able to be supported.
5)
Investigating. This is the search for evidence or facts that are not readily available. This method is
often used when there is suspicion of wrongdoing. (The search for wrongdoing is called a probe.)
6)
Evaluating. This is the process of taking all of the available information, putting it all together, and
coming up with a conclusion. A lot of professional judgment is required in this final evaluation because it is rare that there will be such evidence that the auditor is completely certain about the
conclusion.
Ibid., 283.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
87
Engagement Procedures
CIA Part 2
Evaluations are made in respect to financial balances, internal control procedures (whether they are
functioning properly and are sufficient), and risk assessment.
The process of evaluation will include a number of different considerations:
•
How many deviations there were
•
The size of the deviations
•
Why the deviations occurred
•
What the area was in which the deviations occurred
•
Whether the deviations will likely occur again
Note: You need to be familiar with the difference between inductive and deductive reasoning. Inductive
reasoning begins with a specific item and draw general, broader conclusions about it. An example of
inductive reasoning is when an auditor samples receivables in order to conclude that accounts receivable
exist as recorded.
Deductive reasoning begins with a general statement and draw specific conclusions from that generality.
An example of deductive reasoning is when an auditor performs analytical procedures in order to estimate
the accuracy of a particular account balance.
Tracing and Vouching
Two procedures that you should be specifically aware of are tracing and vouching. The discussion below is
related to the financial statements, but these procedures can be performed anytime there is an original
source document and place where the event is ultimately recorded.
Tracing is the process of starting with a source document and following it through the accounting records
into the final ledger. This test for completeness makes sure that every event or transaction is actually
recorded.
Vouching is the opposite of tracing. It starts with an amount in a ledger and find the supporting documentation for it. This is a test for existence or occurrence, making certain that every event or transaction that
has been recorded in the records has actually occurred.
In almost any engagement, there is some document to trace and some amount to vouch.
Original Source Document
Tracing
Vouching
Financial Statements
Note: On the exam, there will be some questions that require you to identify the best procedure to
accomplish an objective, or the procedure most or least likely to be done. What makes these types of
questions difficult is that there are different ways in which different companies or auditors would approach
a question. Also, there are an almost unlimited number of situations to which this type of question can be
applied. In order to prepare for these types of questions, you need to look at ExamSuccess questions to
get a feel for the way the questions are asked and what the IIA perceives as the appropriate procedure in
different situations. Some of these questions are on the next few pages.
88
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Engagement Procedures
Question 62: A production manager for a moderate-sized manufacturing organization began ordering
excessive raw materials and had them delivered to a wholesaler that the manager was running as a side
business. The manager falsified receiving documents and approved the invoices for payment. Which of the
following engagement procedures is most likely to detect this fraud?
a)
Take a sample of cash disbursements; compare purchase orders, receiving reports, invoices, and
check copies.
b)
Take a sample of cash disbursements and confirm the amount purchased, purchase price, and date
of shipment with the vendors.
c)
Observe the receiving dock and count materials received; compare the counts with receiving
reports completed by receiving personnel.
d)
Perform analytical tests, comparing production, materials purchased, and raw materials inventory
levels; investigate differences.
(CIA Adapted)
Question 63: A large manufacturer has a transportation division that supplies gasoline for the organization’s vehicles. Gasoline is dispensed by an attendant who records the amount issued on a serially prenumbered gasoline disbursement form, which is then given to the accounting department for proper
recording. When the quantity of gasoline falls to a certain level, the service station attendant prepares a
purchase requisition and sends it to the purchasing department where a purchase order is prepared and
recorded in a gasoline purchases journal. Which of the following engagement procedures will best
determine whether gasoline disbursements are fully and completely recorded?
a)
Compare the gasoline purchase requisitions with the gasoline disbursement records.
b)
Select a number of gasoline purchases from the gasoline purchases journal and compare them with
their corresponding purchase orders and ascertain that they are serially pre-numbered, are
matched with purchase requisitions, and are authorized by someone independent of employees of
the service station.
c)
Perform analytical procedures comparing this period’s gasoline consumption with prior periods.
d)
Match the quantity of gasoline disbursed according to disbursement forms with an independent
reading of quantity disbursed at the pump.
(CIA Adapted)
Question 64: The internal auditor is concerned about whether all the debits to the computer security
expense account are appropriate expenditures. The most appropriate engagement procedure is to:
a)
Take an attribute sample of computing invoices and determine whether all invoices are properly
classified.
b)
Perform an analytical review comparing the amounts of expenditures incurred this year with the
amounts incurred on a trend line for the past five years.
c)
Take a sample of all debits to the account and investigate by examining source documents to
determine the nature and authority of the expenditure.
d)
Take an attribute sample of employee wage expenses incurred by the outsourcing organization and
trace to the proper account classification.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
89
Engagement Procedures
CIA Part 2
Question 65: One of the engagement objectives of a financial audit of the organization’s accounts
receivable function is to determine whether prescribed standard procedures are followed when credit is
granted. Which of the following engagement procedures will produce the most reliable information?
a)
Ask management of the credit department if specific policies and procedures are followed when
granting credit.
b)
Select a statistical sample of credit applications and test them for conformance with prescribed
procedures.
c)
Analytically review the relationships between trends in credit sales and bad debts.
d)
Review procedures for periodically aging accounts receivable.
(CIA Adapted)
Question 66: The auditor determines that a major user application is implemented on a spreadsheet,
which takes input regarding projected freight deliveries from the mainframe computer and develops an
optimal dispatching plan. When first used two years ago, the spreadsheet reduced costs dramatically.
However, freight costs have been increasing and no one, other than the developer, has reviewed the
spreadsheet. The freight-dispatching algorithm is complicated, but the auditor has researched and
understands it and its current computation, and wants to gain assurance on whether the spreadsheet has
properly implemented the freight-dispatching algorithm. Which of the following audit procedures would
accomplish the task?
I.
Develop an independent spreadsheet and run test data through it and through the user’s spreadsheet. Compare the results.
II.
Use a product to print out the logic of the user spreadsheet. Examine the logic to determine if it has
been correctly incorporated into the spreadsheet.
III.
Develop a set of test data and manually calculate the expected results. Run the test data through
the user application.
a)
I only
b)
II only
c)
I and III
d)
I, II, and III
(CIA Adapted)
Question 67: Assume the internal auditor becomes concerned that significant fraud may be taking place
by dentists who are billing the health care processor for services that were not provided. For example,
employees may have their teeth cleaned, but the dentist charges the processor for pulling teeth and
developing dentures. The most effective procedure to determine if such a fraud exists is to:
a)
Take a random sample of payments made to dentists and confirm the amounts paid to the dentists’
offices to determine that the amounts agree with the amount billed by the dentists.
b)
Take a discovery sample of employee claims that were submitted through dentists offices, and
confirm the type of service performed by the dentist through direct correspondence with the patient
who had the service performed.
c)
Take a random sample of claims submitted by dentists and trace them through the system to
determine if the claims were paid at the amounts billed.
d)
Develop a schedule of payments made to individual dentists. Verify that payments were made to
the dentists by confirming the payments with the health care processor.
(CIA Adapted)
90
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Supervising the Engagement
Supervising the Engagement
Standard 2340: Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff
is developed.
All engagements must be properly supervised. This helps to ensure that objectives are achieved, quality is
assured, and the staff is developed.
Supervision starts in the planning stages and continues all of the way through the engagement until the
report is issued. Ultimate responsibility for supervision rests with the CAE. As part of this responsibility, the
CAE should periodically review each job in respect to budget, actual time spent, expected completion time,
and a review of any control or technical issues that have arisen and not yet been resolved.
Note: The extent and amount of supervision required for an engagement will be determined by the skills
and experience of the internal auditors and the complexity of the engagement.
When any additional time or costs need to be incurred from what was budgeted, this should be communicated
and addressed as soon as the issue becomes known.
Supervision includes:
•
Ensuring that the auditors assigned have the necessary knowledge, skills, and other competencies to
perform the engagement
•
Providing appropriate instructions during the planning of the engagement and approving the engagement plan
•
Seeing that the approved program is carried out, unless changes are both justified and authorized
•
Determining that working papers adequately support observations, conclusions, and recommendations
•
Ensuring that communications are accurate, objective, clear, concise, constructive, and timely
•
Ensuring that objectives are met
•
Providing opportunities for developing auditors’ knowledge, skills, and other competencies
•
Having a working paper review checklist
•
Ensuring budgetary control of engagements, including timesheet control
•
Calculating savings as a result of recommendations
•
Resolving differences of judgment between CAE and auditors
The supervisor should inform assistants of their responsibilities and the objective of the audit procedures they
will perform. The assistants’ work should be reviewed in order to determine if results are consistent with the
evidence, and they should be instructed to bring significant accounting and audit questions to the supervisor’s
attention. The review of the working papers needs to be documented, usually by the reviewer initialing each
page as it is reviewed.
The reviewer should identify any items within the working papers that are not complete or correct, or which
require additional work. Items requiring additional work should be documented and the completion of these
items by the audit staff also needs to be disclosed.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
91
Supervising the Engagement
CIA Part 2
Review of Working Papers
The quality of the engagement is assured when the working papers are properly reviewed. All working papers
need to be reviewed by the engagement management, and it is ultimately the CAE who is responsible for the
performance of the review. This review is done to ensure that the evidence, properly collected, supports the
conclusions that were drawn and any communications that were sent.
When the reviewer makes notes, he or she should do so in written format so that the completion of these
notes can be documented. Before the engagement can be closed, all open items (meaning uncompleted
review notes) in the files need to be completed and closed.
The specific elements that the reviewer is looking to confirm through the review process are:
•
That the work program and any specific instructions were followed and all steps were completed
•
The working papers completely record and document the work that was done and the results from
any tests performed
•
That the conclusions that were made are supported by sufficient, competent evidence
•
All relevant guidelines of the company for the preparation of working papers have been followed
Complete Engagement Staff Performance Appraisals
Staff performance appraisals are normally conducted at the end of each significant audit assignment.
These evaluations provide both staff auditor and audit management with immediate feedback on
performance. It allows for an exchange of ideas while the audit is still fresh in the minds of those concerned.
These evaluations can also:
•
Become another input source for promotions, compensation and/or employment termination
•
Help the CAE in necessary staff training
•
Help the CAE review methods for improving staff performance
•
Help the CAE assign staff to future assignments
Many factors can be considered when performing the evaluation, such as whether the auditor:
92
•
Developed an understanding of the audit objectives and procedures
•
Understood the auditee’s processes, systems, and workflows
•
Completed the work in accordance with the work plan (including the timeframe and budget)
•
Maintained appropriate relations with the auditee
•
Prepared the working papers in accordance with the Standards
•
Performed due diligence in the documentation process to report the findings, and cross referencing
working papers among each other and with the audit work program and mapping tools, as appropriate
•
Properly utilized audit tools when appropriate
•
Added value to the audit team and the auditee
•
Demonstrated proficiency in the application of internal auditing standards
•
Developed a professional relationship with the auditee
•
Was ethically responsible during the audit
•
Demonstrated technical competence as appropriate under the circumstances
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Supervising the Engagement
Question 68: The chief audit executive is responsible for engagement supervision. The most important
form of supervision during the fieldwork phase of engagements involves:
a)
Seeing that the approved engagement work program is carried out unless changes are both
justified and authorized.
b)
Providing suitable instructions to subordinates at the outset of the engagement and approving the
engagement work program.
c)
Appraising each internal auditor’s performance at least annually.
d)
Making sure that communications are accurate, objective, clear, concise, constructive, and timely.
(CIA Adapted)
Question 69: When engagements are performed for the internal audit activity by non-staff members, the
chief audit executive is responsible for:
a)
Ensuring that the engagement communications are objective, clear, and timely.
b)
Reviewing the engagement work programs for approval.
c)
Providing appropriate supervision from the beginning to the conclusion of the engagement.
d)
None of the engagement work performed by those outside the department.
(CIA Adapted)
Question 70: Which of the following items does not constitute evidence of proper supervision of an
internal auditing engagement?
a)
An internal audit manager approves the engagement work program and gives instructions to
subordinates at the outset of the engagement. The internal audit manager is available for consultation but does not actively participate in the performance of procedures.
b)
An internal audit manager is not intimately involved in an engagement but does review the results
to ensure that all engagement objectives are met.
c)
A senior internal auditor continuously deviates from the approved engagement work program but
consistently completes the engagement within the approved time budget. The internal audit manager approves the time budget, and the internal audit manager reviews compliance with the time
budget.
d)
The internal audit manager carefully reviews all analytical procedures performed by internal audit
seniors during the preliminary planning to determine if the conclusions are justified.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
93
Communicate Engagement Results
CIA Part 2
Communicate Engagement Results
Standard 2400: Communicating Results
Internal auditor must communicate the results of engagements.
The statement above seems obvious, but it is also important to make sure that the engagement results are
properly communicated. The process of properly communicating results (whether interim or final) needs to
be clearly understood by the internal auditor. There are certain steps that the internal auditor needs to follow
in order for communications to be clearly understood by all interested parties.
Communications and monitoring are the output of the Internal Audit Activity. These interim and final products
provide observations, conclusions, and recommendations that should be useful to the auditee. These products
are an important basis for the evaluation of the IAA by senior management and the board, and these reports
can also be useful to external auditors, regulatory agencies, and judicial authorities.
Criteria for Communicating
Standard 2410: Criteria for Communicating
Communications must include the engagement’s objectives and scope as well as applicable conclusions,
recommendations, and action plans.
There are no specific standards for the communication’s form, content, or structure, but communications
must include:
•
The objectives and scope of the engagement
•
Conclusions
•
Recommendations
•
Action plans
The form of the communication will depend upon the item involved, the scope of the audit, the urgency of the
item, and the people involved, among other things. For example, an audit discovery that reveals a great
weakness or risk to the company should be communicated more quickly (and perhaps therefore verbally) than
a routine result.
No matter what form the communication takes, the internal auditor needs to make certain that the
communication meets the expectations and requirements of both the operational managers (people involved
in the day-to-day operations), the senior managers, and the board.
The process of informing the recipient is one of the main goals of the communication. Additionally, the
communication can be used to persuade people to a particular action to improve the company’s systems and
operations.
Question 71: Which of the following is not a major purpose of an engagement communication?
a)
Inform
b)
Get results
c)
Assign responsibility
d)
Persuade
(CIA Adapted)
94
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Communicate Engagement Results
Contents of the Final Report
At a minimum, the final report must contain the purpose, scope, and results of the engagement (all of
which are discussed more fully below). Also, where appropriate, the report should contain the internal
auditor’s overall opinion.
According to PA 2410-1 (Communication Criteria), the
final engagement communications may include background information and summaries. Background
information may identify the organizational units and activities reviewed and provide relevant explanatory information. It may also include the status of observations, conclusions and recommendations
from prior reports and an indication of whether the report covers a scheduled engagement or is
responding to a request. Summaries are balanced representations of the communication’s content.
Note: The final report should be signed by either the CAE or an equivalent designated person.
Purpose of the Engagement
In this section of the report, the auditor outlines the engagement objectives (this must always be included
in the report) and also may include why the engagement was performed and what the expected results were
from the engagement (cost savings, increased efficiencies, and so forth).
Scope of the Engagement
This section outlines what was done on the engagement, including:
•
The activities that were reviewed
•
The time period reviewed (if appropriate)
•
Any related activities that were not reviewed
•
The nature and extent of the work performed
Note: Any scope limitations should also be reported. A scope limitation occurs when the auditor is unable
to perform all of the required procedures. The cause of the scope limitation is not important.
Results of the Engagement
This section includes the observations, conclusions (or opinions if appropriate), and recommendations and
action plans from the engagement.
Observations
Observations are the relevant statements of fact discovered during the engagement. Any observations that
are essential to the understanding of the conclusion should be included in the communication. Other less
material or less significant observations will be communicated in less formal manners.
These observations are made as a result of comparing the difference between the current state of affairs
(“what is”) with the ideal state of affairs (“what should be”).
If the engagement finds that everything that is supposed to happen is actually happening, then this
satisfactory performance may also be communicated in the report.
Conclusions
Conclusions are the internal auditor’s evaluations of the effects of the observations and recommendations
on the activities that were reviewed. These may state whether a function is operating as intended, if control
criteria are being met, if objectives and goals are being met, and so forth.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
95
Communicate Engagement Results
CIA Part 2
Recommendations and Action Plans
The report should include recommendations for improved performance, acknowledgement of satisfactory
performance, and any corrective actions that need to be implemented. The recommendations are based on
the observations and conclusions of the internal auditor. The suggested corrective actions may be very
specific about what needs to be done or more general in nature, such as the identification of areas for further
study.
Note: The final communication may also include improvements that have been made or implemented by
the auditee since the last engagement.
Question 72: An engagement communication relating to an engagement performed at a bank categorizes
observations as “deficiencies” for major problems and “other areas for improvement” for less serious
problems. Which of the following excerpts is properly included under “other areas for improvement?”
a)
Many secured loans did not contain hazard insurance coverage for tangible property collateral.
b)
Loan officers also prepare the cashier’s checks for disbursement of the loan proceeds.
c)
The bank is incurring unnecessary postage costs by not combining certain special mailings to
checking account customers with the monthly mailing of their statements.
d)
At one branch, a large amount of cash was placed on a portable table behind the teller lines.
(CIA Adapted)
Criteria for Observations and Recommendations
Any observations and recommendations that are made should be based on these four attributes:
1)
Criteria: These are the standards, measures, or expectations that will be used in making measurements (in other words, what should exist).
2)
Condition: This is the factual information that the auditor finds during the engagement (in other
words, what does exist).
3)
Cause: This is the reason that there is a difference between what exist and what should exist
(that is, why the difference exists).
4)
Effect: This is the risk or exposure that the organization (or others) faces as a result of the actual
conditions being different than they should be (that is, the impact of the difference).
Note: The observations and recommendation parts of the communication may also include client
accomplishments, related issues, and supportive information (if they are not included elsewhere).
96
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Communicate Engagement Results
Question 73: As a result of an engagement performed at a bank, the internal auditor included the
following observation in the final engagement communication:
“The late charges were waived on an excessive number of delinquent installment loan payments at the
Spring Street Branch. We were informed that late charge waivers are not approved by an officer.
Approximately $5,000 per year in revenues is being lost. In order to provide a better control over late
charges waived and loss of income, we recommend that a lending officer be responsible for waiving late
charges and that this approval be in writing.”
Which of the following elements of an observation is not properly addressed?
a)
Criteria or standards
b)
Condition
c)
Cause
d)
Effect
(CIA Adapted)
The following information is for the next two questions.
An excerpt from an engagement observation indicates that travel advances exceeded prescribed
maximum amounts. Organizational policy provides travel funds to authorized employees for travel.
Advances are not to exceed 45 days of anticipated expenses. Organizational procedures do not require
justification for large travel advances. Employees can and do accumulate large, unneeded advances.
Question 74: The cause of the engagement observation is
a)
Advance procedures do not require specific justification.
b)
Organizational policy is to provide travel funds to authorized employees.
c)
Employees accumulate large travel advances.
d)
Travel advances have not been cleared in a timely manner.
Question 75: Which of the following is the condition attribute of an engagement observation?
a)
Advances are not to exceed estimated expenses for 45 days.
b)
Employees accumulate large unneeded advances.
c)
Procedures do not require justification for large advances.
d)
Travel advances exceeded prescribed maximum amounts.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
97
Communicate Engagement Results
CIA Part 2
Question 76: During an engagement involving sales representatives’ travel expenses, the internal auditor
discovered that 152 of 200 travel advances issued to sales representatives in the past year exceeded the
prescribed maximum amount allowed. Which of the following statements is a justifiable engagement
opinion?
a)
The majority of advances in the organization exceed the prescribed maximum.
b)
Travel advances are not controlled in accordance with existing policy.
c)
The prescribed maximum travel advance is too low.
d)
Seventy-six percent of all travel advances exceed the management-prescribed maximum.
(CIA Adapted)
Quality of Communications
Standard 2420: Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
We elaborate further on what it means to be accurate, objective, clear, concise, constructive, complete, and
timely.
•
Accurate communications are free from errors and distortions and are faithful to the underlying
facts.
•
Objective communications are fair, impartial, and unbiased, and they are the result of a fair-minded
and balanced assessment of all relevant facts and circumstances.
•
Clear communications are easily understood and logical, avoid unnecessary technical language, and
provide all significant and relevant information.
•
Concise communications are to the point and avoid unnecessary detail. Summaries should be used
for long reports.
•
Constructive communications are helpful to the engagement client and the organization, and they
lead to improvements where needed. Constructive communications should be professional and not
name individuals unnecessarily or point out mistakes in a negative manner.
•
Complete communications lacks nothing. It includes all significant and relevant information that
support the recommendations and conclusions.
•
Timely communications are opportune and expedient, depending on the significance of the issue,
and they allow management to take appropriate corrective action.
Writing Style
The style of writing for communications should not draw attention to itself. The writing should be simple and
direct, following general guidelines such as:
98
•
The sentences should be brief, but some longer ones may be used if required due to the complexity
of the subject matter.
•
There should be a logical order to the writing.
•
References should be defined and understood.
•
Irrelevant matters should be avoided.
•
Unnecessary jargon should be avoided.
•
The writing style should be consistent.
•
Wordiness should be avoided.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Communicate Engagement Results
The writer should use the active voice whenever possible instead of the passive voice (saying “I hit the
ball” instead of “the ball was hit by me”).
Editing plays an important part in creating reports that are professional in content and professional in
presentation. Since these reports contain matters that are critical to the engagement client, proper time
should be spent on editing. The person reviewing the material should be concerned with readability,
correctness, and appropriateness.
•
Readability refers to the clarity of the writing.
•
Correctness refers to accurate grammar and punctuation.
•
Appropriateness refers to the tactfulness and objectivity of the report and the correct balance
given to major and minor observations.
The final step before presenting the report is to have it proofread. The report should be reference-checked,
comparing every statement, number, date, and title with source data in the working papers.
Errors and Omissions
Standard 2421: Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.
The definition of error or omission in this context is an unintentional misstatement or omission of
significant information in a final engagement communication. In the case where the final report contains a
significant error or omission, the CAE has the responsibility to communicate an amended report highlighting
the corrected information to those individuals or parties who received the original report.
Question 77: According to the Standards, which of the following best describes the nature of opinions that
are appropriate for an internal auditor’s final communication of results?
a)
Opinions are usually the internal auditor’s subjective judgments concerning why deficiencies exist.
b)
Opinions are the internal auditor’s evaluations of the effects of the observations on the activities
reviewed.
c)
Opinions are conclusions that the internal auditor has reached concerning the appropriateness of
the engagement client’s objectives.
d)
Opinions should only involve the fairness of the engagement client’s financial statements.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
99
Communicate Engagement Results
CIA Part 2
Question 78: The internal audit activity for a chain of retail stores recently concluded an engagement to
evaluate sales adjustments in all stores in the Southeast region. The engagement revealed that several
stores are costing the organization substantial sums in duplicate credits to customers’ charge accounts.
The final engagement communication, which was published eight weeks after the conclusion of the
engagement, incorporated the internal auditors’ recommendations to store management that should
prevent duplicate credits to customers’ accounts. Which of the following standards has been disregarded?
a)
The follow-up actions were not adequate.
b)
The internal auditors should have implemented appropriate corrective action as soon as the
duplicate credits were discovered.
c)
Internal auditor recommendations should not be included in the final engagement communication.
d)
The final engagement communication was not timely.
(CIA Adapted)
Question 79: An engagement observation is worded as follows:
“The capital budget includes funds to purchase 11 new vehicles. Review of usage records showed that 10
vehicles in the fleet of 70 had been driven less than 2,500 miles during the past year. Vehicles have been
assigned to different groups whose usage rates have varied greatly. There was no policy requiring
rotation of vehicles between high and low usages groups. Lack of criteria for assigning vehicles and a
system for monitoring their usage could lead to purchasing unneeded vehicles.”
Based on the facts presented, it is appropriate to recommend that management:
a)
Establish a minimum of 2,500 miles per quarter as a criterion for assigning vehicles to user groups.
b)
Establish a system to periodically rotate vehicles among users.
c)
Delay the proposed vehicle purchases until the apparent excess capacity is adequately explained or
absorbed.
d)
Withhold approval of the capital budget until internal auditing can review other projects.
(CIA Adapted)
Question 80: During an engagement to review a warehousing function, the internal auditor found that
personnel do not always examine each requisition before issuing supplies. As a result, $5,000 of supplies
were issued without proper authorization. Which of the following conclusions, as stated in the final
engagement communication, will help management determine whether organizational objectives are
being met effectively and efficiently?
a)
Requisitions are not always examined before supplies are released.
b)
Supplies costing $5,000 were released without proper authorization because requisitions are not
always examined.
c)
Personnel released $5,000 of supplies without proper authorization because requisitions were not
examined; we recommend each requisition be verified before supplies are issued.
d)
We recommend that personnel be required to verify each requisition before issuing supplies to
ensure that no supplies are released without proper authorization.
(CIA Adapted)
100
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Communicate Engagement Results
Disseminating Results
Standard 2440: Disseminating Results
The chief audit executive must communicate results to the appropriate party.
The internal auditor must discuss conclusions and recommendations with the appropriate levels of
management of the engagement client before the final communication is issued. This discussion, which is
normally done during the exit interview, should include the appropriate internal auditors and individuals who
are able to authorize the implementation of needed corrective actions. A primary objective of this meeting is
to ensure that there have been no misinterpretations of facts or misunderstanding by the auditor.
Ideally, the results of the audit will be discussed with the auditee and the auditee agrees with the results
and recommendations—and this agreement would be acknowledged in the communication itself. On the other
hand, if there is disagreement between the auditee and the internal auditor, the disagreement should be
explained in the communication with both sides presented along with the reasons for the disagreement.
The auditor should document the discussions of the exit interview once it has concluded. Any response that
the auditee has to the engagement may also be included in the communication.
Note: The discussion with the auditee is not a negotiation. The auditor is not seeking additional
information or agreement with the report itself, but simply informing management about the report’s
contents and confirming that everything is factually correct.
The final engagement communications should be distributed by the CAE to those members of the
organization who are able to ensure that engagement results are given due consideration. This distribution list
will usually include the manager in charge of the function that was audited as well as any other managers or
individuals who are in a position to effect change that is required as a result of the audit conclusions.
The board of directors may also be an appropriate recipient of the report if the item in question is material to
the operations of the company. In most cases, however, the board will receive only a summary of the report.
The CEO is usually not a recipient of any reports, though he or she may receive summaries of significant
items. Where appropriate, the CAE may also distribute the final engagement communication to other
interested or affected parties (such as external auditors).
Note: In cases where senior management is guilty of wrongdoing, the report needs to go directly to the
board.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
101
Communicate Engagement Results
CIA Part 2
Whistleblowing
If employees have a particular concern about an action or fear that something might be illegal or unethical,
then employees should feel comfortable reporting their concerns to their supervisor or manager. However,
complications may arise if the supervisor or manager is involved in the illegal or unethical activity, or if the
employee reported the issue but no action was taken or the concern was dismissed.
Under these circumstances, it might be necessary for employees to report their concerns through an
alternative channel, perhaps to a higher-level director or possibly to one of the committees of the board (such
as the audit committee). This type of reporting is commonly referred to as whistleblowing. The topic of
whistleblowing is covered in PA 2440-2 (Communicating Sensitive Information Within and Outside the Chain
of Command).
An important consideration associated with whistleblowing is protecting the rights of the whistleblower so as
to avoid retaliation, which might include being fired, not being promoted, or being ostracized. Although
whistleblowers are often protected by law against outright retaliation, there are still instances where
companies have found ways of punishing whistleblowers. However, in many jurisdictions there are safeguards
that can enable a whistleblower to sue for damages if retaliation is proven.
Internal auditors have a professional duty to report all illegal or unethical activities to management
and the board if they are revealed through an audit. However, most fraud is uncovered not by internal
auditors, but by a whistleblower. Therefore, internal auditors have a strong interest in making sure that the
organization has the right policies within its code of conduct that encourage employees to report illegal or
unethical behavior. Another measure that organizations use to encourage whistleblowing is to have a
telephone hot line, meaning an arrangement for employees to report illegal or unethical activities to
organizational authorities without having to disclose their identity. The reporting of suspicious activity does
not of itself constitute evidence; however, it serves to alert departments that an investigation is warranted.
Question 81: Which of the following individuals should normally not receive a final engagement communication related to a review of the purchasing cycle?
a)
The director of purchasing
b)
The independent external auditor
c)
The chief audit executive
d)
The chair of the board
(CIA Adapted)
Question 82: It is most likely that the final engagement communication regarding supply activities of a
division will be circulated to
a)
The lowest-level managers with sufficient authority to take action on engagement recommendations
because it is their responsibility.
b)
The highest level of managers because they should be kept informed.
c)
The mid- and lower-level engagement client personnel of the division because they are the ones
most affected.
d)
The organization’s external auditors, because they will need the information in performing their own
engagement.
(CIA Adapted)
102
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Communicate Engagement Results
Question 83: Exit interviews serve to ensure the accuracy of the information used by an internal auditor.
A secondary purpose of an exit interview is to:
a)
Get immediate action on a recommendation.
b)
Improve relations with the engagement clients.
c)
Agree to the appropriate distribution of the final engagement communication.
d)
Brief senior management on the results of the engagement.
(CIA Adapted)
Question 84: Which of the following is a possible disadvantage when the draft engagement communication is provided to local management for review and comment?
a)
The engagement client may take corrective action before the final communication is issued.
b)
The engagement client will have an opportunity to rebut observations and recommendations.
c)
Genuine consideration for the engagement client will be demonstrated.
d)
Discussion of the report might center unduly on words rather than on the substantive issues.
(CIA Adapted)
Oral Communications
Oral communication plays an important role during an engagement, but it needs to be used correctly and in
the correct situations. One drawback of a strictly spoken engagement is that, in the absence of note-taking or
recording, there is no permanent record of the conversation, which might lead to later discrepancies and
disagreements.
However, the advantages of oral communication include:
•
Timeliness
•
Opportunities for immediate feedback
•
Clients are able to respond
•
Improved relationships (due to the face to face interaction)
•
Incorrect information or misunderstandings can be immediately addressed
Progress (Interim) Communications
Interim reports are communications that are issued before the final report. They may be written or oral
and they will be used to communicate the following:
•
Information that requires immediate action
•
A change in the scope of the engagement
•
The status of the project (if it is a long-term operation)
The issuing of one or many interim reports does not eliminate the need for a final report.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
103
Communicate Engagement Results
CIA Part 2
Question 85: An internal auditor has completed an engagement to review an organization’s activities and
is ready to issue a final engagement communication. However, the engagement client disagrees with the
internal auditor’s conclusions. The internal auditor should:
a)
Withhold the issuance of the final engagement communication until agreement on the issues is
obtained.
b)
Perform more work, with the engagement client’s concurrence, to resolve areas of disagreement.
Delay the issuance of the final engagement communication until agreement is reached.
c)
Issue the final engagement communication and indicate that the engagement client has provided a
scope limitation that has led to a difference as to the conclusions.
d)
Issue the final engagement communication and state both the internal auditor and engagement
client positions and the reasons for the disagreement.
(CIA Adapted)
Question 86: During the course of an engagement to evaluate cash handling, the internal auditor notices
that considerable cash is stored overnight in a work area that has easy access from a busy street.
Furthermore, neither a security system nor an armed guard is in the vicinity. When this matter is
discussed with the appropriate managers, the internal auditor is informed, "We have never had a robbery
or loss of cash. Why should we spend money to improve security?" The internal auditor should:
a)
Make a verbal interim engagement communication. In the final engagement communication,
concentrate on the corrective measures to be taken.
b)
Explain all the facts but allow the managers the opportunity to tell their story so that corrective
action is more likely to be adopted.
c)
Because the organization has never suffered any losses from the cash handling procedures, there is
no need to report the observation.
d)
Widely distribute the engagement communication; this is a big problem that everyone in the
organization needs to know about.
(CIA Adapted)
104
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Monitor Engagement Outcomes
Monitor Engagement Outcomes
Standard 2500: Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results
communicated to management.
Monitoring is the last phase of the engagement. Without proper or timely monitoring, the IAA might not know
the outcome of its observations and recommendations, and without this knowledge the value of the IAA to the
organization is greatly reduced.
The CAE must establish and maintain a system to monitor the disposition of results communicated to
management. Furthermore, although the CAE is responsible for the follow-up process, senior management
takes on the risk of inaction.
In some cases, there will be some observations and recommendations that are considered so significant
that they require management’s immediate attention. If senior management fails to act on these
observations and recommendations, they must accept the risk of not taking corrective action.
The follow-up conducted by internal auditors is defined by PA 2500.A1-1 (Follow-up Process) as a means
whereby internal auditors evaluate the adequacy, effectiveness, and timeliness of actions by management on reported engagement observations and recommendations, including those made by external auditors
and others. This process also includes determining whether senior management or the board have assumed
the risk of not taking corrective action on reported observations.
Note: Responsibility for follow-up should be defined in the IAA’s written charter.
Scheduling follow-up work for the audit engagements should be based on three factors:
1)
The risk and exposure involved
2)
Degree of difficulty
3)
Significance of timing in implementing corrective action
Also, according to PA 2500.A1-1, the CAE should determine the nature, timing, and extent of the follow-up.
Factors that should be considered in determining appropriate follow-up procedures are:
•
The significance of the reported observation or recommendation
•
The degree of effort and cost needed to correct the reported condition
•
The impacts that may result should the corrective action fail
•
The complexity of the correction action
•
The time period involved
In some cases the CAE may judge senior management’s response to be sufficient enough that he or she may
consider performing the follow-up as part of next engagement. In deciding the extent of the follow-up,
internal auditors should consider the procedures of a follow-up nature performed by others in the organization.
Note: The appropriate follow-up for a consulting engagement will need to be discussed and agreed upon
with the client. The extent of the monitoring effort will depend on various factors, including management’s
explicit interest in the engagement and the internal auditor’s assessment of the project’s risks or value to
the organization.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
105
Monitor Engagement Outcomes
CIA Part 2
Practice Advisory 2500-1.3 (Monitoring Progress) sets out the ways internal auditors are able to monitor
progress. “The IAA may effectively monitor progress by:
•
Addressing engagement observations and recommendations to the appropriate levels of management responsible for taking corrective action.
•
Receiving and evaluating management responses to engagement observations and recommendations
during the engagement or within a reasonable time period after the engagement results are communicated. Responses are more useful if they include sufficient information for the CAE to evaluate the
adequacy and timeliness of corrective action.
•
Receiving periodic updates from management in order to evaluate the status of management’s effort
to correct previously communicated conditions.
•
Receiving and evaluating information from other organizational units’ assigned responsibility for
procedures of a follow-up or corrective nature.
•
Reporting to senior management or the board on the status of responses to engagement observations and recommendations.”
Resolution of Senior Management’s Acceptance of Risks
Standard 2600: Resolution of Senior Management’s Acceptance of Risks
When the CAE believes that senior management has accepted a level of residual risk that is unacceptable
to the organization, the CAE must discuss the matter with senior management. If the decision regarding
residual risk is not resolved, the CAE must report the matter to the board for resolution.
As previously noted, it is senior management’s responsibility to decide the appropriate action in response
to reported engagement observations and recommendations. It will then be up to the CAE to assess
management’s action for the timely resolution.
There may be reasons that senior management decides to assume the risk of not correcting the reported
condition because of cost or other considerations. However, as long as the board is informed of management’s decision, then the IAA has fulfilled its responsibility to the organization, even if there is strong
disagreement with the decision.
Question 87: Follow-up activity may be required to ensure that corrective action has taken place for
certain observations made in an assurance engagement. The internal audit activity’s responsibility to
perform follow-up activities as required should be defined in the:
a)
Internal audit activity’s written charter or agreement with the client.
b)
Mission statement of the audit committee.
c)
Engagement memo issued prior to each engagement.
d)
Purpose statement within applicable engagement communications.
(CIA Adapted)
106
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section B
Monitor Engagement Outcomes
Question 88: Assume that the internal auditors’ observations are so serious that, in their view, they
require immediate action by management. Which of the following statements regarding the internal
auditors’ responsibility with respect to communicating results and follow-up are true?
I.
The conditions should be actively monitored by the internal auditors until corrected.
II.
The initial observations should be communicated to senior management and the audit committee
even if the engagement is not complete.
III.
The internal auditors should test the actions implemented by management to determine if they
remedy the problem.
a)
I only
b)
II only
c)
II and III only
d)
I, II, and III
(CIA Adapted)
Question 89: The preliminary survey discloses that corrective action was never taken on a prior reported
assurance engagement observation. Subsequent fieldwork confirms that the condition still exists. Which of
the following courses of action should the internal auditors pursue?
a)
Take no action. To do otherwise would be an exercise of operational control.
b)
Discuss the issue with the CAE. The problem requires an ad hoc solution.
c)
Discuss the issue with those responsible for the problem because they should know how to solve
the problem.
d)
Order those responsible to correct the problem. They have had long enough to do so.
(CIA Adapted)
Question 90: An organization’s internal auditors have conducted a series of assurance engagements. The
resulting recommendations have been readily accepted by engagement clients because of the potential
cost savings. Given the acceptance of the cost savings engagements and the scarcity of internal auditing
resources, the manager in charge of these engagements also decided the follow-up action was not
needed. The manager reasoned the cost savings should be sufficient to motivate the client to implement
the engagement recommendations. Thus, follow-up was not scheduled as a regular part of the engagement plan. Was the manger’s decision appropriate?
a)
Yes. Follow-up is not customary.
b)
No. The internal auditors should determine whether the client has appropriately implemented all of
the engagement recommendations.
c)
No. Scarcity of resources is not a sufficient reason to omit follow-up.
d)
Yes. Given sufficient evidence of motivation by the client, follow-up is not needed.
(CIA Adapted)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
107
Section C – Introduction
CIA Part 2
Section C – Introduction
The last section of the Part 2 exam is Fraud Risks and Controls. This part of the exam accounts for
approximately 5–15% of the exam. The topics in this section are covered at a proficiency level.
This section on fraud focuses on an examination and evaluation of the organization’s system of internal
control, which is the primary means of deterring and detecting fraud. Internal auditors play an important role
in minimizing the instances of fraud in the organization.
Because this section accounts for only 5–15% of the exam, it should not be your primary focus. In order to
help you study these sections, we recommend that you read through the material, make sure you understand
the general concepts, and use ExamSuccess to become familiar with what has been asked in the past.
108
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section C
Fraud Risks and Controls
Fraud Risks and Controls
Fraud audits are sometimes part of the responsibilities of the internal audit function. Because of the grave
nature of the engagement and the legal implications of any suspicious discoveries, fraud engagements are
very serious and important to the company.
Fraud is an act that is intentionally committed, and it is the deliberateness of the intent that differentiates
fraud from a mistake or misstatement. Fraud is committed when there is an intentional:
•
Misappropriation (theft) of company assets
•
Misstatement of the financial statements
•
Corruption, including illegal gratuities, bribes and kickbacks, conflict of interest, and economic
extortion.
Note: If any of these acts are committed without the intent, it is not fraud.
A key role of the internal audit function is to understand the prevention, detection, and prosecution of fraud.
According to Standard 1210.A2:
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and manner in which it
is managed by the organization, but are not expected to have the expertise of a person whose
primary responsibility is detecting and investigating fraud.
To reiterate, internal auditors are not responsible for preventing fraud, but they should be able to be
sensitive to any evidence or conditions that suggest that fraud might be occurring.
We will start by looking at some of the different types of fraud and then closely examine the role of the
internal auditor with respect to a fraud engagement.
Types of Fraud
Fraud can encompass an array of irregularities and illegal acts characterized by intentional deception.
Persons outside as well as inside the organization can perpetrate fraud. Fraud may be carried out either
for the benefit or to the detriment of the organization.
Examples of fraud that can benefit the organization:
•
Sale or assignment of fictitious or misrepresented assets
•
Improper payments, such as illegal political contributions, bribes, kickbacks and payoffs to government officials, intermediaries of government officials, customers or suppliers
•
Intentional, improper representation or valuation of transactions, assets, liabilities or income
•
Intentional, improper transfer pricing (the valuation of goods exchanged between related organizations)
•
Intentional, improper related-party transactions in which one party receives some benefit not obtainable in an arm’s-length transaction
•
Intentional failure to record or disclose significant information to improve the financial picture of the
organization to outside parties
•
Prohibited business activities such as those that violate government statutes, rules, regulations or
contracts
•
Tax fraud
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
109
Fraud Risks and Controls
CIA Part 2
Examples of fraud that can be detrimental to the organization are:
•
Acceptance of bribes or kickbacks
•
Diversion of a potentially profitable transaction to an employee or outsider that would normally
generate profits for the organization
•
Embezzlement, as typified by the misappropriation of money or property and falsification of financial
records to cover up the act, thus making detection difficult
•
Intentional concealment or misrepresentation of events or data
•
Claims submitted for services or goods not actually provided to the organization
Committing Fraud
It is generally recognized that in order for a person to commit fraud, three conditions need to be present:
1)
The person has be motivated to commit the fraud
2)
The person has to have the opportunity
3)
The person has to have the ability to rationalize his or her behavior
Motivation
Motivation is the reason that the individual chose to commit fraud. There is no single reason why a person
might commit fraud, but some of the more common reasons include:
•
Internal pressure from top management to meet others’ expectations (for example, market or
revenue expectations), and failing to meet these expectations could lead to job loss or demotion
•
External pressure from financers that threatens the organization’s financial stability (for example,
not meeting various requirements in a debt agreement)
•
Pressure to pay for a personal lifestyle or vices (for example, gambling, drugs)
•
Pressure to maximize performance-based bonuses or compensation (for example, the company has
a contingent compensation structure)
Opportunity
Without opportunity, fraud cannot be committed, regardless of the strength of any motivations. Some of the
factors and conditions that enable an individual to have the opportunity to commit fraud include:
•
Knowledge of the weaknesses of the company’s internal control systems
•
Access to accounting records or assets
•
Lack of proper supervision
•
An environment of lax ethical standards
•
A belief that the person will not get caught
Ability to Rationalize Behavior
Unless an individual can rationalize fraudulent behavior, it is unlikely that fraud will be committed, even in the
presence of motivation and opportunity. In this context, to rationalize is to be able to justify behavior that
under different circumstances would be unethical or unacceptable. A sense of ethics, morality, and a firm
sense of right and wrong can prevent some individuals from rationalizing fraud.
110
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section C
Fraud Risks and Controls
Examples of rationalization:
•
An employee believes that his work has not been properly compensated and that the company still
“owes” him something; therefore, stealing money is actually just compensation
•
An employee feels she is not getting the recognition she deserves
•
An employee feels that he needs more money
•
An employee sincerely believes that she will return the stolen money in the future
Responsibilities of the Internal Auditor
The internal auditor is responsible for examining the controls that are in place to determine if they are
adequate to prevent or detect fraud and are also responsible for examining for fraud.
However, the internal auditor is not responsible for preventing fraud; indeed, due to the complexities of
certain kinds of fraud, it is impossible for anyone to guarantee that all fraud can be prevented, let alone
detected. It is preferable to prevent fraud through controls rather than detecting fraud after the
fact, but even the best of controls can be evaded.
If fraud is suspected, the internal auditor should notify the appropriate management level within the
organization, which is most likely the audit committee and perhaps also the board of directors. The report
must be made at least one level above the level at which the fraud is occurring.
Note: In cases of fraud, the internal auditor is interested in how the fraud occurred, what needs to be fixed
in the controls, and what needs to be done to prevent it in the future.
The factors that contribute to fraud are varied and numerous, but by being aware of them the auditor is in a
better position to detect and prevent fraud. In carrying out their responsibility, internal auditors should
determine whether:
•
The organization has set goals and objectives that are realistic
•
The organization fosters an environment of control consciousness
•
There are written policies (for example, a Code of Ethics) that describe prohibited activities and the
actions that will be taken when violators are discovered
•
The organization has put in place policies, practices, procedures, and reports to monitor activities to
safeguard assets, particularly in high-risk areas
•
The organization has installed the proper communication channel that will provide management with
adequate and reliable information
•
Recommendations need to be established to enhance the control structure to help deter fraud
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
111
Fraud Risks and Controls
CIA Part 2
Question 91: In the course of their work, internal auditors must be alert for fraud and other forms of
white-collar crime 5. The important characteristic that distinguishes fraud from other varieties of whitecollar crime is that:
a)
Fraud encompasses an array of irregularities and illegal acts that involve intentional deception.
b)
Unlike other white-collar crimes, fraud is always perpetrated against an outside party.
c)
White-collar crime is usually perpetrated for the benefit of an organization, whereas fraud benefits
an individual.
d)
White-collar crime is usually perpetrated by outsiders to the detriment of an organization, whereas
fraud is perpetrated by insiders to benefit the organization.
(CIA Adapted)
Question 92: Which of the following statements is (are) true regarding the deterrence of fraud?
I.
The primary means of deterring fraud is through an effective control system initiated by senior
management.
II.
Internal auditors are responsible for assisting in the deterrence of fraud by examining and
evaluating the adequacy of the internal control system.
III.
Internal auditors should determine whether communication channels provide management with
adequate and reliable information regarding the effectiveness of the control system and the occurrence of unusual transactions.
a)
I only
b)
I and II only
c)
II only
d)
I, II, and III
(CIA Adapted)
Conducting Fraud Investigations
When suspecting fraud, the internal auditor should determine the possible effects of the fraud and discuss the
matter with the appropriate level of management. Management then initiates the full investigation.
It is generally not the auditor’s duty to report fraud to individuals outside of the organization, although the
auditor may in some cases need to report fraudulent events to the SEC, a predecessor auditor, a court, or a
governmental agency.
The internal auditor’s fraud investigation consists of performing additional procedures necessary to determine
whether fraud has occurred and, if so, its extent. In addition to internal auditors, other parties that usually
conduct or participate in fraud investigations include lawyers, investigators, security personnel, and other
specialists from inside or outside the organization.
5
White-collar crime is nonviolent crime committed for illegal monetary gain.
112
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section C
Fraud Risks and Controls
When conducting a fraud investigation, the internal auditors should:
•
Assess the probable level and extent of complicity in the fraud within the organization, which can be
critical to ensuring that the internal auditor avoids providing information to or obtaining misleading
information from persons who may be involved.
•
Determine the knowledge, skills, and other competencies needed to carry out the investigation
effectively to ensure that engagements are conducted by those with appropriate types and levels of
technical expertise (including assurances on such matters as professional certifications, licenses,
reputation, and the absence of any relationship with those being investigated or with any of the employees or management of the organization).
•
Design procedures to identify the perpetrators, the extent of the fraud, the techniques used, and the
cause or causes of the fraud.
•
Coordinate activities with management personnel, legal counsel, and other specialists as appropriate
throughout the course of the investigation.
•
Be cognizant of the rights of alleged perpetrators and personnel within the scope of the investigation
and the reputation of the organization itself.
At the conclusion of a fraud investigation, it is suggested that internal auditors need to assess the known facts
in order to:
•
Determine if controls need to be implemented or strengthened to reduce future vulnerability.
•
Design engagement tests to help disclose the existence of similar frauds in the future.
•
Help meet the internal auditor’s responsibility to maintain sufficient knowledge of fraud and thereby
be able to identify future indicators of fraud.
The CAE must immediately report any incident of significant fraud to management and the board.
However, it is equally important that, before such a report is issued, sufficient investigation should establish
with reasonable certainty that a fraud incident has in fact occurred. The CAE must not report unsubstantiated
claims.
In conducting engagements, the internal auditor must:
•
Have sufficient knowledge of fraud to be able to identify indicators that fraud may have been
committed (including knowing the characteristics of fraud, the techniques used to commit fraud, and
the types of frauds associated with the activities audited).
•
Be alert to opportunities, such as control weaknesses, that could allow fraud. If significant control
weaknesses are detected, internal auditors should conduct additional tests to identify any other indicators of fraud, such as unauthorized transactions, override of controls, unexplained pricing
exceptions, and unusually large product losses. Internal auditors should recognize that the presence
of more than one indicator at any one time increases the probability that fraud may have occurred.
•
Evaluate the indicators that fraud may have been committed and decide whether any further action
is necessary or whether an investigation should be recommended.
•
Notify the appropriate authorities within the organization if a determination is made that there are
sufficient indicators of the commission of a fraud to recommend an investigation.
Responsibility for Fraud Detection
Management and the IAA have differing roles with respect to fraud detection. During the normal course of
work, the IAA provides an independent appraisal, examination, and evaluation of an organization’s activities
as a service to the organization. The objective of internal auditing in fraud detection is to assist members of
the organization in the effective discharge of their responsibilities by furnishing them with analyses,
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
113
Fraud Risks and Controls
CIA Part 2
appraisals, recommendations, counsel, and information concerning the activities reviewed. The engagement
objective includes promoting effective control at a reasonable cost.
To reiterate, management has the responsibility to establish and maintain an effective control system at a
reasonable cost. Internal auditors have the responsibly to exercise due professional care in respect to fraud
detection.
Question 93: The CAE uncovers a significant fraudulent activity that appears to involve the executive vice
president to whom the CAE reports. Which of the following tests describes how the CAE should proceed?
a)
Conduct an investigation to ascertain whether the executive vice president is involved in the
fraudulent activity.
b)
Interview the executive vice president to obtain essential evidence.
c)
Notify regulatory authorities and police.
d)
Report the facts to the CEO and the audit committee.
(CIA Adapted)
Question 94: An internal auditor has detected probable employee fraud and is preparing a preliminary
report for management. This report should include:
a)
A statement that an engagement conducted with due professional care cannot provide absolute
assurance that irregularities have not occurred.
b)
The auditor’s conclusion as to whether sufficient information exists to conduct a full investigation.
c)
The results of a polygraph test administered to the suspected perpetrator(s) of the fraud.
d)
A list of proposed engagement tests to help disclose the existence of similar frauds in the future.
(CIA Adapted)
Fraud Indicators
In the course of planning the engagement, the internal auditor should consider the potential areas of fraud
that might be present during the engagement. Therefore, auditors should have knowledge of the risk factors
and red flags of fraud.
Red flags are those items or actions that are associated with or are strongly suggest fraudulent behavior.
However, it is possible that a red flag might not come to the auditor’s attention during the course of a
properly planned and conducted audit.
The factors that contribute to fraud are varied and numerous, but by being aware of them the auditor is in a
better position to detect and prevent fraud. Insufficient internal controls often lead to fraud. Examples of
insufficient internal controls include:
114
•
No segregation of duties
•
Unlimited access to assets
•
Failure to compare existing assets with recorded assets
•
Executing transactions without proper authorization
•
Lack of personnel or qualified personnel that leads to improper controls
•
Collusion among employees
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section C
Fraud Risks and Controls
•
Unrestricted access to computer disks
•
The existence of high-value, small, liquid assets
•
The ability of management to override the controls in place
•
Improper compensating controls for computers at off-site locations
Management Fraud
A major risk factor that could indicate possible fraudulent financial reporting is management override of
controls. In cases of fraudulent financial reporting, it has been found that management has been able to
repeatedly override systems of internal accounting control. Therefore, management fraud should be an area
of special concern for the internal auditor.
The types of controls and the types of assets a company has will influence the risk of the misappropriation of
assets. The auditors should also inquire of management about their understanding of the risks and their
knowledge of any frauds that are being or can be committed within the company.
Some of reasons for management fraud include 6:
•
Executives making rash decisions from which they cannot retreat
•
Profit centers distorting facts to hold off divestment
•
Incompetent managers deceiving the company in order to keep their jobs
•
Performance distorted to warrant larger bonuses.
•
The need to succeed turning managers to deception
•
Unscrupulous managers serving conflicting interests
•
Profits inflated to obtain advantages in the market place
•
The person who controls both the assets and their records falsifying data
Potential Red Flags
The following list, published by the IIA 7, details various red flags that could indicate trouble for organizations:
6
7
•
Unusually rapid growth or profitability, especially compared to other companies in the same industry
(for example, Enron had a 151% increase in revenues during 2000, with $100 billion, while the second-ranked pipeline company reported revenues of less than $30 billion)
•
Financial results that seems too good to be true or significantly better than competitors, without
substantive differences in operations
•
Unusual balance sheet changes or changes in trends or important financial statement relationships,
such as receivables growing faster than revenues
•
Significant bank accounts, subsidiaries or branch operations in tax-haven jurisdictions, with no clear
business justification
•
Widely dispersed business locations with decentralized management and a poor internal reporting
system
•
Inability to generate cash flows from operations while reporting growth in earnings
Sawyer’s Internal Auditing, 5th edition, 1203-1205.
Tone at the Top, November 2003.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
115
Fraud Risks and Controls
CIA Part 2
•
Overly optimistic news releases or shareholder communications, with the CEO acting as an evangelist to convince investors of future potential growth
•
Accounting methods that appear to favor form over substance
•
Accounting principles or practices that vary from industry norms
•
Unusually high dependence on debt or marginal ability to meet debt repayment requirements
•
Especially high vulnerability to changes in interest rates
•
Significant, unusual, or highly complex transactions close to year end
•
Failure to enforce the company’s code of conduct
•
Threat of imminent bankruptcy or foreclosure and significant related-party transactions not in the
ordinary course of business
•
Overly complex organizational structure involving unusual legal entities, numerous managerial lines
of authority, or contractual arrangements without apparent business purpose
•
Complex business arrangements that are not well understood and that appear to serve little practical
purpose
Question 95: Internal auditors have been advised to consider red flags to determine whether management is involved in fraud. Which of the following does not represent a difficulty in using the red flags as
fraud indicators?
a)
Many common red flags are also associated with situations in which no fraud exists.
b)
Some red flags are difficult to quantify or to evaluate.
c)
Red flag information is not gathered as a normal part of an engagement.
d)
Red flag literature is not well enough established to have a positive impact on internal auditing.
(CIA Adapted)
Question 96: An internal auditor should be concerned about the possibility of fraud if
a)
Cash receipts, net of the amounts used to pay petty cash-type expenditures, are deposited in the
bank daily.
b)
The monthly bank statement reconciliation is performed by the same employee who maintains the
perpetual inventory records.
c)
The accounts receivable subsidiary ledger and accounts payable subsidiary ledger are maintained
by the same person.
d)
One person, acting alone, has sole access to the petty cash fund (except for a provision for
occasional surprise counts by a supervisor or auditor).
(CIA Adapted)
116
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section C
Fraud Risks and Controls
Engagement Procedures for Fraud Engagements
The internal auditor’s risk assessment will have an important impact on the nature and extent of the
procedures to be performed to detect and investigate fraud. Analytical procedures can be performed in
many engagements, which may provide an early indication that fraud exists.
Note: Benford’s Law is a theory that establishes the rate of occurrence of the different digits in a series
of naturally occurring numbers. For example, Benford’s Law predicts that 1 is the first digit of a number
30% of the time, 2 is the first digit 18% of the time, 3 – 12%, 4 – 10%, 5 – 8%, 6 – 7%, 7 – 6%, 8 – 5%,
9 – 4%. Based upon plausible assumptions that people who make up figures tend to distribute their digits
fairly uniformly, a simple comparison of first-digit frequency from the data with the expected distribution
according to Benford’s Law should reveal any anomalous results. Based on this idea, Benford’s Law can be
used as an indicator of accounting and expenses fraud.
Another method to detect fraud is discovery sampling. The objective of discovery sampling is to find at
least one item with a particular characteristic to establish the case for existing suspicions, rather than to
express an opinion on the population as a result of auditing the sample.
Because the number of items to be audited may vary, the sample is usually not preset. Generally, it will be up
to the auditor to decide under what circumstances the sample will be sufficient to support the auditor’s
conclusions that the population does not contain the sought attribute. It will also be up to the auditor to
evaluate the impact of the undiscovered items in the population.
Forensic Auditing
A new and growing accounting field is forensic auditing. Forensic auditing refers to the application of auditing
skills to situations that have potential legal implications and/or consequences (for example, money
laundering; flow of funds to terrorists, organized crime, and so forth). In this case, the role of the forensic
expert is to help the internal auditor gather evidence to prove or disprove suspicions, identify the parties
involved, and gather and maintain evidence that may be subsequently presented in disciplinary or criminal
proceedings.
Question 97: The chief of an organization’s security has received an anonymous call accusing a marketing
manager of taking kickbacks from a media outlet. Thus, the marketing department is on the list of
possible engagement clients for the coming years. The internal audit activity is assigned responsibility for
investigating fraud by its charter. If obtaining access to outside media records and personnel is not
possible, the best action an internal auditor could take to investigate the allegation of marketing
kickbacks is to:
a)
Search for unrecorded liabilities from media outlets.
b)
Obtain a list of approved media outlets.
c)
Develop a financial and behavioral profile of the suspect.
d)
Vouch any material past charge-offs of receivables.
(CIA Adapted)
Legal Hazards
When the internal auditor conducts a fraud investigation, he or she has to make sure that it is conducted
professionally and within appropriate legal standards. The failure to follow legal requirements may expose the
company to expensive litigation from the accused person.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
117
Fraud Risks and Controls
CIA Part 2
When interrogating a potential fraud suspect, the internal auditor should be aware of common and statutory
rights, the violation of which may enable the person to sue the auditor and organization. The following are
some common grounds on which individuals are able to sue a company that accused them of fraud:
•
Defamation of character is an unjustifiable, published allegation to a third party of a false statement by the employer or the employer’s agent (such as the internal auditor) that injures the
suspect’s reputation. There are two kinds of defamation:
o
Slander is spoken defamation
o
Libel is published defamation (for example, in a newspaper, film, or letter)
•
False imprisonment occurs if the employer unjustifiably restrains a person, and the restraint does
not necessarily need to be physical confinement.
•
Malicious prosecution refers to the prosecution of an employee without probable cause. For
example, an employer may go ahead with a groundless prosecution with the intent of causing harm
to the employee.
•
Compounding a felony is a situation where an employee has committed a crime, but the employer
agrees not to prosecute for a consideration (such as repaying stolen funds). The employer may accept the consideration, but the employer should not bargain for the acceptance of such amounts on
the grounds that they will not prosecute.
The auditor needs to be aware of the issues related to confessions. A confession is a complete acknowledgement of wrongdoing by the accused. However, the obtained confession may be tainted if the suspect
was under duress (meaning physical or emotional harm or the threat of physical or emotional harm) while the
confession was given. If the confession was not made voluntarily, then it may be overturned in court.
An admission is not as complete as a confession, but it may be used against the suspect. In an admission,
the accused party acknowledges committing a certain act, but he or she does not confess that there was
intent, nor does the accused party confess to the accusation.
Because of the legal issues involved in criminal investigations, it is generally best to allow a security specialist
to make decisions connected to obtaining confessions and admissions and other evidence from the accused.
Recommended actions on part of the internal auditor include:
•
If there is a possibly of legal hazards, the internal auditor should consult with legal counsel.
•
Interrogations are better performed when there are two or more people present with one of them
serving as a witness.
•
The internal auditor should thoroughly prepare and be certain of the facts before proceeding with an
interview.
Question 98: During the course of an audit, an internal auditor became aware that company funds were
missing. The auditor investigated further and found a likely suspect. When the investigation was
complete, the internal auditor agreed not to inform the authorities if the suspect returned the missing
funds. The internal auditor had probable cause to believe that the suspect did in fact steal the funds.
Which of the following best describes the internal auditor’s action?
a)
Malicious prosecution
b)
Libel
c)
Defamation
d)
Compounding a felony
(HOCK)
118
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section C
Fraud Risks and Controls
Question 99: Which of the following is a red flag that might indicate that a company is engaging in
fraudulent activity?
a)
The company has large cash reserves, but earnings were low the past couple of quarters.
b)
Financial earnings were 10% above the industry average the past two years.
c)
The existence of significant, unusual or highly complex transactions close to year-end.
d)
Decentralized management structure with strong internal controls.
(HOCK)
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
119
Sample Code of Conduct
CIA Part 2
Appendix A: Sample Code of Conduct
Our Values
•
The best solutions come from working together with colleagues and clients.
•
Effective teamwork requires relationships, respect, and sharing.
•
We deliver what we promise and add value beyond what is expected.
•
We achieve excellence through innovation, learning, and agility.
•
We lead with clients, people, and thought leadership.
•
Leadership demands courage, vision and integrity.
Upholding the [Firm] Name
•
Our clients and colleagues trust [the firm] based on our professional competence and integrity—
qualities that underpin our reputation. We uphold that reputation.
•
We seek to serve only those clients whom we are competent to serve, who value our service, and
who meet appropriate standards of legitimacy and integrity.
•
When speaking in a forum in which audiences would reasonably expect that we are speaking as a
representative of [the firm], we generally state only [the firm]’s views and not our own.
•
We use all assets belonging to [the firm] and to our clients, including tangible, intellectual and
electronic assets, in a manner both responsible and appropriate to the business and only for legal
and authorized purposes.
Behaving Professionally
120
•
We deliver professional services in accordance with [the firm]’s policies and relevant technical and
professional standards.
•
We offer only those services we can deliver and strive to deliver no less than our commitments.
•
We compete vigorously, engaging only in practices that are legal and ethical.
•
We meet our contractual obligations and report and charge honestly for our services.
•
We respect the confidentiality and privacy of our clients, our people, and others with whom we do
business. Unless authorized, we do not use confidential information for personal use, [the firm]’s
benefit, or to benefit a third party. We disclose confidential information or personal data only when
necessary, only when appropriate approval has been obtained, and/or we are compelled to do so by
legal, regulatory, or professional requirements.
•
We aim to avoid conflicts of interest. Where potential conflicts are identified, and when we believe
that the respective parties' interests can be properly safeguarded by the implementation of appropriate procedures, we will implement such procedures.
•
We treasure our independence of mind. We protect our clients' and other stakeholders' trust by
adhering to our regulatory and professional standards, which are designed to enable us to achieve
the objectivity necessary in our work. In doing so, we strive to ensure our independence is not compromised or perceived to be compromised. We address circumstances that impair or could appear to
impair our objectivity.
•
When faced with difficult issues or issues that place [the firm] at risk, we consult appropriate authorities at [the firm] before taking action. We follow our applicable technical and administrative
consultation requirements.
•
It is unacceptable for us to receive or pay bribes.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
CIA Part 2
Sample Code of Conduct
Respecting Others
•
We treat our colleagues, clients, and others with whom we do business with respect, dignity, fairness, and courtesy.
•
We take pride in the diversity of our workforce and view it as a competitive advantage to be nurtured and expanded.
•
We are committed to maintaining a work environment that is free from discrimination or harassment.
•
We try to balance work and private life and help others to do the same.
•
We invest in the ongoing enhancement of our skills and abilities.
•
We provide a safe working environment for our people.
Corporate Citizenship
8
•
We express support for fundamental human rights and avoid participating in business activities that
abuse human rights.
•
We act in a socially responsible manner, within the laws, customs, and traditions of the countries in
which we operate, and contribute in a responsible manner to the development of communities.
•
We aspire to act in a manner that minimizes the detrimental environmental impacts of our business
operations.
•
We encourage the support of charitable, educational, and community service activities.
•
We are committed to supporting international and local efforts to eliminate corruption and financial
8
crime.
Adapted from Enterprise Risk Management – Integrated Framework, COSO.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
121
International Professional Practices Framework
CIA Part 2
Appendix B: International Professional Practices Framework
Note: The following information about the IIA’s International Professional Practices Framework (IPPF) is
from the IIA website (theiia.org).
A trustworthy, global guidance-setting body, the IIA provides for internal audit professionals all around the
world authoritative guidance organized in the International Professional Practices Framework as mandatory
and strongly recommended guidance.
Mandatory Guidance
Conformance with the principles set forth in mandatory guidance is required and essential for the professional
practice of internal auditing. Mandatory guidance is developed following an established due diligence process,
which includes a period of public exposure for stakeholder input. The three mandatory elements of the IPPF
are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional
Practice of Internal Auditing (Standards).
Element
Definition
Definition
The Definition of Internal Auditing states the fundamental purpose, nature, and
scope of internal auditing.
Code of Ethics
The Code of Ethics states the principles and expectations governing behavior of
individuals and organizations in the conduct of internal auditing. It describes the
minimum requirements for conduct, and behavioral expectations rather than specific
activities.
The Standards are principle-focused and provide a framework for performing and
promoting internal auditing. The Standards are mandatory requirements consisting of:
International
Standards
Statements of basic requirements for the professional practice of internal auditing and
for evaluating the effectiveness of its performance. The requirements are internationally
applicable at organizational and individual levels.
Interpretations, which clarify terms or concepts within the statements.
It is necessary to consider both the statements and their Interpretations to understand
and apply the Standards correctly. The Standards employ terms that have been given
specific meanings that are included in the Glossary.
122
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Appendix B
International Professional Practices Framework
Strongly Recommended Guidance
Strongly recommended guidance is endorsed by the IIA through a formal approval processes. It describes
practices for effective implementation of the IIA's Definition of Internal Auditing, Code of Ethics, and the
Standards. The three strongly recommended elements of the IPPF are Position Papers, Practice Advisories,
and Practice Guides.
Element
Position
Papers
Practice
Advisories
Definition
Position Papers assist a wide range of interested parties, including those not in the internal
audit profession, in understanding significant governance, risk, or control issues and
delineating related roles and responsibilities of internal auditing. The IIA’s position papers
includes:
1)
The Role of Internal Auditing in Resourcing the Internal Audit Activity, and
2)
The Role of Internal Auditing in Enterprise-wide Risk Management.
Practice Advisories assist internal auditors in applying the Definition of Internal Auditing,
the Code of Ethics, and the Standards and promoting good practices. Practice Advisories
address internal auditing's approach, methodologies, and consideration, but not detail
processes or procedures. They include practices relating to: international, country, or
industry-specific issues; specific types of engagements; and legal or regulatory issues.
Practice Guides provide detailed guidance for conducting internal audit activities. They
include detailed processes and procedures, such as tools and techniques, programs, and stepby-step approaches, as well as examples of deliverables. These practice guides include:
Practice
Guides
1)
General practice guides. Currently there are eight guides covering topics such as
Assessing the Adequacy of Risk Management, Measuring Internal Audit Effectiveness
and Efficiency, CAEs – Appointment, Performance Evaluation and Termination, etc.
2)
Global Technology Audit Guides (GTAG). There are currently fifteen GTAGs, which are
written in straightforward business language to address a timely issue related to information technology (IT) management, control and security.
3)
Guide to the Assessment of IT Risk (GAIT). There are currently three GAITs, which
describe the relationships among business risk, key controls within business processes,
automated controls and other critical IT functionally, and key controls within IT general
controls. Each practice guide in the series addresses a specific aspect of IT risk and
control assessments.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
123
The IIA Code of Ethics
CIA Part 2
Appendix C: The IIA Code of Ethics
Note: The following information is taken directly from the IIA.
Note: Even though the Code of Ethics not specifically listed in the Part 2 syllabus, we believe that the topic
is important enough that it is presented again for your information.
Code of Ethics
The Code of Ethics states the principles and expectations governing the behavior of individuals and
organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and
behavioral expectations rather than specific activities.
Introduction to the Code of Ethics
The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components:
1)
Principles that are relevant to the profession and practice of internal auditing.
2)
Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid
to interpreting the Principles into practical applications and are intended to guide the ethical conduct
of internal auditors.
“Internal auditors” refers to Institute members, recipients of or candidates for IIA professional certifications,
and those who perform internal audit services within the Definition of Internal Auditing.
Applicability and Enforcement of the Code of Ethics
This Code of Ethics applies both to entities and individuals that perform internal audit services.
For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of
Ethics will be evaluated and administered according to the Institute’s Bylaws and Administrative Directives.
The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being
unacceptable or discreditable; therefore, the member, certification holder, or candidate can be liable for
disciplinary action.
Principles
Internal auditors are expected to apply and uphold the following principles:
1) Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
2) Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced
assessment of all the relevant circumstances and are not unduly influenced by their own interests or by
others in forming judgments.
124
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Appendix C
The IIA Code of Ethics
3) Confidentiality
Internal auditors respect the value and ownership of information they receive and do not disclose information
without appropriate authority unless there is a legal or professional obligation to do so.
4) Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing
services.
Rules of Conduct
Note: Items in parentheses below have been added by HOCK for further explanation.
1) Integrity
Internal auditors:
1.1.
Shall perform their work with honesty, diligence, and responsibility. (In other words, the auditor
does the right thing.)
1.2.
Shall observe the law and make disclosures expected by the law and the profession.
1.3.
Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to
the profession of internal auditing or to the organization.
1.4.
Shall respect and contribute to the legitimate and ethical objectives of the organization.
2) Objectivity
Internal auditors:
2.1.
Shall not participate in any activity or relationship that may impair or be presumed to impair
their unbiased assessment. This participation includes those activities or relationships that may
be in conflict with the interests of the organization.
2.2.
Shall not accept anything that may impair or be presumed to impair their professional judgment.
(For example, a material gift is considered to impair objectivity.)
2.3.
Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
activities under review. (For example, there may be some items that were capitalized instead of
expensed. This fact needs to be disclosed to management and the Audit Committee.)
3) Confidentiality
Internal auditors:
3.1.
Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2.
Shall not use information for any personal gain or in any manner that would be contrary to the
law or detrimental to the legitimate and ethical objectives of the organization.
4) Competency
Internal auditors:
4.1.
Shall engage only in those services for which they have the necessary knowledge, skills, and
experience.
4.2.
Shall perform internal auditing services in accordance with the International Standards for the
Professional Practice of Internal Auditing.
4.3.
Shall continually improve their proficiency and the effectiveness and quality of their services.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
125
Answers to Questions
CIA Part 2
Answers to Questions
1 b – Any attestation (coming to a conclusion) and risk assessment work will be done only by the external
auditor. The internal auditor may do evaluating and reviewing, as long as it is the external auditor who makes
the final conclusion or assessment.
2 b – One of the role’s of the CAE is to coordinate the work of the internal and external auditors and to
reduce the duplication of work.
3 a – This is one of the things that the CAE will do in an attempt to coordinate the internal and external
audits and reduce the amount of work that is done twice.
4 d – By reviewing and testing the other departments’ procedures, the internal auditor may reduce the
necessary audit coverage of the function or process.
5 a – Oversight of external auditors is the responsibility of the board. The CAE should be responsible for
coordinating work between internal and external auditors. However, it is possible that the board could request
that the CAE provide input into the performance of the external auditor.
6 b – The overall professionalism of the internal auditor has improved, and the increased expense of external
audits makes it imperative to eliminate duplication of effort and monitor more closely the hours worked by
external auditors.
7 b – In any engagement, the deficiencies that are noted by the internal auditor should be reported to
management. Choice (c) is incorrect because it may be appropriate for the audit to be conducted if
management wants feedback about that at this point. It is not really the auditor’s decision about the
appropriateness of the audit.
8 d – The four key responsibilities include (1) complies with society’s legal and regulatory rules, (2) satisfies
the generally accepted business norms, ethical precepts, and social expectations of society, (3) provides
overall benefit to society and enhances the interests of the specific stakeholders in both the long term and
short term, and (4) reports fully and truthfully to its owners, regulators, other stakeholders, and general
public to ensure accountability for its decisions, actions, conduct, and performance.
9 a – The engagement work program is specific to the engagement and does not impact in determining the
schedule of engagements to be performed.
10 c – While the board would like to think that they can determine what engagements should be performed,
they cannot. The budget of the area is not a factor. Of the items listed, only the risk of financial loss or other
detrimental results would be considered.
11 b – The addition of new staff is probably less important than the other factors listed. Matters to be
considered in establishing the engagement should include: (a) length of time since last engagement; (b)
request from senior management; (c) changing business environment; (d) changes in risk environment; (e)
potential benefits; and (f) changes in skill level.
12 b – It is important to recognize that the question is “Which of the following is least important?” Whether
or not the external auditor audited the division last year is the least important of these factors listed. While
the fact that it was recently audited is a good thing, it does not relieve the duty that the internal auditors
have to monitor this potentially risky engagement on an ongoing basis.
13 c – In all cases, work should be assigned to managers based on their skills and the risk analysis. Personal
preferences and travel desires are not the way in which engagements should be assigned.
14 d – Personnel competence is a difficult thing to assess and measure. It is perfectly acceptable to use
group consensus to do this. In fact, group consensus is probably better than an individual doing it because
the group will hopefully eliminate any personal bias that one person has. Choice (a) is incorrect because risk
assessment uses both quantitative and qualitative measurements.
15 a – Risk and the measurement of risk includes the assessment of the probability and the potential loss.
Therefore, choices (b) and (c) are incorrect because they include only one of the two items. Choice (d) is
incorrect because risk assessment cannot always be reduced to a numerical measure. Management judgment
in an area may be a risk factor. The more that management has to make judgments, the more risk there is.
16 a – In order to broaden the staff auditor’s knowledge, they need to be exposed to more areas. This is
done through the rotation of auditors to different jobs.
17 b – In order to make certain that the internal auditors will be able to perform their duties, the CAE has a
responsibility to provide counseling and training to the auditors.
18 b – The policies and procedures in place are dependent upon the size and complexity of the business.
Choice (a) is incorrect because policies and procedures alone cannot ensure compliance with performance
standards. They only help in the process. The same is the case with choice (c): the policies and procedures
only assist in the consistency effort.
126
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
CIA Part 2
Answers to Questions
19 c – A small IAA can be managed more informally because the staff may be directed and controlled
through close daily supervision. In a large IAA, it is generally necessary to have more formal and comprehensive policies and procedures in order for staff to be consistent in the compliance of the Standards.
20 d – Reporting the weekly activities of the individual internal auditors would not be included in the activity
report submitted to the board and senior management. The board and senior management need summary
reports that highlight significant issues, and so forth.
21 c – As part of the activity report, the CAE should include information about the status and completion of
the engagements during the year.
22 d – Of the choices listed, the support that the audit committee can provide the IAA is of the greatest
benefit. The other three choices are not things that the audit committee will or could do.
23 c – The first step is for the internal auditors to discuss the audit conclusions and recommendations with
appropriate management. This allows the internal auditor the opportunity to verify the accuracy of the
engagement communications. Then next step is to distribute to members of the organization that have the
necessary power to ensure the results are given proper consideration, such as the audit committee.
24 c – The review of past risk evaluation reports is not a key objective of the risk management process. The
internal auditor must determine that the organization’s risk management processes address the five key
objectives in order to formulate an opinion on the overall adequacy of the risk management processes.
25 c – This is a detailed test of the systems. However, what the engagement in the question is about is
evaluating the adequacy of the new policies and procedures in maintaining an appropriate risk profile. This
test of some of the investments will not accomplish that.
26 c – Simply tracking interest rates over time will provide very little useful information in the assessment of
the current investment strategy. Interest rates are affected by many factors outside of the control of
management, perhaps most notably the economy and general economic environment.
27 d – Of the skills listed, this is the skill that probably only the internal auditor has. Engineers, IT specialists,
and cost accountants have more detailed knowledge of the items listed in choices (a), (b), and (c).
28 b – Operating engagements assist management by evaluating the accomplishments of established goals
and objectives for operations and economical and efficient use of resources.
29 d – By comparing the actual results with the standard (or expected) costs, management is able to start
evaluating the effectiveness and efficiency of the production function being audited.
30 c – The assessment of audit risk is the assessment of the overall probability that an assertion of
management will be materially misstated and the auditor will miss it. Inherent risk is the probability that an
assertion will be materially misstated if there are no controls in place and the auditor would miss the
misstatement.
31 a – The internal auditors should conduct a transactional auditor because a current landowner may be held
responsible for environmental contamination by previous owners.
32 a – Conducting site assessments at both facilities would be an engagement procedure, not objective.
Choices b, c, and d are all engagement objectives.
33 c – Auditing engagements should be performed with proficiency and due professional care. Thus,
providing staff with training would be the first step in performing an environmental audit.
34 d – All of the listed procedures would be performed during an audit of the outside processor. In addition,
the auditor would verify that the processor is approved by local authorities.
35 d – The internal auditor should provide only reasonable assurance, not be in a position to absolutely
ensure that the goals and objective can be achieved. The other answers are all components of the auditing
the e-commerce activity.
36 d – Due diligence reviews are conducted primarily to justify a major transaction, such as an acquisition,
joint venture, or divestiture.
37 a – To do an evaluation of the merits of a lawsuit would take legal expertise. The internal auditor is
supposed to have an appreciation of the fundamentals of law, but not be a lawyer.
38 a – If the purchase price of the subsidiary depends on its profitability, then the internal auditors would
want to pay special attention to the fixed asset capitalization procedures. It is possible that the former owners
(now the managers) could capitalize some expenses, thereby increasing the firm’s profitability and increasing
the purchase price.
39 c – It will be up to senior management it make the decision on the internal auditors’ involvement in the
disaster recovery process. The internal audit activity provides only an assurance and consulting service.
40 d – Benchmarks can be either financial or nonfinancial. The percentage of orders delivered on time at the
company’s most efficient plant is an example of an internal nonfinancial benchmark.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
127
Answers to Questions
CIA Part 2
41 c – Comparing the quantities of scrap expected from the production process with the quantities sold would
be the best way to ascertain that the sale of scrap is well controlled.
42 d – The method to use to determine whether improper services were billed would be to reconcile a sample
of messenger invoices to pickup receipts. The internal auditor would be able to check whether any improper
services were being carried out.
43 c – Since the contract is cost-plus, the internal auditor should have the right to review the costing system
of the firm to ascertain whether the company is being properly charged.
44 d – Of these choices the only one that would provide any indication of the quality of the production is
sales adjustments. Sales adjustments would include returns and one of the reasons for a return would be the
poor quality of the product. Therefore, as returns increase, this may be an indication that there are quality
problems.
45 b – By confirming that the people who received payroll cards were actually in the personnel department
records confirms that the individuals getting paid are in fact employees of the company.
46 c – Regression analysis would be the best method of evaluating the effectiveness of the sales commission
plan. Regression analysis is a statistical tool used to find trend line in business data such as sales or costs and
develop models based on the association of variables.
47 b – The internal auditors have knowledge of the organization and staff, as well as skills that are specific to
the business. In these cases, the internal auditor would be in a position to accelerate the progress on such a
project.
48 d – The CAE should determine the methodology to use for classifying engagements within the organization.
49 c – This is a true statement.
50 c – Facilitated team workshop is the process of gathering information from work teams that represent
different levels in the business unit or function. The primary format of the workshop may be based on
objectives, risks, controls or processes.
51 a – The risk-based format begins by listing all possible barriers, obstacles, threats, and exposures that
might prevent achieving an objective. The purpose of the workshop is to determine significant residual risk.
52 c – The process-based format focuses on selected activities that are elements of a chain of processes. The
general aim of this workshop is evaluate, update, validate, improve, and even streamline the whole process
and its component activities.
53 c – Engagement communications is intended to inform, persuade, and get results. Assigning responsibility
is not a major purpose of an engagement communication.
54 b – An engagement’s objectives should address the risks, controls, and governance procedures of the
area.
55 c – If the goal of the audit is to make sure that all of the equipment is properly recorded, the auditor
needs to start by selecting the equipment and then finding it in the accounting records and making sure that
it is correctly recorded.
56 d – This is the best definition of a preliminary survey because it is really an information gathering process.
Choice (a) is incorrect because standardized questionnaires can be used in other parts of the audit as well as
the preliminary survey.
57 d – The survey will not evaluate the effectiveness or adequacy of controls. It will only identify the controls
and maybe areas to which more attention needs to be given, but the survey collects information from the
client and the auditor will not conclude about the adequacy or effectiveness of controls without some testing.
58 c – While it is possible that this will be discussed, it is the least likely of the choices given. This is because
the sampling plan and criteria is something that the auditor prepares without the input of the client. If this is
discussed too much, the client may be in a position to influence what is tested through the sampling methods
used.
59 a – The internal auditor should be in a position to make recommendations, and this can be done to see if
there are policies and procedures in place and being used to make certain that the best prices are being
obtained. Choice (c) is incorrect because this is a specific work program step that will be performed.
60 b – By having a memo sent from the CAE prior to the survey, this should result in the involvement of the
client supervisors. If the letter is written correctly, it should not cause concern about the engagement.
61 a – Standard work programs that are used in more than one branch are appropriate when the work to be
performed is fundamentally the same. In this situation, this type of work program would be appropriate.
62 d – In this fraud, the amount that was ordered is different from the amount that was received by the
company, with the difference going to the manager’s own company. To detect this, the order documents and
128
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
CIA Part 2
Answers to Questions
the receiving reports need to be compared, as well as the receiving report and the invoice paid. Given that all
of the quantities will not match, the comparison of these will uncover this fraud.
63 d – In order to determine if all of the gas pumped is recorded, we need to look at the quantity that was
pumped (this is done by reading the pump itself) and the quantity that was recorded (this is done by looking
at the disbursement forms). This is choice (d). Choice (a) does not consider the amounts that have been
recorded. Choice (b) only determines if the gas that was purchased was done so correctly but says nothing
about the recording of disbursements. Choice (c) does not look at the recorded disbursements.
64 c – To determine if all of the debits are correct, the best way to test is to select some debits and confirm
that they are correct.
65 b – To determine if the credit procedures were followed when credit is granted, the best way is to select a
number of accounts for which credit was granted and investigate to see if the procedures were followed.
Choice (a) is not sufficient because it is only the word of the people in the department. Choices (c) and (d) do
not determine if the procedures were followed.
66 d – All three of these tests would perform the necessary work. Items I and II are much faster than item
II, but item II would also work if the auditor has the necessary skills, which the question says is the case.
67 b – The problem is that the dentist is doing one thing and charging the insurance company for another.
The best way to detect this is to get the claim from the dentist for the work performed and confirm the work
that was actually done with the patient. This may be time consuming but the best way to detect fraudulent
activity by the dentist. The other choices will simply confirming that the dentist did actually receive the
inflated amount.
68 a – The CAE has overall responsibility and because the CAE is not able to supervise every single procedure
that is performed, the CAE needs to review and supervise to make certain that the work program is carried
out as it is supposed to be. Any changes to the work program need to be authorized.
69 c – In any engagement, no matter who is doing the work, the CAE is responsible for the supervision of the
engagement.
70 c – Just because the engagement is completed in the time budget does not mean that the engagement
was properly completed. The numerous deviations that are not controlled or authorized demonstrate poor
supervision.
71 c – Engagement communications is intended to inform, persuade, and get results. Assigning responsibility
is not a major purpose of an engagement communication.
72 c – Unnecessary postage costs would probably not be that material so should be classified under the
heading “other areas for improvement.” The other answers are incorrect because of their potential for causing
material loss, and thus they would be classified as “deficiencies.”
73 a – The internal auditor should include the criteria or standards that should exist. All the other conditions
do exist in this problem.
74 a – Because there is no need to justify the advance, people accumulate large advances. Lacking the need
to justify the advance is the cause of the problem.
75 d – The condition attribute is what currently exists. The situation is that the advances that are
accumulated are in excess of what is permitted.
76 b – Since the sample included only travel advances for sales representatives, the auditor cannot reach a
conclusion about all advances in the organization. The conclusion reached can only be about travel advances
and that conclusion is that travel advances are not controlled in accordance with the existing policies. It is not
up to the auditor to determine if those policies are appropriate or not.
77 b – The opinion of internal auditors is their evaluation of what they found during the engagement.
78 d – Because the engagement discovered something that was currently causing the company to lose
money, this should have been reported immediately, during the engagement. Since the report was given
eight weeks later, the report was not timely.
79 c – In order to prevent the purchase of unnecessary vehicles, the purchase should be delayed until a
further review of usage can be made.
80 c – The report should include a description of the situation itself and what the internal auditor recommends to do about it.
81 d – The report on the review of the purchasing cycle is too detail oriented for the chairman of the board to
receive. The external auditor may receive this report because it is relevant to the work that the external
auditor does as well.
82 a – Reports need to be provided to the individuals who are in a position to influence the actions taken or
who are responsible for the function that was audited.
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
129
Answers to Questions
CIA Part 2
83 b – By performing an exit interview, the auditor should be able to help maintain the relationship with the
client by discussing the issues that were found during the audit.
84 d – One of the disadvantages of providing the draft of the engagement communication to the client is that
they will attempt to change the report or will start arguing the points raised in the report.
85 d – When the engagement client disagrees with the report, the auditor should include this disagreement
and the reasons for the disagreement in the report. The auditor should not change the report or change the
scope of the work because of the disagreement by the engagement client.
86 a – Any risk of cash is significant and the fact that none has been stolen in the past is only of minor
importance. Therefore, the auditor should make an initial verbal report of the weakness and then provide
more complete follow-up later, including recommendations.
87 a – The responsibility for follow-up in an assurance engagement should be defined in the IAA written
charter.
88 d – Certain reported observations and recommendations may be so significant as to require immediate
action by management. These conditions should be monitored by the IAA until corrected because of the effect
that they may have on the organization. The CAE should establish procedures to determine a time frame
within which management’s response to the observations is required, to evaluate the response, to verify the
response, to conduct a follow-up engagement, and to transmit unsatisfactory responses or actions to the
appropriate management levels (PA 2500-1).
89 c – If corrective action has not yet taken place, then the internal auditor should discuss the issue with
appropriate personnel. In this case, the appropriate person would be the person responsible for the problem.
This person (namely, the client) would be in the best position to solve the problem.
90 c – Follow-up would be required. The lack of resources is a factor in the timing and extent of the followup, not in determining whether or not to follow up.
91 a – Fraud can encompass an array of irregularities and illegal acts characterized by intentional deception.
Persons outside as well as inside the organization can perpetrate fraud.
92 d – All three are true statements.
93 d – The internal auditor should inform the appropriate authorities within the organization when fraud is
suspected and recommend any necessary follow up.
94 b – A preliminary or final report may be desirable at the conclusion of the detected phase. The report
should contain the internal auditor’s conclusion as to whether sufficient information exists to conduct a full
investigation.
95 d – Information on potential red flags is well documented.
96 a – All cash receipts should be deposited intact daily, not net of amounts used to pay petty cash.
97 c – The best action for the internal auditor to take is to develop a financial and behavioral profile of the
marketing manager. In this case, a common indicator of fraud by an employee is an unexplained change in
financial status.
98 d – Compounding a felony is a crime that involves an agreement for consideration not to prosecute a
felony.
99 c – When management engages in fraudulent transactions, management often will use complex legal
structures to disguise the fraud.
130
© 2013 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Download
Related flashcards
Create Flashcards