1211 P3 PPP - Chartered Institute of Internal Auditors

Chartered Institute of Internal Auditors - Past paper pack
IIA Diploma Past Paper Pack
Internal Audit Practice
P3
Tuesday 27 November 2012
Morning session
Time allowed – 3 hours and 10 minutes
DO NOT OPEN THIS PAPER UNTIL INSTRUCTED BY THE INVIGILATOR
Candidate information and instructions
There are two questions in Part A and four questions in Part B.
Answer both questions in Part A and any three questions in Part B on the answer
sheets provided.
There are 100 marks available in this paper.
Organisations marked with an asterisk, *, are fictitious. No similarity with any real
organisation is intended nor should it be inferred.
Start each question on a separate answer sheet.
Do not identify yourself in answering any questions.
Enter your candidate number, the paper number, the question number and the page
number within the answer at the top of each answer sheet used.
Any plans/notes that are made for each question should only be made on official IIA
exam paper. Separate answer sheets should be used for each question plan.
Clarity and logic of your answers, effective presentation and good use of English will be
taken into account by the examiners when marking this paper.
Past Paper Pack
Chartered Institute of Internal Auditors
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
March 2013
PART A
There are two compulsory questions in this section. Questions one and two relate to
the following scenario.
NPGM* is a private property maintenance and repair service, which has grown over the past
ten years from a small family owned company operating in Birmingham, to a national service
organisation with ten regional depots covering the UK and Ireland. Each of its depots
consists of offices, stocks of materials and vehicles, managed by a regional manager
reporting to head office, and maintained by NPGM staff.
Maintenance, repair and emergency services are provided by locally recruited skilled
workforces, some employed directly by NPGM and some self-employed. The quality of all
services is monitored by a team at head office, reporting to a service director at board level.
All marketing of services provided, and contracts and procurement of most equipment and
materials is controlled at head office. In 2011 NPGM’s turnover was £100m and NPGM has
a business plan growth forecast of £150m in five years.
NPGM’s customer base is approximately 70% registered housing associations (HA) and
30% private landlords. Because of its HA links, the quality performance and cost of its HA
services is monitored regularly by its customers through formal value for money exercises,
as required by their regulator, the Homes and Communities Agency (HCA). This gives
NPGM a competitive edge with private landlords, who benefit from this monitoring of costs
and quality in their contracts.
In 2009 a significant fraud was uncovered at one of NPGM’s depots, discovered through
whistleblowing by a member of staff. The fraud involved collusion between some NPGM staff
and one of its local suppliers of materials. As a result, in 2010 NPGM’s external auditor
suggested to the board that an internal audit service should be established in Birmingham to
implement an independent assurance plan, covering risk management and control across all
the organisation’s operations. This was approved by the board and John Williams, a
qualified accountant, was appointed to head this function in early 2011, reporting to the
financial director. Subsequently, three other internal audit staff have been appointed and an
audit plan agreed with the financial director for the 2012/13 financial year. The audit plan
mainly covers accounting systems with limited reviews of operations.
External audit’s latest management letter to the board has expressed some concern over the
limited operational scope of the internal audit plan and the quality of some of the internal
audit work performed and its procedures. The board has asked the financial director to
review internal audit planning, procedures and reporting to ensure NPGM is receiving the
best added value from the internal audit services it is providing.
QUESTION ONE
The financial director has recently learnt of the International Professional Practices
Framework (IPPF) for internal auditing and considers that this should be adopted for internal
auditing at NPGM. The financial director has asked the head of internal audit to review this
framework and suggest how it could be used at NPGM.
You have been asked to draft a report for the head of internal audit in which you:
a. Describe the contents of the IPPF, its definition of internal auditing, Code of Ethics, standards and guidance, and explain how its implementation would improve the internal audit services at NPGM.
12 marks
b. Identify any problems that IPPF implementation might create with the board and senior management, and advise how these might be overcome.
8 marks
SYLLABUS REFERENCE
1.1 The focus and purposes of internal audit as outlined in the definition of internal audit
1.2 The key terms and requirements of the Code of Ethics, its purpose and role
2.1 The main components of the IIA’s Professional Practice Framework, including attribute
and performance standards and how these relate to the work of internal audit
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit.
Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a. Describe contents of IPPF: (1/2 mark for each up to total 3 marks for Definition, 2 marks COE, 2 marks Standards and 1 mark for supporting advisories):
8
Explain implementation: (1 mark per valid point up to 4 marks)
b. Identify problems (1 mark per valid problem up to 4 marks)
4
12
4
Advise how these might be overcome (1 mark per valid advice up to 4 marks)
Total
16
4
8
4
20
Part a
Describe clearly
Definition – professional statement
Independent Objective
Assurance and consulting
Add value and improve an organisation to accomplish its objectives
Systematic and disciplined approach
To evaluate and improve
Effectiveness of governance, risk management and control processes
Code of Ethics: Principles/Rules of Conduct (internal auditors expected to apply and uphold)
Integrity
Objectivity
Confidentiality
Competence
Standards - mandatory
Attribute
Performance
Implementation
Glossary
Supporting Practice Advisories/Guides/Research
Explain implementation
Include requirement to comply with IPPF in IA Charter approved by board.
Charter, planning and engagements to promote professionalism of IPPF
References to IPPF in internal audit manual and operating procedures
Compliance measured in quality assurance and continuous improvement programme
Part b
Identify any problems
Acceptance of IA Code of Ethics at board and senior management levels as a strengthening
of its independence, objectivity and professionalism
Acceptance at board and senior management levels of breadth of IA scope of work as
required by IPPF
Understanding of IPPF by IA staff
Motivation/Commitment of IA staff to be professional
Resources needed by IA to implement compliance with IPPF
Advise how problems can be overcome
Promotion of professionalism of IPPF at IA planning/engagement levels
Education/training of IA staff in IPPF and associated skills
Encouragement of IA staff to continuously improve
Education of board members and senior management in the benefits/added value for IA to
use and comply with IPPF
Sell IA as added value through its compliance with IPPF in its recruitment, planning,
engagement and reporting
EXAMINERS’ COMMENTS
Most candidates answered this question well in part a), describing in detail the contents of
each part of the IPPF – mandatory and recommended: though not required some supporting
this description in diagrammatic form, improving their presentation. The definition of
professional internal auditing, Code of Ethics and standards were understood and reflected
in many of the answers explaining how the implementation of IPPF would improve the
internal audit services: though, this part of the question was not answered as well. In part b)
many candidates did not use all the current and implied future issues in the Scenario to
address all the important improvements needed in the internal audit function, its services
and reporting lines to achieve professionalism and added-value in NPGM’s current and
possible future governance, risk management and control. Only a few candidates explained
the importance of establishing an internal auditing charter, approved by the board/or an audit
committee, which would include compliance to the mandatory contents of the IPPF and a
focus on its ‘added-value’ to the company.
QUESTION TWO
The head of internal audit is aware of inconsistencies in the quality of internal audit work and
methods used by the internal audit staff.
a. Construct a framework for an internal audit quality assurance programme that meets the requirements of the International Professional Practices Framework.
8 marks
b. Describe the purpose and benefits of three components of your framework from part (a), and explain how each component should be measured to ensure continuous improvement of the internal audit procedures and work performed at NPGM.
12 marks
SYLLABUS REFERENCE
8.1 The purpose and benefits of an independent or supervisory review and the monitoring of
audit assignments
8.2 The purpose and benefits of quality assurance procedures
8.3 The role and purpose of benchmarking and the use of performance measures to
compare performance between organisations and within the same organisation over time
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit.
Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a. Construct quality assurance framework (1 mark for each up to 8 marks):
8
8
b. Describe purpose and benefits (2 marks for full description of each of three components chosen up to 6 marks)
6
Explain how each should be measured (2 marks for each of three components chosen related to issues at NPGM - up to 6 marks)
6
Total
12
12
8
20
Part a
Quality Assurance Framework to contain each of the following:
Proficiency of staff
Due Professional Care
Culture of continuing professional development
Encouraged improvement programme
Quality management systems
Key quality measures
Internal assessments
External assessments
Quality reporting to board
Part b
Describe purpose and benefits of three components of your framework. This could
include:
Proficiency
IA staff must obtain appropriate knowledge, skills and other competencies
Due Professional Care
Apply care and skill expected of a reasonably prudent and competent internal auditor
Continuing Professional Development
IA staff must continuously enhance their knowledge, skills and other competencies through
CPD
Improvement Programme
Ongoing and periodic assessment of the entire spectrum of assurance and consulting work
performed by IA.
Quality management systems
Covering entire spectrum of internal audit activity, includes benchmarking, identification of
leading practices to ensure the IA is most efficient and effective. Incorporated into the
routine policies and practices used to manage internal audit
Key quality measures
Uses processes, tools and information necessary to evaluate conformance with the
Definition of Internal Auditing, Code of Ethics and the Standards. Includes ongoing
measures and analyses of performance metrics.
Internal Assessments
Composed of rigorous, comprehensive processes; continuous supervision and testing of IA
work; periodic validations of conformance to IPPF.
Internal Assessments
Ongoing monitoring is an integral part of the day-to-day supervision, review and
measurement of the internal audit activity. In addition, this should include peer reviews by other
staff in IA or organisation.
External Assessments
Conducted at least every five years by a qualified, independent reviewer or review team from
outside organisation. Frequency and qualifications of reviewers should be discussed at
board level.
Quality reporting at board level
Results of all assessments should be reported to the board and senior management. Use of
‘conforms with IPPF’ can only be used if QA & IP programme is established in accordance
with IPPF requirements.
Explain how each component should be measured to ensure continuous improvement at NPGM
Measures could include any of the following appropriate for each component:
Engagement supervision
Checklists and procedures (e.g., in an audit and procedures manual) are [in compliance with
IPPF] being followed
Feedback from audit customers and other stakeholders
Selective peer reviews of workpapers by staff not involved in the respective audits
Project budgets, timekeeping systems, audit plan completion, and cost recoveries
Analyses of other performance metrics (such as cycle time and recommendations accepted)
PA 1311-1 (2009)
In addition could be added:
Knowledge, skills of staff – staff appraisals and CPD
Changes to improve/innovations
Benchmarking – internal and external
Co-operation and collaboration with other assurance/consulting groups – internal and
external
Achievement of audit plans and engagement objectives
Relationships with audit committee/board
Scope of audit work
EXAMINERS’ COMMENTS
There was some mixed understanding by candidates in the requirements of this question but
despite this many answered the question well. Part a) required candidates to demonstrate
their knowledge of ‘…an internal audit quality assurance programme that meets the
requirements of the IPPF’. Most candidates focused only on the Attribute standards, some
only on the Performance standards and some on a mixture of both. What was required was
a framework of the components of a quality assurance programme based on the mandatory
requirements of the Attribute standards. Few candidates showed their ‘constructed’
framework in a graphic form linking their quality assurance components. Those that did most
often used the form of the EFQM business excellence model or SERVQUAL RATER
aspects of quality and linked these to internal audit quality. In part b) most candidates did
select three of the quality assurance components from the IPPF standards referred to in their
part a) answer but did not always present their descriptions and explanations clearly in the
required ‘purpose, benefits and measurements’ form and because of this contained
repetitive statements.
PART B
There are four questions in this section. Answer any three questions.
QUESTION THREE
a.
Describe the characteristics of a good client-auditor relationship.
10 marks
b.
Identify the approaches that could be adopted to develop, manage
and help sustain effective client-auditor relationships.
10 marks
SYLLABUS REFERENCE
11.2 What contributes to good client-auditor relationships
11.3 The barriers to developing good client-auditor relationships
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit.
Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a) Describe the characteristics (5 factors at up to 2 marks each)
10
10
b) Identify approaches (5 factors at up to 2 marks)
Total
10
10
10
10
20
Part a
Characteristics include:
• Mutual Respect – both parties should acknowledge their respective roles. Audit gains respect by demonstrating that it carries out its work in a professional manner
• Working Partnership – key aspect is Audit working alongside management in a constructive way to help the organisation achieve its objectives. Accent should be on the supportive role Audit can play rather than the often perceived role of “policeman”
• Adding Value – through assisting the organisation manage risks effectively, improving the control environment. Responding to management requests to perform consultancy work and also carrying out VFM audits which could highlight potential cost savings
• Openness and Trust – both parties being open and frank. Includes discussing and agreeing audit findings with client before issuing report, i.e. no surprise approach. Knowledge that Audit will not divulge confidential information and keep this secure
• Empathy – important that Audit shows understanding of day to day pressures and issues faced by clients, i.e. ability to see things from the other side. Can be demonstrated by arranging audits which avoid periods of heavy workload and also putting forward recommendations which are practical and cost effective
• Availability – willingness for Audit to make itself readily available to answer queries from client and to offer advice, i.e. not just restrict its involvement at the time of individual audits. Prompt responses will encourage further requests. This approach also makes it easier for Audit to obtain information from clients or sound them out on issues
Part b
Approaches include:
• Regular Face to Face Contact – with client management. Includes contacts at high level when agreeing annual Audit Plan to ensure key risk areas are being covered and Audit made aware of new initiatives/developments. Also to take account of any concerns on client side. Regular meetings with operational management to discuss issues/trends from audit reviews.
• Contact Focal Point – having a focal point (individual member of staff) on both sides to discuss any issues or for seeking and answering advice will help to promote good communication and understanding
• Facilitation – Audit can enhance its service to the organisation by acting as a facilitator on risk management and self control workshops. This gives Audit the opportunity to meet other staff to gain a further understanding of operational issues and how they are being tackled
• Secondment of Staff – bringing operational staff into the Audit Department to utilise their expertise and also Audit staff transferring into operational areas for a period of time. Gives both sets of staff a good insight into each other's work areas and helps promote overall working relationships
• Standard Audit Working Practices – covering agreement of remits, discussion of audit findings before reports issued, grading/rating system and management action plans. Ensures consistency across parts of organisation
• Feedback and Audit Questionnaires – it is important that there is a mechanism for the client to feed back any issues it has about the way the Audit Department operates or the way particular audit assignments are carried out. This can be done through regular meetings with clients or through the use of audit questionnaires
• Induction Programmes – arrange for senior staff to meet Internal Audit as part of their induction process. Gives Audit the opportunity to meet new staff “face to face” and to explain the role of the Department
• Publicity – Audit could set up intranet site to publicise role and work of the Department along with frequently asked questions and answers. Could include names, contact info and photographs of audit staff. Forum could be added for staff to ask questions. It is however important that Audit keeps information up to date. Other publicity info could include leaflets and business cards
EXAMINERS’ COMMENTS
Part a) was answered reasonably well, but a number of candidates were too narrow in their
response and focused on relationships for individual audit assignments rather than on wider ongoing relationships with staff in the organisation. To gain good marks answers needed to
expand on points. Mutual respect is an important characteristic but it needs to be briefly
explained how that respect can be gained e.g. by auditors showing a professional approach
and good appreciation of operational issues.
It is however important to get a balance in the wording of answers. Some candidates had
made the relevant and pertinent point in half a dozen lines but then wasted time (and gained
no further marks) by over elaborating.
Part b) was less well answered. Again some candidates were too narrow in their responses
by concentrating on audit planning and assignment relationship. A number of scripts referred
to audit documentation such as the Audit Charter. The latter is important as it provides the
framework for Audit to carry out its work but is itself not an “enabler” for managing and
developing client relationships. The question was seeking practical approaches such as
regular meetings with clients, audit contact point, feedback questionnaires etc.
Some scripts were very short, indicating a lack of knowledge of the subject area and/or candidates
ran out of time.
QUESTION FOUR
a. Explain the purpose and importance of audit working papers to the work of internal audit.
8 marks
b. Describe the range of formats of audit working papers that may be prepared by internal auditors.
6 marks
c. Describe the main characteristics of an effective set of audit working papers.
6 marks
SYLLABUS REFERENCE
9.3 The importance and range of audit working papers in both manual and electronic formats
6.1 The methods used to document information, including process diagrams, system notes,
and control matrices, and how and in what circumstances internal auditors would use the
different methods
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit.
Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a) Explain the purpose and importance of audit working papers to the work of internal audit. 1 mark per explanation (max 4 for purpose and 4 for importance)
8
8
b) Describe the range of formats of audit working papers that may be prepared by internal auditors (1 mark for each format listed)
c) Describe the main characteristics of an effective set of audit working papers. (1 mark for each characteristic listed)
Total
6
6
6
6
20
10
Part a.
Understand the purpose of audit working papers to the work of internal audit:
20
• Record the nature, timing, extent and results of audit procedures performed during an audit assignment.
• Provide a repository for the accumulated audit evidence obtained in support of the audit findings, results, conclusions, recommendations and opinions.
• Provide a basis for peer, supervisory and/or quality assurance reviews.
• Create background and reference data for subsequent follow-up audits.
• Record matters of continuing significance for future audits.
• Provide a means by which external auditors and other third parties can evaluate and rely on the work of internal audit.
Appreciate the importance of audit working papers to the work of internal audit:
• Provide a basis for the planning of the audit assignment and include background documentation.
• Provide the documented evidence of the examination and evaluation of the adequacy and effectiveness of the system of internal control.
• Link the work performed to the findings, conclusions and recommendations contained in the final audit report.
• Demonstrate that auditors have undertaken the work in accordance with the International Standards for the Professional Practice of Internal Auditing.
• Reflect the level of professional care exercised by the auditors assigned to the audit.
• Help auditors respond to questions about the extent of audit coverage, findings and test results.
Part b.
Understand the range of formats of audit working papers that may be prepared:
• The audit remit including details of the scope and objective of the audit.
• Narrative and system notes prepared in bullet point format to describe the main component parts of a system or process from start to finish.
• Block diagrams of the main parts, operations and controls of the system being reviewed.
• Process diagrams and flowcharts showing the information flows, documents and departments or functions responsible for each event in a system.
• Risk and control matrices to record the business objectives, risks, causes of risk and the controls established by management for the area being reviewed.
• Internal Control Questionnaires prepared to record the responses of auditees to a set of questions designed to discover the existence of controls.
• Sampling plans to show the type of statistical sampling being carried out.
• Checklists and correspondence (including emails) concerning significant matters.
• Test work papers and schedules.
• Spreadsheets showing results of data analysis.
• Film and photographic evidence.
• Final communications with management and their written/recorded responses to conclusions reached and recommendations presented.
Part c.
Recognise the main characteristics of an effective set of audit working papers.
• Completeness. Each working paper should be self-standing and self-explanatory. It should include the purpose and description of the work performed, scope and depth of coverage and all the information and data needed to fulfil all the objectives of the audit and to support the conclusions reached.
• Reliability. The evidence contained in working papers must be sufficiently reliable to ensure that it forms a sound basis for audit opinion and recommendations such that a third party would come to the same conclusion.
• Consistency. The use of a uniform format to aid standardisation and consistency in the preparation of working papers. It should be clear from working papers that the conclusions reached are consistent with the results of the testing carried out.
• Relevance. There should be clear statements of the audit objective for the work being undertaken and all items included on each working paper should be relevant to that audit objective.
• Accuracy. It is self-evident that all statements and computations included in working papers are accurate and technically correct.
• Organisation and ease of reference. Working papers should have an index of contents, a legend of symbols or abbreviations used and cross referencing to other working papers as appropriate. The name of the department or area of the activity being reviewed and sources of data used should be clearly identified. Each working paper should be referenced so that they can be filed and found easily at a later date.
• Legibility and neatness. All working papers should be legible and neatly presented.
• Ease of review. Working papers should be in a reader-friendly layout to facilitate supervisory and/or quality review of the work carried out. The evidence of review should be documented and/or the reviewer’s satisfaction with the work carried out and agreement with conclusions reached clearly indicated.
• Ownership. Each audit working paper should show clearly the name and initials (signature) of the preparer and date of production.
EXAMINERS’ COMMENTS
This was a popular question and the majority of candidates who attempted it scored
reasonable marks.
Part a) was the least well answered part of the question with some candidates not
considering the use of working papers beyond documenting and recording an audit. Few
made the distinction between the purpose and importance of working papers. The better
answers scoring higher marks identified working papers as a source of background and
reference data, the basis for quality assurance reviews and a measure of the level of
professional care exercised by auditors. A number of candidates gave answers more
appropriate to parts b) and/or c). Some answers went off at a tangent and strayed from the
question set.
For part b) most candidates were able to provide examples of the different formats of audit
working papers that may be prepared. However, some lost marks by listing rather than
describing the formats they chose or not being specific in their answers e.g. “e-working
paper” or “output from testing”.
Part c) was generally well answered by candidates with many identifying the characteristics
of completeness, reliability, consistency, accuracy and ease of reference. Again some lost
marks by listing rather than describing the characteristics they chose. Others had wasted
time by duplicating some of their statements made to part a).
Generally the standard of presentation, clarity and legibility of the answers was poor.
Candidates should make better use of headings, sub-headings and bullet points to get their
points across more clearly.
QUESTION FIVE
a. Explain the key elements of an effective system of internal control.
8 marks
b. Describe four different types of control, giving two examples of each.
12 marks
SYLLABUS REFERENCE
3.3 The nature, objectives and types of control
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit.
Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a) Explanation of key elements
8
8
4 elements at 2 marks each
b) Description of different types of control and examples of each
Identifying control types (1 mark each)
Examples (2 marks each)
4
8
12
Total
4
16
20
Part a
Internal control systems comprise many different things from an organisation's structure and
culture, risk assessment through to its human resources, management information,
monitoring, communication and physical and logical activities all with the aim of helping it
achieve its objectives. The COSO model reflected these main elements of an effective,
pervasive approach to internal control across an organisation. Internal control systems help
prevent fraud and protect an organisation's assets (financial, intellectual and physical) and
reputation.
An effective control system manages risk to a defensible level. There are few, if any,
systems of control that can eliminate risk altogether. Any system of control can be seen as a
cycle. It starts with the “environment” or the tone at the top, which affects the control
consciousness of staff. This is where risk tolerance and appetite will be set.
An effective internal control system then starts with an assessment of risk, the likelihood and
impact of undesirable events/outcomes and what an organisation deems to be an acceptable
level of error or loss. Controls should then be designed and operated that reflect the risk
assessment and risk appetite. Too much control will introduce unwanted cost and delay and
hinder the achievement of objectives; too little and the risk of unwanted events occurring will
be higher than deemed acceptable. Control activities can be physical (e.g. security over
stores) or logical (e.g. ICT access controls). An effective system will have a balance of
different types of control such that unwanted events are either prevented, detected promptly
should they occur and corrected as soon as possible. There should be a process for
capturing information on the effectiveness of a control system (e.g. management reports)
such that the system can be improved as necessary, any errors.
An effective internal control system will look to establish segregation of duties in key areas
and not place too much reliance on specific or key controls; should the latter fail then there is
immediately an increased likelihood that unwanted events will occur.
Part b
Directive Controls are designed to ensure that a particular outcome is achieved. They are
particularly important when it is critical that an undesirable event should be avoided (e.g. the
non protection of assets). An example of a directive control would be to train staff and
providing guidance, giving them the required skills to undertake a role. Another example is
found where an action is determined by a preceding outcome such a system of delegation
authority limits where payments are escalated for authorisation once they exceed a certain
value.
Preventative controls seek to stop an unwanted event from happening. Prevention works on
many levels; for example, physical access controls (e.g. to a site or a store) are
examples of prevention, as is segregation of duties, in particular segregation of key duties
(e.g. issues from stocks and maintenance of inventories) to avoid giving an individual too much
power and responsibility that might be abused and go undetected, at least initially.
Detective controls identify unwanted events after they have occurred (preferably as soon
as possible). Examples include bank reconciliation, surprise cash counts, taking inventories,
and peer reviews. Detective controls can also have a deterrent effect. If staff know that
activities are being checked independently then they are more likely to be honest.
Corrective (or adaptive) controls correct errors identified by detective internal controls.
Examples include an employee escalating a problem to a manager or supervisor for action,
and training courses that an organisation may run to improve performance.
EXAMINERS’ COMMENTS
This question was tackled very well by the vast majority of candidates. Most offered robust
explanations of key elements of an effective control system, mostly using the COSO model
in their answers. Better marks were gained by those who related effective control to risk,
risk appetite and cost. Some ventured into part b) of the question with too much material on
types of control where reference to them (direction/prevention/detection/correction) while few
included reference to embedded ICT controls against manual intervention and the place both
of these have in an effective system of control.
Most candidates scored very well in part b), correctly identifying the main categories of
control and giving examples of each. Some answers were presented without following the
direction/prevention/detection/correction format (i.e. by referring to physical controls, logical
controls and segregation of duties) and these were marked just as positively as long as they
followed the format requested in the question.
QUESTION SIX
a. Describe the different types of audit plan used by internal auditors. (8 marks)
b. Explain how different types of audit plans contribute towards an
effective internal audit service. (12 marks)
SYLLABUS REFERENCE
4.1 The importance and purpose of audit planning
4.2 The different types of plan and the strengths and limitations of each, including strategic,
annual, periodic and operational plans
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit.
Question/Part                        Remember/    Apply/     Evaluate/   Total
                                     Understand   Analyse    Create      marks
a) Describe type of plan             4            4                      8
   4 key plans at 2 marks each
b) Explain contribution to effective service
   Marks for:
   Strategic impact                               4                      4
   Range of services                              4                      4
   Stakeholder engagement                         4                      4
Total                                4            16                     20
Part a
There are several different types of internal audit plan. The key ones include the Audit
Strategy, the Annual Audit Plan and the Assignment Plan.
The Audit Strategy is the overarching statement of internal audit’s focus and how it will
deliver a range of services in order to provide an annual opinion to the Audit Committee and
the Board on the organisation’s systems of risk management, control and governance. It is
supported by the Audit Charter and generally covers a 2-3 year timeframe, depending on the
nature of the organisation. It will include both assurance and consultancy work and how this
will be prioritised and focused. The Strategy is submitted to the Audit Committee for
endorsement and the Board for approval.
The Annual Audit Plan sets out a detailed programme of audits and other internal audit
activity (such as consultancy work) that will be undertaken and provide the basis of the Head
of Internal Audit’s end-year opinion. The Annual Plan should be derived from the
organisation’s risk registers and internal audit’s own assessment of risk, depending on the
level of the business’ risk maturity. The basis for the Annual Audit Plan will be set out in the
Audit Strategy. Like the Strategy the Annual Audit Plan is submitted to the Audit Committee
for endorsement and the Board for approval. The annual audit plan must be agreed to help
ensure adequate coverage of risk such that the Head of Internal Audit’s annual statement to
the Board on internal control and risk management is robust.
Assignment Plans establish the scope and objectives of individual internal audits. This plan
should be derived initially from information in the Annual Plan, but will be further informed by
preliminary work in the area to be audited, establishing with managers what the key risks are
that should be included in the audit scope and the depth of audit that is appropriate to
different areas within the audit in question. Progress against the Assignment Plan is
monitored by audit management to ensure that the scope and deadlines are met.
All plans should remain flexible and capable of change, sometimes at short notice. But by
having plans, internal audit is able to assess quickly the impact of any change at various
planning levels and make informed decisions, or make sound recommendations for action to
the Audit Committee.
Finally, internal audit will have other plans, mainly internal, that contribute to its work. A
resource plan will assess the productive (chargeable) days available and form the basis of
achievable coverage in the Strategy and Annual Plan. Financial budgets will also be planned
and reviewed and there should also be plans for meeting Continuing Professional
Development (CPD) requirements.
Part b
Audit planning helps to establish what internal audit will do, how it will be done and the
resources it will use in doing so. Plans provide evidence of audit coverage and provide the
Audit Committee and the Board with the means to measure and evaluate internal audit
performance and in so doing help establish the professional service that internal audit
provides.
The Audit Strategy sets out the direction of internal audit and how audit services will be used
based on organisational need and risk maturity. The Strategy will reflect assurance and
consultancy services and how/where internal audit can place reliance on the work of others
thus establishing its role and professionalism and how this relates to others. The Strategy
will reflect the role of internal audit as set out in its Charter. Once approved, the Strategy
establishes the focus of internal audit work in the organisation and how this adds value to
the business.
The Strategy sets out and provides a means of protecting internal audit’s independence and
objectivity which are the cornerstones of its professionalism. The fact that it is approved by
the Audit Committee and the Board also adds to its importance at a high organisational level.
The activity in the Annual Plan reflects a professional internal audit service by focusing on
the organisation’s most at-risk areas whilst also being balanced so that the full scope of
risk management, control and governance is covered. Internal audit activity must be
proportionate and not focus overtly, or be directed, on/to certain parts of the business at the
cost of providing a rounded opinion. The Plan should demonstrate professionalism by
providing a range of assurance and consultancy services. Point in time and continuous
assurance should be evident and reflect the organisation’s business needs at the time. At a
time of organisational change internal audit might provide more consultancy and continuous
assurance, helping the business to evolve and establish new processes while this work is
on-going.
To this end, the Annual Plan should be drafted through a consultative process, engaging
senior business managers and the Audit Committee. This helps establish internal audit’s
role and how it will add value to the organisation over the coming year and it provides the
means to monitor internal audit output and performance. The annual audit plan must be
agreed to help ensure adequate coverage of risk such that the Head of Internal Audit’s
annual statement to the Board on internal control and risk management is robust. The plan
reflects the scope of internal audit - agreeing the plan helps to re-iterate this with key
stakeholders. The plan as agreed will bring credibility and acceptance to/of internal audit’s
work. As a statement of what needs to be audited it helps the Head of Internal Audit secure
the necessary resources to carry out the work. Once agreed the plan helps set priorities and
becomes a benchmark against which requests for additional or different work can be
measured.
The Assignment Plan should be signed-off by relevant business managers and it then
provides an unambiguous statement of what internal audit will deliver during the assignment,
establishing professionalism and expected levels of service. This plan also sets out
deadlines for the work and the audit resources that it will use. This provides a tool for
internal audit management to monitor the progress of the audit. Internal audit supervision
also uses the scope laid out in the Assignment Plan as the primary means of establishing if
the audit work performed meets its objectives. (2)
Internal plans add to internal audit professionalism by bringing discipline to internal audit
budgets and other resources, and in committing staff to maintaining their professional
competence (CPD).
EXAMINERS’ COMMENTS
The question was answered reasonably well on the whole but many candidates either failed
to stick to the relevant material or spent too much time on a lot of detail around planning at
different levels. Answers to part a) sometimes described the planning processes rather than
the plans themselves, for example. Most candidates identified macro and micro level plans,
while the better answers also mentioned internal plans that the HIA would have to maintain
professional standards (i.e. training and resources).
Answers to part b) often covered the relevant material and the role of plans in establishing
internal audit’s role in the business, increasing its profile while making it accountable for its
performance and output. The role of plans in keeping internal audit aligned with an
organisation’s key activities and risks was included in a lot of answers as was the need to be
inclusive whether planning at the macro or micro level.
END