IMPORTANT NOTES To improve audit efficiency, internal auditors can rely upon the work of external auditors that

upon the work of external auditors that is Coordinated with internal audit activity. A chief audit executive would most likely use risk assessment for audit planning because it provides a systematic process for assessing and integrating professional judgment about probable adverse conditions. Who has primary responsibility for providing information to the audit committee on the professional and organizational benefits of coordinating internal audit assurance and consulting activities with other assurance and consulting activities: The chief audit executive. If a department outside of the internal audit activity is responsible for reviewing a function or process, the internal auditors should consider the work of the other department when assessing the function or process. Corporate compensation systems and related bonuses a bonus system should be considered part of the control environment of an organization and should be considered in formulating a report on internal control. What is residual risk? --Risk that is not managed. Preliminary survey -A process used to become familiar with activities and risks in order to identify areas for engagement emphasis. Audit engagement programs testing internal controls should be tailored for the audit of each operation Determining that engagement objectives have been met is ultimately the responsibility of the CAE The control that would most likely ensure that payroll checks are written only for authorized amounts is to: Require supervisory approval of employee time cards. Chief audit executive plans to make changes that may be perceived negatively by the audit staff. The best way to reduce resistance would be to: Approach the staff with the general idea and involve them in the development of the changes. An organizations management perceives the need to make significant changes. The factor the management would not be able to change is: The organizations environment The best risk assessment technique: Assessment if the risk levels of current and future events, their effect on achievement of the organizations objectives, and their underlying causes. Best reason for the chief audit executive to consider the strategic plan in developing the annual audit plan is: To ensure that the internal audit plan supports the overall business objectives. When assessing the risk associated with an activity and internal auditor should: Provide assurance on the management of the risk. The chief audit executive has responsibility for providing information to the audit committee on the professional and organizational benefits of coordinating internal audit assurance and consulting activities with other assurance and consulting activities. To improve audit efficiency, internal auditors can rely upon the work of external auditors that is: Coordinated with internal audit activity. One of the major objective of The Institute of Internal Auditors is to Cultivate, promote and disseminate information concerning internal auditing and related subjects One of the purposes of the Standards for the Professional Practice of Internal Auditing as stated in the Introduction to the Standards is to establish the basis for guidance and measurement of internal auditing performance The purpose of The IIA Code of Ethics is not to explain the internal audit profession's responsibility to society at large. The most significant benefit provided by the audit committee to the internal auditor is protecting the independence of the internal auditor from undue management influence A written charter, approved by the board of directors, is primarily meant to enhance the department's Independence. A primary purpose for establishing a code of conduct within a professional organization is to demonstrate acceptance of responsibility to the interests of those served by the profession the association's primary purpose for establishing the code of ethics is to outline criteria for professional behavior to maintain standards of competence, morality, honesty and dignity within the association Preliminary survey is the basis of preparing the audit program. Interview with the auditee personnel may be conducted as part of the preliminary survey to obtain an overall understanding of operations. During the preliminary survey the auditor learns about t he auditees objectives, organization, operations, information systems, personnel and the internal control structure. Time budgets should be revised as soon as the preliminary survey is completed. The preliminary survey should help the auditor to understand the magnitude of any inefficient internal control structure. Checklists are the best source for an audit team to use to identify common risks in a company. An analysis of quality control documents would not be used for the preparation of a preliminary survey of an audit of a quality control department. The increasing professionalism of Internal Auditors and the evolving economics of external auditing makes the internal auditors partners rather than subordinates in relation to the external auditors. The internal auditor should consider the work of another department when assessing a function or process which has already been reviewed by another department. In an audit of a nonprofit organizations restricted funds, the primary audit objective would be to determine if the entity complied with special requirements and performed specified activities. The objective in the audit of the personnel department is to determine reference checks of prospective employees are being performed. The scope of an audit of recruiting expenses should include an inquiry as to whether procedures to minimize costs are in place and functioning effectively. An advertising agency customarily charges for its costs plus a commission based on those costs. To avoid being overcharged the organization requires assurance that the agency can justify the costs incurred and that theses costs are reasonable. Determining that the audit engagement objectives have been ultimately met is the responsibility of the CAE. Performance can be measured always only with a set standard to check if the objective has been met. The goals of the internal audit activity, as stated in specific operating plans and budgets, should include measurement criteria and targeted dates of accomplishment. Criteria for audit are often established and agreed upon during an audit if management has not already established them.

If the auditor determines that the set criteria are inadequate or nonexistent the auditor can: 1.rport the inadequacies to the appropriate level of management and recommend the appropriate course of action. 2. Recommend alternative sources of criteria to management such as acceptable industry standards. 3. Formulate criteria the auditor believes to be adequate and perform the audit and report in relationship to the alternative criteria. One of the purposes of conducting a meeting between the director of audit and the audit staff is to explain administrative policies and to obtain suggestions from the audit staff. In addition training staff on new techniques or emerging technology might also be conducted during such meetings. The log range schedule provides evidence of coverage of key functions at planned intervals. Updating the audit permanent file is normally done by the audit staff and not the audit team leader. Proforma audit program is designed to be used for repeated audits of similar operations. It is ordinarily modified over the years in response to the problems faced in the field. (Used in companies with many branches and when the management would want a standardized operations to be in use.) Budget indentifying the costs of resource needed is not required when creating an audit program. Time budget is included in an audit program to provide a means of controlling and evaluating the progress of the audit. Primary role for an audit program is to serve as a tool for planning, directing, and controlling audit work. Efficiency is the ratio of effective output to the input required to achieve it Audit programs are detailed listing of audit procedures to be carried out during fieldwork to obtain audit evidence which is the basis for the auditors findings, conclusions, recommendations and reports. Audit programs outline what is to be done and how it is to be done, provide for documentation and facilitate planning, directing and control of audit. The audit program is prepared after the auditor has established the audit objectives and scope, obtained background information, determined the necessary resources and performed a preliminary survey. The survey involves familiarization with controls and identification of audit emphasis. To ensure that due professional care has been taken at all times during an engagement, the internal auditor should always: Consider the possibility of nonconformance or irregularities at all times during an engagement. The duty of the internal auditor who suspects fraud is to determine the facts and then notify appropriate authorities within the organization. The in charge auditor should notify the audit manager. Audit work schedule should include activities to be audited, when they will be audited, and the estimated time required, taking into account the scope of the audit work planned and the nature and extent of the audit work performed by others. This audit work schedule in turn permits determination of staffing plans and financial budgets and furnishes a basis for the presentation of activity reports. Organizational procedures help employees anticipate / accomplish is known as Feed forward control. Check digit is an example of an input control. Input controls are designed to provide reasonableness assurance that data received for information systems processing have been properly authorized and are in a form suitable for processing i.e. is accurate, complete and valid. Input controls also include those relate to rejection, correction and resubmission of data that were initially incorrect. In order to maintain the CIA designation the CIA must commit to a formal program of CPD and report to the certification department of the IIA. The best means for the internal auditing activity to determine whether its goal of implementing broader audit coverage of functional activities has been met is through, Implementation of a quality assurance and improvement program. During an internal audit, the internal auditor should exercise due professional care. Due professional care means that the internal auditor should consider: The extent of work needed to achieve the engagements objectives, The relative complexity and materiality to which assurance procedures are applied, The probability of significant errors, irregularities, or noncompliance According to the Standards, internal auditors are able to provide both assurance and consulting services. The following would be considered consulting services: Facilitation engagements, Training engagements, Process design engagements. A control likely to prevent purchasing agents from favoring specific suppliers is: Rotating buyer assignments periodically. Which of the following control agencies function in much the same way as internal auditing and should have their planned activities considered in developing engagement work schedules : Quality control and industrial engineering, because The primary control agencies in an organization are security, quality control, safety and industrial engineering. Finalizing the audit budget is done after the preliminary survey. When determining the necessary resources required performing an engagement the following should be considered: the number and experience of the audit staff Knowledge, skills and other competencies of the auditing staff. The probability of errors, irregularities, noncompliance, and other exposures should be considered when developing the engagement objectives, not when determining the appropriateness and sufficiency of resources. An internal auditor determines that actual procedures differ from prescribed control procedures. The internal auditor should: Document the discrepancies and make any appropriate recommendations to management &modify the engagement work program as warranted by the differences noted. Assignment board is a toll which would be of no use in the supervision of a specific engagement. During an audit if the auditor finds out that the prescribed controls are not being followed and a new set of controls are followed which is more efficient and takes less processing time, without a discernible in the control, in such a case the auditor should report the change and suggest that the change in procedures be documented. The following fraudulent entries are most likely to be made to conceal the theft of an asset: Debit expenses, and credit the asset. A manager is characterized as very cooperative but not very assertive. The behavior likely to be shown by the manager in conflict situations is accommodating. Accommodating is characterized as not very assertive but is very cooperative. Accommodating entails placing another persons interest above ones own. However, in doing so, you are not being very assertive. Which of the following would not affect a companys span of control: The size of the organization.

The cash receipts function should be separated from the related record-keeping function in an organization to: Physically safeguard the cash receipts. The elements of a system of internal control are the control environment, risk assessment, control activities, information and communication and monitoring. Operating controls are always NON FINANCIAL CONTROLS Which of the following comments is correct regarding the assessment of risk associated with two projects that are competing for limited audit resources? Risk should always be measured by the potential dollar or adverse exposure to the organization. Preventive controls are actions taken prior to the occurrence of transactions with the intent of stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of unacceptable suppliers. Which of the following best describes a preliminary survey? A process used to become familiar with activities and risks in order to identify areas for engagement emphasis Audit engagement programs testing internal controls should: Be tailored for the audit of each operation. If an auditor's preliminary evaluation of internal controls results in an observation that controls may be inadequate, the next step would be to: Expand audit work prior to the preparation of an engagement final communication. Which of the following activities is not presumed to impair the objectivity of an internal auditor: Recommending standards of control for a new information system application and performing reviews of procedures for a new computer application before it is installed. Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. If appropriate, internal auditors conduct a survey to (1) become familiar with the activities, risks, and controls to identify areas for engagement emphasis and (2) invite comments and suggestions from engagement clients. The survey is appropriate as a means to conduct a preliminary assessment because the examined areas are relevant. The auditors should keep in mind the potential need to corroborate the information before making any final assessment, but this does not prevent use of the survey. A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. The objective of directive controls is to cause or encourage desirable events to occur, e.g., providing management with assurance of the realization of specified minimum gross margins on sales. Which of the following statements is false regarding risk assessment as the term is used in internal auditing? Risk assessment is a judgmental process of assigning monetary amounts to the perceived level of risk found in an activity being evaluated. These amounts allow a chief audit executive to select the engagement clients most likely to result in identifiable savings. When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution (Standard 2600). Those conducting internal assessments generally should report to the CAE while performing the reviews and communicate directly to the CAE. External assessments of an internal audit activity contain an expressed opinion as to the entire spectrum of assurance and consulting work performed (or that should have been performed under its charter), including (but not limited to) conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. An external assessment also includes, as appropriate, recommendations for improvement. On completion of the review, a formal communication should be given to senior management and the board. An external assessment of an internal audit activity contains an expressed opinion. The opinion applies: To the entire spectrum of assurance and consulting work. An understanding means the ability to apply board knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions. The required competencies include an understanding of management principles to recognize and evaluate the materiality and significance of deviations from goo business practice. Access to working papers by external auditors is subject to the approval of the CAE. The basic process of control for managers consists of establishing standards, measuring performance against standards, and correcting for deviations to ensure accomplishment of the entitys goals. Thus, assigning responsibility for de viations found is not a part of the controlling function. According to the contingency approach, the effective leadership style or behavior depends on the situational requirements. The situational factors are leader-member relations, task structure, and position power. Hence, the leaders style has to be matched with the situation by either changing the leader or changing the leaders behavior. The task-motivated leader performs best when the situation is very favorable or unfavorable (relations are very good or bad, tasks are well or poorly defined, and the leader has or lacks clear formal authority). However, in a moderately favorable situation, the relationship-motivated leader can build on the favorable factors and work to help group members cope with the unfavorable factors. The CAE must communicate the internal audit activitys plans and resource requirements to senior management and the board for review and approval. The CAE also must communicate the effect of resource limitations. Work programs are a necessary part of engagement planning. They include the procedures for collecting, analyzing, interpreting, and documenting information during the engagement. A work program for a comprehensive assurance engagement to evaluate a purchasing function should include: Procedures to accomplish engagement objectives. The internal audit activitys scope of work extends to evaluating the organizations risk management processes. The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. When the executive management of an organization decided to form a team to investigate the adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team. The best reason for including an internal auditor is the internal auditors knowledge of: Risk management processes.

When ranking potential engagements that are competing for limited internal audit resources, a decision criterion based on the degree of adverse exposure to the organization is preferable. Which of the following comments is (are) true regarding the assessment of risk associated with two projects that are competing for limited internal audit resources? Risk always should be measured by the potential monetary or other adverse exposure to the organization. Monitoring is a process that assesses the quality of internal control over time. It involves assessment by appropriate personnel of the design and operation of controls and the taking of corrective action. Monitoring can be done through ongoing activities or separate evaluations. Ongoing monitoring procedures are built into the normal recurring activities of an entity and include regular management and supervisory activities. Formal administrative and technical audit manuals may not be needed by all internal audit entities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan. Penalties for violations of a code of conduct should enhance its effectiveness. Some individuals will be deterred from misconduct if they expect it to be detected and punished. The matrix organizational structure allows authority to flow both vertically and horizontally. A manager is appointed for each project. This manager draws on personnel who are organized by function and report to a manager for each function. This structure violates the principle of unity of command, which states that each subordinate should have only one superior. Hence, frequent and comprehensive communication is necessary to prevent power struggles and conflicts of interest. Internal auditors determine whether management has taken action or implemented the recommendation. The internal auditor determines whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation. Obtaining client cooperation (or at least understanding) is a vital part of the solution of any problem. The survey discloses that corrective action was never taken on a prior reported assurance engagement observation. Subsequent field work confirms that the condition still exists. Which of the following actions should the internal auditors pursue? Discuss the issue with the person(s) responsible for the problem. (S) He or they should know how to solve the problem. Planned audit activities of internal and external auditors need to be discussed to ensure that audit coverage is coordinated and duplicate efforts are minimized where possible. Coordination involves access to each others work programs and working papers. Access to the internal auditors work programs and working papers is provided to external auditors for them to be satisfied as to the accep tability, for external audit purposes, of relying on the internal auditors work. When an audit program is being created the budget identifying the cost of resources need is not used. The action taken by the auditor who discovers that a significant audit area is not included in the audit program should be evaluate whether completion of the audit as planned will be adequate. Audit engagement program testing internal controls should be a tailored for the audit of each operation. The purpose of using a time budget in an audit program is to provide a means of controlling and evaluating the progress of the audit. Monthly audit work schedules could be used as an effective tool to make sure that the internal audit staff could be used effectively. The director of internal auditing can best ensure that staff auditors are prepared to meet their existing responsibilities by counseling them on their performance and providing appropriate training opportunities. If the internal audit activity does not have staff auditor who has knowledge about a particular audit activity then the audit director should not notify the audit committee of the problem and should never assign the most component auditor to the job. When determining the number and experience of the internal audit staff to be assigned to an audit the least consideration the audit director should have about is the lapsed time since the last audit, as it is normally used for audit scheduling and not audit staff selection. There are four essential elements of control: 1. Establishment of objectives 2. Adoption of standards 3. Comparison of actual results with adopted standards and 4. Corrective action taken as needed. These four elements of control provide reasonable assurance to management that established objectives ad goals will be achieved. But as per the sawyers internal auditing control is known to have six elements 1. Setting standards 2. Measuring performance 3. Analyzing performance and comparing it with the standards 4. Evaluating deviations and bringing them to the attention of appropriate persons 5. Correcting deviations and following up on corrective actions.