ACCT 422 Chapter 9
Terms in this set (57)
Positioning the I/A Function in the Organization (to conform with the Standards): Two options
1. on Sr. manager level or 2. lower
Option 1: placed on the Sr. management level: CAE (with direct access to BOD Audit Committee)
Give I/A function the visibility, authority, and responsibility to
Independently evaluate management's assessment of I/C
Assess the organization's ability to
achieve business objectives and
manage, monitor, and mitigate related risks
Provide consulting services
I/A Charter: how the CAE fulfills the responsibilities outlined above:
A formal written document that defines the I/A function's purpose, authority, and responsibility
Is subordinate to the audit committee's charter
I/A Charter
A formal written document that defines the I/A function's purpose, authority, and responsibility
Is subordinate to the audit committee's charter
Standard 2000: CAE's management responsibilities:
The results of the internal audit [function's] work achieve the purpose and responsibility included in the internal audit charter;
The internal audit [function] conforms with the Definition of Internal Auditing and the Standards; and
The individuals who are part of the internal audit [function] demonstrate conformance with the Code of Ethics and the Standards."
Organizational independence vs. individual objectivity:
CAE reports to BOD (to allow the I/A function to fulfil its responsibility): Organizational Independence (Structure)
Internal auditors have an impartial, unbiased attitude and avoid conflicts of interest Individual Objectivity (Unbiased mental attitude)
Option 2: I/A functions can be positioned lower in the organizational hierarchy (Under Sr. Management)
Often to perform nonaudit activities:
Quality assurance, compliance, operational, & other transaction processing activities
Lack of objectivity to independently evaluate the organization's operations and offer impartial suggestions for improvement
Unable to provide management with an evaluation of the design adequacy and operational effectiveness of operational controls (i.e., RM, Control, and Governance processes)
IIA Standard 1130: Impairment to Independence or Objectivity:
May include:
personal conflict of interest,
scope limitations,
restrictions on access to records,
personnel, and properties, and resource limitations, such as funding
If impaired in fact or appearance then what?
the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment
Reporting: I/A to CAE, CAE to BOD
A Scope Limitation
a restriction on the applicability of an auditor's report that may arise from the inability to obtain sufficient appropriate evidence about a component in the financial statements. Auditing standards suggest that when restrictions imposed by the client significantly limit the scope of the engagement the auditor should consider disclaiming the opinion.
I/A engagements must be performed with
Proficiency and Due Professional Care
Proficiency
Standard 1210: internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities
Due Professional Care
Standard 1220: internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
The positioning of the I/A function affects
the degree to which it can remain objective.
Ideally, how will the function be positioned?
high enough within the organization with direct access to the board audit committee to allow conformity with The IIA's requirements and recommendations
So, what are the advantages of placing I/A function on Sr. Management level?
To better maintain independence when evaluating management's assessment (of the org.'s system of I/C, ability to achieve objectives, and mitigate risks associated with achievement of those objectives)
Minimizes the possibility of Sr. Management exerting undue influence on CAE
I/A's professional expertise used in consulting on initiatives and projects
I/A plan (CAE's responsibility)
An outline of the specific assurance and consulting engagements scheduled for a period of time (typically a year) based on an assessment of the organization's risks.
Developed through a process that identifies and prioritizes possible audit entities (business units or processes) responsible for mitigating key risks to acceptable level
Top-down, risk-based approach (most effective)
Top-down, risk-based approach (most effective)
A risk assessment process completed annually at the beginning of, or prior to fiscal year
Provide the CAE with a definitive list of audit entities related to the prioritized risks
CAE aligns audit resources for the upcoming year with the conclusions drawn by management during the risk assessment process.
What should the CAE present regarding the I/A plan to Sr. Management and BOD for approval:
Requirements, significant interim changes, and the potential implications of resource limitations (required by Standard 2020)
A summary of the internal audit plan, work schedule, staffing plan, and financial budget (recommended by Practice Advisory 2020-1: Communication and Approval)
Key elements taken into consideration:
Organizational structure and staffing strategy
Right sizing
Staffing plan/ Human Resources
Hiring practices
Strategic sourcing
Training and mentoring goals
Career planning and professional development
Scheduling (I/A schedule and annual I/A Plan)
Financial budget
Flat organizational structure:
consist of internal auditors who all have more or less the same level of skills, experience, and seniority.
Internal audit functions employing flat structures tend to be:
stable, highly knowledgeable, and very collaborative,
higher cost base due to the higher salaries necessary to retain auditors who all have a high degree of knowledge and experience.
Two kinds of organizational structures
Flat and hierarchical
Hierarchical organizational structure:
include internal auditors with varying degrees of knowledge and experience.
Internal auditors with less knowledge and experience report to internal auditors with more knowledge and experience.
These I/A functions can be more dynamic than flat functions because positions often rotate, with internal auditors being promoted into higher positions as those in higher positions move up in the function or into positions outside of the function.
Due to their dynamic nature, hierarchically organized functions can experience frequent change that, if not managed, can threaten the efficient achievement of the internal audit plan
Examples of positions within the hierarchical function:
Staff auditor (or IT Staff auditor)
Senior auditor (or IT senior auditor)
Audit manager (or IT audit manager)
Audit director (or IT audit director)
CAE
Right Sizing
To achieve and maintain balance of competent staff without overloading workload within reasonable financial budget
Strategic Sourcing
Supplements the in-house I/A function through the use of 3rd party vendor services
Staffing plan and hiring
CAE's responsibility
Do all I/A activities need formal administrative and technical audit manuals?
No
Small internal audit activity
may be managed informally
Audit staff may be directed and controlled through daily, close supervision and memoranda
Large internal audit activity
More formal and comprehensive policies and procedures are necessary to guide the I/A staff in the execution of the I/A plan.
What are the three lines of defense?
Management; different functions within the organization, other than the internal audit function; I/A function
1st line of defense: management
Management owns and takes responsibility for assessing and mitigating risk and for maintaining effective internal controls.
2nd line of defense: different functions within the organization, other than the internal audit function
that work together to assist in risk mitigation by facilitating and monitoring the risk management efforts of the organization and communicating risk-related information.
Such functions include, for example, quality assurance, corporate responsibility, corporate security, and health and safety.
3rd line of defense: I/A function
works in partnership with management and the other functions involved in risk mitigation
The key difference between this line of defense and the first two is that the internal audit function is independent of management
Coordination between the 3 lines of defense may vary among organizations:
In smaller, less regulated organizations: coordination efforts can be less formal and, therefore, less costly.
In larger, more heavily regulated organizations: coordination can be quite formal and involved.
Large organizations typically begin by creating an assurance map that identifies:
where within the organization risk mitigation coverage exists,
who is providing the coverage,
what professional standards the different assurance providers adhere to, and
the frequency and timing of the assurance activities provided
The most notable external sources of assurance that organizations use to augment their internal lines of defense
independent outside auditors and applicable regulators
Matters of mutual interest discussed during coordination efforts with independent outside auditors include
Audit coverage.
Access to each other's audit programs and workpapers.
Exchange of audit reports and management letters.
Common understanding of audit techniques, methods, and terminology.
CAE's responsibilities when reporting to the board
The internal audit function's purpose, authority, responsibility, and performance relative to its annual internal audit plan.
Identified significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.
Standard 2110: Governance states that the internal audit function "must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization;
Ensuring effective organizational performance management and accountability;
Communicating risk and control information to appropriate areas of the organization; and
Coordinating the activities of and communicating information among the board, external and internal auditors, and management."
I/A function carries out governance responsibilities largely through the
assurance services
Risk management:
Refers to the administration and oversight processes typically performed by senior management to monitor efforts to minimize risk exposures or steps taken to exploit competitive advantages.
These administrative procedures are designed to help establish a common language for use when considering possible risk events or scenarios.
More concisely, risk management is a participatory process designed to identify, document, evaluate, communicate, and monitor the most significant risk events facing an organization requiring risk mitigation to achieve business objectives.
Risk mitigation
Refers to the tactical efforts undertaken by line management and operational employees to either reduce risk exposures or exploit competitive opportunities (advantages) that manifest themselves in day-to-day operations.
Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
Organizational objectives support and align with the organization's mission;
Significant risks are identified and assessed;
Appropriate risk responses are selected that align risks with the organization's risk appetite; and
Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
Core internal audit risk management activities include:
Giving assurance on the risk management processes.
Giving assurance that risks are correctly evaluated.
Evaluating risk management processes.
Evaluating the reporting of key risks.
Reviewing the management of key risks
Risk management activities that the internal audit function may perform, if appropriate safeguards are applied to protect its independence and objectivity, include:
Facilitating identification and evaluation of risks.
Coaching management in responding to risk.
Coordinating ERM activities.
Consolidating reporting on risks.
Maintaining and developing the ERM framework.
Championing establishment of ERM.
Developing ERM strategy for board approval.
Risk management activities that the internal audit function should avoid include:
Setting the risk appetite.
Imposing risk management processes.
Assuming management's risk management assurance role.
Making decisions on risk responses.
Implementing risk responses on management's behalf.
Assuming accountability for risk management
The I/A activity must assist the organization in maintaining effective controls by
evaluating their effectiveness and efficiency and
promoting continuous improvement
I/A functions evaluate "the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
Achievement of the organization's strategic objectives;
Reliability and integrity of financial and operational [non-financial] information;
Effectiveness and efficiency of operations;
Safeguarding of assets; and
Compliance with laws, regulations, and contracts."
Quality Assurance and Improvement Program
Ensures I/A function operates in accordance with established professional standards.
covers all aspects of the internal audit activity
is designed to enable:
an evaluation of the I/A activity's conformance with the Definition of Internal Auditing and the Standards and
an evaluation of whether internal auditors apply the Code of Ethics.
(IPPF mandatory guide)
assesses the efficiency and effectiveness of the I/A activity and identifies opportunities for improvement
Per IIA Standards, internal audit functions must establish:
Both internal and external quality assurance and improvement program assessments.
Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should:
Accept the audit engagement because independence would not be impaired.
Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met?
The CAE
Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan?
a. To emphasize the importance of the internal audit function to the organization.
b. To make recommendations to improve the strategic plan.
c. To ensure that the internal audit plan supports the overall business objectives.
d. To provide assurance that the strategic plan is consistent with the organization's values.
To ensure that the internal audit plan supports the overall business objectives.
The Standards require policies and procedures to guide the internal audit staff. Which of the following statements is false with respect to this requirement?
a. A small internal audit function may be managed informally through close supervision and written memos.
b. Formal administrative and technical audit manuals may not be needed by all internal audit functions.
c. The CAE should establish the function's policies and procedures.
d. All internal audit functions should have a detailed policies and procedures manual.
All internal audit functions should have a detailed policies and procedures manual.
When conducting a consulting engagement to improve the efficiency and quality of a production process, the audit team is faced with a scope limitation because several months of the production data have been lost or are incomplete. Faced with this scope limitation, the CAE should:
Discuss the problem with the customer and together evaluate whether the engagement should be continued.
Which of the following is not a responsibility of the CAE?
a. To communicate the internal audit function's plans and resource requirements to senior management and the board for review and approval.
b. To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.
c. To follow up on whether appropriate management actions have been taken on significant issues cited in internal audit reports.
d. To establish a risk-based plan to accomplish the objectives of the internal audit function consistent with the organization's goals.
To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.
The Standards require the CAE to share information and coordinate activities with other internal and external providers of assurance services. With regard to the independent outside auditor, which of the following would not be an appropriate way for the CAE to meet this requirement?
a. Holding a meeting between the CAE and the independent outside audit firm's partner to discuss the upcoming audit of the financial statements.
b. Providing the independent outside auditor with access to the working papers for an audit of third-party contractors.
c. Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit.
d. Requesting that the internal audit function receive a copy of the independent outside auditor's management letter.
Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit.