Upgrade to remove ads
Only $2.99/month

ACCT 422 Chapter 14

Terms in this set (27)

How are internal audit assurance engagements related to senior management's assertions regarding the organization's system of internal controls?
Assurance engagements evidence the internal audit function's independent assessments of how effectively the organization's risks are mitigated.
These individual assessments, when taken in the aggregate, help corroborate and support senior management's assertions regarding the
design adequacy and
operating effectiveness of the organization's overall system of internal controls.
When and in what ways do assurance engagement communications occur?
Communication is an integral part of any assurance engagement and occurs throughout the engagement process.
Results are communicated in various ways, including memoranda, outlines, discussions, and draft working papers.
In conjunction with concluding an engagement, final results are communicated to affected parties.
This final engagement communication is often referred to as
"audit report" and is the formal way an internal audit function communicates the results of an engagement to management and other appropriate parties relying on the engagement outcomes.
How are assurance engagement observations identified?
During an assurance engagement, the internal audit function tests controls to ensure that they are designed adequately and are operating effectively to meet specific control assertions (objectives).
An observation is indicated if, during testing, the internal audit function concludes that any of the controls identified in the engagement are not designed adequately or operating effectively (as intended).
What are the steps an internal auditor takes to assess the observations identified during an assurance engagement?
Determining the COSO category: operations, reporting, or compliance
Classifying the observation in terms of assessing the applicable control as ineffectively operating or inadequately designed.
Determining the impact and likelihood of the observation.
Assessing whether the observation is insignificant, significant, or material in importance.
What distinguishes a significant observation from an insignificant observation?
An individual observation, or a group of observations, is considered insignificant if the control in question has a remote likelihood (slight chance) of failing or the impact of its failure is insignificant (trivial).
An individual observation, or a group of observations, is considered significant if the control in question has a more than remote likelihood of failing and the impact of its failure is more than insignificant (that is, significant).
What distinguishes a material observation from a significant deficiency?
An individual observation, or a group of observations, is considered significant if the control in question has a more than remote likelihood of failing and the impact of its failure is more than insignificant (that is, significant).
individual observation, or a group of observations, is considered material if the control in question has a more than remote likelihood of failing and the impact of its failure is not only more than insignificant, but also exceeds the financial statement materiality threshold (or other established thresholds for materiality).
What information should be included in an assurance engagement audit observation description?
Condition (facts) - Factual evidence and description of controls as they exist (what is). What was found through testing.
Criteria - Standards, measures, expectations, policy, or procedures used in making the evaluation (what should exist).
Cause - What allowed or caused the condition to exist (the why).
Effect - Risk or exposure encountered because the condition is not consistent with the criteria (what could go wrong, both past and possible future impact). Considers both the impact (financial, reputational, safety, etc.) and the likelihood.
Compensating controls - Other controls in place to mitigate the observation. Includes monitoring.
Conclusion - Detailed analysis, assessment, and justification for evaluation classifications and final conclusions.
Detailed recommendation - What the internal audit function recommends. This recommendation must reconcile with management's solution as discussed during the preliminary communication process.Management solution - What management will do to fix the existing condition or prevent the problem from happening again.
Observation evaluation: COSO category, Classification, Assessment.
Evaluation performed by: Internal audit function, Business unit management, Independent outside auditor, Working paper reference.
Why is interim and preliminary communication important in an assurance engagement?
The auditee must be made aware, throughout the engagement, of any observations that the internal audit function has identified so that he or she can respond as to the accuracy of the facts related to the observation as well as the best course for remediation.
Interim communication allows the auditee to address identified observations as soon as they are known as opposed to waiting for the final communication.
What is the purpose of a closing conference?
Allows the internal audit function to confirm the preliminary facts relative to any observations indicated by testing done during the assurance engagement with the appropriate management representatives of the area that was audited prior to distribution of the final engagement communication.
Allows all parties to review the form and content of what is anticipated to be included in the final (formal and informal) audit engagement communications and provides an opportunity for any misunderstandings to be resolved.
Provides management of the targeted functional areas a way to present their thoughts and planned actions regarding the items to be covered in the final engagement communication and to give feedback regarding how well the engagement team executed the assurance engagement.
Management's action plan to address and resolve control weaknesses identified during the assurance engagement is also agreed upon in the closing conference.
provides another check point on the completeness and accuracy of the draft final communication prior to distribution to management representatives of the area that was subject to the assurance engagement.
What information should be included in a well-designed final assurance engagement communication?
The purpose and scope of the audit,
the time frame of the audit,
the observations and recommendations (results) of the audit,
the conclusion (opinion or rating, if applicable) of the internal audit function,
management's response (action plan) to the recommendations.
What is the difference between providing positive assurance versus negative assurance in an audit report
The internal audit function's assessment of controls that is included in the final engagement communication can be stated either positively or negatively.
If an internal audit function chooses to state that the controls are designed adequately and operating effectively, it has given positive assurance.
If, on the other hand, the internal audit function chooses to communicate that nothing has come to their attention that leads them to believe that the controls are not designed adequately and operating effectively, it has given negative assurance.
What is the difference between final formal communications and final informal communications and when is each appropriate?
Informal communication is considered appropriate only when, during the observation evaluation and escalation process, all observations were assessed to be insignificant with no key control activities compromised.
The informal communication will cover insignificant observations related to secondary control activities that might be compromised and will only be distributed to management representatives of the area that was the target of the audit.
Formal communications are assurance engagement communications for which the intended recipient is
senior management, the audit committee, the organization's independent outside auditor, and/or management to whom the key individuals within the area that is the subject of the audit report.
Formal communications are indicated when the controls evaluated during an assurance engagement are assessed to be:
insignificantly compromised with key control activities affected,
significantly compromised, or
materially compromised.
Every assurance engagement, no matter if there are observations to report or not, must result in a final, formal communication for the internal audit function to fully discharge its responsibilities as outlined in the Standards.
What quality characteristics should assurance engagement communications possess?
Standard 2420: Quality of Communications: "communications must be accurate, objective, clear, concise, constructive, complete, and timely."
What steps should internal auditors take to ensure that the communications are of high quality?
Gather, evaluate, and summarize data and evidence with care and precision.
Derive and express observations, conclusions, and recommendations without prejudice, partisanship, personal interests, and the undue influence of others.
Improve clarity by avoiding unnecessary technical language and providing all significant and relevant information in context.
Develop communications with the objective of making each element meaningful but succinct.
Adopt a useful, positive, and well-meaning content and tone that focuses on the organization's objectives.
Ensure communication is consistent with the organization's style and culture.
Plan the timing of the presentation of engagement results to avoid undue delay.
What actions regarding assurance engagement observations must the internal audit function take after the final engagement communication is disseminated?
The internal audit function must have a process in place to monitor and follow up on agreed-upon actions to ensure management has done what they intended.
If management chooses to accept the risk associated with making no changes to the control activity, the CAE must
make a judgment regarding the prudence of that decision discuss the matter with senior management.
If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution"
If management accepts responsibility for implementing changes to remediate the observations, the internal audit function must monitor the progress management makes relative to the remediation of the observations.
Regular follow-up procedures should ensure that agreed-upon actions are taken on schedule with the time frame outlined in the final engagement communication.
Follow-up actions should be documented and retained in the internal audit function's working papers of the next assurance engagement relating to the area that was subject to the original audit.
Recommendations should be included in final audit communications to:
a. Provide management with options for addressing audit observations.
b. Ensure that problems are resolved in the manner suggested by the auditor.
c. Minimize the amount of time required to correct audit observations.
d. Guarantee that audit observations are addressed, regardless of cost.
a. Provide management with options for addressing audit observations.
Reported internal audit observations emerge as a result of comparing "what should be" with "what is." In determining "what should be" during an internal audit engagement, which of the following would be the least appropriate criterion against which to assess current controls?
a. Industry best practices.
b. Control policies and procedures prescribed by senior management.
c. A standard of control effectiveness determined by the internal audit function.
d. The controls documented as being in place during the last audit.
d. The controls documented as being in place during the last audit.
According to the International Professional Practices Framework (IPPF), an engagement final communication should include, at minimum, which of the following?
I. Background information.
II. Purpose of the engagement.
III. Engagement scope.
IV. Results of the engagement.
V. Summaries.
a. I, II, and III.
b. I, III, and V.
c. II, III, and IV.
d. II, IV, and V.
c. II, III, and IV.
Which of the following would not be considered a primary objective of a closing or exist conference?
a. To resolve conflicts.
b. To identify concerns for future audit engagements.
c. To discuss the engagement observations and recommendations.
d. To identify management's actions and responses to the engagement observations and recommendations.
b. To identify concerns for future audit engagements.
During a review of purchasing operations, an internal auditor found that procedures in use did not agree with stated company procedures. However, audit tests revealed that the procedures used represented an increased in efficiency and a decrease in processing time, without a discernible decrease in control. The internal auditor should:
a. Report the lack of adherence to documented procedures as an operational deficiency.
b. Develop a flowchart of the new procedures and include it in the report to management.
c. Report the change and suggest that the change in procedures by documented.
d. Suspend the completion of the engagement until the engagement client documents the new procedures.
c. Report the change and suggest that the change in procedures by documented.
A formal engagement communication must:
a. Provide an opportunity for the auditee to respond.
b. Document the corrective actions required of senior management.
c. Provide a formal means by which the independent outside auditor assesses potential reliance on the internal audit function.
d. Report significant observations.
d. Report significant observations.
Which of the following does the CAE need to consider when determining the extent of follow-up required?
I. Significance of the reported observation.
II. Past experience with the manager charged with the corrective action.
III. Degree of effort and cost needed for the corrective action.
IV. The experience of the internal audit staff.
a. I and III.
b. I, II, and III.
c. II, III, and IV.
d. I, II, III, and IV.
a. I and III.
An excerpt from an internal audit observation indicates that travel advances exceeded prescribed maximum amounts. Company policy provides travel funds to authorized employees for travel. Advances are not to exceed 45 days of anticipated expenses. Company procedures do not require justification for large travel advances. Employees can, and do, accumulate large unneeded advances. In this audit observation, the element of an audit finding known as "effect" is:
a. Advances are not to exceed estimated expenses for 45 days.
b. Travel advances exceed prescribed maximum amounts.
c. Employees accumulate large, unneeded advances.
d. Unauthorized employees are given travel advances.
c. Employees accumulate large, unneeded advances.
Internal audit reports can be structured to motivate management to correct deficiencies. Which of the following report-writing techniques is most likely to be effective?
a. State the procedural inadequacies and resulting improprieties in specific terms.
b. Recommend changes and state the punitive measures that will follow if the recommendations are not implemented.
c. List the deficiencies found so as to provide an easy-to-follow checklist.
d. Suggest practical improvements to address the identified observations.
d. Suggest practical improvements to address the identified observations.
The primary purpose of issuing an interim report during an internal audit is to:
a. Provide auditee management the opportunity to act on certain observations immediately.
b. Set the stage for the final report.
c. Promptly inform auditee management and their supervisors of audit procedures performed to date.
d. Describe the scope of the audit.
a. Provide auditee management the opportunity to act on certain observations immediately.
THIS SET IS OFTEN IN FOLDERS WITH...