Upgrade to remove ads
Only $35.99/year

Internal Audit Final

Terms in this set (70)

What two types of services do internal auditors provide? Provide 3 examples of each type of engagement.
1. Assurance Services (i.e. financial, performance, compliance, system security)
2. Consulting Services (i.e. counsel, advice, facilitation, training)
What are the three phases of the assurance engagement process?
- Plan
- Perform
- Communicate
What steps are included in the planning phase of an assurance engagement?
- Determine engagement objectives and scope
- Understand the auditee, including auditee objectives and assertions
- Identify and assess risks
- Identify key controls
- Evaluate the adequacy of control design
- Create a test plan
- Develop a work program
- Allocate resources to the engagement
What is the relationship between business objectives and business assertions?
- Objectives: what they are striving to achieve
- Assertions: after-the-fact statements of what was achieved
What does "inherent risk" mean?
- The combination of internal and external risk factors in their pure, uncontrolled state
Why is it useful for an internal auditor to express risks in terms of causes and effects?
- Helps the internal auditor assess how big the potential problem is and how likely it is to occur
What are management's risk response options?
- Avoiding risks
- Sharing risks
- Reducing risks
What purposes does a well-written work program serve?
- Outlines the audit procedures required to accomplish the engagement objectives
What does allocating resources to the engagement involve?
- Determining the audit expertise needed
- Assigning appropriate internal auditors to the engagement
- Scheduling the work so that it is completed timely
What steps are included in the performance phase of an assurance engagement?
- Conduct tests to gather evidence
- Evaluate audit evidence gathered and reach conclusions
- Develop observations and formulate recommendations
What elements do well-written observations include?
- Criteria
- Condition
- Consequences
- Causes
What are the characteristics of meaningful recommendations?
- Address the causes of the gap between the criteria and condition
- Provide long0term solutions rather than short-term fixes
- Are economically feasible
What are the key quality characteristics of internal audit engagement communications?
- Accurate
- Objective
- Clear
- Concise
- Constructive
- Complete
- Timely
What steps are included in the communication phase of an assurance engagement?
- Perform observation evaluation and escalation process
- Conduct interim and preliminary engagement communications
- Develop final engagement communications
- Distribute formal and informal final communications
What is the difference between "negative assurance" and "positive assurance?"
- Negative assurance: they conclude that nothing has come to their attention that indicates that the auditee's controls are designed inadequately or operating ineffectively
- Positive assurance: they conclude, in their opinion, the auditee's controls are designed adequately and operating effectively
What information must final assurance engagement communications include?
- Communications must include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans
- The CAE must communicate results to the appropriate parties
How do internal audit consulting engagements differ from assurance engagements?
- Nature and scope (internal audit function vs. engagement customer)
- Consulting engagements are more discretionary
What are the four reasons for conducting an assurance engagement?
- The engagement was identified in the internal audit plan because of inherent risks identified during the business risk assessment process, risks detected the last time the area was audited, and other relevant factors
- The engagement is part of an annual requirement to evaluate the organization's system of internal controls
- A recent event has tested the process under unusual circumstances and management desires a "post mortem"
- Changes in the business or industry require immediate modifications to the process and management desires a quick validation that these modifications appear to be designed appropriately to address the changes
Why is establishing engagement objectives important?
- Articulate specifically what the engagement is trying to accomplish
What are five types of scope statements?
- Boundaries of the process
- In-scope versus out-of-scope locations
- Subprocesses
- Components
- Time frame
What are the five typical exceptions that may be identified during testing in an engagement?
- Financial statement errors or misclassifications
- Control deficiencies
- Shortfalls in objective achievement
- Inefficiencies
- Out-of-compliance situations
Which type of process objective is the most common and why?
- Operations objectives, because they define the reason the process exists
What types of information may process owners have available that will help an internal auditor understand the process?
- Policies relating to the process
- Procedures manuals
- Organizational charts
- Job descriptions
- Process maps or flowcharts
- Narrative descriptions of key tasks
- Copies of key contracts
- Relevant information regarding laws and regulations
- Other documentation that may have been developed to support required reporting on the effectiveness of the system of internal controls
Why might an internal auditor perform analytical procedures during the engagement planning process?
May reveal process activities that warrant closer attention and, accordingly, more detailed testing
Why might an internal auditor perform CAATs during the engagement planning process?
- Obtaining information about a population during the planning phase can help the internal auditor design tests that most effectively address the inherent risks in the process
Why must an internal auditor understand how entity-level controls may influence the performance of a process before auditing that process?
- They can become inherent risks to the effective operation of controls at the process level
What are the three most common ways of documenting a process flow?
- Process maps
- Flowcharts
- Narrative memoranda
How does a detailed flowchart differ from a high-level flowchart?
High level: depict broad inputs, tasks, workflows, and outputs
Detailed: provides more depth and level of detail
What six categories of information should narrative memoranda generally include?
- Overall description of the process
- Key inputs
- Key steps in the process
- Key outputs
- Risks that threaten the process
- Key controls
Why is it important for internal auditors to identify and understand key performance indicators for a process?
- They can define the process owner's tolerance to performance deviations
Why might the inherent likelihood of a risk increases if there is the potential for fraud?
... NOT IN BOOK
What is the difference between a process-level risk scenario and a process-level risk?
The risk scenarios represent the specific real-life events that could affect the achievement of objectives. Risks are broader descriptions of the causes and effects of such events.
What three steps are generally involved in conducting a process-level risk assessment?
1. Determine the impact of various outcomes associated with each risk
2. Estimate the likelihood that each risk impact will occur
3. Combine the assessment of impact an the likelihood into a single risk assessment
What three key steps should an internal auditor follow when gaining an understanding of management's risk tolerance levels?
1. Identify possible risk outcomes
2. Understand established tolerance levels
3. Assess tolerance levels for outcomes that have not been established
Which of the nine examples of common control types typically occur before a transaction is completed?
- Approving
- Calculating
- Documenting
- Examining
- Matching
- Monitoring
- Restricting
- Segregating
- Supervising
What are the key questions that must be answered when evaluating the design adequacy of controls?
... pg. 13-30 (probably not on test)
What factors should an internal auditor consider when determining which controls to test?
- Higher-level controls
- Compensating control that address multiple risks
- Design of controls assessed as being adequate
- Is it practical to test certain key controls
- Have there been changes in the process
When developing a testing approach, what decisions must be made about the tests to be performed?
- Nature of tests
- Extent of tests
- Timing of testa
What are the key tasks covered in the typical work program?
- Key administrative tasks
- Planning tasks
- Fieldwork tasks
- Reporting tasks
What information should an internal audit engagement budget include?
- Hours needed to complete the engagement
- Other costs: travel, technology, supplies
What questions need to be answered when allocating human resources to an engagement?
... pg. 13-36 (probably not on test)
What four items should be considered when scheduling an engagement?
- Availability of key process personnel
- Availability of engagement resources
- Availability of outside resources
- Availability of key reviewers
What four questions must be answered to evaluate the evidence gathered from audit testing?
1. Are the key controls designed adequately?
2. Are the key controls operating effectively?
3. Are the underlying risks being mitigated to an acceptable level?
4. Overall, do the design and operation of the key controls support achievement of the objectives for the process or area under review?
What four elements are included in well-written audit observation?
- Condition
- Criteria
- Cause
- Effect
What are the six columns included in a completed Risk and Control Matrix?
- Process-level risk
- Key control
- Design adequacy
- Testing approach
- Results of testing
- Testing conclusions
How are internal audit assurance engagements related to senior management's assertions regarding the organization's system of internal controls?
- Help corroborate and support senior management's assertions regarding the design adequacy and operating effectiveness of the organization's overall system of internal controls
When and in what ways do assurance engagement communications occur?
- Throughout the engagement process (i.e. memoranda, outlines, discussions, and draft working papers)
How are assurance engagement observations identified?
- Based on evidence that a control is not operating effectively
What are the steps an internal auditor takes to assess the observations identified during an assurance engagement?
- Identify
- Assess
- Determine cause
What distinguishes a significant observation from an insignificant observation? What distinguishes a material observation from a significant deficiency?
Insignificant: A control has a remote likelihood of failing or that the impact of its failure is trivial

Significant: A control has more than a remote likelihood of failing and that the impact of its failure is more than trivial

Material: A control has form than a remote likelihood of failing and that the impact of its failure exceeds the materiality threshold
What information should be included in an assurance engagement audit observation description? Hint: Refer to exhibit 14-8.
- Condition
- Criteria
- Cause
- Effect
Why is interim and preliminary communication important in an assurance engagement?
- Discuss observations as they are identified during the engagement
- Helps formalize management's action plan
What is the purpose of a closing reference?
- The vehicle through which the internal audit function informs interested parties of engagement outcomes
What information should be included in a well-designed final assurance engagement communication?
- Purpose and scope of engagement
- Time frame covered by the engagement
- Observations as required by the evaluation and escalation process and recommendations
- Engagement conclusions and rating (if applicable)
- Mangement's action plan to appropriately address reported observations (if applicable)
What is the difference between providing positive assurance versus negative assurance in an audit report?
Positive assurance: a rating or conclusion by the internal auditor that provides specific assurances about an engagement

Negative assurance: a rating or conclusion indicating that nothing negative has come to the internal auditor's attention
What is the difference between final formal communications and final informal communications and when is each appropriate?
Formal - typically the recipient is senior management, the audit committee, outside auditor, and/or auditee management. Used when key controls are affected, significantly compromised, or materially compromised.

Informal - usually through memoranda, email, face to face meetings, or conference calls. Should be used when observations are determined to bed insignificant.
What quality characteristics should assurance engagement communications possess? What steps should internal auditors take to ensure that the communications are of high quality?
- Accurate
- Objective
- Clear
- Concise
- Constructive
- Complete
- Timely
- Gather, evaluate, and summarize data and evidence with care and precision
- Derive and express observations, conclusions, and recommendations without prejudice
- Improve clarity by avoiding unnecessary technical language and providing all significant and relevant information in context
- Develop communications with the objective of making each element meaningful but succinct
- Adopt a useful, positive, and well-meaning content and tone that focuses on the organization's objectives
- Ensure communication is consistent with the organization;s style and culture
- Plan the timing of the presentation of engagement results to avoid undue delay
What actions regarding assurance engagement observations must the internal audit function take after the final engagement communication is disseminated?
- Monitor and follow-up
Why is an internal audit function well qualified to add value by providing insight through its consulting activities?
- More forward-looking view of the way things should operate with improved controls rather than only providing assurance services relative to controls that will change over time
What are the differences between an assurance engagement and a consulting engagement?
- The number of parties involved in the engagement
- The application of the standards to both types of services
- The purpose of the engagement
- Communication of engagement results
What are three types of consulting engagements the internal audit function can perform? Give an example of each.
1. Advisory (i.e. Advising on control design)
2. Educational (i.e. Training on risk management and internal control)
3. Facilitative (i.e. Facilitating the organization's risk assessment process)
What is a blended engagement and when is it appropriate?
- Internal audit engagements that incorporate elements of both consulting and assurance services
- Make sure neither independence nor objectivity is compromised
What are the three ways potential consulting engagements are identified?
1. Proposed during the annual risk assessment process
2. Requested by management
3. New or changing conditions warrant the internal audit function's attention
How are consulting services addressed in the annual internal audit plan?
... (Couldn't find)
How does the internal audit function choose which consulting engagements to perform?
... (Couldn't find)
Why is it important to create and maintain robust working papers for a consulting engagement?
- Shows what has been accomplished so far
- Documents results as they become known
How can the CAE educate management regarding the value of consulting services to the organization?
- Consulting looks more forward and can help prevent fraud
What capabilities must an internal audit function possess to provide value-adding consulting services?
- Versatility
- Learn new things quickly
- may need significant experience and expertise in process design
What specific skills are required of an internal auditor performing consulting engagements?
- Exhibit facilitation and collaboration skills
- Demonstrate both broad business experience and specific subject matter expertise
- Build relationships quickly and demonstrate strong interpersonal skills
- Think analytically and solve unstructured problems
- Learn and adapt quickly in a dynamic environment
- Process information and respond quickly to requests
- Articulate and communicate results quickly, whether through presentations, written communications, or oral communications
What are some areas in which outside specialists may be needed to effectively perform consulting engagements? What are some examples of outside specialists who may be asked to assist in consulting engagements?
- Financial reporting
- Technology
- Treasury/cash management
- Fraud examination
- Engineering and environmental compliance
- Regulatory compliance

- Internal audit service providers
- IT and security specialists
- Fraud investigators
- Actuaries
- Engineers
- Lawyers
Sets with similar terms