Chapter 10 - Audit Flashcards

1
Q

Compare risk management with internal audit

A

Risk management:

  • A risk management team would be considered to own the entire risk management process
  • they would be ultimately responsible for all aspects of this process including identification and maintenance of the company’s risk register, assessment, prioritisation, treatment of risks and establishment of controls to manage these risks
  • the team would lead the company in developing a risk response strategy and would act in an advisory capacity supporting all areas of the business
  • provision of training and development by risk staff would facilitate operational managers’ ability to identify risks in their area of work and devise controls by which to manage them

Internal audit:

  • The role of internal audit is that of monitoring and reviewing the effectiveness of the controls implemented by operational managers
  • in the context of risk management their key activity is in the testing and evaluation of the risk controls (hence ensuring that those who design controls should not test them)
  • in a wider context the internal audit department can carry out special investigations as directed by management, and can assist the organisation in review of the efficient use of resources
  • internal audit teams can provide support and assistance to senior management in a range of projects, some of which may fall outside the risk management arena
  • they are often able to contribute to the work of operational teams in identifying risks due to their extensive knowledge of the business, but this is not their primary responsibility
2
Q

Briefly summarise the difference between risk management team and internal audit team

A

Risk management identify risks or problems, management devise controls which they think will prevent the risk or problem and the auditors check that the control works. If it doesn’t, then it is still a problem and management will implement further or different controls which audit will check again. And so the process goes on until the risk or problem is minimised to the satisfaction of management i.e. it is within the company’s attitude to risk.

3
Q

What is the scope of internal audit?

A
  1. Examine financial and operating information
  2. Review accounting and internal control systems
  3. Assist in carrying out external audit procedures
  4. Assisting with identification of significant risks
  5. Special investigation
  6. Review compliance with laws, regulations or internal policies
  7. Review economy, efficiency and effectiveness of operations
4
Q

Internal auditors can follow the same standards as external auditors. However, there are also International Standards for Internal Audit issued by the Internal Auditing Standards Board (IASB) of the Institute of Internal Auditors. What are those standards? Briefly explain

A
  1. Attribute standards - deal with the characteristics of organisations and the parties performing internal auditing activities.
  2. Performance standards - describe the nature of internal auditing services
5
Q

What are 3 attributes of standards for internal audit?

A
  1. Independence
  2. Objectivity
  3. Professional care
6
Q

What are the performance standards for internal audit? (Areas of work)

A
  1. Managing internal audit
  2. Risk management
  3. Control
  4. Governance
  5. Internal audit work
  6. Communicating results
7
Q

To ensure that the internal audit function provides an objective assessment of control systems, and their weaknesses, there should be measures in place to protect the independence of the internal audit department. What are those?

A
  • the internal auditors must be independent of executive management and should not have any involvement in the activities or systems that they audit
  • the head of internal audit should report directly to a senior director
  • in addition, however, the head of internal audit should have direct access to the chairman of the board of directors, and to the audit committee, and should be accountable to the audit committee
  • The audit committee should approve the appointment and termination of appointment of the head of internal audit
  • In large organisations the internal audit function will be a separate department
  • in a small company it might be the responsibility of individuals to perform specific tasks even though there will not be a full-time position
  • some organisations outsource their internal audit function, often to one of the large accountancy firms
  • the internal auditor will review the accounting and control systems, perform testing of transactions and balances, review the 3E’s, implementation of corporate policies, carry out special investigations, and assist the external auditors where necessary
  • They should be technically competent and exercise due professional care by planning, supervising and reviewing any work performed. Documentation should be kept, results communicated to management and recommendations made.
8
Q

What are the advantages of outsourcing internal audit?

A
  • greater focus on cost and efficiency of the internal audit
  • staff may be drawn from a broader range of expertise
  • risk of staff turnover is passed to outsourcing firm
  • specialist skills may be more readily available
  • costs of employing permanent staff are avoided
  • may improve independence
  • access to new market place technologies, e.g. audit methodology software without associated costs
  • reduced management time in administering an in-house department
9
Q

What are the disadvantages of outsourcing internal audit?

A
  • possible conflict of interest if provided by the external auditors
  • pressure on the independence of the outsourced function due to, for example, a threat by management not to renew contract
  • risk of lack of knowledge and understanding of the organisation’s objectives, culture or business
  • the decision may be based on cost with the effectiveness of the function being reduced
  • flexibility and availability may not be as high as with an in-house function
  • lack of control over standard of service
  • risk of blurring of roles between internal and external audit, losing credibility for both
10
Q

How to minimise risks associated with outsourcing of internal audit?

A
  • controls over acceptance of internal audit contracts to ensure no impact on independence or ethical issues
  • regular reviews of the quality of audit work performed
  • separate departments covering internal and external audit
  • clearly agreed scope, responsibilities and reporting lines
  • performance measures, management information and risk reporting
  • procedure manuals for internal audit
11
Q

How to assess efficiency and effectiveness of internal audit?

A

The efficiency of internal audit can be assessed by comparing actual costs and output against a target, such as:

  • the cost per internal audit day
  • the cost per audit report
  • the number of audit reports produced

The effectiveness of internal audit needs to be measured in a way that indicates the extent to which it provides assurance to management, the audit committee and the board about the effectiveness of the system of internal control.
- this can be done by identifying evidence of improvements of internal control

12
Q

What is the general layout of an internal audit report?

A
  1. Executive summary
  2. The scope of the assignment
  3. Observations and recommendations
  4. Recommendation graded by importance
  5. Statement of responsibility
13
Q

The audit plan of the external auditors should be drawn up taking into consideration the work of internal audit, and the extent to which the external auditors can rely on the findings of the internal auditors in reaching their audit opinion. What are the factors that the external auditor should consider?

A
  • the status of internal audit within the organisation
  • the scope of the internal audit function
  • whether management act on the recommendations of the internal auditor
  • the technical competence of the internal auditors
  • whether the objectives of the internal audit work are aligned with that of the external auditor
  • whether the work of the internal audit function appears to have been planned, supervised, reviewed and documented with due professional care
14
Q

In a large company which complies with the UK Corporate Governance Code, the head of internal audit should report directly to who?

A

A senior director

15
Q

Compare external and internal audit according to following points:

  • Role required by
  • Appointed by
  • Reports to
  • Reports on
  • Forms opinions on
  • Scope of assignment
A

External audit:

  • Role required by: Statute, for limited companies
  • Appointed by: Shareholders or directors
  • Reports to: Shareholder and management
  • Reports on: Financial statements
  • Forms opinions on: True and fair view and proper presentation
  • Scope of assignment: Unlimited, to fulfil statutory obligation

Internal audit:

  • Role required by: Directors and shareholder, usually in large organisations
  • Appointed by: Directors, via the Chief Internal Auditor (CIA)
  • Reports to: Directors, via the CIA
  • Reports on: Internal controls mainly
  • Forms opinions on: Adequacy of ICS as a contribution to the economic, efficient and effective use of resources
  • Scope of assignment: Prescribed by directors
16
Q

The primary scope of an internal auditor’s work includes: (Select all that apply.)

A Examining financial operating information
B Reviewing compliance with laws and regulations
C Identifying risk
D Assisting with external audit procedures

A

A, B, D

17
Q

Internal audit can be outsourced. A disadvantage of this might be:

A

D

18
Q

The external auditor is responsible for identifying material misstatements in the financial statements in order to ensure that they give a true and fair view. By definition then, the external auditor is responsible for detecting any material fraud that may have occurred. However, they have no specific responsibility with regard to immaterial fraud. If they identify them they will be reported to those charged with governance, but there is no duty to identify them.

What assignments can they give to an internal auditor?

A
  • to assess the likelihood of fraud, or if a fraud has been discovered
  • to assess its consequences and
  • to make recommendations for prevention in the future
19
Q

Fraud investigation can be carried out by an auditor. It is not their primary objective when carrying out an audit, but they are duty bound to report a fraud if during the course of their work they identify fraudulent activities.

It is the company directors who are responsible for identifying fraud. What are the steps in fraud investigation?

A
  1. Ascertaining the facts of the fraudulent activity
  2. Gathering evidence of the crime, documentary, interviews with witnesses, observational, etc.
  3. Corroborating the evidence
  4. Consider whether you have the right of access to the evidence you require. Many cases have been thrown out of court because evidence has been improperly obtained.
  5. Maintaining confidentiality so that the perpetrator doesn’t realise they are being investigated
  6. Consider the cost of the investigation versus the value of the fraud, although ethically all frauds should be stopped
  7. Ascertain the value of the fraud
  8. Consider the loss of reputation if the fraud becomes public
20
Q

What are the types of audit work?

A
  1. Compliance audit
  2. Transactions audit
  3. Risk-based audit
  4. Quality audit
  5. Post-completion audit
  6. Value for money audit
  7. Social, and environmental audit
  8. Management audit
  9. Systems-based audit
21
Q

What is compliance audit?

A

Compliance audits check the implementation of written rules, regulations and procedures. They were used originally for financial transactions, because the government (tax authorities) needed assurance that the financial figures were correct. The concept of compliance has been extended to other areas, such as regulatory inspections and quality audits, where there is a requirement to verify that activities are being performed in strict compliance with approved standards and procedures

22
Q

What is transactions audit?

A

A transactions audit involves the checking of a sample of transactions against documentary evidence. This method can be used where controls are weak or where transactions are high risk.

23
Q

What is risk-based audit?

A

A risk-based audit refers to a systems audit in which the auditors use their judgement to decide on the level of risk that exists in different areas of the system, and to plan their audit tests so that more effort is directed towards the most risky areas. In this way, less time and effort is spent on elements of the system that are relatively ‘safe’

24
Q

What is quality audit?

A

A quality audit is a systematic investigation to establish whether quality objectives are being met. A quality audit might look into the system for setting quality standards, the relevance of those standards, the system of comparing actual performance against the quality standards and whether the quality controls work effectively.

25
Q

What is post-completion audit?

A

A post-completion audit is an objective and independent appraisal of the measure of success of a project. It should cover the project throughout its lifecycle from the planning and implementation stages through to performance after commissioning. The review should take place at some time after the project or process has been completed or is being used. Review should not be too soon, where the project or process hasn’t been given a chance to bed in. But it should also not be too late where important feedback and learning has not been applied on later projects.

Projects are often assessed on three criteria: time, cost and quality. Was the project implemented on time? Did the project come in on budget? Was the project delivered at the expected quality level, or more commonly did it solve the original issue that prompted the project?

Post-completion audits are often performed by internal audit, as long as they are not involved in the original design of the project itself. The auditor will source the documentation which stated the original objectives of the project, and then follow the process carried out to ensure that all activities led to the successful completion of these objectives - in an economical, efficient and effective way. If the objectives are not met, why not? And what should be done about it?

26
Q

What is VFM?

A

Value for money audit is an investigation into whether proper arrangements have been made for securing economy, efficiency and effectiveness in use of resources. It is an audit into the 3 Es in an item or operation.

  • Economy of a business is assessed by looking at the inputs to the business and deciding whether these are the most economical that are available at an acceptable quality level. Economy means obtaining the required resources at the lowest cost. There would be a lack of economy for example, if there was overstaffing in a particular department or if an excessive price was paid for the materials of the required quality. ECONOMY DOES NOT MEAN ACHIEVING THE LOWEST COST POSSIBLE: IT MEANS KEEPING COSTS WITHIN ACCEPTABLE LIMITS FOR OBTAINING RESOURCES OF THE DESIRED QUALITY.
  • Efficiency of an operation is assessed by considering how well operation converts inputs to outputs. It means using the minimum quantity of resources to achieve a given quantity and quality output. Efficiency can be measured either in terms of:
    a) maximising the output for a given quantity of input, such as the maximum quantity of services provided per employee or per $1 spent, or
    b) achieving a given quantity of output with the minimum resources possible.
  • Effectiveness exists when the output from a system achieves its intended aims and objectives. The effectiveness of an organisation is assessed by examining whether the organisation is achieving its objectives. To assess it there must be clear objectives for the organisation that can be examined.
27
Q

What are the problems with VFM audit?

A
  • it might be difficult to measure outputs, particularly in government services. For example, the output from an education system can be measured in many different ways, both in terms of the numbers educated and the quality of education.
  • The objectives of the activity might be difficult to establish. Particularly in the public sector. For example, what are the objectives of the police service? If an activity has several different objectives, the problem is then how to decide their priorities.
  • The focus might be either on the economy and efficiency or on effectiveness. It is difficult to report on both issues simultaneously because costs can almost always be reduced by cutting back on the quality of service, while outputs can almost always be improved by spending more
  • Quality might be ignored when economy and efficiency are measured.
28
Q

What is environmental audit?

A

Environmental audit is a management tool comprising a systematic, documented, periodic and objective evaluation of how well organisations, management and equipment are performing, with the aim of contributing to safeguarding the environment by facilitating management control of environmental practices, and assessing compliance with company policies, which would include meeting regulatory requirements and standards applicable.

29
Q

What is social audit?

A

The social audit would look at the company’s contribution to society and the community. The contributions made could be through:

  • Donations
  • Sponsorship
  • Employment practices
  • Education
  • Health and safety
  • Ethical investments, etc
30
Q

What is a management audit?

A

A management audit is also called an operational audit.
A management audit is an objective and independent appraisal of the effectiveness of managers and the corporate structure in the achievement of the entities’ objectives and policies.

  • its aim is to identify existing and potential management weakness and recommend ways to rectify them.
  • This type of audit would require the use of very experienced staff who understand the nature of the business.
31
Q

What are the objectives of management audit?

A
  • re-focusing resources towards mission-critical objectives
  • improving efficiency (improving work flows, eliminating unnecessary activities, eliminating duplicated activities, etc.)
  • improving the effectiveness of management support tools (such as improvements in controls, automated system support etc)
  • assessing the appropriate levels of service for an activity or operation
  • identifying cost saving
  • identifying opportunities to enhance revenue
  • improvements in governance
32
Q

What might be elements of operational audit?

A
  • a review of policies and procedures
  • a general review of workloads, work methods and work flows
  • an evaluation of system and processes
  • a review of management practices
  • a review of resource utilisation
  • a detailed cost analysis
33
Q

What findings of a management audit might be focused on?

A
  • a lack of technical competence or knowledge of the business amongst managers, and insufficient management training
  • an unwillingness to delegate
  • regular failure to achieve standards or targets
  • inadequate management information systems
  • poor communications within or between departments
  • poor management/staff relationships
  • an absence of clear leadership
  • a failure by management to make good decisions
34
Q

What is systems-based audit?

A

A systems-based audit is an audit of internal controls within an organisation. Although the term refers to any type of system, it is often associated with the audit of accounting systems, such as the sales ledger system, purchase ledger system, receipts and payments, fixed asset records, stock records, and so on.

The aim of such an audit is to identify weaknesses in the system (weaknesses in either the controls or in the application of controls, such that there is risk of material inaccuracy in financial records and statements, or risk of fraud).

35
Q

What are the steps in systems-based audit?

A
  • identify the objectives of each system
  • identify the procedures
  • identify why the system might not meet its objectives
  • identify ways to manage the above
  • identify if current controls are adequate
  • report on the above
36
Q

Checking a sample of transactions against documentary evidence is an example of what type of audit?

A

A transactions audit

37
Q

An objective and independent measure of the success of a project is known as what type of audit?

A

A post completion audit

38
Q

What is the audit process? Identify the flow.

A
  1. Agree the objectives of the audit
  2. Planning:
    a) Plan the audit
    b) Find out about systems and controls
    c) confirm operations of the system
    d) assess if controls are adequate
  3. Testing
    a) test compliance with controls
    b) test application of controls
  4. Review, report and recommend
  5. Agree the objectives of the audit again
39
Q

What is risk-based audit?

A

The auditor assesses whereabouts the key risks are in a system, and then concentrates the audit effort at those key risks. The result of this approach is that the audit should be more efficient and effective at achieving its objectives than if another approach were followed. One of the key ways an auditor can try to identify risk is by benchmarking.

40
Q

What are the types of benchmarking? Define each

A
  1. Process benchmarking - the company focuses its observation and investigation on business processes with a goal of identifying and observing the best practices from one or more benchmarked firms. Process analysis is required where the objective is usually to benchmark cost and efficiency. This is increasingly applied to back-office processes where outsourcing may be a consideration.
  2. Product benchmarking - the process of designing new products or upgrades to current ones. This process can sometimes involve reverse engineering, which is taking apart competitors’ products to find strengths and weaknesses.
  3. Functional benchmarking - a company will focus its benchmarking on a single function e.g. production, to improve the operation of that particular function. Complex functions such as HR, finance and IT are unlikely to be directly comparable in cost and efficiency terms and may need to be disaggregated into processes to make valid comparison.
  4. Competitor benchmarking - involves studying the leading competitor of the company that best carries out a specific function
  5. Environmental benchmarking - this is the process of collecting, analysing and relating environmental performance data of comparable activities with the purpose of evaluating and comparing performance between or within the entities. Entities can include processes, buildings or companies. Benchmarking can be internal within a single organisation, or - subject to confidentiality restrictions - external between competing entities.
41
Q

When preparing an audit plan for the year, the internal auditors should try to focus on those areas of operation where potential risk to the business is greatest. One way of assessing risk is to consider, for the operations or procedures subject to audit, inherent risk and quality of control. Define them

A

Inherent risk is the risk in the activity or operation, ignoring the controls in the system. For example, a cash based business such as a market stall or taxi business is inherently risky due to the possible theft or mis-declaration of tax payable.

Inherent risk relates both to the severity and the incidence of the risk, i.e. potential loss if an adverse situation or event arises, and the probability that an adverse situation or event will arise. The size of the inherent risk will depend on a variety of factors, such as:

  • the size of the operations unit or the size of the expenditure budget
  • the nature of the assets used or handled
  • the extent to which procedures are computerised.

The quality of control is the perceived quality of the existing controls for the activity. Confidence in the quality will be affected by:

  • the apparent effectiveness of management and supervision
  • pressures on management to achieve targets
  • changes in the system activities and procedures
  • changes in key personnel
  • a high staff turnover
  • a rapid expansion in operations and the volume of transactions handled
  • the length of time since the last audit of the activity was carried out. Confidence in the quality of controls will diminish over time without fresh reassurance from another audit that the controls are still effective.
42
Q

What is materiality?

A

The term materiality is often used in the context of financial reporting. An item in the financial statements is material if its omission or a misstatement of its value would be likely to influence a user of the financial statements.

Materiality should also be considered in relative terms. For example, the risk of valuing an asset incorrectly by $100k would be material in the context of the company with assets of $1 million, but far less material in the context of a company with assets of $100 mil.

43
Q

What methods can an auditor use to ascertain how the systems operate?

A
  1. Flowcharts - these could be examined or created from discussions with staff who use and operate systems. They might be used to record:
    - the sequences of activities and checks within an operation or procedure
    - which individuals carry out each procedure or check

The advantages of flowcharting the stages in an operation are that:

  • a flowchart is more often effective at presenting information in an understandable form than a narrative description
  • if there are weaknesses in the controls within an operation, these might be easier to identify by studying a flowchart
  2. Questionnaires - A questionnaire is a list of questions for which the auditor needs to find answers in order to gather the information or evidence he needs. The questions should be specific, and should ideally call for a yes or no answer, although room should be left on the form for additional comments to be added if required. The answers to these questions help the auditor both to:
    - establish the facts, and
    - identify potential control weaknesses.
44
Q

A company has a small accounting department, in which the same individual is made responsible for accounts payable and also for carrying out the bank reconciliation checks. Ideally, these tasks should be segregated, because there is a risk that the individual might be making out cheques to his or her personal bank account, and the fraud would not be identified by the bank reconciliation process. What controls can be implemented to overcome this weakness?

A
  • requiring that all cheques are signed by hand by a senior manager in the company, instead of signed automatically
  • a review by the individual’s supervisor of all bank reconciliations;
  • a periodic listing from the company’s bank of all the payments out of the company’s bank account in the period, for review by a senior manager
45
Q

What are the types of audit testing?

A
  • compliance testing (test of controls) - it should be carried out to ensure that the controls identified at the planning stage operate as they should. If the controls are not being complied with then there will be a material weakness in the control system and the result could be serious errors or fraud and the business objectives may not be achieved.

The results of the compliance testing should indicate whether:
a - the controls are effective, or
b - the controls are ineffective in practice, even though they appeared adequate on paper.

  • substantive testing (test of balances or transactions) - it does not look at the controls in the system, - it rather concentrates on the output and ensuring that the output is as expected. Substantive testing is normally associated with financial systems but can also be used for non-financial systems.

The purpose of the substantive tests is either to:
a - confirm that the controls are effective
b - or where the controls are ineffective, to establish the apparent consequences

46
Q

Which of the following is a substantive audit test?

A Observing the functioning of the quality control staff to ensure that they are checking output
B Matching customer orders to invoices
C Monitoring the number of quality control failures as a percentage of output
D Observing staff clocking in and out to ensure that productive time is recorded accurately

A

C

47
Q

The risk that an amount in the financial statements might be stated as materially incorrect (ignoring the existence of current internal controls) is called:

A Detection risk
B Control risk
C Inherent risk
D Sampling risk

A

C

48
Q

The final stage of the audit is the audit report. In an internal audit assignment the audit report does not have a strict structure, however, it would be expected to feature a number of different parts. What are those?

A
  • The objectives of the audit work
  • A summary of the process undertaken by the auditor
  • The results of tests carried out
  • The audit opinion
  • Recommendation for action
49
Q

The audit process is made up of the following steps:

A Plan the audit; document systems and controls; test compliance with controls; report to board
B Plan the audit; report to the board; document systems and controls; test compliance with controls
C Document systems and controls; test compliance with controls; report to board; test application of controls;
D Document systems and controls; test application of controls; test compliance with controls; report to the board

A

A

50
Q

What is CAAT?

A

CAAT - computer-assisted audit techniques are methods of using a computer to carry out an audit of a computer system. There are two main categories of CAAT:

  • Audit software, such as audit interrogation software
  • test data