Chapter 12: Introduction to the Engagement Process Flashcards
The tasks performed during an internal audit assurance engagement should address the following questions:
I. What are the reasons for the results?
II. How can performance be improved?
III. What results are being achieved?
The chronological order in which these questions should be addressed is:
a. III, I, II.
b. I, III, II.
c. III, II, I.
d. II, III, I.
A is the best answer. The first of the three tasks the internal auditor should complete is to determine the results being achieved, that is, the “what is” condition of the business process. The next task would be to determine the reasons for, or the causes of, the observed condition. The third task would be to determine how the performance of the process can be improved. The recommendations for improvement should be directed at remedying the causes of the observed condition.
While planning an assurance engagement, the internal auditor obtains knowledge about the auditee’s operations to, among other things:
a. Develop an attitude of professional skepticism concerning management’s assertions.
b. Make constructive suggestions to management regarding internal control improvements.
c. Evaluate whether misstatements in the auditee’s performance reports should be communicated to senior management and the audit committee.
d. Develop an understanding of the auditee’s objectives, risks, and controls.
D is the best answer. It is virtually impossible to audit effectively something that is not sufficiently understood. The success of any engagement ultimately depends largely on how well the internal audit team understands the auditee. The first thing the internal auditors must understand is the auditee’s business objectives and assertions. The internal audit team also must identify and assess the business risks that threaten the achievement of the auditee’s objectives, identify the controls that are most critical to reducing business risks to acceptable levels, and determine whether the identified key controls are designed adequately to reduce risks, both individually and collectively, to acceptable levels.
Which of the following statements does not illustrate the concept of inherent business risk?
a. Cash is more susceptible to theft than an inventory of sheet metal.
b. A broken lock on a security gate allows employees to access a restricted area that they are not authorized to enter.
c. Transactions involving complex calculations are more likely to be misstated than transactions involving simple calculations.
d. Technological developments might make a particular product obsolete.
B is the best answer. A broken lock on a security gate is an example of a control deficiency. The potential that controls will fail to reduce a risk to an acceptable level is referred to as control risk, not inherent risk.
Comprehensive risk assessment involves analysis of both causes and effects. Which of the following statements concerning the analysis of causes and effects is false?
a. Analyzing the causes and effects of a particular risk should only be performed after the internal auditor has first obtained evidence that a problem has occurred.
b. Analyzing the causes and effects of a particular risk provides insights about how to best manage the risk.
c. Analyzing the effects of a particular risk provides insights about the relative size of the risk and the relative importance of the business objective threatened by the risk.
d. Analyzing the root causes of a particular risk helps the internal auditor formulate recommendations for reducing the risk to an acceptable level.
A is the best answer. During the planning phase of an engagement, the internal audit team focuses its attention on inherent risk, that is, the risk to the auditee in the absence of any actions management might take to reduce or otherwise manage identified risks. Risk assessment involves gauging both the impact of the risk (if it should occur) and the likelihood of the risk occurring. Expressing inherent risks in terms of causes and effects helps the internal auditor assess how big the potential problem is and how likely it is to occur.
Internal auditors obtain an understanding of controls and perform tests of controls to:
a. Detect material misstatements in account balances.
b. Reduce control risk to an acceptable level.
c. Evaluate the design adequacy and operating effectiveness of the controls.
d. Assess the inherent risks associated with transactions.
C is the best answer. The internal audit team must determine whether identified key controls are designed adequately to reduce risks, both individually and collectively, to acceptable levels, assuming that the controls have been placed in operation and are operating as intended. If the key controls are assessed as being adequately designed, the internal auditors must then test the controls to determine whether they are in fact operating effectively as intended.
If an internal auditor’s evaluation of internal control design indicates that the controls are designed adequately, the appropriate next step would be to:
a. Test the operating effectiveness of the controls.
b. Prepare a flowchart depicting the system of internal controls.
c. Conclude that residual risk is low.
d. Conclude that control risk is high.
A is the best answer. Determining that controls are designed adequately is necessary, but not sufficient, for reaching a conclusion regarding their effectiveness. To reach a conclusion regarding their effectiveness, adequately designed controls must be tested to determine whether they are operating as intended.
Reportable internal audit observations emerge by a process of comparing “what should be” with “what is.” In determining “what should be” during an audit of a company’s treasury function, which of the following would be the least desirable criterion against which to judge current operations?
a. Best practices of the treasury function in relevant industries.
b. Company policies and procedures delegating authority and assigning responsibilities.
c. Performance standards established by senior management.
d. The operations of the treasury function as documented during the last audit.
D is the best answer. The operations of the treasury function as documented during the last audit represent the “what is” condition of the function at that point in time. This would be an inappropriate criterion against which to judge current operations unless the internal auditor found no room for improvement in the function during the last audit and there have been no changes in the function since then. The other three answers represent appropriate “what should be” criteria for the internal auditor to use in evaluating current operations.
Internal auditors sometimes express opinions in addition to stating observations in their reports. Due professional care requires that internal audit opinions be:
a. Based on sufficient appropriate evidence.
b. Limited to the effectiveness of internal controls.
c. Expressed only when requested by management or the audit committee.
d. Based on experience and free from errors in judgment.
A is the best answer. IPPF Implementation Guidance indicates that due professional care calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. To fulfill their due professional care responsibilities, internal auditors must base their conclusions on sufficient appropriate evidence.
Which of the following statements best describes an internal audit function’s responsibility for assurance engagement follow-up activities?
a. The internal audit function should determine that corrective action has been taken and is achieving the desired results, or that senior management has assumed the risk associated with not taking corrective action on reported observations.
b. The internal audit function should determine whether management has initiated corrective action but has no responsibility to determine whether the corrective action is achieving the desired results. That determination is management’s responsibility.
c. The CAE is responsible for scheduling audit follow-up activities only if asked to do so by senior management or the audit committee. Otherwise, such activities are discretionary.
d. Audit follow-up activities are not necessary if the auditee has agreed in writing to implement the internal audit function’s recommendations.
A is the best answer. Standard 2500.A1 states that “The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.”
Internal auditors perform both assurance engagements and consulting engagements. Which of the following would be classified as a consulting engagement?
a. Directly assessing the organization’s compliance with laws and regulations.
b. Assessing the design adequacy of the organization’s entity-level monitoring activities.
c. Facilitating senior management’s assessment of risks threatening the organization.
d. Assisting the independent outside auditor during the financial statement audit engagement.
C is the best answer. Consulting services are defined in the Glossary to the Standards as “Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.”
When assessing the risk associated with an activity, an internal auditor should:
a. Determine how the risk should best be managed.
b. Provide assurance on the management of the risk.
c. Update the risk management process based on risk exposures.
d. Design controls to mitigate the identified risks.
B is the best answer. Assurance services involve the internal auditor’s objective assessment of management’s risk management activities and the degree to which they are effective. The other choices are activities typically carried out by management.
In deciding whether to schedule the purchasing or the personnel department for an audit engagement, which of the following would be the least important factor?
a. There have been major changes in operations in one of the departments.
b. The audit staff has recently added an individual with expertise in one of the areas.
c. There are more opportunities to achieve operating benefits in one of the departments than in the other.
d. The potential for loss is significantly greater in one department than in the other.
B is the best answer. While auditor skills should be considered in the planning process, audit needs—not auditor skill availability—should drive engagement work schedules in a risk-based audit plan.
A performance audit engagement typically involves:
a. Review of financial statement information, including the appropriateness of various accounting treatments.
b. Tests of compliance with policies, procedures, laws, and regulations.
c. Appraisal of the environment and comparison against established criteria.
d. Evaluation of organizational and departmental structures, including assessment of process flows.
C is the best answer. Performance audit engagements involve review of performance against set criteria.
What two types of services do internal auditors provide?
Assurance and consulting services
What are the three phases of the assurance engagement process?
The three phases of the assurance engagement process are planning, performing, and communicating.