Chapter 9: Managing the Internal Audit Function Flashcards
Per IIA Standards, internal audit functions must establish:
a. Internal quality assurance and improvement program assessments.
b. External quality assurance and improvement program assessments.
c. Both internal and external quality assurance and improvement program assessments.
d. Neither internal nor external quality assurance and improvement program assessments.
C is the best answer. Standard 1300: Quality Assurance and Improvement Program states that “the chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.” Standard 1310: Requirements of the Quality Assurance and Improvement Program, Standard 1311: Internal Assessments, and Standard 1312: External Assessments detail the specific requirements for IIA Standard 1300 by specifying that internal audit functions must establish both internal assessment and external assessment procedures.
Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should:
a. Accept the audit engagement because independence would not be impaired.
b. Accept the engagement, but indicate to management that recommending controls would impair audit independence so that management knows that future audits of the area would be impaired.
c. Not accept the engagement because internal audit functions are presumed to have expertise on accounting controls, not marketing controls.
d. Not accept the engagement because recommending controls would impair future objectivity of the department regarding this client.
A is the best answer. This engagement would not impair the function’s independence. Making recommendations on the design or enhancement of internal control activities is a responsibility of the internal audit function. It is management’s responsibility to implement and own controls.
Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met?
a. The individual internal audit staff member.
b. The CAE.
c. The audit committee.
d. The internal audit engagement supervisor.
B is the best answer. The CAE is ultimately responsible for determining whether the objectives of an internal audit engagement have been successfully achieved. The CAE is pivotal to a successful internal audit function. As explained by the interpretation to Standard 2000: Managing the Internal Audit Activity, “the internal audit activity is effectively managed when:
■ It achieves the purpose and responsibility included in the internal audit charter.
■ It conforms with the Standards.
■ Its individual members conform with the Code of Ethics and the Standards.
■ It considers trends and emerging issues that could impact the organization.”
Which of the following is the best reason for the CAE to consider the organization’s strategic plan in developing the annual internal audit plan?
a. To emphasize the importance of the internal audit function to the organization.
b. To make recommendations to improve the strategic plan.
c. To ensure that the internal audit plan supports the overall business objectives.
d. To provide assurance that the strategic plan is consistent with the organization’s values.
C is the best answer. Even though the other choices have merit, the primary reason for the internal audit function to consider the organization’s strategic plan when developing the annual audit plan is to ensure that internal audit efforts align with and support the overall business objectives of the organization.
The Standards requires policies and procedures to guide the internal audit staff. Which of the following statements is false with respect to this requirement?
a. A small internal audit function may be managed informally through close supervision and written memos.
b. Formal administrative and technical audit manuals may not be needed by all internal audit functions.
c. The CAE should establish the function’s policies and procedures.
d. All internal audit functions should have a detailed policies and procedures manual.
D is the best answer. It is important for the internal audit function to establish policies and procedures to guide the internal audit staff. However, substance is much more important than form. As a result, it is not necessary for these policies and procedures to be codified into a formal manual, but it is important for them to be established and effectively communicated to the staff in a way that is consistent with the size and complexity of the internal audit function.
When conducting a consulting engagement to improve the efficiency and quality of a production process, the audit team is faced with a scope limitation because several months of the production data have been lost or are incomplete. Faced with this scope limitation, the CAE should:
a. Resign from the consulting engagement and conduct an audit to determine why several months of data are not available.
b. Discuss the problem with the customer and together evaluate whether the engagement should be continued.
c. Increase the frequency of auditing the activity in question.
d. Communicate the potential effects of the scope limitation to the audit committee.
B is the best answer. When planning and performing a consulting engagement, the scope and engagement objectives are defined and agreed upon with the customer. As a result, the CAE should discuss the scope limitation with the customer and together evaluate whether the engagement should continue. For an assurance engagement, the scope limitation would need to be evaluated for impact on the internal audit function’s ability to achieve the defined engagement objective. If it is concluded that the problem makes the assurance engagement objectives unachievable, the engagement should be terminated and the scope limitation should be communicated to both management and the audit committee.
Which of the following is not a responsibility of the CAE?
a. To communicate the internal audit function’s plans and resource requirements to senior management and the board for review and approval.
b. To oversee the establishment, administration, and assessment of the organization’s system of internal controls and risk management processes.
c. To follow up on whether appropriate management actions have been taken on significant issues cited in internal audit reports.
d. To establish a risk-based plan to accomplish the objectives of the internal audit function consistent with the organization’s goals.
B is the best answer. All are responsibilities of the CAE as defined by the Standards except for overseeing the establishment, administration, and assessment of the organization’s system of internal controls and risk management processes, which is management’s responsibility.
The Standards requires the CAE to share information and coordinate activities with other internal and external providers of assurance services. With regard to the independent outside auditor, which of the following would not be an appropriate way for the CAE to meet this requirement?
a. Holding a meeting between the CAE and the independent outside audit firm’s partner to discuss the upcoming audit of the financial statements.
b. Providing the independent outside auditor with access to the working papers for an audit of third-party contractors.
c. Requiring the independent outside auditor to have the CAE’s approval of their annual audit plan for conducting the financial statement audit.
d. Requesting that the internal audit function receive a copy of the independent outside auditor’s management letter.
C is the best answer. It is appropriate for the CAE to request a copy of the external audit plan for conducting the financial statement audit to assist in planning the annual internal audit plan, but it is not appropriate for the CAE to approve the external audit plan. That could impair the independence and objectivity of the independent outside auditor’s work.
Organizational independence exists if the CAE reports [List A] to some other organizational level than the CEO or similar head of the organization as long as the internal audit activity [List B] without interference:
a. List A: administratively; List B: controls the scope and performance of work and reporting of results.
b. List A: administratively; List B: approves the internal audit budget and risk-based internal audit plan.
c. List A: functionally; List B: controls the scope and performance of work and reporting of results.
d. List A: functionally; List B: approves the internal audit budget and risk-based internal audit plan.
A is the best answer. IIA Standard 1110 states that the CAE “must confirm to the board, at least annually, the organizational independence of the internal audit activity.” Organizational independence exists if the CAE reports functionally to the board, has direct and unrestricted access to the board, reports administratively to the CEO or a similar head of the organization, or reports administratively to some other organizational level so long as the internal audit activity controls the scope of work, performance of the work, and the reporting of results without interference.
Audit committees are most likely to participate in the approval of:
a. Audit staff promotions and salary increases.
b. The internal audit report observations and recommendations.
c. Audit work schedules.
d. The appointment of the CAE.
D is the best answer. The independence of the internal audit activity is enhanced when the audit committee participates in naming the CAE. The company’s CAE is responsible for staff promotions. The company’s CAE is also responsible for approving internal audit reports. Audit work schedules are a part of the internal audit activity’s planning function.
According to the IPPF, the independence of the internal audit activity is achieved through:
a. Staffing and supervision.
b. Continuing professional development and due professional care.
c. Human relations and communications.
d. Organizational status and objectivity.
D is the best answer. According to the Standards, organizational status and objectivity permit members of the internal audit activity to render the impartial and unbiased judgments essential to the proper conduct of engagements. Staffing and supervision relate to the professional proficiency of the internal audit activity. Continuing professional development and due professional care relate to the professional proficiency of the internal auditor. Human relations and communications relate to the professional proficiency of the internal auditor.
Which of the following activities undertaken by the internal auditor might be in conflict with the standard of independence?
a. Risk management consultant.
b. Product development team leader.
c. Ethics advocate.
d. External audit liaison.
B is the best answer. In some circumstances, such as a product development team, the role of team leader or member may conflict with the independence attribute of the internal audit function. The auditor can participate as a consultant to the team but should not participate as a team leader. The risk management consultant does not conflict with the independence of the internal audit function. To improve the ethical climate, the internal auditor should assume the role of ethics advocate, which therefore does not conflict with the independence of the internal audit function. External audit liaison does not conflict with the independence of the internal audit function as the internal and external audit functions both share information and work collaboratively outside the influence of management.
According to the IPPF, internal auditors should possess which of the following skills?
I. Internal auditors should understand human relations and be skilled in dealing with people.
II. Internal auditors should be able to recognize and evaluate the materiality and significance of deviations from good business practices.
III. Internal auditors should be experts on subjects such as economics, commercial law, taxation, finance, and IT.
IV. Internal auditors should be skilled in oral and written communication.
a. II only.
b. I and III only.
c. III and IV only.
d. I, II, and IV only.
D is the best answer, I, II, and IV only. Internal auditors are expected to be able to recognize good business practices, understand human relations, and be skilled in oral and written communications. Internal auditors are not expected to be experts in a wide variety of fields related to their audit responsibilities.
Which of the following best describes an auditor’s responsibility after noting some indicators of fraud?
a. Expand activities to determine whether an investigation is warranted.
b. Report the possibility of fraud to senior management and ask how to proceed.
c. Consult with external legal counsel to determine the course of action to be taken.
d. Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud.
A is the best answer. The auditor should first expand work to determine the existence of fraud before reporting the matter to senior management. At this point, the auditor only has suspicions of fraud given the red flags. More work should be performed before consulting with management, external legal counsel, or the audit committee.
Which of the following activities are designed to provide feedback on the effectiveness of an internal audit activity?
I. Proper supervision.
II. Proper training.
III. Internal assessments.
IV. External assessments.
a. I, II, and III only.
b. I, II, and IV only.
c. I, III, and IV only.
d. All of these.
C is the best answer, I, III, and IV only. Quality assurance and improvement programs are designed to provide feedback on the effectiveness of an internal audit activity. A quality assurance and improvement program should include supervision, which provides day-to-day feedback. Proper training is important, but it does not provide feedback. A quality assurance and improvement program should also include internal assessments and external assessments.