Internal Audit Process Flashcards
What is an audit?
Is an examination to verify the correctness of representations
What do internal auditors audit?
The reasonableness of financial information and the adequacy and effectiveness of internal control activities
True or False
A list of criteria is also required by the internal auditor to determine whether he/she is satisfied with a business unit/process
True
To audit is thus to:
- Set up a list of criteria which you see as acceptable (“What should be in place”)
- Measure the reality (condition) against these criteria (“What is in place”)
- Obtain evidence to support your findings
What does internal audit refer to an audit as?
An audit engagement
What do assurance services refer to?
To compliance audit engagements, financial audit engagements, operational audit engagements and system security audit engagements
What do consulting services refer to?
- To advisory and related client service activities
- Counselling
- Providing advice
- Facilitation
- Training
At which levels within an organisation can an audit engagement be conducted?
- Strategic level
- Business level
- Operational/Functional level
True or False
The internal auditor needs to understand the organization’s vision, mission, specific organizational objectives as well as strategies to achieve the set objectives
True
Why should the internal auditor need to understand the organization’s vision, mission, specific organizational objectives and strategies to achieve the set objectives?
The internal auditor will use these organizational objectives to do a risk assessment and determine the specific engagement objectives
What is a vision statement?
A statement about what the organization wants to become: thus something the organization aspires to
What is a mission statement?
Defines the purpose of the organization; thus what an organization does. The mission is broken down into strategic objectives for each business unit/process
Who is responsible for determining a vision and mission for the organization as a whole and for determining the strategic organizational objectives?
The senior management
What should the internal audit plan specify?
The engagement objectives to be achieved by the internal audit when performing assurance or consulting engagements
How should the internal audit plan be structured?
In such a way that the engagement objectives relate to the achievement of the overall organizational objectives
What is the strategic level audit engagement?
(Objective) of the organization
What are the strategic level organizational objectives?
To ensure the (objective/control) of the organization
Disclose operational business unit organizational objectives
To ensure an effective (department division)
State operational business process audit engagement
(Specific control process)
Disclose organizational objectives
To ensure an effective (control process)
True or False
Some organizations are subject to certain risks or threats that could prevent the organization from achieving its organizational objectives
False
All organizations are subject to certain risks or threats that could prevent the organization from achieving its organizational objectives
How is the risk of the organization determined?
- First determine the objectives that were set by management.
- After objectives are set by management, the risks threatening the achievement of objectives can be identified
What are engagement objectives according to the Standards?
Broad statements developed by internal auditors that define intended engagement accomplishments
What should the engagement objectives address?
The risks associated with the business unit/process under review
State 2200 Engagement planning
Internal auditors must develop and document a plan for each engagement including the engagement’s objectives, scope, timing and resource allocations. The plan must consider the organisation’s strategies, objectives, and risks relevant to the engagement.
State 2300 Performing the engagement
Internal auditors must identify, analyze, evaluate and record sufficient information to achieve the engagement
State 2400 Communicating results
Internal auditors should communicate the engagement results promptly
State Monitoring progress
The CAE should establish and maintain a system to monitor the disposition of results communicated to management
What should the written engagement plan address? (2200 engagement planning)
The scope/volume of work to be performed, taking into account any specific management requests, the risk assessment and background information about the engagement client obtained during a preliminary survey
What should be documented in an engagement work programme?
The specific engagement objectives to be achieved and the engagement procedure to be performed
What is the objective of stage 2: Performing the engagement?
The objective of this stage is to obtain sufficient appropriate evidence regarding the engagement objectives that were set and to measure this evidence against the acceptable criteria
What else is included in the engagement procedures (stage 2 : performing the engagement)?
Includes testing and sampling techniques performed by the internal auditor to gather evidence, which must, where possible, be selected up-front and extended or altered as circumstances require
What does stage 3: communicating results involve?
Disseminating the results of the audit engagement in the form of an internal audit engagement report
What should be measured against the acceptable criteria in stage 3: communicating results?
After analyzing and evaluating the evidence gathered regarding the engagement objectives, this evidence should be measured against the acceptable criteria
In which form are the findings or engagement observations communicated to the relevant parties? (stage 3: communicating results)
In the form of an internal audit report, which highlights, amongst other things, any weaknesses in the processes, risks associated with these weaknesses, and recommendations for improvement
What is required by the internal audit in stage 4: monitoring progress?
After the audit engagement, investigate whether the implementation and improvement of processes as recommended in the internal audit engagement report have been addressed
What should the internal auditor establish in stage 4: monitoring progress?
The internal auditor must establish whether any corrective measures have been taken by management and whether or not these measures are achieving the desired results or that the management or board of directors has accepted the risk in cases where no corrective measures have been taken
What engagements should be drawn up when addressed in the engagement programme? (2200 engagement planning)
- It must document the procedures followed for collecting, analysing, interpreting and documenting information during the engagement
- It must state the objectives of the engagement
- It must identify the technical aspects, risks, processes and transactions that should be examined
- It must state the nature and extent of testing required
What is subjected to review and approval by the CAE?
The programme (engagement programme 2200)
Can modifications be made on the engagement programme (2200 engagement planning)?
Yes, as needed, during the course of the engagement
Should a meeting be held with management responsible for the area to be covered in the planning phase of the engagement? (2200 engagement planning)
Yes, concerns and requests from management should be considered after this meeting and included in the engagement objectives, if needed
What should the internal auditor consider in planning the engagement? (2201 planning considerations)
- The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance
- The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level
- The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model
- The opportunities for making significant improvements to the activity’s governance, risk management and control processes
State 2201 A.1
When planning an engagement for parties outside the organisation, IA must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records
What is an engagement objective according to 2210 engagement objective?
Broad statements developed by the internal auditor that define what the engagement is intended to accomplish
State 2201.C1 (planning considerations)
Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented
What is an engagement procedure according to 2210 engagement objectives?
Are the means followed by the internal auditor to achieve the engagement objective
What combined constitutes the scope of the engagement? (2210 engagement objective)
Engagement objective and engagement procedures
What should the engagement objective address according to 2210 engagement objectives?
The risks associated with the activity under review
What is used to further define the initial objectives and identify other significant areas of concern?
The risk assessment conducted during the engagement planning phase (2210 engagement objectives)
State 2210 A.1
Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment
Disclose 2210 engagement objectives
Objectives must be established for each engagement
What should internal auditors consider in the engagement objectives and procedures setting (2210.A1)?
Risks associated with the activity under review
How should risk be measured according to 2210.A1?
In terms of consequences and likelihood
How is risk for an activity determined? (2210.A1)
Background information on the activity should be obtained
State one method to obtaining information when determining risk for an activity (2210.A1)
Conduct a preliminary survey of the activity
What is the purpose of a preliminary survey? (2210.A1)
Would familiarize the internal auditor with the activity, its processes and control, to identify areas for engagement emphasis, and to invite comments and suggestions from engagement clients, but would include detailed verification of information obtained
State 2210.A2
Internal auditors must consider the probability of significant errors, fraud, non-compliance, and other exposures when developing the engagement objectives
State 2210.A3
Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been achieved. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate criteria through discussion with management and/or the board
State the type of criteria that may be included in 2210.A3
- Internal (e.g. policies and procedures of the organization)
- External (e.g. laws and regulations imposed by statutory bodies)
- Leading practices (e.g. industry and professional guidance)
State 2210.C1
Consulting engagement objectives must address governance, risk management and control processes to the extent agreed upon with the client
State 2210.C2
Consulting engagement objectives must be consistent with the organization’s values, strategies and objectives
State 2220 Engagement scope
The established scope must be sufficient to satisfy the objectives of the engagement
State 2220.A1 Engagement scope
The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties
State 2220.A2
If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards
State 2220.C1
In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives.
If the internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement
State 2220.C2
During consulting engagements, internal auditors must address controls consistent with the engagement’s objectives and be alert to significant control issues
Explain 2230 Engagement resource allocation
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives, based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources
What should be considered in determining the resources needed for each engagement according to 2230 engagement resource allocation?
- The number and experience level of the internal audit staff
- Training needs - involvement in certain engagements may be the ideal training method for internal auditors
- Where the engagement requires knowledge, skills and other competencies not found within the current staff resources: the use of resources should be considered
Explain 2240 Engagement work programme
Internal auditors must develop and document work programmes that achieve the engagement objectives
When should engagement procedures be determined and documented according to 2240 engagement work programmes?
Prior to the commencement of the engagement
True or False
According to 2240 engagement work programme, the process of collecting, analysing, interpreting, and documenting information is to be supervised to provide reasonable assurance that engagement objectives are met and that the internal auditor’s objectivity is maintained
True
State 2240.A1
Work programmes must include the procedures for identifying, analysing, evaluating, and documenting information during the engagement. The work programme should be approved prior to its implementation, and any adjustments approved promptly
State 2240.C1
Work programmes for consulting engagements may vary in form and content, depending upon the nature of the engagement
Explain 2300 Performing the engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives
What concerns should internal auditors consider according to 2300 performing the engagement?
The protection of personally identifiable information gathered during audit engagements, as advances in IT and communications continue to present privacy risks and threats
State 2310 Identifying information
Internal auditors must identify sufficient, reliable, relevant, useful information to achieve the engagement’s objectives
State 2320 Analysis and evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations
What can internal auditors use to obtain audit evidence based on 2320 analysis and evaluation?
Analytical procedures
What are analytical procedures useful for?
In identifying unexpected differences, lack of expected differences, potential errors, fraud or illegal acts or unusual events.
State 2330 Documenting information
Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions
Who should prepare the working papers according to 2330 documenting information?
The internal auditor performing engagement procedures
Who should review the working paper according to 2330 documenting information?
The management of the internal audit activity
State 2330.A1
The CAE must control access to engagement records.
They must also obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate
State 2330.A3
The CAE must develop policies governing the custody and retention of consulting engagement records, and their release to internal and external parties. These policies must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements
State 2340 Engagement supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed
What does the 2340 engagement supervision interpretation state?
- The extent of supervision required will depend on the proficiency and experience of the internal auditors and the complexity of the engagement
- The CAE has overall responsibility for supervising the engagements, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review
Mention the implementation of the standards steps for 2201 planning considerations
- Step 1: Obtain an understanding of the engagement client and business unit/process under review
- Step 2: Provisional contact with engagement client
- Step 3: Conduct a preliminary survey
- Step 4: Conduct a risk assessment/ use outcome of an organization’s risk assessment
State the implementation of the standards step for 2210 engagement objectives and 2220 engagement scope
- Step 5: Determine the engagement/audit objectives; criteria and engagement scope
State implementation of the standards step for 2230 resources allocation
- Step 6: Identify and allocate the resources needed to perform the engagement
State the implementation of the standards steps for 2240 engagement work programmes
- Step 7: Draw up an engagement work programme
- Step 8: Obtain final confirmation from management to proceed with the engagement
What are the factors to be considered for step 1: obtain an understanding of the engagement client?
- The characteristics of the services rendered and/or goods supplied by the organization
- The philosophy and culture within the organization
- The management style of the top management, including the existence and functioning of committees
- Labour matters, including relevant legislation and agreements, and the general climate of labour relations in the country
- The investment policy of the organisation and the management of capital
- Influence of political circumstances on the organization.
- The influence of changes in international trade on the organization
- Changes in the geographical distribution of the organization’s activities
- Exposure of the organization to changes in technology
What are the agenda and items for discussion at this meeting with the head of the business unit/process and other employees within the business unit/process to be audited in step 2: meet with engagement client?
- The head of the business unit/process should be informed of the proposed engagement
- The proposed scope of the work should be discussed
- The objectives of the business unit/process being reviewed should be obtained
- Documents that will be required may be identified and arrangements may be made for obtaining background information
- Information on how the business unit/process measures its effectiveness and performance with regard to the achievement of set objectives should be obtained
- The names and job descriptions of the team performing the audit engagement may be disclosed to the management
- A physical tour, which entails observations of people, processes and workflow, should be conducted.
Define engagement objectives
Broad statements developed by internal auditors that define intended engagement accomplishments – ‘what do you want to achieve’. EXAMPLE: “To determine/assess/evaluate whether all leave transactions are properly approved by the designated official.”
Define engagement/audit work programme
A document that lists the audit/engagement procedures to be followed during an engagement, designed to achieve the engagement objectives.
Define engagement/audit procedures
Audit actions performed by the auditor to gather sufficient, reliable, relevant and useful evidence to enable the auditor to make a conclusion / express an opinion. EXAMPLE: “Inspect (how) a sample of leave forms for a signature (what) to evaluate whether all leave applications were approved by the designated official (why).”
List any eight (8) questions that you will ask the internal audit teams in assessing that the randomly selected audit engagements have been well planned by the internal auditors.
- Was an overview/comprehensive understanding of the engagement client obtained? Was preliminary contact done with the engagement client?
- Was a preliminary survey performed and were risk areas identified? Were audit objectives and scope of work, criteria and resource allocation determined?
- Was background information obtained and was adequate research for the audit project performed?
- Did the auditors perform sufficient review to determine the executive tone at the top?
- Was an audit budget developed and were actual audit day’s charges established (resource allocation)?
- Were appropriate auditee management personnel notified that the audit would take place? Were they advised as to the audit objective?
- Was an audit programme prepared and was the programme approved?
- Was an audit engagement approach established? Was final confirmation from management to proceed with the engagement received?