Risk Based internal audit plan Flashcards
Directors may use a tool called “risk analysis” in preparing work schedules. Which of the following would not be considered in performing a risk analysis? Results of prior audits. Major operating changes. Skills available on the audit staff. Financial exposure and potential loss.
Skills available on the audit staff.
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged. Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
During the first meeting, a disagreement occurs over the approach taken regarding store compliance. The audit director for Company B questions Company A’s extensive use of store compliance testing, stating that the approach is neither responsive to materiality concepts nor an appropriate application of risk assessment. Company A’s audit director presents the following reasoning:
I. You have misconstrued materiality. Materiality is not based only on the size of individual stores; it is also based on the control structure that affects the whole organization.
II. Any deviation from a prescribed control procedure is, by definition, material.
III. The only way to ensure that a material amount of the company’s control structure is covered is to comprehensively audit all stores.
Which statement(s) by the audit director of Company A is (are) valid?
I and II only.
I only.
III only.
I, II, and III.
I only.
The first phase of the risk assessment process is to identify and catalog the auditable activities of the organization. Which of the following would not be considered an auditable activity?
Statutory laws and regulations as they affect the organization.
The agenda established by the audit committee for one of its quarterly meetings.
Computerized information systems.
General ledger account balances.
The agenda established by the audit committee for one of its quarterly meetings.
In planning an audit, the internal auditor should design audit objectives and procedures to address the risk associated with the activity. Risk is defined as:
The failure to adhere to organizational policies, plans, and procedures, or not complying with relevant laws and regulations.
The risk that the balance or class of transactions and related assertions contain misstatements that could be material to the financial statements.
The probability that an event or action may adversely affect the activity under audit.
The failure to accomplish established objectives and goals for operations or programs.
The probability that an event or action may adversely affect the activity under audit.
Management is concerned with a recent increase in expenditures and lower profits at a division and has asked the internal audit department to perform an operational audit of the division. Management would like to have the audit completed as quickly as possible and has asked the internal audit department to allocate all possible resources to the task. The director of internal audit is concerned with the time pressure since the internal audit department is heavily involved in a major legal compliance audit that had been requested by the audit committee.
Which of the following factors would be considered the least important in deciding whether existing internal audit resources should be moved from the ongoing legal compliance audit to the management-requested division audit?
The increase in expenditures at the division for the past year.
A financial audit of the division by the external auditor a year ago.
The potential for significant regulatory fines associated with the legal compliance audit.
The potential of fraud associated with the legal compliance audit.
A financial audit of the division by the external auditor a year ago.
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged. Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
Company A’s audit director, who is also a Certified Internal Auditor, faces an ethical dilemma. For an audit in process, persuasive evidence indicates that a top manager has been involved in insider trading. The extent and type of trading is such that the trading would be considered fraudulent. However, the findings were encountered as a side issue of another audit and are not considered relevant to the compatibility of the computer systems. Regarding this finding, which of the following is the audit director’s most appropriate action?
Discontinue audit work associated with the insider trading since it is not an integral part of the existing audit and the audit committee has established higher priority work for the auditors.
Continue work on the insider trading sufficient to conclusively establish whether fraudulent activity has taken place, then report the findings to the chairperson of the audit committee. Report the matter to government officials if appropriate action is not taken.
Discontinue audit work associated with the insider trading and report the preliminary findings to the company’s external legal counsel for their investigation. Report the legal counsel findings to management.
Discontinue audit work associated with the insider trading. Report the preliminary findings to the chairperson of the audit committee and recommend an investigation.
Discontinue audit work associated with the insider trading. Report the preliminary findings to the chairperson of the audit committee and recommend an investigation.
Risk models or risk analysis is often used in conjunction with development of long-range audit schedules. The key input in the evaluation of risk is:
Management concerns and preferences.
Specific requirements of the IIA Standards.
Judgment of the internal auditor.
Previous audit results.
Judgment of the internal auditor.
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged. Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
Assume the auditor concludes that the most reasonable explanation of the observed data in the prior question is that inventory fraud is taking place in the three stores. Which of the following audit activities would provide the most persuasive evidence that fraud is taking place?
Schedule a surprise inventory audit to include a physical inventory. Investigate areas of inventory shrinkage.
Take a sample of individual store prices and compare them with the sales entered on the cash register for the same items.
Use an integrated test facility (ITF) to compare individual sales transactions with test transactions submitted through the ITF. Investigate all differences.
Interview the three individual store managers to determine if their explanations about the observed differences are the same, then compare their explanations to that of the section manager.
Schedule a surprise inventory audit to include a physical inventory. Investigate areas of inventory shrinkage.
Corporate management has just implemented a policy that every department must downsize by immediately cutting 10% of each department’s staff and budget. The director of internal auditing has reacted to the organization’s recent plans for downsizing (reducing the size of staff across the board) by notifying the audit managers that the time allocated for all jobs must be cut by 10%. Which of the following statements regarding the director’s action and potential manager’s action would be correct?
I. The director’s action should result in approximately the same amount of risk coverage as the previous audit plan but reduced by 10%.
II. Individual audit managers can attain 90% of the previously defined audit coverage by uniformly cutting audit procedures by 10%.
III. The director should have reprioritized risks and cut out specific audit engagements rather than cutting 10% across the board.
IV. I, II, and III
III only.
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged. Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
The audit director for Company B decides to review selected store compliance audit reports issued by the internal audit department of Company A. Upon reviewing the reports, the director comments that most items included in the report are inappropriate because they are very minor and cannot be considered material. The director states that such reports would not be tolerated by the management of Company B. Which assertion(s) by the audit director of Company A is (are) valid?
I. These are the kinds of reports we have provided since the company has been in operation, and they have served our company well.
II. The reports are consistent with management’s control philosophy and are an integral part of the overall control environment.
III. Materiality is in the eyes of the beholder. Any deviation is considered material by my management.
I only.
II only.
III only.
II and III.
II only.
The audit process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All audits include a description and analysis of internal controls. Auditees are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible audit in the coming year and attributes of those departments are listed below.
Department   | Assets | Annual Costs | Probability
Production A | $50k   | $700k        | 10%
Production B | $5M    | $10M         | 1%
Production C | $1M    | $1M          | 1%
Purchasing   | $50k   | $150k        | 10%
Marketing    | $50k   | $500k        | 10%
Shipping     | $60k   | $100k        | 50%
Security     | $10k   | $100k        | 90%
Travel       | $6k    | $30k         | 50%
All of these departments except two are on the potential list of auditees because of a risk analysis performed by the audit director. Production Department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing.
What is the audit director’s most logical definition of risk of loss to be used in selecting auditees?
Probability of loss.
Amount of risk exposure times the probability of loss.
Amount of assets in a department.
Amount of annual costs in department.
Amount of risk exposure times the probability of loss.
The audit process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All audits include a description and analysis of internal controls. Auditees are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible audit in the coming year and attributes of those departments are listed below.
Department   | Assets | Annual Costs | Probability
Production A | $50k   | $700k        | 10%
Production B | $5M    | $10M         | 1%
Production C | $1M    | $1M          | 1%
Purchasing   | $50k   | $150k        | 10%
Marketing    | $50k   | $500k        | 10%
Shipping     | $60k   | $100k        | 50%
Security     | $10k   | $100k        | 90%
Travel       | $6k    | $30k         | 50%
All of these departments except two are on the potential list of auditees because of a risk analysis performed by the audit director. Production Department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing.
Which department would most likely need a pure operational (nonfinancial) audit?
Production A.
Marketing.
Production C.
Purchasing.
Production A.
The internal auditor is considering performing risk analysis as a basis for determining which areas of the organization ought to be examined. Which one of the following statements is correct regarding risk analysis?
The highest risk assessment should always be assigned to the area with the largest potential loss.
The highest risk assessment should always be assigned to the area with highest probability of occurrence.
The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
Which one of the following items includes the other three items? Audit risk. Detection risk. Inherent risk. Control risk.
Audit risk.
In an audit of a purchasing department, which of the following generally would be considered a risk factor?
Purchase specifications are developed by the department requesting the material.
There is a failure to rotate purchases among suppliers included on an approved vendor list.
Purchases are made from parties related to buyers or other company officials.
Purchases are made against blanket or open purchase orders for certain types of items.
Purchases are made from parties related to buyers or other company officials.