SECTION A — MANAGING THE INTERNAL AUDIT ACTIVITY Flashcards

1
Q

Define Internal Auditing.

A

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

2
Q

What is Internal Auditing’s nature of work?

A

The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive, and their evaluations offer new insights and consider the future impact.

3
Q

What are the operational duties of the CAE?

A

From an operational standpoint, the chief audit executive (CAE) has to make sure that:
1. Planned engagements are carried out in a timely manner.
2. Resources needed to carry out the planned engagements are properly allocated.
3. Results of the engagements are properly communicated to all interested parties.

4
Q

What does Standard 2000 - Managing the Internal Audit Activity elaborate?

A

The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. The internal audit activity is effectively managed when:

1. It achieves the purpose and responsibility included in the internal audit charter.
2. It conforms with the Standards.
3. Its members conform with the Code of Ethics and the Standards.
4. It considers trends and emerging issues that could impact the organization.

The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.

5
Q

What does Standard 2040 - Policies and Procedures say?

A

The chief audit executive must establish policies and procedures to guide the internal audit activity.
The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.
The size, structure, and complexity of the IAA will determine the necessary extent, depth, and formalization of the policies and procedures.

6
Q

With what must the Internal Audit Activity policies and procedures be aligned?

A

It is essential to ensure that internal audit policies and procedures are aligned with:
1. The Mandatory Guidance of the International Professional Practices Framework (IPPF).
2. The internal audit charter.
3. The organization’s strategies, policies, and processes.

7
Q

What is generally included in Internal Audit policies?

A
Internal Audit policies include:
1. The overall purpose and responsibilities of the internal audit activity.
2. Adherence to the Mandatory Guidance of the IPPF.
3. Independence and objectivity.
4. Ethics.
5. Protecting confidential information.
6. Record retention.
8
Q

What is generally included in Internal Audit procedures?

A
Internal Audit procedures include:
1. Preparing a risk-based audit plan.
2. Planning an audit and preparing the engagement work program.
3. Performing audit engagements.
4. Documenting audit engagements.
5. Communicating results/reporting.
6. Monitoring and follow-up processes.
9
Q

Who develops the policies and procedures of Internal Audit Activity?

A

The chief audit executive develops policies and procedures. Formal administrative and technical audit manuals may not be needed by all internal audit activities.

10
Q

What is the role of the Audit Committee regarding the Internal Audit Activity?

A

The following are other functions of the audit committee regarding the internal audit activity:
1) Selecting or removing the CAE and setting his or her compensation
2) Approving the internal audit charter
3) Reviewing and approving the internal audit activity’s work plan
4) Ensuring that the internal audit activity is allocated sufficient resources
5) Resolving disputes between the internal audit activity and management
6) Communicating with the CAE, who attends all audit committee meetings
7) Reviewing the internal audit activity’s work product (e.g., interim and final engagement communications)
8) Ensuring that engagement results are given due consideration
9) Overseeing appropriate corrective action for deficiencies noted by the internal audit activity
10) Making appropriate inquiries of management and the CAE to determine whether audit scope or budgetary limitations impede the ability of the internal audit activity to meet its responsibilities.

11
Q

What is the role of the Audit Committee regarding the External Auditors?

A

The following are other functions of the audit committee regarding the external auditor:
1. Selecting the external auditing firm and negotiating its fee
2. Overseeing and reviewing the work of the external auditor
3. Resolving disputes between the external auditor and management
4. Reviewing the external auditor’s internal control and audit reports

12
Q

What does the Audit Manual cover?

A

The audit manual covers everything from the Internal Audit Charter to performance reviews and evaluations and provides guidance from planning the engagement to the final report.

13
Q

What does Standard 2010 - Planning say?

A

The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity and to make certain that they are consistent with the organization’s goals.
To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

14
Q

What factors does the Internal Auditor consider while developing the Internal Audit plan?

A

Factors the internal auditor considers when developing the internal audit plan include:
Inherent risks—Are they identified and assessed?
Residual risks—Are they identified and assessed?
Mitigating controls, contingency plans, and monitoring activities—Are they linked to individual events and/or risks?
Risk registers—Are they systematic, completed, and accurate?
Documentation—Are the risks and activities documented?
Also, the internal auditor coordinates with other assurance providers and considers planned reliance on their work.

An internal audit activity’s plan will normally focus on:
Unacceptable current risks where management action is required. These would be areas with minimal key controls or mitigating factors that senior management wants to be audited immediately.
Control systems on which the organization is most reliant.
Areas where the differential is great between inherent risk and residual risk.
Areas where the inherent risk is very high.

15
Q

What are the characteristics of the Engagement Work Schedule?

A

The planning process and specific work schedules for engagements should include the following:
Which engagements should be performed.
When engagements should be performed.
The time required for each engagement, taking into account the scope of the planned engagement work and the nature and extent of related work performed by others.
Which engagements should receive priority over others.

16
Q

What does Standard 2030 - Resource Management say?

A

The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan.
Sufficient refers to the quantity of resources needed to accomplish the plan.
Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan.

17
Q

What is the responsibility of an External Service Provider for Internal Auditing?

A

When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.

18
Q

What are the three lines of defense?

A

1. Operational Management
2. Business Enabling Functions
3. Internal Auditors

19
Q

What are the factors to consider when assigning staff to individual assignments?

A

Some factors to consider when assigning staff to individual engagements are:
The complexity of the engagement.
The resources that are available in the IAA.
The experience and skill level of the staff.
The training and developmental needs of the audit staff.

20
Q

What is the Internal Audit Budget?

A

The size of the budget for the internal audit activity is determined by the internal audit plan, the organizational structure, and the staffing strategy. The budget must include all of the activities that are needed to accomplish the objectives of the IAA, including:

Paying staff.
Training and staff development.
Hiring external specialists as needed.
Any other expenses that the department will incur in the performance of its duties.

21
Q

What are the repercussions of hiring candidates in IAA from inside the organization?

A

Hiring from inside the organization has advantages:
It is faster because the employee is already familiar with the company’s policies and procedures.
There is less risk because the CAE has already worked with the employee and is more aware of his or her capabilities and limitations.
Hiring from within provides motivation for the IAA staff to do good work and earn a promotion.
If, however, the wrong people are promoted, or people are promoted because of reasons other than their work skills, then hiring from inside may have a negative effect on the entire department.

22
Q

What are the repercussions of hiring candidates in IAA from outside the organization?

A

Hiring from outside the organization is riskier, but it also has advantages:
The outside person could bring new ideas and new perspectives to the job and the organization.
The new person may have skills or experience that are not currently within the organization.
Management training costs could be lowered because it is assumed that the person is already qualified and will not require additional training.

23
Q

What purpose does Training serve?

A

Training gives the staff the necessary skills to perform their jobs in the short term and also develop and broaden their skills for their long-term development. Training should benefit the individual and also help the IAA meet its organizational goals. Therefore, some staff may be trained in areas where the IAA does not currently have all of the required skills, even if the staff does not have a personal interest in those areas. Also, a well-developed training program is an excellent recruiting tool for the company.

24
Q

What purpose does Counseling serve?

A

Counseling, or mentoring, is an important element of staff development. In a large internal audit department, there may be a formal counseling and mentoring program and, in such a situation, the CAE most likely is responsible for the oversight and management of the process. Additionally, the CAE may be the counselor for some of the higher-level staff members in the department.

25
Q

What is the purpose of Performance Evaluation?

A

Performance evaluations should be made at least annually, or more often if needed. The performance evaluations need to focus on the skills that are necessary for the individual to perform his or her work and for IAA as a whole to perform its duties. These staff evaluations should be seen as a means of allowing internal audit employees to identify their weaknesses and give them an opportunity to improve their performance. The evaluation should not be based on personal likes or dislikes or other non-employment related factors.

26
Q

What are the advantages of decentralization of the Internal Audit Department?

A

The advantages are:

a) Reduced travel time and expense,
b) Improved service in the operating locations served by the field offices,
c) Better morale of internal auditors as a result of increased authority, and
d) The possibility of employing persons who do not wish to travel.

27
Q

What is the Audit Universe?

A

The Audit Universe is the list of all possible engagements that could be performed, and the list will need to be refined over time with changes in management’s objectives. There are a number of sources that the CAE will use to establish the audit universe. Among them are:

Previously-performed engagements.
Engagements that were considered in the past but not performed for some reason.
New engagements that are connected to new business lines, departments, or business activities.
Engagements that are legally required, or newly required because of a new law or regulation.
New engagements that are needed because of new technology or changes in the technologies used by the company.

28
Q

What is the Risk Assessment?

A

Risk Assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. The risk assessment process should provide a means of organizing and integrating professional judgments for development of the audit plan.

29
Q

What are the quantitative and qualitative assessments in Risk Assessment?

A

Risk Assessment has both quantitative (numerical) and qualitative (characteristic) factors. Quantitative assessments include the dollar value of the assets at risk or potential monetary loss, while qualitative assessments include the risk of fraudulent behavior or the importance of the section to the operations of the business as a whole.
Risks are prioritized based on likelihood and impact.

30
Q

What are the limitations of Checklists and Questionnaires?

A

Checklists and questionnaires are often used as part of the risk assessment process, but they have a few limitations:
1) Staff members may get a false sense of security that all issues have been addressed when the checklist is filled out.
2) The reader of the checklist may assume that all items listed are of equal importance.
3) The use of the checklist may weaken the professional skepticism and judgment of the auditor, who may be more attentive to a specific item listed and not to the larger picture.

31
Q

What are the other factors for prioritizing Audit Engagements?

A

Other factors besides risk that should be considered when prioritizing engagements include:
The length of time since the last engagement was performed in this area and audit cycle requirements. Many companies establish a system in which specific engagements are conducted at set intervals (for example, every year, every two years, or every three years). How often each engagement is conducted depends largely on the assessed risk of the area.
Requests from senior management, the audit committee, or other governing and regulatory bodies.
An engagement’s relation to the external audit.
Changing circumstances in the business, operations, programs, systems, or controls.
Changes in the risk environment or control procedures in the department.
The potential benefit that could be achieved from the engagement.
Changes in the skills of the available staff (through new employees or recent training), because new skills may enable different types of engagements.

32
Q

What are the three levels of Planning of Internal Auditors?

A

There are three basic levels of planning:
1. Internal audit plan - for each period, an internal audit plan is developed that covers the planned audits of the internal audit activity during the period. This plan would be the result of the risk assessment of the entire organization. The plan would detail what engagements are planned to be performed during the period.
2. Engagement Plan - for each engagement, the internal auditor develops an audit plan which is based on a detailed risk assessment of the engagement area and identifies the engagement objectives.
3. Engagement Work Program - lists detailed procedures that should be conducted by the auditor to achieve specific audit objectives that will achieve the engagement objectives.
33
Q

What are Assurance and Consulting services?

A

Assurance services. “An objective examination of the evidence for the purpose of providing an independent assessment of governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.”

Consulting services. “Advisory and related client services activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.”

34
Q

At what levels can Assurance Engagements be performed?

A

Assurance engagements can be performed at any of the following three levels:
Organizational, which is a department-by-department review.
Functional, which follows a single process across organizational lines.
Cycle, which is primarily a financial systems review. Cycle-level engagements have been expanded to cover non-financial systems, such as HR or environmental impact.

35
Q

What are Risk and Control Self-Assessments?

A

Risk and Control Self-Assessments (RCSA) examine and assess the effectiveness of a company’s risk and control system. Although auditors are presumed to have the knowledge and expertise to assess controls accurately, RCSA begins with the premise that the scope of control is so broad, and the pace of change so great, that properly assessing the control system requires the knowledge and expertise of all the employees who perform the specific work that needs to be assessed.

RCSA procedures include the following:
Identifying potential risks and exposures.
Assessing the control processes that mitigate or manage those risks.
Developing action plans to reduce risks to acceptable levels.
Determining the likelihood of achieving business objectives.

The primary advantages of an RCSA program are:
It increases employee understanding of the company’s risks and controls.
It raises employee control consciousness.
It provides a mechanism for early risk detection.
It encourages more open communication, teamwork, and continuous improvements.
It empowers employees and enhances accountability.

36
Q

What is a Survey or Questionnaire?

A

Surveys or Questionnaires can be used when budgets are limited or if individuals who would normally participate are too widely dispersed to participate in a workshop. Survey questions need to be customized for any specific circumstances or needs, including the regulatory environment. Regardless of the type or nature of the questions, they should relate to the primary internal controls and the way in which they are monitored. Furthermore, the process owners themselves (that is, those who fill out the original questionnaire) should interpret the data after it is collected.

37
Q

What are the limitations of a Questionnaire?

A

Questions can sometimes be worded to suggest or imply a “correct” or desired answer. Such manipulative questions can pressure the respondent to give an answer that the questionnaire designer prefers rather than an honest answer. Therefore, questions should be carefully worded.

Lack of interest may limit the number of questionnaires that are filled out and returned, potentially skewing results and rendering the entire exercise invalid. If the number of returned questionnaires is unacceptably low, supervisors might consider gathering feedback in person, because some people may dislike questionnaires but would be forthcoming in an interview.

38
Q

Who should perform the Third Party Audit?

A

A third-party audit may be performed either by internal auditors or by an independent auditor. The decision whether to audit internally or to contract for the third-party audit depends on a number of factors. For example, the risk assessment made by management should provide guidance as to whether internal or external auditors should conduct third-party audits. In instances where specialized knowledge is required to complete the audit, management might prefer the work of a particular external auditor with a specific skill set. Therefore, if outside auditors for a third-party audit are employed, then the company should ensure that the independent auditor is qualified to perform the work, that the scope satisfies their own audit objectives, and that any significant reported deficiencies are corrected.

39
Q

What is Total Quality Management?

A

TQM pursues the approach of “right first time” and zero-tolerance of waste with the objective of both increasing revenue through improved client satisfaction and decreasing costs with improved efficiency. Continuous improvement is one of the internal audit’s key objectives, and therefore the internal audit activity has a critical role in TQM. Teamwork, training, empowerment, and innovation are key components of TQM.
A quality audit engagement assesses whether or not a function or unit meets its defined quality standards. If there are no defined standards, then the auditor should coordinate with management to establish quantifiable standards before moving forward with the audit engagement.

40
Q

What are the advantages of a properly implemented and effective TQM?

A

A properly implemented and effective TQM system should result in:
a. Greater customer satisfaction
b. Fewer defects and thus less waste
c. Improved total productivity
d. Reduced costs and thus better profitability

41
Q

What is the scope of ISO Audit Engagements?

A

The scope of an ISO 9000 quality audit covers a number of areas, such as physical location, organizational units, activities, and processes to be audited, and the time period to be covered.

The audit will determine conformity with applicable policies, procedures, standards, laws and regulations, management requirements, contract requirements, and industry or business sector codes of conduct. Preparation for the audit should include a review of the auditee’s documentation, including management system records and previous audit reports.

The audit itself includes:
Interviews with employees.
Observations of activities, the work environment, and work conditions.
A review of inspection records, records of monitoring programs, and results of measurements.
Inquiries into the auditee’s sampling programs, control of sampling, and measurement procedures.
Customer and supplier feedback.
Information from databases and websites.

42
Q

What are Due Diligence Assurance Engagements?

A

Due diligence assurance engagements are often performed for a potential acquisition, joint venture, or divestiture. The purpose of the engagement is to validate the reasons for making the transaction or identify problems that need to be resolved prior to undertaking the transaction. External professional advisors are normally part of the team, often leading it.

43
Q

What are Environmental Due Diligence Audits?

A

Environmental due diligence audits were first developed by lenders to prevent liabilities for properties in their loan portfolios. If undetected environmental pollution were to be passed on through the sale, the new property owner might be held responsible for contamination caused or left behind by the previous owners. Therefore, environmental audits have now become standard requirements for all loans and investments in real property.

The liability assessment consists of preliminary activities, a site visit, review of records (including prior uses of the land), a regulatory review, a geological and hydrogeological review, and a report. If the liability assessment indicates possible contamination, confirmation sampling is conducted.

For any confirmed contamination, the next step is to characterize and assess the nature and extent of the contamination. It is possible that, as a result of the audit’s findings, the potential liability connected with the land acquisition might be greater than the land’s market value.

44
Q

What is a Physical Security Audit?

A

A physical security audit ensures that an organization’s physical facilities are properly secured and that the environment is safe for management and staff. The audit includes perimeter security, proximity security, and physical security of the premises.

45
Q

What is Perimeter Security Auditing?

A

Perimeter security auditing requires a review of the property boundaries and a boundary risk assessment, including documenting risks on a site map. Risks can include rail lines, roads, unsecured access points, improperly lighted areas, power lines, phone lines, and other service access points. All cameras and surveillance equipment should be documented. All guard stations should be identified and assessed as manned or unmanned and noted for the presence (or absence) of barriers, telephone access, emergency panic buttons, and camera surveillance. The auditor should attempt to gain unauthorized access by bypassing the guard station or through “social engineering” (for example, attempting to pass through security without credentials). Lighting should be sufficient to deter intruders.

46
Q

What is Proximity Security Auditing?

A

Proximity security auditing determines how vulnerable company buildings are by being near certain items or buildings. For example, a proximity security audit might assess how thoroughly vehicles are inspected for weapons or other hazardous materials, the procedures to ensure that visitors have legitimate business in the facility, how well entrances are protected, and whether there is camera surveillance.

47
Q

What is a Privacy Audit Engagement?

A

Privacy concerns exist in all aspects of an organization, from its paper-based records to its internal databases to its policies of data collection on its website. Internal auditors need to make certain that personal information is protected from unauthorized access, both from inside and outside the organization. Furthermore, policies should be in place, in line with all applicable laws, to specify the appropriate instances where disclosure can be made with or without the individual’s consent. Privacy vulnerabilities pose a number of challenges and pitfalls for companies and their customers. For companies, disclosing or losing control of private information could lead to lawsuits, penalties, fines, and (of particular importance) negative publicity. For individuals, unauthorized disclosure of private information could be embarrassing, inconvenient, and cause financial loss (such as damaged credit ratings). Therefore, organizations should spend considerable resources avoiding these vulnerabilities.

During the process of evaluating the privacy framework, the internal auditor should be aware of the following issues:
Compliance with governmental statutory and regulatory mandates.
Documenting compliance with governmental statutory and regulatory mandates.
The organization’s existing policies and procedures.
Protection of personal information.
Cost versus benefits of additional security measures.
The ethical imperative of maintaining the confidentiality of private information.

48
Q

What is a Financial Audit Engagement?

A

A financial audit tests the reliability and integrity of reported financial information and determines the degree to which the company’s assets are properly safeguarded.

Internal auditors may perform financial audits in areas that are not heavily tested as part of the external audit, or they may look at the efficiency of resource allocation instead of merely accounting for resource usage. Internal and external auditors should coordinate their efforts to optimize audit coverage and minimize duplicated efforts.

Financial audits are often performed or arranged in connection with a transaction cycle. The main transaction cycles in business are:
Revenue and receivables (cash collections)
Purchasing and payables
Inventory and warehousing
Financial capital and payment
Personnel and payroll

49
Q

What is Audit Risk?

A

Audit risk is calculated by multiplying the chances of each of these three events happening. Each event has an associated risk, and these three associated risks in aggregate make up the complete audit risk. The three associated risks are:

1) Inherent risk (the risk that there is an error in the first place): This risk occurs naturally in a given element of the financial statements or the function being audited. That is, certain assertions are by their nature susceptible to producing or creating material misstatements (assuming that there are no controls in place). For example, pensions and financial instruments have a high level of inherent risk because pension calculations and financial instruments are, by their nature, extremely complex. In other words, the internal auditor cannot reduce the inherent riskiness of pensions or financial instruments. Cash, on the other hand, has low inherent risk.
2) Control risk (the risk that the internal controls will fail to detect the error): No matter how well designed and operated, internal controls can provide only a reasonable assurance that they will prevent and detect every mistake, because internal controls may fail due to human error, collusion, or management override. Control risk, therefore, refers to the chance that internal controls will fail to detect an error. “High control risk” means that controls are inadequate or faulty. “Low control risk” means that controls are adequate and functional.
3) Detection risk (the risk that the auditor will fail to detect the error): Auditing is the process of reviewing policies and procedures to determine their fitness and effectiveness. However, no matter how thoroughly audits are conducted, there is always the risk that a misstatement or error in the financial statements will not be found because auditors do not test every transaction. Therefore, the presence of even one untested transaction means that there is a risk that a material misstatement will go undetected. “Low detection risk” means that there is a low chance that the auditor will fail to detect an error (meaning that the auditor has done a great deal of work and testing). “High detection risk” means that there is a high risk that the auditor will not detect an error (which would be the case if the auditor did not perform a great number of tests).

The formula for calculating audit risk is:
Audit Risk = Inherent Risk * Control Risk * Detection Risk
Inherent risk cannot be influenced because these are risks that are part of the item being tested. Control risk cannot be influenced in the current period because the audit covers events that have occurred in the past; in other words, controls were already either functioning or not functioning at the time of the transactions.
Detection risk is the only one of the three risks that the auditor can directly influence. To determine the level of acceptable detection risk, the auditor should begin by assessing inherent and control risk, then solve for detection risk using the audit risk formula. Once detection risk is calculated, then the auditor will be able to determine the nature, extent, and timing of the tests that need to be performed.

50
Q

What is the relationship between Control Risk and Detection Risk?

A

If control risk is reduced, detection risk can be increased without changing the overall level of audit risk. The opposite is also true: an increased control risk means that the detection risk threshold may be lowered while still maintaining the same overall level of audit risk. In other words, control risk and detection risk are inversely related.

51
Q

What are the Financial Statement Assertions?

A

“Assertions” are the claims that management makes when it presents financial information, and the auditor determines if the assertions are correct.

Therefore, most of the work in a financial audit is spent on evaluating and forming an opinion about management assertions. There are five assertions:
1) Completeness. Financial statements contain all required information, and no material financial information has been omitted.
2) Rights and Obligations. Everything that is reported as an asset represents something that the company has rights over, and everything reported as a liability represents a real obligation.
3) Valuation or Allocation. Items reported in the financial statements are valued at the correct amount, and income statement items have been allocated to the proper period.
4) Existence or Occurrence. All balance-sheet items exist, and all income-statement items occurred during the relevant period.
5) Statement of Presentation and Disclosure. The formal organization and classification of accounts on the financial statements and disclosures in the accounts, footnotes, and accounting policies conform to generally accepted accounting principles.

52
Q

What is an Environmental Audit?

A

An environmental audit is a systematic, documented, periodic, and objective evaluation of how well an entity, its management, and its equipment are performing with regards to safeguarding the environment through facilitating management control of environmental practices and assessing compliance with entity policies and external regulation.

53
Q

What are the types of Environmental Audits?

A

The IIA Research Foundation has identified seven types of environmental audits:
1) Compliance. These are site-specific reviews of the company’s past, current, and planned practices. The greater the risk from noncompliance with environmental laws to the company, the greater the scope and depth of the audit.
2) Environmental Management Systems. These audits make certain that the company can manage any future environmental risk that might result from changing legislation.
3) Transactional. This is a review of a property prior to its purchase or sale to identify any associated environmental risks.
4) Treatment, Storage, and Disposal Facility. This audit follows the documentation of hazardous materials from their creation (or appearance) to their destruction or disposal (that is, the oversight must cover these materials from “cradle to grave”).
5) Pollution Prevention. These audits review the process of eliminating or minimizing the pollution a company generates at its source rather than controlling pollution after it has been created.
6) Environmental Liability Accrual. This process establishes the moment that an environmental liability needs to be accrued on the balance sheet, and a corresponding expense entered on the income statement. This procedure is particularly difficult because the precise moment that it should be done is not always clear, and the value of these liabilities is subject to interpretation.
7) Product Audit. This is a review of the production process to determine whether pollutant restrictions are being met.

54
Q

What are the risk exposures that should be evaluated in Environmental Audits?

A

The risk exposures that should be evaluated are:
The comprehensiveness of organizational reporting structures.
The likelihood of environmental harm, fines, and penalties.
Environment-related expenditures mandated by governmental agencies.
The history of injuries and/or deaths related to environmental issues.
The loss of customers, negative publicity, and damage to public image and reputation due to an environment-related accident.

55
Q

When should consulting services be provided?

A

Consulting services may be conducted as either part of the internal auditor’s normal or routine activity or as a special request made by management. Each organization must first consider the type of consulting activities to conduct and then determine the specific procedures to develop for each type of activity.

56
Q

What is the Independence and Objectivity requirement in Consulting Engagements?

A

Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, the disclosure must be made to the engagement client prior to accepting the engagement.
While internal auditors can provide consulting services relating to operations for which they have had previous responsibilities, the auditor should still act in an independent and objective manner.

To assess the impact that a previous position may have on objectivity, the auditor should consider:
The appropriate requirements and standards of the profession.
Expectations of stakeholders, directors, the audit committee, and legislative bodies.
Any allowances or restrictions that are in the charter. If the charter prohibits this type of work but management insists anyway, this conflict needs to be brought to the attention of the audit committee for a final resolution.
Disclosures that may be required by standards.
Subsequent audit work, including its scope and coverage.

57
Q

What is the Due Professional Care requirement in Consulting Engagements?

A

The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
Internal auditors must exercise due professional care during a consulting engagement by considering the:
Needs and expectations of clients, including the nature, timing, and communication of engagement results;
Relative complexity and extent of work needed to achieve the engagement’s objectives; and
Cost of the consulting engagement in relation to potential benefits.

58
Q

What is the requirement of communicating the results of Consulting Engagements?

A

Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

The chief audit executive is responsible for communicating the final results of consulting engagements to clients.
During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board.

59
Q

Why should Internal Auditors participate in Internal Control Training?

A

Internal auditors should participate in internal control training for the following reasons:
To communicate and embed a control awareness within the organization’s operations. The more employees know about the functions of internal controls, the more likely control weaknesses will be identified and corrected in a timely manner.
To decrease fraud. The training should make employees aware of what constitutes fraud and what they need to do if they suspect fraud is occurring.
To motivate employees to report control deficiencies and weaknesses.
To provide staff support for the organization’s Control Self-Assessment (CSA) program.
It is possible that the internal auditing staff could be involved in a CSA program by conducting training programs.

60
Q

What are the Financial and Non-Financial Benchmarks?

A

Financial benchmarks use monetary values to make comparisons, such as profitability, cost of production per unit, and so forth.
Nonfinancial benchmarks make comparisons using non-numerical factors, such as the percentage of on-time deliveries or percentage of satisfied customers.

61
Q

What are Internal and External Benchmarks?

A

With internal benchmarks, a company compares its performance against its own internal divisions, processes, functions, or departments.
With external benchmarks, a company makes an external comparison, most commonly against a competitor.

62
Q

What are Functional, Competitive, and Generic Benchmarks?

A

A functional benchmark is a comparison with organizations that operate within the same technological area.
A competitive benchmark is a comparison with the best of a company’s competitors.
A generic benchmark compares processes that are virtually the same, regardless of the industry or production line. This type of benchmarking is not as helpful as a comparison of processes that are exactly the same.

63
Q

What are the limitations of Benchmarking?

A

Effective benchmarks make apples-to-apples comparisons. Companies must make sure that the sources from which they collect benchmarking data are reliable, accurate, and appropriate. Incorrect data leads to comparison errors, causing the company to waste time reconciling useless data.

Improper benchmarking may cause the company to lose focus on employee and customer wellbeing. Companies that use benchmarking data to produce rapid performance improvements risk causing employee burnout, errors, and low morale. Similarly, a company might anger customers and suppliers if their needs are being ignored for the sake of a benchmark objective.

Regardless of the quality of benchmarking information, the lack of a proper implementation plan will undermine the usefulness of benchmarking. The participation of management and employees is a critical component to the success of benchmarking.

64
Q

What is Due Diligence Consulting?

A

Due Diligence Consulting engagements focus on a company’s internal operations such as:
Controls.
Corporate governance.
Risk assessment and risk management processes.

Due diligence consulting engagements may also assess how the company’s operations would contribute to or detract from the company’s mission and the achievement of its goals and objectives.

65
Q

What should be the Internal Audit involvement in System Development project?

A

For any systems development project, there are three basic approaches that internal auditors can take:

1) Traditional audit approach. Internal auditors monitor how the project is progressing and report back to management and the board.
2) Consulting approach. Internal auditors advise the systems development team on an as-needed basis regarding controls and risk management.
3) Embedded approach. The internal auditor is integrated within the systems development team, functioning as a control and risk management expert.

66
Q

What does Section 404 of the SOX require?

A

Section 404 of Sarbanes-Oxley (SOX) requires companies to include in their annual reports these two items:
A statement of management’s responsibility for establishing and maintaining adequate internal controls over financial reporting.
An assessment of the effectiveness of those internal controls.

67
Q

What must management do to comply with the requirements of Section 404?

A

To comply with Section 404, management must establish a formal, internal control testing program to determine the extent to which the design and operation of activities in the internal control process is sufficient to prevent, or detect and correct, significant misstatements.

68
Q

What is the focus of Internal Control Evaluation?

A

The internal-control evaluation should focus on establishing controls that adequately prevent or detect material misstatements in financial statements in a timely manner.

69
Q

Who is responsible for coordinating Internal Audit Efforts with other assurance providers?

A

The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.

70
Q

The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.

A

Coordination between external and internal auditors is important for the following two reasons:
1) Internal auditing continues to become increasingly professionalized, with more internal auditors being full-time internal auditors or former external auditors. As a result, the scope and quality of internal auditing have increased.
2) The cost of the external audit has risen, and therefore companies are looking for ways to reduce expenses in this area. Having a strong, objective, and competent internal auditor means that the work of the external auditor can be better streamlined and thus less costly.

71
Q

What are the two things that must be considered by External Auditors before relying on Internal Auditors?

A

Before the external auditor relies on the internal auditor’s work, however, he or she needs to assess the internal auditor’s competence and objectivity.
Competence is the measure of an IAA’s skills and abilities to perform acceptable work.
Objectivity measures the IAA’s capacity to work without any influence from management or others in the organization.

72
Q

Can Internal Auditors’ working papers be shared with the External Auditors?

A

The CAE can provide copies of the internal audit working papers to the external auditor and to others within the organization. However, the external auditor should not give the internal audit working papers to anyone without the permission of the internal auditor.

73
Q

Can Internal Auditors rely on the work of other assurance providers?

A

The decision to rely on the work of other assurance providers can be made for a variety of reasons, including to address areas that fall outside of the competence of the internal audit activity, to gain knowledge transfer from other assurance providers, or to efficiently enhance coverage of risk beyond the internal audit plan.

74
Q

What is Assurance Mapping?

A

Assurance Mapping is the grouping of all of the assurance providers together and then using the company’s risk management process to identify the “key” risks that need to be assessed.
This process allows the company to identify and assess gaps in the risk management process and gives primary stakeholders the reassurance that risks are being managed and reported and that regulatory and legal obligations are being met.
An Assurance Map may include the following:
1. The identity of the assurance providers
2. Risk
3. Level of assurance
4. Urgency or importance of the issue
5. Action to be taken

75
Q

What is the requirement of Standard 2020 - Communication and Approval?

A

The chief audit executive must communicate the internal audit activity’s plan and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.

76
Q

What is the requirement of Standard 2060?

A

The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards.
Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.

77
Q

What is the purpose of KPIs on Internal Audit Activity?

A

KPIs of the internal audit activity provide a platform to discuss issues relative to the internal audit activity and potentially gain board support in making necessary changes. Establishment of KPIs should be done in a group that includes senior management, as well as the board, and there should be a consensus that the KPIs chosen are meaningful and appropriate.