Internal Auditing Practices

Questions and Answers

Flashcards

Importance of follow-up activities

Ensuring agreed action plans are fully implemented after communicating the audit results.

Auditor's Action on Disagreement

Include findings in the final report, noting the procurement manager's disagreement.

Importance of Auditor Relationships

To increase the chances of candid discussions that may not occur in formal meetings.

Who approves communications?

Chief Audit Executive (CAE).

Focus of Audit Communication

Organizational interests and concerns.

Auditor's Follow Up

Verify the implementation status and include the finding in the current report if unresolved.

NOT a Communication Attribute

Consistent.

Auditor's Responsibility

Include the finding in the report, providing a rationale for its significance.

What to do after the report?

Monitor the status of action plans and report progress to senior management.

Effective Communication

Building ongoing dialogue and mutual understanding with stakeholders.

Auditor's Action

Simplify key findings and conclusions to match the stakeholder's understanding.

Appropriate Audit Response

Provide a high-level summary with status updates.

Appropriate Action

Send a corrected version with an explanation immediately.

Audit Communication

Clear, concise, and tailored to its audience.

Communication Type

Formal and informal communication.

How to Ensure Accuracy?

By backing descriptions with information gathered.

Complete Engagement Communications

The reader can reach the same conclusions as the auditors.

Attribute of Communications

Clarity

Governance-level Collaboration

Board and chief audit executive.

CAE's Responsibility

Ensure engagement supervision and review of objectives

Study Notes

• Follow-up activities after audit results ensure agreed action plans are implemented.
• The most appropriate action for the auditor is to include findings in the final report and note the procurement manager’s disagreement.
• It is important for internal auditors to build personal relationships with stakeholders to increase chances of candid discussions that may not occur in formal meetings.
• The Chief Audit Executive (CAE) must review and approve final engagement communications.
• Communication between internal audit and stakeholders should focus on organizational interests and concerns.
• An internal auditor should verify the implementation status and include the finding in the current audit report if an IT department has not implemented previously agreed-upon security measures.
• Consistency stands out as a choice that does not align conceptually with typical attributes of effective engagement communication like being concise, complete, and constructive.
• The auditor is responsible for including the finding in the report and providing a rationale for its significance when a control weakness management believes is insignificant is assessed by the auditor as having a high potential impact.
• If management has not initiated any action plans to address the findings after an auditor issues the final audit report, then the auditor is responsible for monitoring the status of action plans and reporting progress to senior management.
• Building ongoing dialogue and mutual understanding with stakeholders best supports effective communication between internal audit and stakeholders, as required under GIAS 2024.
• If an auditor prepares an engagement report with highly technical language, and the department head receiving the report has no technical background, the auditor should simplify key findings and conclusions to match the stakeholder's understanding.
• If a board member asks the CAE to provide a summary of unresolved high-risk issues from recent audits, the most appropriate internal audit response is to provide a high-level summary with status updates.
• If an auditor shares engagement results via email, but forgets to include a significant finding, the most appropriate action is to send a corrected version with an explanation immediately.
• To fulfill GIAS Standard 11.2, audit communications must be clear, concise, and tailored to its audience.
• The CAE should promote formal and informal communication between internal audit and stakeholders.
• Internal auditors can ensure their communications are accurate by backing descriptions with information gathered.
• When providing complete engagement communications, the reader can reach the same conclusions as the auditors.
• Clarity ensures that communications are easily understood by the audience.
• Board and chief audit executive reflects the appropriate governance-level collaboration for a chief audit executive (CAE) responsible for coordinating internal and external audit efforts
• The CAE should focus on engagement supervision to address deficiencies in engagement execution, work quality, and staff development.
• Ensuring engagement supervision and review of objectives is a core responsibility of the CAE to ensure engagements are completed in alignment with organizational goals.
• To support the successful completion of audit engagements, the internal audit supervisor should prioritize coordinating team members for efficient engagement execution, ensuring workpapers support observations and conclusions, and reviewing and documenting whether engagement objectives were met.
• Using an independent external service provider and self-assessment with independent validation conforms to the IA Standards requirements for QAIP execution.
• The increased volume of unplanned advisory requests best justifies the CAE's decision to request temporary engagement of external consultants to assist with an internal audit advisory service.
• Aligning internal audit efforts with pre-set KPIs would add the least value to internal audit operations and their contribution to organizational objectives.
• Internal audit plans consistent with IA standards are based on risk assessment, assess effectiveness of risk management and are aligned with the organization's goals.
• An evaluation of internal audit team must be submitted solely to the CEO and not the board near the fiscal year end.
• Cost-effectiveness of audit resource allocation is least critical when evaluating the adequacy of the internal audit plan, according to IA Guidance.
• The CAE should accept the consulting engagement even if previous audit staff worked on the operations concerned when senior management requested internal auditors to deliver training to affected staff after the external auditor reported multiple deficiencies in production process controls.
• The primary benefit to the internal audit activity when performing an assurance mapping exercise is to identify risk coverage gaps and minimize duplicate assurance activities.
• Periodic monitoring of the internal audit activity is required when maintaining the quality assurance and improvement program (QAIP).
• The auditor should discuss the impact with the client and adjust engagement scope if needed when an internal auditor encounters newly identified risks impacting the engagement's scope during a consulting engagement .
• Minimizing ad hoc communication with board members would be least effective in building a stronger relationship between the CAE and the board.
• Identifying assurance gaps and improving relevance of audit recommendations are advantages of using an assurance map.
• A candidate with strong writing samples but weak verbal communication skills would be least preferred according to the principle of competency-based recruitment when recruiting a new auditor.
• CAE provides engagement results summaries without necessarily distributing all full reports indicates a healthy relationship between the audit committee and the internal audit function.
• The CAE should assess internal staff capability and identify skill gaps for technology risk auditing first when an updated risk-based audit plan reflects new technology risks.
• Evaluating and improving internal audit effectiveness and efficiency best reflects the purpose of a quality assurance and improvement program in an established internal audit activity.
• The CAE should communicate with the CEO and present the revised audit plan to the board for approval when a corporate merger decision prompts the chief audit executive (CAE) to propose interim changes to the existing annual audit plan to account for emerging risks.
• Post engagement surveys completed by management indicate a "meets or exceeds expectations" is an example of a KPI that measures effectiveness.
• The CAE can rely on the specialists' work only if it is carried out in accordance with the Standards when a chief audit executive (CAE) of a major retailer has engaged an independent firm of information security specialists to perform specialized internal audit activities.
• Discussions of audit needs with executive management and the audit committee would be the best source of information for a chief audit executive to use in planning future audit staff requirements.
• Providing periodic activity reports to the audit committee on audit engagements in progress would normally be involved in preparing for and carrying out the internal audit activity's annual plan except.
• The needs and expectations of the engagement client is a greater consideration for internal auditors when they are performing an advisory engagement than when they are performing an assurance engagement.
• Attaining an adequate understanding of the organization's key risk mitigation strategies is an appropriate role for the internal audit function with regard to the organization's risk management program.
• Invite a guest auditor from one of the organization's affiliates who has expertise in the area to be audited is the most appropriate solution considering the time constraint when the chief audit executive of an international organization is planning an audit of the treasury function, and the current internal audit team lacks expertise needed for the engagement.
• Components of the organization's strategic plan, and inputs from senior management and the board should be considered when determining the audit universe.
• If there is no risk management and control process and risk management is solely the responsibility of operational managers then that is a significant governance issue that should be reported by the chief audit executive to the board.
• Significant risk exposures and control issues should be reported to the board.
• The CAE should seek approval from the board before implementing the annual audit plan.
• Internal auditors should coordinate their activities with external auditors to enhance audit efficiency and effectiveness.
• Employee personal interests is not typically considered a source for identifying potential audit engagements.
• Establishing policies to guide the internal audit activity is a primary responsibility of the Chief Audit Executive (CAE) in managing the internal audit activity.
• Adequacy of the oversight of the work of external auditors should not be included in the assessment of a quality assurance and improvement program.
• A former employee knowledgeable of the IAF who resigned three years earlier from the organization would be considered independent for the purpose of participating in an external assessment of the quality assurance and improvement program for an internal audit function (IAF).
• The chief audit executive reports the results of internal assessments in the form of ongoing monitoring to senior management and the board annually.
• If nonconformance affects its ability to fulfill its professional responsibilities or stakeholder expectations, the internal audit function should disclose nonconformance as well as its impact.