IIA IIA-CIA-Part2 - Internal Audit Engagement

The internal audit activity's role in regard to the organization's risk management program includes ensuring that a proper and effective risk management process is in place. This involves evaluating the risk management processes and providing assurance that risks are identified and managed effectively. The internal audit activity should not be responsible for managing risks (Option A), but should ensure there is a systematic process (Option B). Attaining an adequate understanding of key mitigation strategies (Option C) and identifying appropriate controls (Option D) are part of the audit process, but ensuring the existence of a proper process is the primary responsibility. References: IIA Standard 2120 – Risk Management

Comprehensive and Detailed Explanation:

Cyclic counting is a control technique used to verify inventory accuracy and prevent fraud or misstatement. While documentation of approvals (A), valuation reconciliations (D), and frequency of counts (C) all contribute to control effectiveness, the most relevant evidence for evaluating fraud control adequacy is whether the organization analyzes root causes of differences and implements corrective actions (B). Simply reconciling and adjusting balances does not address why discrepancies occur, and fraud risks remain if underlying causes go unexamined. For example, if theft or unauthorized removals are occurring, approving adjustments without corrective measures merely hides the issue. By identifying and addressing root causes, management ensures sustainable fraud prevention and strengthens internal controls. Thus, the focus must be on corrective actions tied to root cause analysis, aligning with IIA guidance on ensuring controls address risks rather than only reporting deviations.

Comprehensive and Detailed Explanation:

The most objective way to validate hours worked is to cross-check billed hours with independent evidence of presence — such as access logs (C) from security or entry systems. This provides direct evidence that contracted personnel were on-site.

Option A (due diligence review) focuses on vendor selection, not time validation.

Option B relies on vendor-supplied data, which may be manipulated.

Option D provides insights but is subjective.

According to IIA Standard 2310, evidence must be reliable and verifiable. Access logs provide such assurance, making Option C the strongest choice.

Comprehensive and Detailed Explanation:

When auditors use judgmental (non-statistical) sampling, the results apply only to the items tested and cannot be extrapolated statistically to the entire population. In this case, auditors tested 60 timesheets and found 3 exceptions. The appropriate conclusion is simply that 5% of the selected sample was not properly approved (D). Statements about effectiveness percentages (A, B) would require statistical sampling. Option C is inappropriate because exceptions do not prove flawed design — they may reflect control execution lapses. Per IIA standards, conclusions must reflect evidence without overgeneralization. Thus, Option D is the most appropriate conclusion.

The guidelines for preparing audit engagement workpapers emphasize clarity, completeness, and accuracy to ensure that they can be easily understood and used by others within the auditing function.

Option A: Workpapers should be understandable to the auditor in charge and the chief audit executive.

While workpapers must indeed be clear to the auditor in charge and the chief audit executive, this guideline does not fully capture the broader requirement for understandability to other auditors.

Option B: Workpapers should be understandable to the audit client and the board.

Although transparency with the audit client and the board is important, workpapers are primarily internal documents used to support the audit process and conclusions.

Option C: Workpapers should be understandable to another internal auditor who was not involved in the engagement.

This is the most comprehensive requirement, ensuring that any internal auditor, even if not originally involved, can review the workpapers, understand the procedures performed, and the conclusions reached. This is crucial for maintaining continuity, quality control, and facilitating reviews or future audits.

Option D: Workpapers should be understandable to external auditors and regulatory agencies.

While external auditors and regulatory agencies may review workpapers, the primary audience is internal auditors, who need to ensure the workpapers are detailed and clear enough for effective internal use and review.

IIA guidance emphasizes considering risk, impact, and root cause in audit findings (Standard 2410 – Criteria for Communicating). In this case, brakes are safety-critical products. Even if the company discards failed items, testing in conditions not reflecting real-world use is a major deficiency, since it creates risk that unsafe products could pass the test and reach customers.

Therefore, Option C is correct: testing conditions must simulate real-world operating environments, especially where human life is at stake.

A. The decision affects the test procedures performed:Correct. The choice between statistical and nonstatistical sampling affects the design of the sample selection, execution of audit procedures, and the nature of conclusions drawn. Statistical sampling involves probabilistic techniques that influence sample size and evaluation, whereas nonstatistical sampling relies on auditor judgment.

B. The auditor's response to errors detected will be influenced:While error response is critical, it is influenced more by the nature and materiality of the errors than by the sampling approach.

C. The competence of the evidence obtained is greater with statistical sampling:This is incorrect because the competence of evidence depends on the procedure itself, not the sampling method used. Both methods can yield competent evidence if applied correctly.

D. Nonstatistical sampling may be more cost effective:While this can sometimes be true, it is context-dependent and not universally applicable, so it is not the best answer.

CIA Exam Syllabus Reference:

Domain II: Risk Management and Control – Sampling Techniques and Audit Evidence.

An operational audit would be the most appropriate type of engagement to assess the root causes of the quality issues with components received from an overseas supplier. Operational audits focus on the efficiency and effectiveness of operations, and in this context, would involve examining the processes related to the procurement, inspection, and quality control of components to identify the underlying causes of the quality problems.

IIA Standards: 2210 - Engagement Objectives

IIA Practice Guide: Auditing the Quality Process

Comprehensive and Detailed Explanation:

To evaluate the project manager’s effectiveness at controlling costs, the auditor should verify whether payments are properly authorized, valid, and consistent with agreements. The most direct test is to track a sample of project payments (B) from accounts payable back to contracts and authorizations. This demonstrates whether project expenditures were controlled and aligned with agreements. Bank reconciliations (A) are unrelated to project-level cost control. Validating feasibility model assumptions (C) relates to project planning, not ongoing cost control. Checking budget approval timing (D) relates to compliance but not cost management effectiveness. Therefore, Option B best aligns with the engagement objective.

According to the International Standards for the Professional Practice of Internal Auditing, particularly Standard 2420 – Quality of Communications, internal audit communications should be accurate, objective, clear, concise, constructive, complete, and timely. Ensuring that communications are relevant, logical, and free from errors is essential for maintaining the credibility and effectiveness of the internal audit function and for providing management with reliable information for decision-making.

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2420 – Quality of Communications.

The most reliable source of testimonial evidence regarding whether a process is effectively performed according to its design would be the supervisor in charge of the process. This is because supervisors are typically responsible for overseeing the day-to-day operations and ensuring that processes are followed correctly. They have a comprehensive understanding of the process and can provide valuable insights into its effectiveness and adherence to design. The reliability of evidence increases with the proximity of the individual to the process in question and their role in ensuring compliance and performance.

IIA's Global Technology Audit Guide (GTAG) – Testimonial Evidence.

Introduction:

Corporate Social Responsibility (CSR) involves companies taking responsibility for their impact on society and the environment beyond statutory obligations.

Nature of CSR Reporting:

CSR reporting is generally voluntary, although some regions and industries may have mandatory requirements.

Options Analysis:

Option A: Many CSR areas may overlap with the audit universe or annual audit plan, but not all.

Option B: Investors may increasingly rely on CSR information, particularly in ESG (Environmental, Social, Governance) investing.

Option C: CSR reporting is largely voluntary, unlike financial or regulatory reporting which is often mandatory.

Option D: Operating management typically plays a significant role in CSR efforts and reporting.

Conclusion:

The correct statement regarding CSR is that it is largely voluntary, unlike many other areas of reporting responsibilities that impact stakeholders.

Internal Audit Standards and Practice Guides

Analytical procedures involve evaluating financial and operational information by comparing it with expected values. These expectations can be based on historical data, industry benchmarks, budgets, or other relevant criteria. The primary purpose of analytical procedures is to identify any unusual or unexpected variations that could indicate potential issues or areas requiring further investigation.

IIA References:

IIA Standard 2320: Analysis and Evaluation requires internal auditors to analyze and evaluate the information gathered during an engagement. Analytical procedures are a critical part of this process, as they help auditors identify trends, anomalies, and areas of risk by comparing actual results with expectations.

The Practice Guide on Analytical Procedures defines these procedures as the analysis of relationships between different sets of data, with the goal of identifying inconsistencies or unexpected patterns.

Broad legislative reforms present the most critical external risk to an organization because they can fundamentally change the regulatory environment in which the organization operates. Such changes can impact compliance requirements, operational processes, and strategic planning. The organization must quickly adapt to remain compliant and avoid penalties or legal issues. This type of risk is external and largely uncontrollable, making it particularly critical compared to internal changes or new market entries.

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2120 – Risk Management.

When an internal auditor discovers an issue such as a programming error allowing multiple accounts for a single address, the auditor should ensure that the corrective actions are both adequate and effective. This includes scheduling a follow-up review (1) to verify that the program has been corrected and that the accounts have been consolidated. Additionally, evaluating the adequacy and effectiveness of the corrective action proposed by management (2) is essential to ensure the issue has been resolved properly. References: = IIA Standard 2500 - Monitoring Progress and IIA Standard 2320 - Analysis and Evaluation.