IIA IIA-CIA-Part2 - Practice of Internal Auditing

Analytical procedures involve evaluating financial and operational information by comparing it with expected values. These expectations can be based on historical data, industry benchmarks, budgets, or other relevant criteria. The primary purpose of analytical procedures is to identify any unusual or unexpected variations that could indicate potential issues or areas requiring further investigation.

IIA References:

IIA Standard 2320: Analysis and Evaluation requires internal auditors to analyze and evaluate the information gathered during an engagement. Analytical procedures are a critical part of this process, as they help auditors identify trends, anomalies, and areas of risk by comparing actual results with expectations.

The Practice Guide on Analytical Procedures defines these procedures as the analysis of relationships between different sets of data, with the goal of identifying inconsistencies or unexpected patterns.

Omitting advance client notice when planning an audit engagement is justifiable if the engagement includes audit assurance procedures that involve sensitive or restricted assets. Providing advance notice in such cases could compromise the integrity of the audit, as it may give management an opportunity to conceal or alter the status of these assets. The goal is to ensure that the auditors can observe the actual condition and handling of sensitive assets without any prior alteration. References: IIA Standard 2201 – Planning Considerations, IIA Practice Advisory 2201-1

An engagement work program is of greatest value to audit management when it helps ensure the achievement of the engagement objectives. The work program outlines the audit procedures and tests that need to be performed to gather sufficient and appropriate evidence to support the audit findings and conclusions. By aligning the work program with the engagement objectives, auditors can focus their efforts on the most critical areas, ensure that all necessary steps are taken, and ultimately achieve the intended outcomes of the audit.References:

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2240 – Engagement Work Program.

A draft internal audit report citing deficient conditions should be reviewed with relevant stakeholders to ensure accuracy, address concerns, and plan corrective actions. This includes the client manager and her superior (Option 1) to inform them of the findings and obtain their perspective. It should also be reviewed with anyone who may object to the report’s validity (Option 2) to address potential disagreements or misunderstandings early in the process. Finally, it should include anyone required to take action (Option 3) so they are aware of their responsibilities and can begin planning remediation efforts. While it may be beneficial to review with those who receive the final report (Option 4), it is not essential for the draft stage. References:

The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2440 - Disseminating Results.

The appropriate conclusion that can be drawn from the findings is that the internal controls guiding contract management are not operating effectively. The listed findings, such as noncompliance with contract provisions, lack of monitoring compliance with contract obligations and deliverables, and absence of contract agreements with key vendors, indicate significant control deficiencies in the contract management process. These deficiencies suggest that the controls intended to ensure compliance and effective management of contracts are either inadequate or not functioning as intended.References: IIA's Guide on Internal Controls and Audit Findings.

According to the International Standards for the Professional Practice of Internal Auditing, particularly Standard 2420 – Quality of Communications, internal audit communications should be accurate, objective, clear, concise, constructive, complete, and timely. Ensuring that communications are relevant, logical, and free from errors is essential for maintaining the credibility and effectiveness of the internal audit function and for providing management with reliable information for decision-making.References:

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2420 – Quality of Communications.

A risk-by-process matrix is a tool that allows users to identify and analyze the associations between various business processes and the risks that affect them. This matrix helps in understanding how risks are distributed across different processes and can be instrumental in prioritizing audit activities based on risk.

IIA References:

IIA Standard 2210: Engagement Objectives suggests that internal auditors should consider risks when setting audit objectives. A risk-by-process matrix is an effective tool for mapping out these risks in relation to processes, providing a clear visual representation of where the most significant risks lie.

The Practice Guide on Risk Assessment outlines the use of matrices, including risk-by-process matrices, to facilitate the identification and prioritization of risks within different processes.

Control self-assessment (CSA) processes typically emphasize the inclusion and evaluation of both formal (hard) and informal (soft) controls. The exclusion of informal, soft controls is not an outcome of an effective CSA process. Instead, CSA encourages a comprehensive review of all control types to enhance risk management and control effectiveness. References: = IIA’s Practice Guide on Control Self-assessment.

A. Vouching vendor invoices to payments made:This verifies payment accuracy but does not confirm whether purchases were authorized.

B. Sorting invoices by purchase orders and comparing for successive duplicate invoices:This approach focuses on detecting duplicate invoices, not authorization.

C. Comparing a random sample of vendor invoices to purchase orders:Correct. This method directly matches invoices to purchase orders, confirming that purchases were authorized and appropriately documented.

D. Sorting payments by invoice to detect successive duplicate invoices:Similar to option B, this approach focuses on detecting duplicates rather than verifying authorization.

CIA Exam Syllabus Reference:

Domain V: Performing Internal Audit Services – Testing for Authorization and Validity.

To increase the deterrent effect of a code of business conduct, it should include appropriate descriptions of penalties for misconduct and notifications that violations may lead to criminal prosecution. These elements clearly communicate the serious consequences of unethical behavior, thus reinforcing the importance of adhering to the code. References: = IIA Practice Guide on "Evaluating Ethics-related Programs and Activities".