IIA IIA-CIA-Part2 - Practice of Internal Auditing

According to IIA guidance, if the internal audit team lacks the necessary skills and knowledge to perform an audit, the CAE should consider obtaining external expertise. Accepting the engagement and hiring an external expert allows the internal audit activity to leverage specialized knowledge while fulfilling the audit request. This approach ensures that the audit is conducted effectively and meets the required standards, while also addressing any competency gaps within the internal audit team.

According to the Institute of Internal Auditors (IIA) guidance, the chief audit executive (CAE) should develop a risk-based audit plan that takes into account the organization's risk management framework, including its risk appetite levels. This aligns with Standard 2010 – Planning, which states that the CAE must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals. Risk appetite levels from management are a critical component of understanding the organization’s risk profile and should be incorporated into the audit plan. Thus, the CAE may incorporate risk information, including risk appetite levels from management, at her discretion.References: IIA's International Standards for the Professional Practice of Internal Auditing, Standard 2010 – Planning.

Direct observation by the auditor provides the strongest and most reliable evidence of inventory existence, per IIA Standard 2310: Identifying Information. Observational evidence is primary and directly verifiable, whereas third-party confirmations (Option B) or photographs (Option D) may be manipulated. Interviews with personnel (Option C) provide insight but lack objectivity and reliability compared to physical observation. This aligns with the CIA syllabus emphasis on collecting sufficient and appropriate audit evidence (Part 2: Section II).

A. Determine whether the purchasing department complies with policy by examining a random selection of purchase orders:Correct. Reviewing a random sample of purchase orders is a standard procedure for evaluating compliance with purchasing policies, such as approval requirements, vendor selection, and adherence to budget constraints.

B. Evaluate whether purchasing requests are properly approved by authorized staff by obtaining independent verification from the vendors:Vendor verification is not typically used to evaluate internal approvals as this information is available within the organization’s records.

C. Ascertain whether material receipts are recorded on a timely basis by reviewing physical inventory stock counts:Physical inventory reviews focus on inventory management and reconciliation, not specifically on the timeliness of receipts.

D. Determine whether prices charged for goods received are correct by reviewing the appropriate accounts payable record by vendor:While reviewing accounts payable records helps verify the accuracy of pricing, it does not directly evaluate the purchasing department’s adherence to procedures.

CIA Exam Syllabus Reference:

Domain V: Performing Internal Audit Services – Audit Engagement Objectives and Procedures.

The request for new vendor information to be summarized weekly and for invoices to be flagged automatically in the processing system indicates the use of continuous auditing. Continuous auditing involves ongoing, real-time monitoring of transactions and controls, which allows for the early detection of anomalies or issues.

IIA References:

IIA Standard 2320: Analysis and Evaluation suggests that internal auditors should use appropriate technology to support their analysis. Continuous auditing tools are designed to monitor transactions continuously, enabling auditors to identify and address risks more proactively.

The Practice Guide on Continuous Auditing outlines the benefits of real-time monitoring and how it can be integrated into the audit process to enhance the timeliness and relevance of audit results.

When deciding whether to report a finding, the sufficiency of the information is critical. Sufficiency refers to the quantity of information obtained to support audit conclusions and recommendations. In this case, the internal auditors need to ensure that the sample size and the evidence collected are adequate to demonstrate that the issue of employees signing purchase orders in a designated acting capacity due to employee absence is significant enough to report. Ensuring sufficiency helps validate that the finding is well-supported and justifies its inclusion in the audit report.References:

The Institute of Internal Auditors (IIA) - Standards for the Professional Practice of Internal Auditing, Standard 2310 - Identifying Information

A finding can be removed from the final audit report if management provides additional information that accurately contradicts the initial findings. This indicates that the initial findings may have been based on incomplete or incorrect information. Disagreements (Option A) or beliefs about the insignificance (Option D) of the finding do not justify removal unless they are supported by new, contradicting evidence. Even if corrective actions are already taken (Option B), the original finding may still be relevant for documentation and historical context.References:

IIA Standard 2410: Criteria for Communicating.

IIA Practice Guide on Communicating Results.

The organization and content of workpapers should be based on the professional judgment of the internal auditor. Workpapers should provide sufficient detail to support the audit findings and conclusions but do not need to answer every conceivable question. Standard 2330 – Documenting Information states that internal auditors must document relevant information to support the conclusions and engagement results. This allows for flexibility and professional judgment in determining what is necessary and appropriate to include.References:

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2330 – Documenting Information.

An operational audit would be the most appropriate type of engagement to assess the root causes of the quality issues with components received from an overseas supplier. Operational audits focus on the efficiency and effectiveness of operations, and in this context, would involve examining the processes related to the procurement, inspection, and quality control of components to identify the underlying causes of the quality problems.

An internal control questionnaire (ICQ) is designed to gather detailed information about the operation of specific controls within an organization. It is particularly useful for understanding whether controls, such as adherence to approval matrices, are being followed consistently across different units. ICQs provide a structured way to collect this information from respondents, ensuring that all relevant aspects of the control environment are considered. This method is effective for assessing compliance with established procedures and identifying areas for improvement.References:

Institute of Internal Auditors (IIA), Practice Guide – Internal Control Questionnaire.