IIA IIA-CIA-Part2 - Internal Audit Engagement

Nonsampling risk is the risk that the auditor may reach incorrect conclusions for reasons not related to the sampling process, such as failure to recognize exceptions or misinterpretation of audit results. In this case, the internal auditor did not notice that some purchase requisitions were approved by unauthorized persons, which is an oversight unrelated to the sample size or selection process. This is distinct from sampling risk, which is the risk that the sample selected does not represent the population. References:

The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2320 - Analysis and Evaluation.

The IIA’s Practice Guide on Audit Sampling.

A flowchart is primarily used to evaluate the design of controls by visually representing the sequence of operations, decision points, and control activities within a process. This helps the internal auditor identify weaknesses, redundancies, and gaps in internal controls.

Preparing for testing the effectiveness of controls (A) comes later in the audit process, after evaluating the design.

Planning for evaluating potential losses (B) focuses on risk assessment rather than control design.

Preparing a sampling plan (C) is a different step in the audit process, where the auditor determines the scope and sample size.

An internal control questionnaire (ICQ) is best used to assess whether different subsidiaries apply centrally established procurement rules in the same manner because it helps gather structured responses from different units regarding their compliance with established policies.

Receiving mid-level management insight on hiring practices (A) is better suited for interviews or surveys.

Verifying adherence to approval matrices (B) requires observation and transactional testing rather than a questionnaire.

Gaining assurance on inventory counts (C) would involve direct observation and reconciliation rather than an ICQ.

The IIA Code of Ethics sets forth principles and expectations for ethical behavior in internal auditing, particularly regarding the communication of results.

Integrity and Transparency: According to the IIA Code of Ethics, internal auditors are expected to exhibit integrity and transparency in their reporting, ensuring that material facts are disclosed accurately to avoid misrepresentation.

Standard 2340 – Engagement Supervision requires supervisors to review work performed and provide feedback to ensure sufficiency and appropriateness. The first step when finding insufficient information is to discuss the issue with the auditor who prepared the workpapers, clarify what was done, and guide improvements. Training material adjustments may follow later, but the immediate supervisory responsibility is to resolve the issue directly with the assigned auditor.

Strategic goals are long-term, broad, and mission-driven.

Options A, B, and C represent short-term operational or tactical goals.

Option D (carbon neutrality in 5 years) represents a long-term strategic goal.

Introduction:

Continuing Professional Development (CPD) is essential for internal auditors to maintain and enhance their skills and knowledge.

Responsibility for CPD:

While the organization and CAE provide support and resources, the primary responsibility for ensuring CPD rests with the individual internal auditors.

Options Analysis:

Option A: Individual internal auditors are responsible for their own CPD.

Option B: The CAE facilitates opportunities for CPD but is not solely responsible.

Option C: The board oversees overall governance and strategy but not individual CPD.

Option D: Engagement supervisors support auditors in their roles but do not manage their CPD.

Conclusion:

Individual internal auditors are responsible for ensuring their own continuing professional development.

IIA's Continuing Professional Education Requirements

A significant governance issue that must be reported to the board is the absence of a formal risk management and control process, with risk management being solely the responsibility of operational managers. Effective governance requires a structured risk management framework overseen at the highest levels of the organization. The lack of such a process indicates a critical deficiency that can have severe implications for the organization's ability to manage and mitigate risks.

The Institute of Internal Auditors (IIA) Standard 2110 – Governance: "The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes."

Probability-proportional-to-size (PPS) sampling is a technique used to reach conclusions regarding monetary amounts in a population. It is designed to handle variable sampling by focusing on monetary units, making it appropriate for testing account balances. On the other hand, attribute sampling is used to assess the rate of occurrence of a specific characteristic or attribute in a population, such as compliance with a control procedure, and does not focus on monetary amounts.

The Institute of Internal Auditors (IIA) Practice Guide on "Audit Sampling"

Generally Accepted Auditing Standards (GAAS)

According to IIA guidance, a common assurance service performed by the internal audit activity is validating whether employees are following established policies and procedures in various departments, such as procurement. Assurance services involve assessing evidence and providing conclusions regarding the effectiveness of governance, risk management, and control processes. Ensuring compliance with established policies and procedures is a fundamental assurance activity that helps organizations maintain control and mitigate risks.

The Institute of Internal Auditors (IIA) Standard 2130 – Control: "The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement."

IIA Practice Guide on "Assurance Engagements"

Discovery sampling is a statistical sampling method that is specifically designed for detecting fraud or other irregularities. It is most appropriate when the auditor expects that deviations or fraud may be rare but significant if found.

Discovery Sampling:

Discovery sampling is used when the auditor is trying to identify at least one occurrence of a particular event, such as fraud. The sample is designed so that if a single error is found, it suggests that more may exist within the population, warranting further investigation.

Application in Fraud Detection:

Discovery sampling is effective in fraud detection because it focuses on identifying whether any instances of fraud exist within a population. This approach is well-suited for situations where even a small number of fraudulent transactions could have a significant impact.

IIA Practice Guide on Statistical Sampling:

The IIA suggests that discovery sampling is appropriate when the goal is to find the presence of an error or fraud, particularly in populations where such occurrences are expected to be infrequent.

Option B (Stop-or-go sampling): This method is used to control the risk of over-auditing when errors are expected to be low, but it is not specifically designed for fraud detection.

Option C (Haphazard sampling): This is a non-statistical sampling method and is not appropriate for systematic fraud detection.

Option D (Stratified attribute sampling): This method divides the population into subgroups but is not specifically aimed at discovering fraud.

Detailed Explanation:Why Not Other Options?Conclusion: Option A is correct because discovery sampling is the most appropriate statistical method for testing a population for fraud, as it is designed to detect even a small number of significant deviations, consistent with IIA guidance.

When an internal auditor discovers a significant issue, such as a manager’s spouse receiving paychecks without being employed, it’s essential to follow the appropriate protocols for reporting the finding.

IIA Standard 2060 – Reporting to Senior Management and the Board:

This standard mandates that the chief audit executive (CAE) must communicate significant risk exposures and control issues to senior management and the board. Following the normal chain of command ensures that the issue is escalated appropriately without bypassing necessary channels.

Ethical Considerations and Confidentiality:

According to the IIA’s Code of Ethics, internal auditors must respect the confidentiality of the information they handle. Reporting through the established chain of command ensures that sensitive issues are handled discreetly and appropriately.

IIA Standard 2440 – Disseminating Results:

This standard requires that the results of the audit, including significant findings, should be communicated to the appropriate parties. Reporting to senior management first allows for an initial review and appropriate action before escalating to higher levels, if necessary.

Option A (Contacting the external auditor): While external auditors may need to be informed, this step should follow internal reporting protocols, not precede them.

Option C (Meeting with the local manager): This could compromise the investigation, as the local manager may be involved in the issue.

Option D (Bypassing the chain of command): This should only be done in extreme circumstances, such as when senior management is directly involved in the wrongdoing, which is not indicated in this scenario.

Detailed Explanation:Why Not Other Options?

Facilitated team workshops are the method of examining entity-level controls that involve gathering information from work groups that represent different levels in an organization. These workshops encourage interactive discussion and collaboration among participants from various departments and hierarchical levels, providing a comprehensive view of entity-level controls and promoting a better understanding of control processes and issues.

IIA Standards: 2210 - Engagement Objectives

IIA Practice Guide: Assessing the Adequacy of Risk Management Processes

During planning, auditors gather information about processes and controls. While management (A) provides oversight and external auditors (C) focus on financial reporting controls, employees who perform the daily tasks (B) have the most accurate, detailed, and current knowledge of how processes and controls actually operate. The board (D) provides governance, not operational detail.

Upon discovering a potential conflict of interest, the most appropriate action for the internal auditor is to inform the audit supervisor. This ensures that the issue is properly addressed and investigated according to the organization's policies and procedures. The audit supervisor can then decide on the appropriate course of action, including whether further investigation is warranted. References: = IIA Standard 2440 - Disseminating Results and IIA Standard 2600 - Resolution of Senior Management’s Acceptance of Risks.