IIA IIA-CIA-Part2 - Practice of Internal Auditing

When developing the work program for an engagement reviewing an organization’s small contracting services, the chief audit executive (CAE) should consider the organization's recent changes to how it processes payments. Changes in payment processing can significantly impact the control environment and may introduce new risks or control gaps. Understanding these changes will help the CAE design appropriate audit procedures to evaluate the effectiveness of the controls over the new processes.

In the risk control map, Risk C is positioned in the upper left quadrant, indicating it is critical (high risk significance) but with a low level of control. This suggests that the current controls are insufficient to mitigate the high level of risk associated with Risk C. For critical risks, a higher level of control is necessary to ensure that the risk is properly managed and mitigated. References:

"Internal Auditing: Assurance & Advisory Services" (The Institute of Internal Auditors)

"Risk Management Framework" (COSO)

A risk that is deemed "unacceptable" to the organization is one where the residual risk (the remaining risk after controls are applied) exceeds the organization's risk tolerance level. This means that despite controls in place, the level of risk remains higher than what the organization is willing to accept. Identifying such risks is critical for ensuring appropriate management action to mitigate them further. References:

The IIA’s Practice Guide on Risk Management.

COSO’s Enterprise Risk Management – Integrating with Strategy and Performance.

A. ICQs are most useful in more organic, decentralized organizations with specialized departmental or regional characteristics:ICQs are standard tools and can be used in a variety of organizational structures, not just decentralized ones.

B. An ICQ can be used effectively either by sending it in advance for management of the area under review to complete or by testing each procedure and recording the results:Correct. ICQs are versatile tools that can be used for both self-assessment by management and as part of a detailed audit procedure.

C. An ICQ is not an efficient tool, as it can only inquire about controls and it does not test them:ICQs can test controls indirectly by revealing whether they are documented and applied properly.

D. ICQs are also known as checklist audits and encourage management of the area under review to answer "no" or "yes" more accurately:ICQs are not limited to a checklist format and their value goes beyond simple yes/no answers.

CIA Exam Syllabus Reference:

Domain V: Performing Internal Audit Services – Tools for Assessing Internal Controls.

The efficiency of an audit is greatly influenced by the adequacy of preliminary survey information. Thorough preliminary surveys help auditors understand the audit scope, identify potential issues early, and plan their work efficiently, thereby increasing overall audit efficiency. References: = IIA Practice Guide: “Engagement Planning: Establishing Objectives and Scope” and IIA Standard 2201 - Planning Considerations.

Given the situation where a system error prevents the engagement supervisor from adding her electronic signature to the workpapers, the most appropriate response to provide evidence of supervisory review is to print, sign, and date each workpaper after the review is complete, and then scan the document into the database as evidence of review. This ensures that there is a clear and traceable record of the supervisory review process, which is crucial for maintaining the integrity and reliability of the audit documentation.

Printed Documentation: Printing the workpapers provides a physical copy that can be signed and dated, serving as a tangible record of the review.

Signature and Date: The supervisor's signature and date indicate the completion of the review process and provide accountability.

Scanning into Database: Scanning the signed documents back into the electronic workpaper database ensures that the evidence of review is stored in the system of record, maintaining consistency and accessibility.

This method upholds the standards of documentation and supervisory review, ensuring compliance with internal audit policies and procedures.

Root cause analysis identifies underlying reasons for control deficiencies or inefficiencies, enabling organizations to address systemic issues and enhance controls. IIA Practice Guide: Root Cause Analysis (2018) highlights its role in promoting continuous improvement. Reperformance (Option A) and vouching (Option B) are audit techniques to verify accuracy but do not diagnose systemic issues. Independent confirmation (Option C) corroborates evidence but does not uncover root causes. Root cause analysis aligns with the CIA Part 2 objective of enhancing organizational efficiency.

The chief audit executive (CAE) should prioritize risks to be used for the audit plan. Although the CAE is not accountable for managing risks, he is responsible for ensuring that the internal audit activity provides assurance on the effectiveness of the risk management processes. The CAE must understand the organization's risk landscape and determine which areas require audit attention based on their significance and potential impact. References: IIA Standard 2010 – Planning, IIA Practice Guide – Coordinating Risk Management and Assurance

Broad legislative reforms present the most critical external risk to an organization because they can fundamentally change the regulatory environment in which the organization operates. Such changes can impact compliance requirements, operational processes, and strategic planning. The organization must quickly adapt to remain compliant and avoid penalties or legal issues. This type of risk is external and largely uncontrollable, making it particularly critical compared to internal changes or new market entries.References:

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2120 – Risk Management.