IIA IIA-CIA-Part2 - Practice of Internal Auditing

The observation provided in the final engagement communication includes the criteria (competitive bidding requirements), condition (three of the 10 contracts reviewed did not meet these requirements), and cause (senior management deemed these purchases critical and awarded them as sole-source). However, it lacks the effect, which would explain the potential consequences or impact of not meeting the competitive bidding requirements, such as increased costs, lack of transparency, or potential for favoritism. References:

The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2410 - Criteria for Communicating.

The IIA’s Practice Guide on Communicating Results.

Judgmental sampling, also known as non-statistical sampling, is a technique where the internal auditor uses their professional judgment to select a sample that they believe is most representative of the population. In this scenario, the internal auditors are choosing to review a sample of complaints from the last three months based on their professional judgment that these complaints are reflective of current marketing practices. This method is particularly useful when the auditor has specific knowledge about the population that allows them to make informed selections.

A. Book value per common share ratio is lower than that of the prior year:This represents year-over-year comparison, which is an example of historical benchmarking, not internal benchmarking.

B. Staff turnover ratio is higher than the comparable organization in the same industry:This represents external benchmarking, as it involves comparing against a peer organization.

C. Utilities expense of the sales unit is higher than that of the customer service unit:Correct. This is internal benchmarking, as it compares performance metrics within the same organization.

D. Sales are significantly higher than the industry’s average for five years:This is an example of external benchmarking against the industry standard.

CIA Exam Syllabus Reference:

Domain V: Performing Internal Audit Services – Benchmarking Techniques.

An audit finding should include the standard(s) used by the auditor to make the evaluation (2) and the factual evidence found during the examination (4). These components provide the basis for the auditor's conclusions and ensure that the findings are well-supported and objective. The scope of the audit (1) and the engagement's objectives (3) are typically included in the overall audit report but are not components of individual audit findings.

The rotational model refers to a staffing arrangement where employees, such as internal auditors, are rotated into different roles within the organization, often for a fixed period. In this scenario, a senior internal auditor is hired within the internal audit activity for two years before transitioning to an operations manager role. This model helps in developing a deeper understanding of the organization, broadening skill sets, and fostering cross-functional expertise. It benefits both the internal audit activity and the broader organization by facilitating knowledge transfer and career development.

Residual risk is the risk that remains after management has taken steps to mitigate or control the inherent risks. The chief audit executive (CAE) performs residual risk assessment to determine the effectiveness of management’s actions and whether the remaining risk is acceptable.

IIA Standard 2120 – Risk Management:

The standard emphasizes that the CAE should evaluate the residual risks faced by the organization. This involves assessing whether management’s risk responses are adequate and whether any unmitigated risks (residual risks) remain within the organization’s risk tolerance.

Cost-Benefit Analysis:

Conducting a cost-benefit analysis of management’s decision not to implement a recommendation directly relates to assessing residual risk. This analysis helps determine whether the residual risk is acceptable compared to the cost of implementing the recommendation.

IIA Practice Guide on Assessing Residual Risk:

This guide outlines that assessing residual risk involves evaluating the impact of management’s controls and the risks that remain. A cost-benefit analysis is a method to quantify the impact of not addressing a recommendation, thereby evaluating the residual risk.

Option B (Inquiry of corrective action to be completed): This is more about monitoring follow-up actions rather than assessing residual risk.

Option C (Reporting status of every observation): While important, this is related to tracking audit issues, not specifically assessing residual risk.

Option D (Soliciting management’s feedback): While valuable for engagement quality, this does not directly relate to residual risk assessment.

Detailed Explanation:Why Not Other Options?Conclusion: Option A is correct as it reflects the CAE’s role in assessing residual risk through cost-benefit analysis, in line with IIA standards.

To address the risk of fraud in the cash receipts process, it is essential to ensure that the accounts payable department reconciles all purchasing documents (purchase requisitions, purchase orders, packing slips, and invoices) before making payments. This step helps to detect discrepancies and prevent fraudulent activities, ensuring that payments are made only for legitimate and verified transactions. References:

IIA Standards - 1220: Due Professional Care

IIA Practice Guide - Auditing Accounts Payable: Reducing the Risk of Fraud

Administering control questionnaires to individuals with primary responsibilities in the process can yield valuable information about processes and controls. However, one significant drawback is that the information gathered may be limited regarding the actual functionality of the controls. This approach relies on the respondents' knowledge and perceptions, which may not accurately reflect the effectiveness of the controls in practice. Moreover, respondents might not fully understand the auditor’s intentions or may provide biased or incomplete information, thereby limiting the depth of insights into how controls function in real-world scenarios.References:

IIA Standard 2201: Planning Considerations

IIA Practice Guide: Assessing the Adequacy of Risk Management Processes

According to IIA guidance, the most important objectives for ensuring the appropriate completion of an engagement include coordinating audit team members to ensure efficient execution, confirming that engagement workpapers properly support the observations, recommendations, and conclusions, and ensuring that engagement objectives are reviewed for satisfactory achievement and are documented properly. These objectives focus on the quality and thoroughness of the audit work, which are critical for the engagement's success. References:

IIA Standards - 2300: Performing the Engagement

IIA Practice Guide - Audit Documentation

If an internal auditor decides to adjust the audit work program during the fieldwork phase of an assurance engagement, the most appropriate next step is to obtain approval from the engagement supervisor. This ensures that any changes to the scope or procedures are reviewed and sanctioned by the audit management, maintaining the integrity and alignment of the audit objectives.