CERTIFIED INTERNAL AUDITOR (CIA), US PART 2 PRACTICE OF INTERNAL AUDITING 2019 STUDY NOTES NOTES MUHAMMAD ZAIN CPA, CMA, CIA FOUNDER OF ZAIN ACADEMY
WhatsApp (Messaging & Call): +92 311 222 4261 Facebook: https://web.facebook.com/mzainhabib https://web.facebook.com/mzainhabib LinkedIn: https://www.linkedin.com/in/mzainhabib/ https://www.linkedin.com/in/mzainhabib/ Twitter: https://twitter.com/mzaincpacmacia https://twitter.com/mzaincpacmacia Email:
[email protected] [email protected] Web: www.zainacademy.us www.zainacademy.us
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
INDEX
ABOUT THE MENTOR ............... ............................... ................................ ................................. ................................. ...................... ...... 4 LETTER FROM MUHAMMAD ZAIN ................. ................................. ................................ ............................ ............ 5 CIA PART 2 – BASIC INFORMATION............... ............................... ................................ ............................ ............ 6 SECTION A – MANAGING THE INTERNAL AUDIT ACTIVITY ......... 7 SECTION B – PLANNING THE ENGAGEMENT ................. ................................. ................... ... 32 SECTION C – CONDUCTING INTERNAL AUDIT ENGAGEMENTS ............................................................................................................................... 40 SECTION D – COMMUNICATING RESULTS AND MANAGING PROGRESS ........................................................................................................ 56 BOOKS WRITTEN BY MUHAMMAD ZAIN ............................... ............... .............................. .............. 63 QUOTES THAT WILL CHANGE YOUR LIFE ............................... .............. ............................ ........... 64
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 3 of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
ABOUT THE MENTOR (CPA) Muhammad Zain has passed Uniform Certified Public Accountant (CPA) exams from the American Institute of Certified Public Accountants (AICPA), US in February 2018, Certified Management Accountant (CMA) exams (CMA) exams from Institute of Management Accountants (IMA), US and (CIA) exams from Institute of Internal Certified Internal Auditor (CIA) Auditors (IIA), US in March 2014. 2014. He complete completed d his Masters of Business (MBA) in March 2010 from University of Karachi, Administration (MBA) Pakistan. He earned his Bachelors of Commerce (BCom) (BCom) from from the same University in November 2007. He has working experience of twelve years which includes five years of Public Accounting experience of working in EY Ford Rhodes, Pakistan – a member firm of Ernst & Young Global Limited (big4) and more than six years of working experience in Industry. He founded Zain Academy in 27 February 2017 with the mission “Knowledge for ALL” and objective to “disseminate education for all candidates who wish to change the landscape of our working environment, believe in continuous education and strive for the best.” The The idea is not to live forever but to create something that will. He has trained many candidates around the globe and has helped them in attaining their true potential. for Readers are welcomed to contact him for online interactive sessions for any part of CPA, CMA or CIA. Furthermore, do visit the Zain Academy’s Academy’s YouTube channel for informative informative videos.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 4 of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
11 April 2019 Dear CIAs CIAs,,
May Peace, Blessings and Mercy of Allah be upon you and in particular on the Noble Messenger Prophet Muhammad (Peace Be Upon Him), his Family and his Companions I am feeling very excited to present you the 2019 edition of Certified Internal Auditor (CIA) – Part Part 2 – Practice Practice of Internal Auditing Study Study Book. This Study Book covers all the important and relevant concepts and topics that will be tested in the exams. This book can also be used for review, revision and rehearsal purposes. After reading this book, you will be needing is the sufficient and quality practice of test bank questions. I have tried very hard to keep the materials simple, clear and concise so that the candidates enjoy reading the book. Please do check the Facebook page https://www.facebook.com/zainacademy https://www.facebook.com/zainacademy for updates. Extreme care is required when rendering professional advice to clients. Readers are encouraged to provide a review, rating, and feedback on the study book on on https://www https://www.facebook.com/zaina .facebook.com/zainacademy/reviews/ cademy/reviews/.. This review will help me and prospective candidates to benefit from improvements in the materials over time. Those candidates who wish to submit their Character Reference Forms to the Institute theback required particulars the same can andfill reply through email. and email me the same. I will attest I dedicate this work to the Prophet Muhammad (Peace Be Upon Him), Mercy to all the Creation, who has been the source of inspiration and guidance to the whole of humanity. May ALLAH, ALLAH, Creator of the Heavens and Earth, Master of the Day of Judgement and and to whom the Sovereign Sovereignty ty belongs bless you ALL you ALL in in this Life and in particular the Life Hereafter as Hereafter as well. With Love and Care, Care,
Muhammad Zain CPA, CMA, CIA From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 5 of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
CIA PART 2 BASIC INFORMATION SYLLABUS S.No 1. 2. 3. 4.
Sections Section A Section B Section C Section D
Description Weightage Managing the Internal Audit Activity 20% Planning the Engagement 20% Conducting Internal Audit Engagements 40% Communicating Results and Monitoring Progress 20%
CIA Candidate Handbook is available on the link: https://na.theiia.org/certification/Public%20Documents/CIA-Exam-SyllabiChanges-Handbook.pdf CIA Exam FAQs are available on the following link: https://na.theiia.org/certification/Public%20Documents/CIA-Exam-SyllabiChanges-FAQs.pdf CIA Eligibility requirements are available on the following link: https://na.theiia.org/certification/CIA-Certification/Pages/EligibilityRequirements.aspx Requirements.aspx FORMAT OF THE EXAM There will be 100 MCQs being tested in the exam in the 120 minutes (2 hours) time period. PREPARATION TIME PERIOD CIA Part 2 requires complete two months of study and practice with the assumption that the candidates are able to give at least three hours on weekdays and five hours on weekends. weekends. PASSING SCORE The IIA will conduct a standard-setting study based on the revised CIA syllabi. The IIA’s Professional Certifications Board will use these results to determine the passing score of the exams. For each CIA exam part, a raw score (the number of items answered correctly) will be converted into a scaled score ranging from 250 to 750 points. A scaled score of 600 or higher is required to pass a CIA exam. IMPORTANCE OF CIA CERTIFICATION CIA Certification is the premium internal auditing qualification that is respected globally. Holders of CIA designation can work in Internal Auditing, Risk Management, Compliance, Forensic Auditing, Fraud Investigation functions.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 6 of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
SECTION A MANAGING THE INTERNAL AUDIT ACTIVITY (WEIGHTAGE 20 ) S.No Questions 1. Define Internal Auditing ?
2. What is Internal Auditing’s nature of work?
3. What are the operational duties of CAE?
4. What does the Standard 2000 – Managing the Internal Audit Activity elaborates?
Answers Internal auditing is an indepen independent, dent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive, and their evaluations offer new insights and consider the future impact. From an operational standpoint , the chief audit executive (CAE) has to make sure that:
1. Planned engagements are carried out in a timely manner. 2. Resources needed to carry out the planned engagements engagemen ts are properly allocated. 3. Results of the engagements are properly communicated communic ated to all interested parties. The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. The internal audit activity is effectively managed when: 1. It achieves the purpose and responsibility included in the internal audit charter. 2. It conforms with the Standards. 3. Its individual members conform with the Code of Ethics and the Standards. 4. It considers trends and emerging issues that could impact the organization organization..
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 7 of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance. 5. What does Standard 2040 Policies and Procedures say?
6. With whom the Internal Audit Activity policies policies and procedures must be aligned with?
4. What is generall generally y included in Internal Audit policies?
The chief audit executive must establish policies and procedures procedur es to guide the internal audit activity. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work. The size, structure, and complexity of the IAA will determine the necessary extent, depth, and formalization of the policies and procedur procedures. es. It is essential to ensure that internal audit policies and procedures are aligned with: 1. The Mandatory Guidance of the International Professional Practices Framework (IPPF). 2. The internal audit charter. 3. The organization’s strategies, policies, and processes. Internal Audit policies include the: 1. The overall purpose and responsibilities of the internal audit activity. 2. ii. Adherence to the Mandatory Guidance of the IPPF. 3. iii. Independence and objectivity.
4. iv. Ethics. 5. v. Protecting confiden confidential tial information information.. 6. vi. Record retention. 5. What is generall generally y Internal Audit procedures include the: 1. Preparing a risk-based audit plan. included in 2. Planning an audit and preparing the engagement Internal Audit procedures? work program. 3. Performing audit engagements. 4. Documenting audit engagements. 5. Communicating results/reporting. 6. vi. Monitoring and follow-up processes. 6. Who develops the The chief audit executive develops policies and policies and of procedures
procedures. Formal administrative and technical audit
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 8 of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
Internal Audit Activity? 7. What is the role of Audit Committee regarding the Internal Audit Activity?
8. What is the role of Audit Committee regarding External the Auditors?
9. What does the Audit Manual covers?
manuals may not be needed by all internal audit activities. The following are other functions of the audit committee regarding the internal audit activity: 1) Selecting or removing the CAE and setting his or her compensation 2) Approving the internal au audit dit charter 3) Reviewing and approving the internal audit activity’s work plan 4) Ensuring that the internal audit activity is allocated sufficient resources 5) Resolving disputes between the internal audit activity and management 6) Communic Communicating ating with the CAE, who attends all audit committee meetings 7) Reviewing the internal audit activity’s work product (e.g., interim and final engagement communications) 8) Ensuring that engagement results are given due consideration 9) Overseeing appropriate corrective action for deficiencies deficienc ies noted by the internal audit activity 10) Making appropriate inquiries of management and the CAE to determine whether audit scope or budgetary limitations impede the ability of the internal audit activity to meet its responsibilities The following are other functions of the audit committee regarding the external auditor: 1. Selecting the external auditing firm and negotiating its fee 2. Overseeing and reviewing the work of the external auditor 3. Resolving disputes between the external auditor and management 4. Reviewing the external auditor’s internal control and audit reports The audit manual covers everything from the Internal Audit Charter to performan performance ce reviews and evaluations and provides guidance from planning the engagement to the final report.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 9 of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 10. What does Standard 2010 Planning say? say?
11. What are the factors that Internal Auditor considers while developing Internal Audit plan?
The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity and to make certain that they are consistent with the organization’s goals. To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. Factors the internal auditor considers when developing the internal audit plan include: • Inherent risks— Are they identified identified and assessed assessed?? • Residual risks— Are they identified identified and assessed assessed?? • Mitigating controls, contingency plans, and monitoring activities— Are they linked to individual events and/or risks? • Risk registers— Are they systematic, completed, and accurate? • Documentation— Are the risks and activities documented?
In addition, the internal auditor coordinates with other assurance providers and considers planned reliance on their work. An internal audit activity’s plan will normally focus on: • Unacceptabl Unacceptable e current risks where management action is required. These would be areas with minimal key controls or mitigating factors that senior management wants to be audited immediately. • Control systems on which the organization is most reliant. • Areas where the diffe differential rential is great between between inhere inherent nt risk and residual risk. • Areas where the inherent rrisk isk is very high. 12. What are the of characteristics
The planning process and specific work schedules for engagements engagemen ts sshould hould include the following:
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 10 10 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
Engagement Work Schedule?
13. What does the Standard 2030 - Resource Management say?
• Which engagements should be performed. • When engagements should be performed. • The time required for each engagement, taking into account the scope of the planned engagemen engagementt work aand nd
the nature and extent of related work performed by others. • Which engagements should receive priority over others. The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers refers to the quantity of resources needed to
accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan. When an external service provider serves as the internal audit activity, the provider must make the organizatio organization n aware that the organization has the responsibility for maintaining an effective internal audit activity.
14. What is the responsibility responsibili ty of External Service provider for Internal Auditing? 15. What are the 1. Operational Management three lines of 2. Business Enabling Functions defenses? 16. What are the factors to consider when assigning staff to to individual assignments?
17. What is the Internal Audit Budget ?
3. Internal Auditors Some factors to consider when assigning staff to individual engagements are: • The complexity of the engagement. • The resources that are available in the IAA. • The experience experience and skill level of the staff. • The training and developmental needs of the audit staff. The size of the budget for the internal audit activity is determined by the internal audit plan, the organizational structure, and the staffing strategy. The
budget must include all of theofactivities are needed to accomplish the objectives the IAA, that including:
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 11 11 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
• Paying staff. • Training and staff developme development. nt. • Hiring external specialists as needed. • Any other expenses that the department will incur in
18. What are the repercussions of hiring candidates in IAA from inside the organization?
19. What are the repercussions of hiring candidates in IAA from outside the organization?
20. What does the Training purpose purpose serve?
21. What does the Counseling purpose serve?
the performance of its duties. Hiring from inside the organization has advantages: • It is faster because the employee is already familiar with company’s policies and procedures. • There is less risk because the CAE has already worked with the employee and is more aware of his or her capabilities and limitations. • Hiring from within provides motivation for the IAA staff to do good work and earn a promotion. If, however, the wrong people are promoted, or people are promoted because of reasons other than their work skills, then hiring from inside may have a negative effect on the entire department. Hiring from outside the organization is riskier, but it also has advantages: • The outside person could bring new ideas and new perspectives to the job and the organizatio organization. n. • The new person may have skills or experience that are not currently within the organizatio organization. n. • Management training costs could be lowered because it is assumed that the person is already qualified and will not require additional training. Training gives the staff the necessary skills to perform
their jobs in the short term and also develop and broaden their skills for their long-term development. Training should benefit the individual and also help the IAA meet its organizatio organizational nal goals. Therefore, some staff may be trained in areas where the IAA does not currently have all of the required skills, even if the staff does not have a personal interest in those areas. Also, a well-developed training program is an excellent recruiting tool for the company. Counseling , or mentoring , is an important element of staff development. In a large internal audit department, there may be a formal counseling and mentoring program and,for in the suchoversight a situation, CAE most likely is responsible andthe management of the
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 12 12 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
22. What is the purpose of Performance Evaluation?
23. What are the advantages of decentralization of Internal Audit Department?
24. What is the Audit Universe?
process. Additionally, Additionally, the CAE may be the counselor for some of the higher-level staff members in the department. Performance evaluations should be made at least annually, or more often if needed. The performance evaluations need to focus on the skills that are necessary for the individual to perform his or her work and for IAA as a whole to perform its duties. These staff evaluations should be seen as a means of giving internal audit employees the opportunity to identify their weaknesses and give them an opportunity to improve their performance. The evaluation should not be based on personal likes or dislikes or other non-employment related factors. The advantages are: a) Reduced travel time and expense, b) Improved service in the operating locations served by the field offices, c) Better morale of internal auditors as a result of increased authority, and d) The possibility of employing persons who do not wish to travel. The Audit Universe is the list of all possible engagements that could be performed, and the list will need to be refined over time with changes in management’s objectives. There are a number of sources that the CAE will use to establish the audit universe. Among them are:
25. What is the Risk
• Previously-pe Previously-performed rformed engagemen engagements. ts. • Engageme Engagements nts that were considered in the past but not performed for some reason. • New engagements that are connected to new business lines, departments, or business activities. • Engagements that are legally required, or newly required because of a new law or regulation. • New engagements that are needed because of new technology or changes in the technologies used by the company. Risk Assessment is a systematic process for assessing
Assessment ?
and integrating professional judgments about probable adverse conditions and/or events. The risk assessment
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 13 13 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
26. What are the quantitative and qualitative assessment of Risk Assessment ?
27. What are the limitations of Checklists and Questionnaires?
process should provide a means of organizing and integrating professional judgments for development of the audit plan. Risk Assessment has both quantitative (numerical) and qualitative (characteristic) factors. Quantitative assessments include the dollar value of the assets at risk or potential monetary loss, while qualitative assessments include the risk of fraudulent behavior or the importance of the section to the operations of the business as a whole. Risks are prioritized based on likelihood and impact . Checklists and questionnaires are often used as part of the risk assessment process, but they have a few limitations: 1) Staff members may get a false sense of security that
28. What are the other factors for prioritizing Audit Engagements?
all issues have been addressed when the checklist is filled out. 2) The reader of the checklist may assume that all items listed are of equal importance. 3) The use of the checklist may weaken the professional skepticism and judgment of the auditor, who may be more attentive to a specific item listed and not to the larger picture. Other factors besides risk that should be considered when prioritizing engagements include: • The length of time since the last engagement was
performed in this area and audit cycle requireme requirements. nts. Many companies establish a system in which specific engagements are conducted at set intervals (for example, every year, every two years, or every three years). How often each engagement is conducted depends largely on the assessed risk of the area. • Requests from senior management, the audit committee, or other governing and regulatory bodies. • An engagement’s relation to the external audit. • Changing circumstances in the business, operations, programs, systems, or controls. • Changes in the risk environment or control procedures procedur es in the department.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 14 14 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
• The potential benefit that could be achieved from the engagement. • Changes in the skills of the available staff (through new employees or recent training), because new skills may enable different types of engageme engagements. nts.
There are three basic levels of planning planning:: 29. What are the three levels of Planning of 1. Internal audit plan – for each period, an internal audit of Internal Auditors? plan is developed that covers the planned audits of the internal audit activity during the period. This plan would be the result of the risk assessment of the entire organization. The plan would detail what engagements are planned to be performed during the period. 2. Engagement Plan – for each engagement, the internal auditor develops an audit plan which is based on a detailed risk assessment of the engagement area and identifies the engagement objectives.
30. What are Assurance and Consulting services?
31. At what levels, Assurance Engagements can be performed?
3. Engagement Work Program – lists detailed procedures that should be conducted by the auditor to achieve specific audit objectives that will achieve the engagementt objectives. engagemen Assurance services. “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.” • Consulting services. “Advisory and related client services activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.” Assurance engagements engagements can be pe performed rformed at any of the following three levels: • Organizational department review.,
which
is
a
department-by-
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 15 15 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
• Functional, which follows a single process across organizational organization al lines. • Cycle, which is primarily a financial systems review. Cycle-level engagements engagements have been expanded to cover non-financial systems, such as HR or environmental
32. What is Risk and Control SelfAssessments?
impact. Risk and Control Self-Assessments (RCSA) examine and assess the effectiveness of a company’s risk and control system. Although auditors are presumed to have the knowledge and expertise to assess controls accurately, RCSA begins with the premise that the scope of control is so broad, and the pace of change so great, that properly assessing the control system requires the knowledge and expertise of all the employees who perform the specific work that needs to be assessed. RCSA procedures include the following: • Identifying potential risks and exposures. • Assessing the control processes that mitigate or manage those risks. • Developing action plans to reduce risks to acceptable levels. • Determining the likelihood of achieving business objectives.
The primary advantages of an RCSA program are: • It increases employee understanding of the
33. What is a Survey or Questionnaire?
company’s risks and controls. • It raises employee control consciousness. • It provides a mechanism for early risk detection. • It encourages more open communication, teamwork, and continuou continuouss improveme improvements. nts. • It empowers employees and enhances accountability. Surveys or Questionnaires can be used when budgets are limited or if individuals who would normally participate are too widely dispersed to participate in a workshop. Survey questions need to be customized for any specific circumstances or needs, including the regulatory environment. Regardless of the type or
nature the questions, they relatethey to the primaryof internal controls and controls the should way in which are
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 16 16 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
34. What are the limitations of Questionnaire?
monitored. Furthermore, the process owners themselves (that is, those who fill out the original questionnaire) should interpret the data after it is collected. • Questions can sometimes be worded to suggest or imply a “correct” or desired answer. Such manipulative questions can pressure the respondent to give an answer that the questionnaire designer prefers rather than an honest answer. Therefore, question questionss should be carefully worded. • Lack of interest may limit the number of questionnaires that are filled out and returned, potentially skewing results and rendering the entire exercise invalid. If the number of returned questionnaires is unacceptably low, supervisors might consider gathering feedback in person, because some
35. Who should perform the Third Party Audit ?
36. What is Total Quality Management ?
people may dislike questionnaires but would be forthcoming in an interview. A third-party third-party audit may be performed either by intern internal al auditors or by an independent auditor. The decision whether to audit internally or to contract for the thirdparty audit depends on a number of factors. For example, the risk assessment made by management should provide guidance as to whether internal or external auditors should conduct third-party audits. In instances where specialized knowledge is required to complete the audit, management might prefer the work of a particular external auditor with a specific skill set. Therefore, if outside auditors for a third-party audit are Therefore, employed, then the company should ensure that the independent auditor is qualified to perform the work, that the scope satisfies their own audit objectives, and that any significant reported deficienci deficiencies es are corrected corrected.. TQM pursues the approach of “right first time” and zero-tolerance of waste with the objective of both increasing revenue through improved client satisfaction and decreasing costs with improved efficiency. Continuous improvement is one of the internal audit’s key objectives, and therefore the internal audit activity has a critical role in TQM. Teamwork, training, empowerment, and innovation are key components of TQM.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 17 17 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
A quality audit engagement assesses whether or not a function or unit meets its defined quality standards. If there are no defined standards, then the auditor should coordinate with management to establish quantifiable
37. What are the advantages of a properly implemented and effective TQM?
standards before moving forward with the audit engagement. A properly implemen implemented ted and effective TQM system should result in:
a. Greater customer satisfaction b. Fewer defects and thus less waste c. Improved total productivity d. Reduced costs and thus better profitability 38. What is the scope The scope of an ISO 9000 quality audit covers a number of areas, such as physical location, organizati organizational onal units, of ISO Audit activities and processes to be audited, and the time Engagements? period to be covered. The audit will determine conformity with applicable policies, procedures, standards, laws and regulations, management requirements, contract requirements, and industry or business sector codes of conduct. Preparation for the audit should include a review of the auditee’s documentation, including management system records and previous audit reports. The audit itself includes:
39. What is Due Diligence Assurance Engagements?
• Interviews with employees. • Observations of activities, the work environmen environment, t, and work conditions. • A review of inspection records, records of monitoring programs, and results of measuremen measurements. ts. • Inquiries into the auditee’s sampling programs, control of sampling, and measurement procedures. • Customer and supplier feedback. • Information from databases and websites. Due diligence assurance engagements are often performed for a potential acquisition, joint venture, or divestiture. The purpose of the engagement is to
validate the reasons making transaction identify problems thatfor need to bethe resolved prior or to
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 18 18 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
40. What is Environmental Due Diligence Audits?
undertake the transaction. External professional advisors are normally part of the team, often leading it. Environmental due diligence audits were first developed by lenders to prevent liabilities for propertie propertiess in their loan portfolios. If undetected environmental pollution were to be passed on through the sale, the new property owner might be held responsible for contamination caused or left behind by the previous owners. Therefore, environmental audits have now become standard requirements for all loans and investments in real property. The liability assessment consists of preliminary activities, a site visit, review of records (including prior uses of the land), a regulatory review, a geological and hydrogeological review, and a report. If the liability assessment indicates possible contamination,
confirmation sampling is conducted. For any confirmed contamination, the next step is to characterize and assess the nature and extent of the contamination. It is possible that, as a result of the audit’s findings, the potential liability connected with the land acquisition might be greater than the land’s market value. A physical security audit ensures that an organization’s 41. What is a Physical Security physical facilities are properly secured and that the environment is safe for management and staff. The Audit? audit includes perimeter security, proximity security, and physical security of the premises. Perimeter security auditing requires a review of the 42. What is a Perimeter Security Auditing?
property boundaries and a boundary risk assessment, including documenting risks on a site map. Risks can include rail lines, roads, unsecured access points, improperly lighted areas, power lines, phone lines, and other service access points. All cameras and surveillance equipment should be documented. All guard stations should be identified and assessed as manned or unmanned and noted for the presence (or absence) of barriers, telephone access, emergency panic buttons, and camera surveillance. The auditor should attempt to gain unauthorized access by bypassing the guard station or through “social engineering” (for example, attempting to pass through
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 19 19 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
43. What is a Proximity Security Auditing?
44. What is a Privacy Audit Engagements?
security without credentials). Lighting should be sufficient to deter intruders. Proximity security auditing determines how vulnerable company buildings are by being near certain items or buildings. For example, a proximity security audit might assess how thoroughly vehicles are inspected for weapons or other hazardous materials, the procedures to ensure that visitors have legitimate business in the facility, how well entrances are protected, and whether there is camera surveillance. Privacy concerns exist in all aspects of an organization, from its paper-based records to its internal databases to its policies of data collection on its website. Internal auditors need to make certain that personal information is protected from unauthorized access, both from inside and outside the organization. Furthermore, policies should be in place, in line with all applicable laws, to specify the appropriate instances where disclosure can be made with or without the individual’s consent. Privacy vulnerabilities pose a number of challenges and pitfalls for companies and their customers. For companies, disclosing or losing control of private information could lead to lawsuits, penalties, fines, and (of particular importance) negative publicity. For individuals, unauthorized disclosure of private information could be embarrassing, inconvenient, and cause financial loss (such as damaged credit ratings). Therefore, organizations should spend considerable
resources avoiding these vulnerabili vulnerabilities. ties. During the process of evaluating the privacy framework, the internal auditor should be aware of the following issues: • Compliance with governmental statutory and regulatory mandates. • Documenting compliance with governmental statutory and regulatory mandates. • The organization’s existing policies and procedures. • Protection of personal information. • Cost versus benefits of additional security measures
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 20 20 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
• Ethical imperative of maintaining the confidentiality of private information. 45. What is Financial A financial audit tests the reliability and integrity of Audit reported financial information and determines the degree to which the company’s assets are properly Engagement? safeguarded.
Internal auditors may perform financial audits in areas that are not heavily tested as part of the external audit, or they may look at the efficiency of resource allocation instead of merely accounting for resource usage. Internal and external auditors should coordinate their efforts to optimize audit coverage and minimize duplicated efforts. Financial audits are often performed or arranged in connection with a transaction cycle. The main
46. What is an Audit Risk?
transaction cycles in business are: • Revenue and receivables (cash collections) • Purchasing and payables • Inventory and warehousing • Financial capital and payment • Personnel and payroll Audit risk is calculated by multiplying the chances of each of these three events happening. Each event has an associated risk, and these three associated risks in aggregate make up the complete audit risk. The three associated risks are: 1) Inherent risk (the risk that there is an error in the first place): This risk occurs naturally in a given element of the financial statements or the function being audited. That is, certain assertions are by their nature susceptible to producing or creating material misstatements (assuming that there are no controls in place). For example, pensions and financial instruments have a high level of inherent risk because pension calculations and financial instruments are, by their nature, extremely complex. In other words, the internal auditor cannot reduce the inherent riskiness of pensions or financial instruments. Cash, on the other hand, has low inherent risk.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 21 of 21 of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
2) Control risk (the risk that the internal controls will fail to detect the error): No matter how well designed and operated, internal controls can provide only a reasonable assurance that they will prevent and detect every mistake, because internal controls may fail due to human error, collusion, or management override. Control risk, therefore, refers to the chance that internal controls will fail to detect an error . “High control risk” means that controls are inadequate or faulty. “Low control risk” means that controls are adequate and functional. 3) Detection risk (the risk that the auditor will fail to detect the error): Auditing is the process of reviewing policies and procedures to determine their fitness and effectiveness. However, no matter how thoroughly audits are conducted, there is always the risk that a misstatement or error in the financial statements will not be found because auditors do not test every transaction. Therefore, the presence of even one untested transaction means that there is a risk that a material misstatement will go undetected. “Low detection risk” means that there is a low chance that the auditor will fail to detect an error (meaning that auditor has done a great deal of work and testing). “High detection risk” means that there is a high risk that the auditor will not detect an error (which would be the case if the auditor did not perform a great number of tests). The formula for calculating audit risk is: Audit Risk = Inherent Risk * Control Risk * Detection Risk Inherent risk cannot be influenced because these are risks that are part of the item being tested. Control risk cannot be influenced in the current c urrent period because the audit covers events that have occurred in the past; in other words, controls were already either functioning or not functioning at the time of the transactions.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 22 22 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
Detection risk is the only one of the three risks that the auditor can directly influence. To determine the level of acceptable detection risk, the auditor should begin by assessing inherent and control risk, then solve for detection risk using the audit risk formula. Once
47. What is the relationship between Control Risk and Detection Risk?
48. What are the Financial Statement Assertions?
detection risk is calculated, then the auditor will be able to determine the nature, extent, and timing of the tests that need to be performed. If control risk is reduced, detection risk can be increased without changing the overall level of audit risk. The opposite is also true: an increased control risk means that the detection risk threshold may be lowered while still maintaining the same overall level of audit risk. In other words, control risk and detection risk are inversely related. “Assertions” are the claims that management makes when it presents financial information, and the auditor determines if the assertions are correct. Therefore, most of the work in a financial audit is spent on evaluating and forming an opinion about management assertions. There are five assertions: ass ertions: 1) Completeness. Financial statements contain all required information, and no material financial information has been omitted. 2) Rights and Obligations. Everything Everything that is reported as an asset represents something that the company has rights over, and everything reported as a liability represents a real obligation. 3) Valuation or Allocation. Items reported in the financial statements are valued at the correct amount, and income statement items have been allocated to the proper period. 4) Existence or Occurrence. All balance-sheet items exist, and all income-statement items occurred during relevant period. 5) Statement of Presentation and Disclosure. The formal organization and classification of accounts on the financial statements and disclosures in the accounts, footnotes, and accounting policies conform to generally accepted accounting principles.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 23 23 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 49. What is an Environmental Audit ?
50. What are the types of Environmental Audits?
An environme environmental ntal audit is a systematic, documente documented, d, periodic, and objective evaluation of how well an entity, its management, and its equipmen equipmentt are performin performing g with regards to safeguarding the environment through facilitating management control of environmental practices and assessing compliance with entity policies and external regulation. The IIA Research Foundation has identified seven types of environmental audits: 1) Compliance. These are site-specific reviews of the company’s past, current, and planned practices. The greater the risk from noncompliance with environmental laws to the company, the greater the scope and depth of the audit. 2) Environmental Management Systems. These audits make certain that the company can manage any future environmental risk that might result from changing legislation. 3) Transactional. This is a review of a property prior to its purchase or sale to identify any associated environmental environme ntal risks. 4) Treatment, Storage, and Disposal Facility. This audit follows the documentation of hazardous materials from their creation (or appearance) to their destruction or disposal (that is, the oversight must cover these materials from “cradle to grave”). 5) Pollution Prevention. These audits review the process of eliminating or minimizing the pollution a company generates at its source rather than controlling pollution after it has been created. 6) Environmental Liability Accrual. This process establishes the moment that an environmental liability needs to be accrued on the balance sheet and a corresponding expense entered on the income statement. This procedure is particularly difficult because the precise moment that it should be done is not always clear and the value of these liabilities is subject to interpretatio interpretation. n. 7) Product Audit. This is a review of the production process to determine whether pollutant restrictions are being met.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 24 24 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 51. What are the risk exposures that should be evaluated in Environmental Audits?
52. Define Consulting Services?
The risk exposures that should be evaluated are: • The comprehensiveness of organizational reporting structures. • The likelihood of environmental harm, fines, and
penalties. • Environment-related expenditures mandated by governmental agencies. • The history of injuries and/or deaths related to environmental environme ntal issues. • The loss of customers, negative publicity, and damage to public image and reputation due to an environmentrelated accident. The IIA glossary defines consulting services as advisory and related client service activities, the nature, and scope of which are agreed with the client and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
53. When should consulting services be provided?
54. What is the Independence and Objectivity requirement in Consulting Engagements?
The nature of consulting services must be defined in the internal audit charter. Consulting services may be conducted as either part of the internal auditor’s normal or routine activity or as a special request made by management. Each organization must first consider the type of consulting activities to conduct and then determine the specific procedures procedur es to develop for each type of activity. Internal auditors may provide consulting services relating to operations for which they had previous responsibilities. If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, the disclosure must be made to the engagement client prior to accepting the engagement. While internal auditors can provide consulting services relating to operations for which they have had previous responsibilities, the auditor should still act in an independent and objective manner. To assess the
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 25 25 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
impact that a previous position may have on objectivity, the auditor should consider: • The appropriate requirements and standards of the profession.
55. What is the Due Professional Care requirement in Consulting Engagements?
• Expectations of stakeholders, directors, the audit committee, and legislative bodies. • Any allowances or restrictions restrictions that are in the charter. If the charter prohibits this type of work but management insists anyway, this conflict needs to be brought to the attention of the audit committee for a final resolution. • Disclosures that may be required by standards. • Subsequent audit work, including its scope and coverage. The chief audit executive must decline the consulting engagementt or obtain competent advice and assistance engagemen
of the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. Internal auditors must exercise due professional care during a consulting engagement by considering the: • Needs and expectations of clients, including the nature, timing, and communication of engagement results; • Relative complexity and extent of work needed to achieve the engagement’s objectives; and
56. What is the requirement of communicating the results of Consulting Engagements?
• Cost of the consulting engagement in relation to potential benefits. Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.
The chief audit executive is responsible for communicating the final results of consulting engagements engagemen ts to clients. During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 26 26 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
57. Why should Internal Auditors participate in Internal Control Training ?
organization, they must be communicated to senior management and the board. Internal auditors should participate in internal control training for the following reasons: • To communicate and embed a control awareness within the organization’s operations. The more employees know about the functions of internal controls; the more likely control weaknesses will be identified and corrected in a timely manner. • To decrease fraud. The training should make employees aware of what constitutes fraud and what they need to do if they suspect fraud is occurring. occurring. • To motivate employees to report control deficiencies and weaknesses. • To provide staff support for the organization’s Control Self-Assessment (CSA) program.
It is possible that the internal auditing staff could be involved in a CSA program by conducting training programs. • Financial benchmarks use monetary values to make 58. What are the Financial and comparisons, such as profitability, cost of production Non-Financial per unit, and so forth. • Nonfinancial benchmarks make comparisons using Benchmarks? non-numerical factors, such as the percentage of ontime deliveries or percentage of satisfied customers. 59. What are Internal • With internal benchmarks, a company compares its performance against its own internal divisions, and External processes, functions, or departments. Benchmarks?
60. What is Functional, Competitive and Generic Benchmark?
• With external benchmarks, a company makes an external comparison, most commonly against a competitor. • A functional benchmark is a comparison with organizations that operate within the same technological technologic al area. • A competitive benchmark is a comparison with the best of a company’s competitors. • A generic benchmark compares processes that are virtually the same, regardless of the industry or production line. This type of benchmarking is not as helpful as a comparison of processes that are exactly
the same.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 27 27 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 61. What are the limitations of Benchmarking?
• Effective benchmarks make apples-to-apples comparisons. Companies must make sure that the sources from which they collect benchmarking data are reliable, accurate, and appropri appropriate. ate. Incorrect data leads to comparison errors, causing the company to waste
time reconciling useless data. • Improper benchmarking may cause the company to lose focus on employee and customer wellbeing . Companies that use benchmarking data to produce rapid performance improvements risk causing employee burnout, errors, and low morale. Similarly, a company might anger customers and suppliers if their needs are being ignored for the sake of a benchmark objective. •
62. What is Due Diligence Consulting ?
Regardless
of
the
quality
of
benchmarking
information, the lack of a proper implementation plan will undermine the usefulness of benchmarking. The participation of management and employees is a critical componentt to the success of benchmarking. componen benchmarking. Due Diligence Consulting engagements focus on a company’s internal operation operationss such as: • Controls. • Corporate governance. • Risk assessment and risk management processes. Due diligence consulting engagement may also assess how the company’s operations would contribute to or
detract from the company’s mission and the achievement of its goals and objectives. For any systems development project there are three 63. What should be the Internal Audit basic approaches that internal auditors can take: 1) Traditional audit approach. Internal auditors monitor involvement in in how the project is progressing and report back to System management and the board. Development 2) Consulting approach. Internal auditors advise the project? systems development team on an as-needed basis regarding controls and risk management. 3) Embedded approach. The internal auditor is integrated within the systems development team,
functioning functionin g as a control and risk management expert.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 28 28 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 64. What does Section 404 of the SOX require?
Section 404 of Sarbanes-Oxley (SOX) requires companies to include in their annual reports these two t wo items: • A statement of management’s responsibility for establishing and maintaining adequate internal controls
over financial reporting. • An assessment of the effectiveness of those internal controls. To comply with Section 404, management must 65. What must management do do establish a formal, internal control testing program to to comply with determine the extent to which the design and the requirements operation of activities in the internal control process is sufficient to prevent, or detect and correct, of Section 404? significant misstatements. 66. What is the focus The internal-control evaluation should focus on establishing controls that adequately prevent or of Internal detect material misstatements in financial statements Control Evaluation? 67. Who is responsible for coordinating Internal Audit Efforts with other assurance providers? 68. Why is the coordination between Internal and External Auditors important ?
in a timely manner. The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.
Coordination between external and internal auditors is Coordination important for the following two reasons: 1) Internal auditing continues to become increasingly professionalized, with more internal auditors being full-time internal auditors or former external auditors. As a result, the scope and quality of internal auditing have increased.
69. What are the two
2) The cost of the external audit has risen, and therefore companies are looking for ways to reduce expenses in this area. Having a strong, objective, and competent internal auditor means that the work of the external auditor can be better streamlined and thus less costly. Before the external auditor relies on the internal
things that must be considered by
auditor’s work, however, he or she needs to assess the internal auditor’s competence and objectivity.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 29 29 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
External Auditors before relying on on • Competence is the measure of an IAA’s skills and Internal Auditors? abilities to perform acceptable work. • Objectivity measures the IAA’s capacity to work
70. Can Internal Auditors’ working papers be shared with the External Auditors? 71. Can Internal Auditors’ rely on the work of other assurance providers? 72. What is Assurance Mapping ?
without any influence from management or others in the organizatio organization. n. The CAE can provide copies of the internal audit working papers to the external auditor and to others within the organization. However, the external auditor should not give the internal audit working papers to anyone without the permission of the internal auditor. The decision to rely on the work of other assurance providers can be made for a variety of reasons, including to address areas that fall outside of the competence of the internal audit activity, to gain knowledge transfer from other assurance providers, or to efficiently enhance coverage of risk beyond the internal audit plan. Assurance Mapping is the grouping of all of the assurance providers together and then using the company’s risk management process to identify the “key” risks that need to be assessed. This process allows the company to identify and assess gaps in the risk management process and gives primary stakeholders the reassurance that risks are being managed and reported and that regulatory and legal obligations are being met.
73. What is the requirement of Standard 2020 Communication and Approval?
Assurance Map may may include the following: 1. The identity of the assurance providers 2. Risk 3. Level of assurance 4. Urgency or importance of the issue 5. Action to be taken The chief audit executive must communicate the internal audit activity’s plan and resource require requirements, ments, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 30 30 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 74. What is the requirement of Standard 2060?
75. What is the purpose of KPIs on Internal Audit Activity?
The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance performanc e relative to its plan and on its conformance conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board. KPIs of the internal audit activity provides a platform to discuss issues relative to the internal audit activity and potentially gain board support in making necessary changes. Establishment of KPIs should be done in a group that includes senior management, as well as the board, and there should be a consensus that the KPIs chosen are meaningful and appropriate appropriate..
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 31 31 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
SECTION B PLANNING THE ENGAGEMENT (WEIGHTAGE 20 ) S.No Questions 1. What is the of requirement Standard 2200 Engagement Planning ? 2. What is is needed for planning an engagement?
Answers
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocation. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagemen engagement. t. The following are needed for planning an engagement: • The objectives of the audit. • The scope or extent of the audit. • The resources required to achieve the objectives (for example, financial resources and staffing). • The work program.
work program sho should: uld: What are the An effective work characteristics of effective work • State the objectives of the engagemen engagement. t. program? • Document the procedures procedures that the internal auditor will use to collect, analyze, interpret, and document information during the engagement. • Identify the technical elements, risks, transactions, and processes that will be examined. • State the nature and extent of required testing. • Be prepared prior to the commencement of engagementt work but, with the approval of the CAE, can engagemen be modified during the course of the engagement. 4. What may be the The topics of these meetings might cover: agenda of meeting between • The objectives and scope of work of the planned CAE and engagement. • The timing of the work. management team whose area • The internal auditors who will be performing the work. of responsibili responsibility ty • The communication process throughout the is being audited? engagement, including the methods, time frames, and individuals who will be responsible. • Business conditions conditions and operations of the activity being reviewed, including recent changes in management or major systems. • Any concerns concerns or reque requests sts from managem management. ent. • Any concerns concerns from the in internal ternal auditor.
3.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 32 32 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
5. What does the Standard 2201 – Planning Considerations say?
6. What are the requirements of Standard 2210 – Engagement Objectives?
7. What are the requirements of Standard 2220 – Engagement Scope?
• A description of the final reporting process and the follow-up that will be conducted. In planning the engagement, internal auditors must consider: • The strategies and objectives of the activity that is being reviewed and the means by which the activity controls its performan performance. ce. • The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. • The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model. • The opportunities for making significant improvements to the activity’s risk management and control processes. Objectives must be established for each engagement. – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing engagement objectives. – Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine
whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board. The established scope must be sufficient to satisfy the objectives of the engagemen engagement. t. – The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties. – If significant consulting opportunities arise during an assurance engagement, a specific written understandin understanding g
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 33 33 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
8. What are the requirements of Standard 2240 – Engagement Work Program?
9. What the Engagement Work Program contains?
as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards. – In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagemen engagement. t. – During consulting engagements, internal auditors must address controls consistent with the engagement’s objectives and be alert to significant contro controll issues. Internal auditors must develop and document work programs that achieve the engagement engagement objectives. – Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly. – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement. The engagement work program contains the list of necessary procedures, procedures, and it also serves as a supervisory tool to make sure that all of the required and expected procedures procedur es are performe performed. d. It is important that the work program is prepared and completed before to the start of the engagement (and usually after the preliminary survey) because it is the essential roadmap for completing the audit. The audit program should include:
10. What are the characteristics
• Information about the objectives of the area that is being audited. • A description of the controls that are currently in place. • A description description of controls that should be in place. All audit evidence must be able to stand the tests of sufficiency, reliability, competency, and relevance.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 34 34 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
of Audit Evidence? 11. What is the Sufficiency of Evidence?
12. What is the Reliability of Evidence?
13. What is the Relevant Evidence?
14. What is Useful Evidence?
Sufficiency of the evidence is determined through the auditor’s professional judgment . One method to determine the appropriate level of evidence is to look at the effectiveness of the client’s internal controls and risks. More evidence is needed to determine sufficiency when: • Internal controls are not functioning effectively. • Inherent risk is high. • Materiality is high. Evidence must be reliable, meaning that the auditor can believe and trust the evidence. The most reliable evidence is any information that is obtained directly by the auditor, most often through firsthand observation. However, there is a great deal of information that cannot
be obtained directly and, as a result, the auditor will need to rely on other resources. For information to be considered relevant , it must relate specifically to the item being audited. Irrelevant information can be distracting, distort results, and waste resources. However, an auditor should not automatically disregard or ignore information that on its surface might appear to be irrelevant. Useful evidence is information that helps the organization meet its goals. Locating and identifying useful information informat ion is one of the main goals of the internal audit activity.
15. What are the two There are two main types of auditing evidence: sources of Evidence? 1) Underlying accounting data is primary information that comes from the accounting system, including original documents, journals, ledgers, supporting information,, and the output from the information accounting systems. This type of evidence by itself is not sufficient, and it will always need to be verified with corroborative evidence. 2) Corroborative evidence is secondary information that supports the primary data. It is generally evidence that is obtained from outside the accounting system, and that can be verified with a third
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 35 35 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
16. What are the four types of Evidence?
17. What are the selected Engagement Procedures?
party, such as an invoice, a check, contracts, or similar types of documen documents. ts. There are four types of evidence: 1) Testimonial evidence. Evidence obtained through direct, first-person interviews. 2) Documentary evidence. Evidence in document form. 3) Physical evidence. Evidence-based on physical objects (for example, does the asset exist). 4) Analytical evidence. Evidence that comes from comparing, computing, computing, or otherwise analyzing data. All evidence must be confirmed confirmed,, corrobora corroborated, ted, or otherwise substantiated. There are six categories of procedures: 1) Observing. Observing is a visual examination of a specific item or event by the auditor. It may involve observing a specific document or the application of an internal control procedure. All observations should be described and documented. 2) Questioning. Questioning is usually the best way to determine what a person thinks or feels about a particular subject, and so the auditor may conduct an inperson interview or send out a questionnaire. In-person interviews are the most common approach, but there are potential pitfalls. Interviews require the auditor to create effective questions, develop appropriate follow-up questions (often in immediate response to answers given in an interview), and interpret answers with insight and intelligence. Any information obtained through questioning should be confirmed, if possible, either by other individuals or by other evidence. 3) Analyzing. Analyzing means drawing conclusion conclusionss based on a careful survey of the evidence. In general, analysis involves comparing related items, noting trends in information, and looking at differences between actual and expected results. Effective auditors will be trained in many different methods of obtaining and
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 36 36 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
analyzing evidence to make the strongest, most intelligent judgments possible. 4) Verifying. Verifying is the process of checking one source of information against another. Corroborating evidence is information that supports the facts or assertions found in another piece of evidence. A single piece of evidence may not be sufficient to support a conclusion, but two or more forms of corroborating evidence can support support the conclusion that a fact has been verified. 5) Investigating. Investigating is searching for evidence or facts that are not easily or readily available. When dealing with large volumes of information, the auditor may have to carefully sift through piles of documents, examine electronic records, or conduct extensive research to find a specific piece of information. In some instances, information may have been deliberately hidden, obscured, or destroyed, especially in cases of suspected wrongdoing. In those situations, the auditor will need to employ more aggressive investigative techniques to uncover what has happened. (The search for wrongdoing is called a probe.) 6) Evaluating. In evaluating, the auditor collects all available information, organizes it, and develops a reasoned, documented supported conclusion. In preparing an evaluation, the auditor must rely on a great degree of professional judgment, because there will always be areas where suppositions and inferences must be made. In the case of internal auditing, evaluations are made in respect to financial balances, internal control procedures (whether they are functioning properly and are sufficient), and risk assessment. The process of evaluation will include a number of different consideratio considerations: ns: • The number of deviations. • The size of the deviations. • The reasons why the deviations occurred.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 37 37 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
18. What is the difference between Inductive and Deductive Reasoning?
19. What is Tracing ?
20. What is Vouching ?
• The area in which the deviations occurred. • Whether the deviations will likely occur again. Inductive reasoning begins with a specific item and then draws general, broad conclusions about it. For example, an auditor samples receivables in order to conclude that accounts receivable exist as recorded recorded.. Deductive reasoning begins with a general statement and then draws specific conclusions based on that generality. For example, an auditor performs analytical procedures in order to estimate the accuracy of a particular account balance. In tracing , the auditor starts with a piece of information from a source document and follows it through the accounting records until it reaches the final ledger. This test for completeness makes sure that every event or transaction is appropriate appropriately ly recorded recorded.. Vouching is the opposite of tracing. The auditor starts with an amount in a ledger and searches for the documentation that supports it. This is a test for existence or occurrence, and it makes certain that every event or transaction that has been recorded in the records has occurred. The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
21. What does the Standard 2030 – Resource Management say? Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan.
22. What does the Standard 2230 Engagement Resource Allocation say?
Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan. Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the engagement.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 38 38 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
23. What are the factors that need to be considered while allocating Engagement Resources?
Sufficient refers to the quantity of resources needed to accomplish the engagement with due professional care. Internal auditors consider the following when determining the appropriateness and sufficiency of resources: • The number and experience level of the internal audit staff. • Knowledge, skills, and other competencies of the internal audit staff when selecting internal auditors for the engagemen engagement. t. • Availability of external resources where additional knowledge and competencies are required. • Training needs of internal auditors as each engagement assignment serves as a basis for meeting the internal audit activity’s developmental needs.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 39 39 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
SECTION C CONDUCTING INTERNAL AUDIT ENGAGEMENTS (WEIGHTAGE 40 ) S.No Questions 1. What is a Preliminary Survey?
2. What are the objectives of the Preliminary Survey?
3. What are the factors that Internal Auditor should should consider to maximize the benefits of a preliminary survey?
Answers The preliminary survey (also called an “on -site survey”) is the first step in the audit process. This survey gives the internal auditor an opportunity to start collecting, and become familiar with, the preliminary information about the activity to be reviewed without getting into details. The preliminary survey should accomplish several objectives, allowing the internal auditor to: 1) Become familiar with the client’s • Objective and goals.
Organizational Organization al structure key staff.and supplier •• Operations, facilities, keyand customers, s uppliers. s. • Risk management, control, and governance systems. • Information systems. 2) Concentrate the audit work on significant s ignificant matters. 3) Identify low-risk areas and then reduce the audit time spent on them. 4) Create a cooperative tone for the engagemen engagement. t. The auditor should: • Read all relevant background information, including recent financial results and operational results. • Prepare the questionnaires based on this information and assessment of the risks within the area in question. • Know where or from whom to obtain additional information,, and make appropriate appointments. information • Document the information received in this process. Flowcharting and narratives are two of the more common methods. • Understand the objectives and goals of each part of the operation. • Identify the risks implicit in the areas under review. The review of prior audit reports is valuable because of it:
4. What purpose does the review of prior audit 1) Allows the auditor to become familiar with the audit reports serve? subject.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 40 40 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
2) Shows how other auditors approached the assignment. 3) Helps the auditor decide the scope of the current audit. 4) Identifies problem areas. 5) Identifies areas that may need additional evaluation. 6) Reveals whether or not the action was taken on past recommendations. There are four types of interviews for the various stages of the information information-gathering -gathering process:
5. What are the types of Interviewing for Information 1) Preliminary. This interview establishes a relationship with interviewees, helps them feel comfortable with the gathering auditor, and sets the groundwork for the importance of process? the process. 2) Fact-gathering. During this interview, facts are collected about a specific situation. 3) Follow-up. The auditor gathers additional information to clarify issues that were raised in previous interviews. 4) Exit. The auditor conducts final checks to verify the accuracy of the information. information. The auditor can decrease the anxiety commonly 6. How can the associated with the interview process by: auditor decrease • Explaining how the engagement may be helpful to the anxiety with individual. the interview • Emphasizing that everyone is on the same team and process? working toward the same goals. • Demonstrating an understanding of the individual and the situation. • Listening sympathetically and resisting the impulse to 7. When should surprise interviews be done? 8. Can Interviews be recorded?
criticize immediately or nitpick. Surprise interviews should be conducted only in the case of fraud interviews or any other circumstance in which it is critical that the interviewee does not have time to prepare. Under certain circumstances, interviews may sometimes be recorded. However, audio or video recordings should be made only if it absolutely necessary and only with the agreement and permission of the interviewee. The auditor should keep in mind that the presence of a recording device has the potential to make people uncomfortable, hesitant, and more closed with their answers.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 41 41 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 9. Define Audit Sampling ?
10.
11.
12.
Audit sampling is defined as, the application of audit procedures to less than 100 percent of items within a class of transactions or account balance such that all sampling units have a chance of selection. The population is defined as, the entire set of data from which a sample is selected and about which the internal auditor wishes to draw conclusio conclusions. ns. Define Sampling risk is defined as the risk that the internal Sampling Risk? auditor’s conclusion based on a sample may be different from the conclusion if the entire population was subjected to the same audit procedure procedure.. Internal auditors must base conclusions and engagement What is the requirement of results on appropriate analyses and evaluations. the Standard 2320 – Analysis and Evaluation? Sufficient , in that the information is factual, adequate, and Define convincing so that a prudent, informed person would Sufficient, reach the same conclusions as the auditor. Reliable, Relevant and Reliable, in that the information is the best attainable Useful Information? information through the use of appropriate engagement techniques. Relevant , in that the information supports engagement observations and recommendations recommendations and is consistent with the objectives for the engagement.
13. What is Statistical Sampling ?
Useful, in that the information helps provide assurance that the organization will meet its goals. Statistical sampling (e.g., random and systematic) involves the use of techniques from which mathematically constructed conclusions regarding the population can be drawn.
Statistical sampling allows the auditor to draw conclusions supported by arithmetic confidence levels (e.g., odds of an erroneous conclusion) regarding a population of data output. It is critical that the sample of transactions selected is representative of a population. Without ensuring that the sample represents the
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 42 42 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
14. What is NonStatistical Sampling ?
15. What are the prerequisites of Statistical Sampling?
population, the ability to draw conclusions based on the review of the sample is limited, if not erroneous. The internal auditor should validate the completeness of the population to ensure that the sample is selected from an appropriate data set . Non-Statistical sampling is an approach used by the auditor who wants to use his or her own experience and knowledge to determine the sample size. Non Statistical sampling (e.g., judgmental) may not be based objectively and, thus, results of a sample may not be mathematically supportable when extrapolated over the population. That is, the sample may be subject to bias and not representative representativ e of the population. The purpose of the test, efficiency, business characteristics, inherent risks, and impacts of the outputs are common considerations the auditor will use to guide the sampling approach. NonStatistical sampling may be used when results are needed quickly and needed to confirm a condition rather than being needed to project the mathematical accuracy of the conclusions. Statistical sampling requires the following:
1) Training the auditors in the necessary methods. 2) Designing the samples to meet the statistical requirements. 3) Selecting the items to be tested. Attributes sampling tests for the existence of a specific 16. What is characteristic. In many situations, attribute sampling is Attribute Sampling (Test (Test used to test compliance with a specific procedure or of Controls)? 17. What is Variable Sampling (Substantive Testing)? 18. What is Sampling Risk?
19. What are the two types of Sampling Risk?
control. Variables sampling is used when the auditor is testing for the amount of a certain item.
Sampling risk is defined as the risk that the internal auditor’s conclusion based on a sample may be different from the conclusion if the entire population was subjected to the same audit procedure procedure.. There are two types of sampling risk: • Incorrect acceptance — the risk that the attribute or assertion tested is assessed as unlikely when,
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 43 43 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
in fact, it is likely.
21. What are the Expected Errors? 22. Explain the Risk of Incorrect Acceptance?
• Incorrect rejection — the risk that the attribute or assertion tested is assessed as likely when, in fact, it is not likely. Tolerable errors are the maximum numbers of errors that the auditor is willing to accept and still reach a conclusion that the underlying assertion is correct. This is not always the auditor’s decision and may be determined by the nature of the business, consultation with management or best practices. In some cases, an error of one will not be tolerable. Expected errors are errors that the auditor expects in the population based on prior audit results, changes in processes, and evidence/conclusions from other sources. In attribute sampling , the risk of incorrect acceptance is the risk that the auditor will test the sample and determine that the control is working when in fact the control is not working.
23. Explain the Risk of Incorrect Rejection?
In variables sampling , the risk of incorrect acceptance is the risk that the auditor will test a sample and determine that the balance is correct when in fact it is not. In attribute sampling , the risk of incorrect rejection is the risk that the auditor will test the sample and determine that the control is not working when in reality the control is working.
20. Define Tolerable Error?
In variables sampling , the risk of incorrect rejection is
24. On what factors the Sample Size depends?
the risk that the auditor will test a sample and determine that the balance is not correct when the balance is actually correct. Some considerations for the sample size are: • Audit objectives. The auditor needs to ensure that the population and the sample of the population will help achieve the objective. • Nature of the population. The auditor must be aware of both the size and variability of the population. The larger the population, the larger the sample needs to be.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 44 44 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
• Sampling and selection methods. It is important that the methods that are used help achieve the objectives. • Level of sampling risk the auditor is willing to accept. The amount of risk the auditor is willing to accept and the size of the sample are inversely proportional. That is, the lower the acceptable risk of error, the larger the sample size will need to be. Tolerable Deviation Rate in the Population. This figure reflects the number of deviations that can be found within the sample and still conclude that it is correct. The lower the acceptable number, the larger the sample needs to be.
25. What are the methods for selecting the sample?
• Expected error in the population. The larger the expected error in the population, the larger the sample size needs to be. • Judgmental (Haphazard) Sampling. With this method, the auditor uses professional judgment to determine the size of the sample and then selects the items to be tested without any bias or particular reason for excluding or including an item. This method can be used only in nonstatistical sampling . • Random Number Sampling. With this method, the auditor uses a random number generator to select the items to be tested. Random number sampling uses tables of digits that have been scientifically randomized. This method is done without bias, and each item has an equal
chance of being selected. If random number sampling is done with replacement , the auditor puts each selected item back into the population, meaning that the same item may be selected multiple times. This method requires a larger sample size, and so most auditors prefer to do random number sampling without replacement . • Stratified Sampling. With this method, the auditor breaks the population into different levels based on the size of the items within the population . Within each of these strata, the auditor determines a separate testing
method. The primary goal of stratified sampling is to reduce the effect of variances within the population by
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 45 45 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
making more populations populations of similar items. As a result, this method is most useful when the items within the population are diversified (that is, very different from each other). • Systematic Sampling. With this method, the auditor selects a starting point within the population and then determines an interval. For example, if the auditor determines that the interval is every fifteenth item, he or she begins at the designated starting point and then selects every fifteenth item for testing.
26. What is Stratification?
27. What are the main methods of Attribute Sampling ?
• Block Sampling. With this method, the auditor chooses a block or group of items within the population. Block sampling makes it easier to locate individual items to include in the sample. Furthermore, it is best used to test the application of a new control or a control over time. Stratification is the process of segregating a population into homogenous subpopulations explicitly defined so that each sampling unit can belong to only one subpopulation depending dependin g on the criteria used for stratification. Auditors use attribute sampling to test internal controls. The main methods of attribute sampling are:
1) Acceptance Sampling. This is a quality control tool that classifies an item as either acceptable or unacceptable. For example, a document is either properly authorized (acceptable) or not (unacceptable (unacceptable). ). 2) Sequential Sampling. This is used when the sample follows a number of steps or includes a number of requirements, requirem ents, any of which would lead to a deviation if one of the steps or requireme requirements nts is not correct. For example, a document has been properly authorized and also sent to the proper recipient. 3) Discovery Sampling. Discovery sampling tests for fraud, and thus it is an investigative technique. The auditor looks for any single deviation on the assumption that there are no mistakes in the population. To this end, the auditor determines the size that the sample needs to be in order to achieve a certain level of confidence that the error rate is sufficiently low.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 46 46 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
28. What should the auditor do if an error is discovered in a sample?
29. What are the methods of Variable Sampling ?
4) Stop-or-Go Sampling. This method is used to reduce the sample size by testing only enough items to prove that the rate of deviation is less than the acceptable rate of error. If an initial sample does not support the estimation of the population, then the sample size is enlarged until the auditor has proven that the sample deviation is less than the tolerable deviation. This sampling technique minimizes the sample size whenever a low rate of noncompliance is expected. Whenever the auditor selects and tests a sample, there is the chance that the sample will contain errors. If an error is confirmed, the auditor should perform additional testing to determine: • Is the error isolated, or connecte connected d to other errors? • Are many small immaterial errors combing to create a material error? • Is there a control weakness that could allow other errors? • Is the population as a whole correct, or not? There are three methods of variables sampling:
1) Mean-per-Unit Sampling. The auditor tests a sample of items, obtains the audited value of these tested items (verified by the audit) and calculates an average amount per item. This average amount per item is then multiplied by the number of items in the population. The auditor audi tor does not need to know the book value (or recorded value) of the sample items. 2) Difference Estimation. The auditor finds the average difference between the book value (or recorded value) and the audited amount of the items in the sample (verified by the audit) and then multiplies this average error by the number of items in the population. Finally, the auditor determines if the account is reasonably stated. 3) Ratio Method. The auditor determines a ratio between the book amounts (or recorded value) of the sample and the audited amounts of the sample (verified by audit) and then apply this ratio to the population as a whole. This
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 47 47 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
30. What is Probability Proportional to size Sampling (PPS)?
method is most effective when the book and audited values are similar. Probability-Proportional-to-Size Sampling , also called dollar-unit sampling or monetary-unit sampling, is a form of variables sampling where the auditor uses the dollars within the population instead of the number of invoices or some other identifier of each account or invoice. This type of sampling is often used with very diverse values or amounts because this method automatically stratifies the population. In the case of PPS being used to test accounts receivable, the population would be made up of the number. PPS has two unique characteristics that are important to consider in determining whether or not it should be used: 1) PPS automatically stratifies the population because the largest items will have the most likelihood of being selected and the smallest items the least chance. Therefore, it is a useful method when working with a diverse population population.. 2) PPS is more effective in the detection of overstatements rather than understatements because the smaller the item is, the less likely it is to be tested. Furthermore,, a zero-balance Furthermore zero-balance item (or an item that has not been recorded) has no chance of being selected for testing. For this reason, PPS is a better test for assets than for liabilities because assets are more likely to be
31. What are Computerized Assisted Audit Techniques (CAAT)? 32. What is Data Mining and and Extraction?
overstated. 1) Generalized Audit Software (GAS) 2) Utility Software 3) Application Software for Tracing and Mapping 4) Expert Systems Software Data mining is the process of looking for patterns or other useful information, usually from an enterprise-wide database or a data warehouse. Extraction refers both to extracting data and extracting patterns or knowledge from the data to produce useful business information information..
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 48 48 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 An embedded audit module is a process built within a 33. What is an Embedded regular production program that conducts special Audit Module? auditing tasks. It is easier to develop embedded audit modules when a program is developed rather than adding it later. During the course of regular data processing, the embedded module selects and records specific data for later analysis and evaluation by an auditor. Embedded Audit Modules Modules also allow continuous monitoring . Automated working papers are computer-base computer-based d audit 34. What is Automated papers that make the audit documentation much easier Working than using written, manually-prepared work papers Papers? because the auditors will enter the results of their testing directly into the computer. By entering directly into the automated work papers, all of the work papers are automatically cross-referenced, cross-referenced, adjusted, and balanced by the computer as new information is entered. 35. What are the The advantages of automated working papers are: advantages of • A reduction in Automated in the risk of cle clerical rical and math e errors. rrors. Working • Neater and more organized working papers that are easy Papers? to review. • Easier adjustments to the work papers. • Standard work paper forms do not need to be created and prepared for each engagement. • The working papers can be easily accessed from multiple locations, making the review process much more efficient. Extended records refer to the technique of modifying a 36. What is an Extended program to tag specific transactions and then saving all of Record the processing steps in an “extended record,” which technique? 37. What is a Snapshot technique?
38. What is Mapping ?
permits an audit trail to be reconstructed from one file for those transactions. The snapshot technique “takes a picture” of a transaction as it is processed. Program code is added to the application, instructing instructing it to save the contents of selected memory areas. A snapshot is used commonly as a debugging technique. As an audit tool, snapshots can be used only for transactions that exceed predetermined limits. Mapping uses special software to monitor the execution of a program by counting the number of times each program statement in the program is executed. Originally, mapping was a technique for program design and testing, but auditors began using it to determine if program
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 49 49 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
statements were being executed. Mapping, therefore, makes sure that the program that is running matches the code that was written and has not been changed. It can also locate “dead” code that is not being used and can flag code that might be used for fraudulent purposes. In tagging and tracing , certain transactions are identified 39. What is Tagging and when they are input (tagged) and then followed through and Tracing ? the computer system until they are output (traced). This process enables the auditor to confirm that all of the procedures procedur es were applied to a specific transaction. Tracing provides a detailed audit trail of all the instructions executed by a program. A single trace can produce thousands of output records, so the auditor must take care to limit the number of transactions that are tagged. Tracing might verify that internal controls in an application are being executed as the program is processing data (either live data or test data). A trace may also reveal sections of unexecuted program code, which can indicate incorrect or unauthorized modifications made to the program. The auditor receives a verified copy of the processing 40. What is program that the auditee is using and then runs the Controlled Reprocessing ? information or transactions through the verified program. The results of this test are compared to the actual results. There are three main methods that the internal auditor 41. What are the methods to test can use to test that the computer system properly processes data: the computer system? • Test data approach • Integrated test facility (ITF) • Parallel simulation The objective of the test data approach is to verify the 42. What is Test Data processing accuracy of programs and any programming Approach? changes. Test data is information prepared by an auditor that contains both valid (correct) and invalid (incorrect) data, whether real or fictitious. Next, the input is processed manually to determine the correct output. Then the auditor tests the data processing on a client’s computer that is under the auditor’s direct control. After processing the test data electronically, the auditor compares the manually processed results with the electronically-processed electronic ally-processed results to determine accuracy.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 50 50 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 43. What is an Integrated Test Facility?
44. What is Parallel Simulation?
45. What are the requirements of Standard 2310 –
An Integrated Test Facility (ITF) is used to audit large computer systems that employ real-time processing. An ITF uses test data and fictitious test entities that are processed concurrently with real transactions. Therefore, the main difference between the test data approach and an ITF is that the test data in an ITF is processed alongside real data. By utilizing an ITF, the auditor can be sure that the test data is being processed by the same system as the “live” data. Only the auditor knows which entries are fictitious. Careful planning is required to make sure that ITF data does not become mixed in with the real data. Therefore, fictitious transactions have to be excluded from the normal outputs of the system. This exclusion may be done manually or by modifying the application programs. Either way, the fictitious transactions must be identified by special codes so they can be segregated from the real data. There are costs involved in developing an ITF; however, after the initial expenditu expenditures, res, ongoing operating costs are low because there is no special processing required and thus no interruption of normal computer activity. Parallel simulation uses real data (rather than test data) and processes it through test or audit programs. The output from the parallel simulation is then compared with the output from the real processing. Parallel simulation is expensive and time-consuming, and thus it is usually limited to sections of an audit that are of major concern and are important enough to require an audit of all transactions. Because parallel simulation is done with test programs, it can be done on a computer other than the one used for the real processing. However, the auditor should make sure that the live system used for processing is the one that is used all the time, and not one that has been swapped in for the audit (perhaps because the normal system is committing fraud or bypassing controls). Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.
Identifying Information?
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 51 51 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 46. What are some of the process mapping methods? 47. Define Flowchart ?
48. What is a Systems or Horizontal Flowchart?
Some process mapping methods are flowcharts, data flow diagrams, and narratives.
Flowcharts are diagrams that create a visual representation of processes or events, usually through text boxes and arrows representing chains of command or orders of events. Flowcharts are effective in detailing a company’s internal controls or any other related process. They also enable the auditor to identify areas where internal controls are required. A systems or horizontal flowchart. This type of flowchart shows the different departments or functions involved in a process and clearly outlines the segregation of duties. Furthermore, it documents both manual and computer processes as well as the input, output, and processing steps.
A horizontal horizontal flowch flowchart art identi identifies fies specifi specific c control points in the system. A control point is a point in a process where an error or irregularity is likely to occur, thereby creating a need for control. A program or vertical flowchart. This type of flowchart 49. What is a Program or depicts the specific steps in the process and how they are Vertical executed. It does not usually show the system components compone nts as clearly as a horizontal flowchart. This type Flowchart? of flowchart is not commonly used, having been replaced by other more effective techniques. 50. What is a Data A data flow flow diagra diagram m is a graphical notation o off the path and Flow Diagram? transformation of data as it moves through an information system (as compared to flowcharts, which focus on control flow). The five basic elements shown in a data flow diagram are:
51. What are Narratives?
1) Data Sources. Where the information comes from. 2) Data Destinations. Where the information goes. 3) Data Flows. How the data gets there. 4) Transformation Processes. What happens to the data. 5) Data Storage. How the data is stored long-term. With the narrative approach, controls and their descriptionss are written out. description Advantages of the narrative approach:
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 52 52 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
1) It can be tailored-made for each process. 2) It requires a detailed analysis and thus forces the reviewer to understand the structure of the function.
52. What are Spaghetti Maps?
53. What are the uses of Analytical Procedures?
54. What are the factors that Internal Auditors consider while using the Analytical Procedures?
55. What purpose does the
Disadvantages of the narrative approach: 1) The narrative may be time-consum time-consuming ing to create. 2) The narrative may become long and cumbersome to read. 3) Weaknesses in the system are not always obvious. 4) The reviewer may overlook important portions of internal control. Spaghetti diagrams create a dynamic visual representation of physical items moving through a system using colored lines and direction arrows to represent the way that various sites interconnect. An analyst can use a spaghetti diagram to analyze a given process to identify inefficient pathways and to suggest improvements. Analytical procedures procedures are use useful ful in identifying: identifying: • Unexpected differences. • The absence of differenc differences es when they are expected. • Potential errors. • Potential fraud or illegal acts. • Other unusual or nonrecurring transactions or events. Internal auditors may use analytical procedures to generate evidence during the audit engagement. When determining the extent of analytical procedures , the internal auditor considers the: • The significance of the area being audited. • Assessment of risk managemen managementt in the area being audited. • Adequacy of the internal control control system. • Availability and reliability of financial and nonfinanc nonfinancial ial information. • The precision with which the results of analytical audit procedures can be predicted. • Availability and comparability of informatio information n regarding the industry in which the organization operates. • The extent to which other procedures provide evidence.
Engagementt working papers generally: Engagemen
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 53 53 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
Engagement Working Papers serve?
56. What are the contents of Working Papers?
57. What risks does the Electronic Working Papers pose?
• Aid in the planning planning,, performanc performance, e, and review of engagements. • Provide the principal support for engagement results. • Document whether engagement objectives were achieved. • Support the accuracy and completeness of the work performed. • Provide a basis for the internal audit activity’s quality assurance and improvement program. • Facilitate third-party reviews. The working papers should include documentation of the following parts of the engagemen engagement: t: • Planning. • The examination and evaluation of the internal control system. • The procedures performed, the evidence obtained, and the conclusions reached. • The review process. • Communications from the engagement client. • Any necessary follow follow up. Electronic working papers present specific securityrelated issues: • Data Protection. Electronically-stored information is always at risk of being irretrievably lost. Therefore, the company needs procedures for the regular and consistent backup of electronic data. These backups should be stored in an offsite location, and proper security needs to be
maintained over both the backups and the original data source. • Data Access. Because electronic information can be accessed through internal networks and the Internet, the company needs to have sufficient identification checks and passwords to restrict access. • Changing Data. It is important that only authorized people have the ability to change files. Accordingly, there must be different levels of access, usually controlled by passwords. Some people will have read-only access, while
others will be able to change data. Generally, only the
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 54 54 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
58. What are the types of Working Paper Files?
59. What are the items that are kept in the Permanent Working Paper File?
person who created a file should have the ability to make changes to it. There are two main types of files in which working papers are stored. 1) The current file contains all documents related to the current year’s engagement. 2) The permanent file contains documents relevant to multiple engagements engagements across several years. Items that are commonly kept in the permanent file are: • Communications and reports from previous engagements. • Results of reviews done after the engagement is completed. • Chart of accounts. • Updated organizational charts. • Long-term contracts. • Debt agreements. • Share documen documentation. tation. • Historical financial information information.. • Management reports. • Corporate charter and other corporate documents. • Significant correspondence related to the engagement.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 55 55 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
SECTION D COMMUNICATING RESULTS AND MANAGING PROGRESS (WEIGHTAGE 20 ) S.No 1.
2.
3.
Questions What are the requirements of Standard 2400 – Communicating Results?
Answers Internal auditors must communicate the results of engagements. engagemen ts. Topics of discussion may include:
What are the contents of the Final Report ?
The Final Report must contain the purpose, scope, and results of the engagement. Also, where appropriate, the report should contain the internal auditor’s overall opinion.
What are the requirements of Standard 2410 – Criteria for Communicating ?
• Planned engagement objectives and scope of work. • The resources and timing of engagement work. • Key factors affecting business conditions and operations of the areas being reviewed, including recent changes in internal and external environment. • Concerns or requests from management.
The final communication may also include improvements that have been made or implemented by the auditee since the last engagement. Communications must include the engagement’s objectives, scope, and results. Final communication of engagement results must include applicable conclusions, conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information. Opinions at the engagement level may be ratings, conclusions, or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk, or business unit. The
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 56 56 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
4.
5.
6. 7. 8.
9.
formulation of such opinions requires consideration of the engagemen engagementt results and their significance. Purpose Statements describe the engagement What is the objectives and may inform the reader why the objective of Purpose engagement was conducted and what it was Statements? expected to achieve. Scope Statements identify the audited activities and What is the may include supportive information such as time objective of Scope Statements? period reviewed and related activities not reviewed to delineate the boundaries of the engagement. They may describe the nature and extent of engagement work performed. What is included in Results include observations, conclusio conclusions, ns, opinions, Result Statements? recommen recommendations, dations, and action plans. Any scope limitations limitations should also be reported reported.. When the scope A “scope limitation” occurs when the auditor is limitation arises? unable to perform all of the required procedures. The internal auditor may communicate engagement Can the Internal Auditor client accomplishments, accomplishments, in terms of communicate the improvements since the last engagement or the engagement client establishment of a well-contro well-controlled lled operation. This accomplishments? information may be necessary to present the existing conditions fairly and to provide perspective and balance to the engagement final communications. Communications Communicati ons must be accurate, objective, clear, What is the requirement of the concise, constructive, complete, and timely. Standard 2420 – Quality of Accurate communications are free from errors and Communication? distortions and are faithful to the underlying facts. Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and a balanced assessment of all relevant facts and circumstances. Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information. Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, redundanc y, and wordiness.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 57 57 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed. Complete communications lack nothing that is essential to the target audience and includes all significant and relevant information and observations to support recommendations and conclusions. Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action. The person reviewing the reports should focus on 10. What is the appropriateness. teness. responsibility responsibili ty of the readability, correctness, and appropria • Readability refers to the clarity of the writing. person reviewing the reports before • Correctness refers to accurate grammar and punctuation. its release? • Appropriateness refers to the tactfulness and objectivity of the report and the correct balance given to major and minor observations. 11. What is the If a final communication contains a significant error requirement of the or omission, the chief audit executive must Standard 2421 – communicate corrected information to all parties Errors and who received the original communication. Omissions? Interim reports are communications communications that are issued 12. What purpose do before the final report . They may be written or oral the Interim Reports serve? and are used to communi communicate cate the following: • Information that requires immediate action. • A change in the scope of the engagement. engagement. • The status of the project (if it is a long-term plan).
13. What are the advantages of Oral Communication?
An interim report does not eliminate the need for a final report. there are advantages to oral communication communication:: • Timeliness. • Opportuni Opportunities ties for immediate feedback. • Clients are able to respond in real-time. • Improved relationships (due to face-to-face
interaction).
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 58 58 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
14.
15.
16.
17.
18.
19.
• Incorrect information or misunderstandings can be immediately addressed. One drawback of a strictly spoken engagement is What is the disadvantage of that, in the absence of notetaking or recording, there is no permanent record of the conversation, Oral Communication? which might lead to later discrepancies and disagreements. What are the Recommendations are based on the internal Recommendations? auditor’s observations and conclusions. They call for action to correct existing conditions or improve operations and may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. Recommendations can be general or specific. The chief audit executive must communicate results What is the to the appropriate party. requirement of Standard 2440 – Disseminating The chief audit executive is responsible for Results? reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility. Who is responsible The chief audit executive is responsible for communicating the final results to parties who can for Disseminating ensure that the results are given due consideration consideration.. Results in case of Assurance Engagements? Who is responsible The chief audit executive is responsible for for Disseminating communicating the final results of consulting Results in case of engagements engagemen ts to clients. Consulting Engagements? During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization,, they must be communicated to senior organization management and the board. There are 2 objectives of the Exit Conference: What are the objectives of the Exit Conference? • The client confirms that they understand the report. It is possible that the client may not have seen the full report before the exit conference, but its general tone and findings should not come as a
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 59 59 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
surprise. The internal auditor should keep the client updated throughout the engagement. • Action plans should be developed if the engagementt identified any problems. engagemen
20. To whom the CAE should distribute the final engagement ?
21. What are the factors that must be considered by CAE while distributing reports outside the organization? 22. What does the Standard 2600 – Resolution of the Senior Management’s Acceptance of Risks say?
The exit conference is a presentation of findings and a confirmation that everything in the report is factually correct. It is not a negotiation between the internal auditor and the client about the contents of the report. The CAE should distribute the final engagement communications to those members of the organization who will give the results all due consideration. This distribution list will usually include the manager in charge of the audited function as well as any other managers or individuals who are in a position to enact the recommended changes. In cases where senior management is guilty of wrongdoing, wrongdoin g, the report needs to go directly to the board. The CAE must: • Assess the potential potential risk to the organization. organization. • Consult with senior management and/or legal counsel as appropriate appropriate.. • Control dissemination by restricting the use of the results. When the CAE believes that senior management has accepted a level of residual risk that is unacceptabl unacceptable e to the organization, the CAE must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the CAE must report the matter to the board for resolution.
The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 60 60 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019 23. What is the requirement of Standard 2500 – Monitoring Progress?
24.
25.
26.
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. In Assurance Engagement, the chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented implemented or that senior management has accepted the risk of not taking action.
In Consulting Engagement, the internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client. What are the To effectively monitor the disposition of results, the procedures chief audit executive (CAE) establishes procedures implemented implemen ted by the to include: CAE to monitor progress? • The time frame within which management’s response to the engageme engagement nt observations and recommendations are required. • Evaluation of management’s response. • Verification of the respo response nse (if approp appropriate). riate). • Performance of a follow-up engagement (if appropriate). • A communi communications cations process that escalates unsatisfactory responses/actions, including the assumption of risk, to the appropriate levels of senior management or the board. Follow-up is a process by which internal auditors What is a Followup process? evaluate the adequacy, effectiveness, and timeliness of actions taken by management on reported observations and recommendations, including those made by external auditors and others. This process also includes determining whether senior management and/or the board have assumed the risk of not taking corrective action on reported observations. On what factors The chief audit executive (CAE) determines the does the nature, nature, timing, and extent of follow-up, considering timing, and extent the following factors: of follow-up
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 61 of 61 of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
procedures depend?
27. What are the reasons that client overlook the recommendations proposed by Internal Auditors?
• Significance of the reported observation or recommendation. • Degree of effort and cost needed to correct the reported condition. • Impact that may result should the corrective action fail. • Complexity of the corrective action. • Time period involved.
The appropriate follow-up for a consulting engagement must be discussed and agreed with the client. The extent of the monitoring effort depends on various factors, including management’s explicit interest in the engagement and the internal auditor’s assessment of the project’s risks or value to the organizatio organization. n. Clients might overlook recommendatio recommendations ns because: • More resources were needed for implementation than were expected or were available. • The expected costs of implementation may have increased. • The expected benefits of implementation may have decreased. • The client determined that the implementation would not have worked. • The client has misperceptions about the costs and/or benefits of the recommendations.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 62 62 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
BOOKS WRITTEN BY MUHAMMAD ZAIN Other books written by him in chronological order can be found on the following link: 1. Certified Management Accountant (CMA) – Part 1 – 2019 https://drive.google.com/file/d/1c0vXo5nz8cBEYJe7dJ6qhn07SC50edo3/view?usp =sharing =sharing
2. Certified Management Accountant (CMA) – Part 2 – 2019 https://drive.google.com/file/d/1BcskFUzXOYFJZVE08-kvGoaF7znUNeGu/view https://drive.google.com/file/d/1BcskFUzXOYFJZVE08-kvGoaF7znUNeGu/view
Certified Internal Auditor (CIA) – Part 3 – 2019 3. https://drive.google.com/file/d/1XFhUDWzjQIWaWtX5GwYU5xfT8kNlBTrp/view
4. Certified Internal Auditor (CIA) – Part 1 – 2019 https://drive.google.com/file/d/1qCy7evY5U09d1GVVwmwCcRZ0U-j03Equ/view
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 63 63 of of 64 64
CIA PART 2 PRACTICE OF INTERNAL AUDITING 2019 2019
QUOTES THAT WILL CHANGE YOUR LIFE I have always have been fascinated by some of the quotes which I would like to share: 1. Excellence, Creativity, and Passion are key ingredients to become a Star. 2. Get up and Hustle. Chase your dreams. Turn your dreams into reality by showing up every day. 3. Have Confidence. You can do it. You have the capacity and potential to reach the top. Just believe in your abilities and chase your dream. Dream is what seen by an open eye, not with the closed one. 4. Dreams don’t work unless you do. do. 5. What we learn becomes a part of who we are. 6. The right way to start your day is to focus on end goal. 7. Sometimes the bad things that happen in our lives put us directly on the path to the best things that will ever happen to us. 8. A creative man is motivated motivated by the desire to achieve, not by the desire to beat others. others. 9. Twenty years from now you will be more disappointed by the things that you didn’t do than by the ones you did do. So throw off the bowlines. Sail away from the safe harbor. Catch winds your sails. Dream. Discover. 10. It doesthe nottrade matter h owinslow how you go.Explore. So long as you don’t stop. stop. 11. It is never too late to begin. 12. If it scares you, it might be a good thing to try. 13. There is only you and your camera. The limitations in your photography are in yourself, for what we see is what we are. 14. Creativity is Intelligence having fun. 15. All progress takes takes place out of com comfort fort zone, so when are you you starting. 16. Everything you have ever wanted is on the other side of fear. 17. The will to win, the desire to succeed, the urge to reach your full potential – these are the keys that will unlock the door to personal excellence. 18. The reason most people never reach their goals is that they don’t define them, or ever seriously consider them as believable or achievable. Winners can tell you where they are going, them. what they plan to do along the way, and who will be sharing the adventure with 19. When everything seems to be going against you, remember that the airplane takes off against the wind, not with it. 20. Unexpected kindness is the most powerful, least costly and most underrated agent of human change. 21. Sometimes courage is the quiet voice at the end of the day saying I will try again tomorrow. 22. Sometimes you win, sometimes you learn. 23. Do something today that your future self will thank you for. 24. The past has no power over the present moment. So forget about your failures and start a new day. 25. Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no help at all.
From the Desk of Muhammad Zain – Founder Founder of Zain Academy Page 64 64 of of 64 64
