INTERNAL AUDIT CHAPTER

Q-5: What is the difference between internal assurance services and internal consulting services?

The differences between internal assurance services and internal consulting services:

- Internal assurance services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
- Internal consulting services: Advisory and related [customer] service activities, the nature and scope of which are agreed with the [customer], are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.

Q-6: What is the difference between independence and objectivity as they pertain to internal auditors?

The differences between independence and objectivity as they pertain to internal auditors:

- Independence: The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
- Objectivity: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors not subordinate their judgment on audit matters to others.

Q-11: What types of procedures might an internal auditor use to test the design adequacy and operating effectiveness of governance, risk management, and control processes?

Types of procedures that an internal auditor uses to test the design adequacy and operating effectiveness of governance, risk management, and control processes:

- Analytical procedure

Q-19: Why is it imperative that internal auditors have integrity?
Internal auditors must have integrity because the users of their work products rely on the internal auditors' professional judgments to make important business decisions. These stakeholders must have confidence that internal auditors are trustworthy.

Q-21: What are the three common ways individuals enter the audit profession?

- Many individuals enter the internal audit profession directly out of school.
- Others switch to internal auditing after beginning their careers in another area of the organization or in public accounting.
- Some organizations require prospective managers to spend time working in internal auditing as part of their management trainee program.

D-4: Prim Rose owns five flower shops in the suburbs of a large Midwestern city. Each shop is managed by a different person. One of the tests Prim performs to monitor the performance of his shops is a simple trend analysis of month-to-month sales for each shop. Assume that Prim's analysis of the reported sales performance for his flower shop on Iris Street shows that monthly sales remained relatively consistent from January through June. Should Prim be pleased or concerned about the sales performance report for the shop on Iris Street over this six-month period? Explain.

Prim should be concerned about the sales performance report for the shop on Iris Street over a month period, especially if consistency in sales is low, as this would imply that the shop is not earning and is merely returning its expenses. By doing so, they could come up with the necessary strategies to improve their sales.

CHAPTER 12

Q-2 What are the phases of the assurance engagement process?

- Planning
- Performing
- Communication

Q-3 What steps are included in the planning phase of an assurance engagement?
- Determine engagement objectives and scope
- Understand the audit, including audit objectives and assertions
- Identify and assess risks
- Identify key controls
- Evaluate adequacy of control design
- Create a test plan
- Develop a work program
- Allocate resources to the engagement

Q-4 What is the relationship between business objectives and business assertions?

While business objectives indicate what the auditee is striving to achieve, assertions are after-the-fact statements of what is achieved.

Q-14 What steps are included in the communication phase of an assurance engagement?

- Perform observation evaluation and escalation process
- Conduct interim and preliminary engagement communications
- Develop final engagement communications
- Distribute formal and informal final communications
- Perform monitoring and follow-up procedures

Q-15 What is the difference between negative assurance and positive assurance?

- Internal auditors express negative assurance when they conclude that nothing has come to their attention that indicates that the auditee's controls are designed inadequately or operating ineffectively.
- Internal auditors express positive assurance when they conclude that, in their opinion, the auditee's controls are designed adequately and operate effectively.

Q-17 How do internal audit consulting engagements differ from assurance engagements?
- Whereas the nature and scope of an assurance engagement are determined by the internal audit function, the nature and scope of a consulting engagement are subject to agreement with the engagement customer.
- Consulting engagements are much more discretionary in nature than assurance engagements.

D-2:

1)

a) Three potential adverse consequences of the accident would be:

- Drivers and passengers might suffer from physical effects such as minor cuts, broken limbs, paralysis, whiplash, back or spinal injuries, or even death in extreme cases.
- Vehicles in the accident might be damaged or need costly repairs and, in extreme cases, might not be suitable for driving.
- Besides, people might suffer from emotional and mental distress such as posttraumatic stress for being involved or losing a loved one in the accident.

b) Three risk factors that make the event more or less probable are:

- Factors arising from drivers are improper or erratic lane changing, sudden speed changes, not obeying traffic control devices or signs, making improper turns, driving too fast, prohibited and dangerous passing or merging, and carelessness, fatigue, alcohol, or sleep.
- Risk factors due to defects in vehicles are failure of brakes, lighting system, tire burst, and steering system.
- Defective road designs include improper curves, improper lighting, ineffective traffic control devices, inadequate sight distance, lack of width of shoulders, and others.

c) The city can avoid road accidents by encouraging drivers to have the right attitude about driving and to practice as much as possible. Besides, drivers must be well trained for poor conditions, strict legal action needs to be taken against traffic rule violators, cell phone use must be prohibited, and drivers should be encouraged to drive a safe vehicle.

2) The city can reduce the risk by limiting the speed of vehicles on the road during peak hours and limiting night driving. During peak hours, the number of vehicles increases, which further increases the possibility of accidents. Thus, stricter speed limits must be enforced to ensure careful and safe driving. Besides, limiting the number of vehicles during the night would also help in reducing accidents, as drivers engage in alcohol intake, become sleepy, or suffer from fatigue at this time.

D-3: Consider the following two statements.

1) Evaluating the adequacy of control design is necessary but not sufficient if the objective of an assurance engagement is to reach a conclusion regarding the overall effectiveness of controls.

The first statement is true. Determining that controls are designed adequately is necessary, but not sufficient, for reaching a conclusion regarding their effectiveness. To reach a conclusion regarding their effectiveness, adequately designed controls must be tested to determine whether they are operating as intended.

2) If an internal auditor determines that a control is inadequately designed, there is no good reason to test the effectiveness of the control.

The second statement is generally true. It typically does not make sense to determine whether a poorly designed control is operating as designed. There are circumstances, however, in which internal auditors gather and document errors that have occurred as a result of control deficiencies to support their conclusions that controls are ineffective. Additionally, there may be instances when internal auditors want to measure the impact of a control deficiency.

CHAPTER

Q-2: What are the six components of the IPPF? Which components constitute mandatory guidance? Which components constitute recommended guidance?

- Components of the IPPF:
+ Core Principles
+ Definition
+ Standards
+ Code of Ethics
+ Implementation Guidance
+ Supplemental Guidance
- Mandatory guidance:
+ Core Principles
+ Definition
+ Standards
+ Code of Ethics
- Recommended guidance:
+ Implementation Guidance
+ Supplemental Guidance

Q-4: What is the purpose of The IIA’s Code of Ethics?
The purpose of the Code of Ethics is to promote an ethical culture in the internal audit profession.

Q-5: Identify the four principles of the Code of Ethics. Why should internal auditors strive to comply with these principles?

- Four principles of the Code of Ethics:
+ Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
+ Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
+ Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
+ Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
- Internal audit services can be performed by people who have integrity, are objective, and maintain confidentiality, but those services are of little value if such persons do not have the necessary knowledge and skills to perform the work and reach valid conclusions. That is why there are specific standards requiring internal auditors to be competent and continuously strive for improvement.

Q-6: What is the purpose of The IIA’s Standards?
Explain the difference between Attribute and Performance Standards.

- The purpose of The IIA’s Standards:
+ Guide adherence with the mandatory elements of the IPPF
+ Provide a framework for performing/promoting value-added internal auditing
+ Establish the basis for the evaluation of internal audit performance
+ Foster improved organizational processes and operations
- Attribute Standards: the attributes/behavior of the organizations and individuals in IA (1,000s)
- Performance Standards: the nature of internal auditing; they provide quality criteria against which the performance of these services can be measured (2,000s)

Q-13: Identify the Performance Standards that pertain specifically to:

a. Engagement planning:

- 2200: Engagement Planning
- 2201: Planning Considerations
- 2210: Engagement Objectives
- 2220: Engagement Scope
- 2230: Engagement Resource Allocation
- 2240: Engagement Work Program

b. Performing the engagement:

- 2300: Performing the Engagement
- 2310: Identifying Information
- 2320: Analysis and Evaluation
- 2330: Documenting Information
- 2340: Engagement Supervision

c. Communicating results:

- 2400: Communicating Results
- 2410: Criteria for Communicating
- 2420: Quality of Communications
- 2421: Errors and Omissions
- 2430: Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing"
- 2431: Engagement Disclosure of Nonconformance
- 2440: Disseminating Results
- 2450: Overall Opinions

D-15 (not found in the book)

D-5: The CAE for Sargon Products reports administratively to the CFO and functionally to the audit committee. The scope of the internal audit function assurance services includes financial, operational, and compliance engagements. Is the internal auditors’ objectivity regarding accounting-related matters impaired in each of the situations described below?
Briefly explain your answer.

a. The internal auditors are frequently asked to make accounting entries for complex transactions that the company’s accountants do not have the expertise to handle.

In this situation, the internal auditors are performing the actual accounting function for the organization. Making the accounting entries should be the responsibility of accounting. In doing this work, the internal auditor's objectivity would be considered impaired.

b. A staff accountant reconciles the company’s monthly bank statements. An internal auditor reviews the bank reconciliations to make sure they are completed properly.

The internal auditor is not performing the independent verification control of reconciling the monthly bank statements; this is being done by a staff accountant. The internal auditor is testing whether the control is operating effectively, which is an appropriate internal audit task. Accordingly, the internal auditor's objectivity would not be considered impaired.

CHAPTER

Q3.2 What is the OECD’s definition of corporate governance?

Corporate governance involves a set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.

Q3.4 What is the IIA’s definition of governance?
How does this definition relate to the figure in exhibit 3-3?

- Combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
- Governance begins with the board of directors and its committees. The board serves as the "umbrella" of governance oversight for the entire organization. It provides direction to management, empowers them with the authority to take the necessary actions to achieve that direction, and oversees the overall results of operations.

● Set relationships between an organization's management, its BOD, shareholders, and stakeholders
● To set the organization's objectives
● To determine the means of attaining objectives and monitoring performance

Q3.7 In governance, what are the key responsibilities of:

a. The board of directors?

- Responsibilities:

● Identify key shareholders of the organization
+) Shareholder characteristics: 1) Directly involved 2) Interested in the organization’s business 3) Influence
● Understand the needs of the shareholders
● Identify potential outcomes that would be unacceptable to key shareholders

OR

The governance responsibilities for the board are: establishing a governance committee, articulating requirements for reporting to the board, and reevaluating governance expectations periodically.

b. Senior management?

The governance responsibilities for senior management are: ensuring that the full scope of direction and authority delegated is understood appropriately; identifying the processes and activities within the organization that are integral to executing the governance direction provided by the board; evaluating what other business considerations or factors might create a justification for delegating a lower tolerance level to risk owners than that delegated by the board; and ensuring that sufficient information is gathered from the risk owners to support its reporting requirements to the board.

c. Risk owners?
The responsibilities of risk owners include: evaluating whether the risk management activities are designed adequately to manage the related risks within the tolerance levels specified by senior management; assessing the ongoing capabilities of the organization to execute those risk management activities; determining whether the risk management activities are currently operating as designed; and conducting day-to-day monitoring activities to identify whether anomalies or divergences from expected outcomes have occurred.

Q3.8 What role does the internal audit function play in governance?

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

● Promoting appropriate ethics and values within the organization;
● Ensuring effective organizational performance management and accountability;
● Communicating risk and control information to appropriate areas of the organization; and
● Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

Q3.10 What are the three lines of defence in the Three Lines of Defense model?

- 1st: Senior Management, directly deals with risk (implement, develop, and recommend controls)
- 2nd: Subject area experts. Will inform owners of risk and how to mitigate
- 3rd: Internal audit, governing body

D3.1 Describe ways in which an organization’s business model may affect its approach to governance oversight. Provide examples that contrast publicly held companies from privately held companies.

Stakeholders — Different business models may result in varying stakeholders with different expectations. For example, publicly traded companies will have stakeholders with profit and growth expectations, while nonprofit organizations may have stakeholders with expectations about achieving the purpose of the organization, for example, providing for the welfare of underprivileged children.

The Board and its Committees — The organization, makeup, and focus of the board may vary. For example, publicly traded companies are likely to have primarily independent directors, formal committees such as an audit committee and a nominating committee, and a risk appetite that is consistent with the expectations of the external stakeholders. Privately held companies are more likely to have members of management serving as directors, few if any board committees, and a risk appetite that is based on the expectations of the primary owners and management.

Risk Management — The roles of senior management and risk owners will be affected by the business model. For example, large, diverse organizations will need to rely on senior management providing direction and oversight to a variety of risk owners. However, in smaller, less complex organizations, senior management may own and have to manage many of the risks themselves.

Assurance Activities — The internal auditors and independent outside auditors may have different approaches to carrying out their responsibilities. For example, in public companies, both sets of auditors may need to provide assurance on the effectiveness of internal controls over financial reporting, while in private companies, such assurance may not be necessary or as formal.