Oct/Nov 2014
I) Internal audit should NOT take on this task or responsibility. The bank reconciliation is a routine accounting procedure that is the responsibility of the accounting department. The performance of the reconciliation is, in itself, an internal control which may from time to time be “internally audited” to determine whether the control is operating as it was designed to.
II) Internal audit should carry out this procedure. As per standard 2130.A1 - The internal audit activity must assist the organisation by evaluating the adequacy and effectiveness of controls regarding the reliability and integrity of financial and operational information.
III) Internal audit should not be part of the monthly internal control routines such as inventory counts. Internal audit should attend and observe cycle counts and indeed perform a sample of test counts, but this would be to evaluate the company's inventory controls.
IV) Internal audit should not be involved in “head hunting”, because this is a human resource function. At a later stage internal audit might be required to audit work performed by the person they had “head hunted”; doing the “head hunting” themselves would impair their independence.
V) Internal audit could take responsibility for this review. It can be conducted as a compliance audit.
VI) At most the internal audit activity could assist in the design of the risk management process but in a way that does not compromise independence. The nature of an internal audit is one of “evaluation” and “review” rather than one of creating systems. It does this by identifying and evaluating the organisation's exposure to risk, assessing the risk during the course of engagements and improving the risk management process. Internal audit can provide advice to management on risk management.
VII) Internal audit should conduct this procedure. It falls under the consulting services provided by internal audit.
2.2.1 Quality audits
2.2.2 Financial audits
2.2.3 Performance audits
2.2.4 Environmental audits
Engagement working papers generally:
• Aid in the planning, performance, and review of engagements.
• Provide the principal support for engagement results.
• Document whether engagement objectives were achieved.
• Support the accuracy and completeness of the work performed.
• Provide a basis for the internal audit activity's quality assurance and improvement program.
• Facilitate third-party reviews.
3.2.1 Clear - Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.
3.2.2 Accurate - Accurate communications are free from errors and distortions and are faithful to the underlying facts.
3.2.3 Concise - Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness.
3.2.4 Constructive - Constructive communications are helpful to the engagement client and the organisation and lead to improvements where needed.
Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.
Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.
Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.
3.3.1 Risk - G - The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
3.3.2 Chief audit executive - D - Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards.
3.3.3 Consulting services - E - Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organisation's governance, risk management, and control processes without the internal auditor assuming management responsibility.
3.3.4 Control - A - Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
3.3.5 Objectivity - F - An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made.
3.3.6 Independence - - The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
3.3.7 Control processes - ! - The policies, procedures (both manual and
operated to ensure that risks are contained within the level that an organisation is willing to accept.
4.1.1 Attribute
4.1.2 Performance
4.1.3 Performance
4.1.4 Implementation
4.1.5 Attribute
Permissible/Not Permissible - Reference to IPPF - Reasons
4.2.1 Not permissible. 1130 - Impairment to Independence or Objectivity; 1120 - Individual Objectivity. Impairment to organisational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding. 1130.C2 - If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement. Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
4.2.2 Not permissible. Confidentiality (par 3.1). Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.
4.2.3 Permissible. 2200 - Engagement Planning. Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations.
4.2.4 Not permissible. 1322 - Disclosure of Non-conformance. When non-conformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the non-conformance and the impact to senior management and the board.
4.2.5 Not permissible. 1230 - Continuing Professional Development. Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional
• Access to the books, records, vouchers and accounts
• Obtaining information and explanations
• Attending meetings
• Believing trusted officials
• Independence of the internal auditor
Advantages:
This level of reporting gives the internal audit activity a high degree of organisational independence and accessibility because it is reporting to a body with more authority than top executive management, and the majority of members are not involved in the operational matters of the company (executive functions).
Disadvantages:
1. Because the audit committee does not meet frequently enough, they do not have the time to support the internal audit activity on a day-to-day basis as an independent reporting facility. Audit committees meet on average four times a year.
2. Because of its function, the audit committee, by its very nature, is apart from the main stream of business activities. As a result, the internal auditor does not always receive necessary information and directives which might enable him to function effectively.
3. The audit committee also has a functional rather than an operational role and it is, therefore, undesirable that members should be involved with the operational or household details of the internal audit activity. Their proper functions would include the final authorisation of audit plans and audit findings, the coordination of audit efforts and the formulation of audit policy.
Dual Reporting
• The chief audit executive should have the following dual-reporting responsibilities:
o functionally to the audit committee, and
o administratively to the chief executive officer.
• The chief audit executive should have ready access to the audit committee.
• The chief audit executive should have direct and regular communication with the audit committee.
• The chief audit executive should attend audit committee meetings.
• The chief audit executive should regularly meet privately with the audit committee (without management's representatives in attendance).
• The audit committee should approve the appointment or removal of the chief audit executive.
• The audit committee should be advised by the chief audit executive concerning his or her relationship with the external auditors (and on how the internal and external audits are progressing).
The role of the internal audit activity in investigations needs to be defined in the internal audit charter, as well as in the fraud policies and procedures. For example, internal auditing may have the primary responsibility for fraud investigations, may act as a resource for investigations, or may refrain from involvement in investigations. Internal auditing may refrain from involvement because it is responsible for assessing the effectiveness of investigations or because it lacks the appropriate resources to be involved in investigations. Any of these is acceptable, as long as the impact of these activities on the independence of internal auditing is recognised and handled appropriately.
In addition to advising management, internal auditors may become involved in investigations by:
• monitoring the investigation process to help the organisation follow relevant policies, procedures, and applicable laws and statutes (where internal auditing was not responsible for conducting the investigation).
• locating and/or securing the misappropriated or related assets.
• supporting the organisation's legal proceedings, insurance claims, or other recovery actions.
• evaluating and monitoring the organisation's internal and external post-investigation reporting and communication plans and practices.
• monitoring the implementation of recommended control enhancement.
June/July 2014
2.1.1 Assurance
2.1.2 consulting
2.1.3 consulting
2.1.4 assurance
2.1.5 consulting
The personal characteristics required of an internal auditor are:
• awareness of new developments
• good human relations
• diligence and patience
• objectivity and confidence
• practical approach
• professionalism
• independence and sound judgment
• due professional care
• integrity and pleasant personality
• Approving the internal audit charter
• Approving the risk based internal audit plan
• Receiving communications from the chief audit executive on the internal audit activity's performance relative to its plan and other matters
• Approving decisions regarding the appointment and removal of the chief audit executive
• Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.
Management is accountable to the board for designing, implementing and monitoring the process of risk management, and for integrating it into the day-to-day activities of the company. The internal audit activity should assist the board, directors and management through consultation and facilitation in identifying, evaluating and assessing significant risks and by providing independent assurance as to the adequacy and effectiveness of related internal controls and the risk management process.
• Consider fraud risks in the assessment of internal control design and
determination of audit steps to perform.
• Have sufficient knowledge of fraud to identify red flags indicating fraud may have
been committed.
• Be alert to opportunities that could allow fraud, such as control deficiencies.
• Evaluate whether management is actively retaining responsibility for oversight of
measures have been taken with respect to any noted control deficiencies or weaknesses, and that the plan for monitoring the program continues to be adequate for the program’s ongoing success.
• Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
• Recommend investigation when appropriate.
The planning steps that should be followed for each audit are:
1. Obtain background information of the audit area (preliminary survey).
2. Identify the engagement objective(s) to be achieved.
3. Consider the audit risk.
4. Determine the allocation of engagement resources.
5. Compile the detailed engagement (audit) programme.
a) evidence generated by the internal auditor
b) physical evidence
c) oral evidence
d) documentary evidence
e) physical evidence
a) Cause. It is the reason for the difference between the expected and actual conditions (why the difference exists). The auditor expects to find that the DO was updated regularly or when there is a change in personnel or responsibilities - this is not the case and it is the cause of the situation.
b) Condition. This is factual evidence that the internal auditor has found in the course of the examination (what does exist).
c) Effect. This is risk or exposure the organisation or others encounter because the condition is consistent with the criteria.
d) Criteria. This should be the standard used to evaluate or verify what should exist.
The following aspects are usually included in this contractual obligation: Internal auditors:
1. may not use confidential information obtained in the performance of their duties for their own gain, or impart such knowledge to third parties.
2. should further the interests of their employer's business undertaking.
3. may not perform acts of dishonesty (fraud, theft) against their employer.
4. may not perform acts which are in competition with their employer.
5. may not perform acts of misconduct while performing their duties.
The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organisation, including the nature of the chief audit executive's functional reporting relationship with the board; authorises access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.
1. A common audit methodology.
2. Joint training programmes.
3. Joint planning of audit work.
4. Direct assistance with each other’s projects.
5. Exchange of audit reports
6. Direct support in that working papers are at each other's disposal.
7. Periodic meetings
8. A professional attitude
9. The evaluation by internal and external auditors of the effectiveness of each other's work and reporting on this to management.
4.1.1 Strongly recommended guidance
4.1.2 Definition
4.1.3 International standards
4.1.4 Position papers
Permissible/Not Permissible - Reference to IPPF - Reasons
4.2.1 Not permissible. Objectivity (par 2.3); Integrity (par 1.2). Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. Internal auditors shall observe the law and make disclosures expected by the law and the profession.
4.2.2 Not permissible. Competency (par 4.1). Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2.3 Permissible. Proficiency and Due Professional Care. Engagements must be performed with proficiency and due professional care.
4.2.4 Not permissible. Objectivity (par 2.1); Objectivity (par 2.2). Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation. Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment. This scenario falls under this prohibition, since the auditor's objectivity would be impaired.
4.2.5 Permissible. Integrity (Par 1.2). Internal auditors shall observe the law and make disclosures expected by the law and the profession. Thus, the internal auditor is legally bound to respond to a court order. The requirement not to use information in any manner detrimental to the legitimate and ethical objectives of the company does NOT override the legal obligation to respond to a court order.
The main objective of internal auditing is determined by the needs of the board of directors and management of an organisation so as to assist them in improving the governance, risk management and control processes as well as the effective discharge of its responsibilities. The internal auditor must ensure that these needs are addressed in the internal audit report that should be issued after each audit engagement. The internal auditor seeks to advise management on whether its major operations have sound systems of risk management and internal controls. The uncovering of errors and fraud is an ancillary objective.
Element - Mandatory/Strongly recommended
1. The Definition of Internal Auditing - Mandatory
2. The Code of Ethics - Mandatory
3. The International Standards for the Professional Practice of Internal Auditing (Standards) - Mandatory
4. Practice Advisories - Strongly recommended
5. Position Papers - Strongly recommended
6. Practice Guides - Strongly recommended
2.3 Organisational independence - The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities. The chief audit executive must confirm to the board, at least annually, the organisational independence of the internal audit activity.
Individual objectivity - Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
2.4
Advantages of this level of reporting are that:
• It guarantees access to a high-level official.
• It provides a reasonable measure of independence for the internal auditor.
• Management may feel less threatened because the accessibility of the internal auditor is at a lower level than if he were to report to the Board of Directors
Disadvantages:
• If the influence and authority of the internal auditor is such that audit matters receive the attention of the CEO, to the detriment of other management matters, the efficiency of management will suffer and distrust might increase.
• Since a CEO is normally very busy, the CAE might find that he or she does not receive the guidance and support necessary to perform his or her task
2.5
The role of the internal audit activity in investigations needs to be defined in the internal audit charter, as well as in the fraud policies and procedures. For example, internal auditing may have the primary responsibility for fraud investigations, may act as a resource for investigations, or may refrain from involvement in investigations. Internal auditing may refrain from involvement because it is responsible for assessing the effectiveness of investigations or because it lacks the appropriate resources to be involved in investigations. Any of these is acceptable, as long as the impact of these activities on the independence of internal auditing is recognised and handled appropriately.
In addition to advising management, internal auditors may become involved in investigations by:
• monitoring the investigation process to help the organisation follow relevant policies, procedures, and applicable laws and statutes (where internal auditing was not responsible for conducting the investigation).
• locating and/or securing the misappropriated or related assets.
• supporting the organisation’s legal proceedings, insurance claims, or other recovery actions.
• evaluating and monitoring the organisation’s internal and external post-investigation reporting and communication plans and practices.
• monitoring the implementation of recommended control enhancement.
2.6 Coordination of internal and external audit work is the responsibility of the chief audit executive (CAE). The CAE obtains the support of the board to
No. Audit phase/step
(a) Gather audit evidence - Performing the engagement (fieldwork)
(b) Identify opportunities for making significant improvements to the human resource function’s risk management and control systems. - Planning the internal audit (engagement planning)
(c) Distribute the audit report. - Audit reporting and follow up
(d) Perform a preliminary survey for the recruitment process to identify the objectives and significant risks and evaluate the resources. - Planning the internal audit (engagement planning)
(e) Complete the audit working papers. - Performing the engagement (fieldwork)
(f) Compile a list of the auditing engagement’s objectives that must be achieved. - Determining audit assignment.
(g) Evaluate the recruitment process based on the risk assessment. - Planning the internal audit (engagement planning)
(h) Determine the audit risk and indicate how it will influence the audit engagement. - Planning the internal audit (engagement planning)
(i) Perform the audit procedures. - Performing the engagement (fieldwork)
(j) Write the audit report. - Audit reporting and follow up
The CAE has not complied with the “proficiency” requirement of Standard 1210. Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. In the scenario given, there is no qualified internal auditor even though one person is studying towards a degree in auditing. Therefore the chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
The following factors directly determine the nature and scope of audit sampling or testing:
• the effectiveness of the system of internal control - the more effective, the smaller the sample.
• materiality of the transactions - the more material, the larger the sample.
• volume of transactions (population size) - does not affect the size of the sample
• method of record keeping
• relative risk associated with the transactions
• nature of the evidence
• suggestion of irregularities
• unusual items in the population
Answer:
Sufficient: Sufficient information is factual, adequate and convincing, so that a prudent, informed person would reach the same conclusions as the auditor. Evidence is sufficient if it is so factual, adequate and convincing that it would lead a prudent, informed person to the same conclusions as the internal auditor. It requires objective judgement on the internal auditor's part.
Reliable: Reliable evidence is the best attainable through the use of appropriate engagement techniques. So, for example, an original document is more conclusive (reliable) than a copy, and direct evidence is more acceptable than hearsay evidence.
Relevant: Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. The facts and opinions used to prove an issue must bear a logical relationship to that issue. For example, an original purchase order, properly approved and issued, has no relevance if the auditor wants to determine whether the goods have actually been received.
Useful: This term refers to information that helps the organisation meet its goals.
Control - Type of Control
(a) alarms - Detective
(b) personnel access cards - Preventative
(c) procedure manuals - Directive
(d) use of carbon paper - Preventative
(e) guidelines - Directive
(f) physical stock count - Detective
(g) reconciliations - Detective
(h) company policy - Directive
Question - Permissible/not permissible ! mark# - Reference to IPPF ' marks# - Reasons ! mark#
4.1 Not permissible. Integrity (par 1.3); Confidentiality (par 3.1). Internal auditors shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organisation. Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.
4.2 Not permissible. 1230 - Continuing Professional Development; Competency (par 4.3). Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development. Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services.
4.3 Permissible. 2600 - Communicating the Acceptance of Risks. When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organisation, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
4.4 Not permissible. Objectivity (par 2.2). Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment.
4.5 Not permissible. 1321 - Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”. The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments.
June/July 201)
2.1 Not permissible. 1230 - Continuing Professional Development and
competencies through continuing professional development. Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services.
2.2 Not permissible. Objectivity (par 2.2). Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3 Not permissible. 1120 - Individual Objectivity. Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
2.4 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
2.5 Not permissible. Objectivity (par 2.3). Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
1. The assistance rendered to the management of the organisation to help them attain their objectives.
2. The internal audit report provides management with the assurance that management policy, standards and procedures are satisfactory, that they are being executed and adhered to and that the risk management, control and governance processes are adequate and effective.
3. Any deviations or discrepancies or unsatisfactory aspects from which deductions for re-organisation, adaptation or correction could be made, are timeously brought to management's attention.
4. The internal auditor's report assures management that management data whether operational or financial information, are compiled in a consistent, uniform and
5. There is always a possibility of discovering fraud and errors when continuous evaluation of the internal control is carried out by internal auditors, which is of the utmost importance to management.
6. The advantages associated with the possibility of exposing fraud and errors include the moral influence an internal audit may have on the work and behaviour of personnel.
• monitoring activities top management can't itself monitor
• identifying and minimising risks
• validating reports to senior management
• protecting senior management in technical areas beyond its knowledge
• providing information for the decision-making process
• reviewing for the future as well as for the past and
• helping line managers manage by pointing to violations of procedures and of management principles.
• Access to the books, records, vouchers and accounts
• Obtaining information and explanations
• Attending meetings
• Believing trusted officials
• Independence of the internal auditor
• Evaluating risk exposure relating to achievement of the organisation's strategic objectives.
• Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
• Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organisation.
• Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
• Evaluating the effectiveness and efficiency with which resources are employed.
• Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
• Monitoring and evaluating governance processes.
• Monitoring and evaluating the effectiveness of the organisation's risk management processes.
• Evaluating the quality of performance of external auditors and the degree of coordination with internal audit.
• Performing consulting and advisory services related to governance, risk management and control as appropriate for the organisation.
• Reporting periodically on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan.
• Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board.
• Evaluating specific operations at the request of the Board or management, as appropriate.
• The chief audit executive should have the following dual-reporting responsibilities:
o functionally to the audit committee, and
o administratively to the chief executive officer.
• The chief audit executive should have ready access to the audit committee.
• The chief audit executive should have direct and regular communication with the audit committee.
• The chief audit executive should attend audit committee meetings.
• The chief audit executive should regularly meet privately with the audit committee (without management's representatives in attendance).
• The audit committee should approve the appointment or removal of the chief audit executive.
• The audit committee should be advised by the chief audit executive concerning his or her relationship with the external auditors (and on how the internal and external audits are progressing).
1. A common audit methodology.
2. Joint training programmes.
3. Joint planning of audit work.
4. Direct assistance with each other's projects.
5. Exchange of audit reports
6. Direct support in that working papers are at each other's disposal.
7. Periodic meetings
8. A professional attitude
9. The evaluation by internal and external auditors of the effectiveness of each other's work and reporting on this to management.
Management is accountable to the board for designing, implementing and monitoring the process of risk management, and for integrating it into the day-to-day activities of the company. The internal audit activity should assist the board, directors and management through consultation and facilitation in identifying, evaluating and assessing significant risks and by providing independent assurance as to the adequacy and effectiveness of related internal controls and the risk management process.
• Consider fraud risks in the assessment of internal control design and determination of audit steps to perform.
• Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed.
• Be alert to opportunities that could allow fraud, such as control deficiencies.
• Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program, that timely and sufficient corrective measures have been taken with respect to any noted control deficiencies or weaknesses, and that the plan for monitoring the program continues to be adequate for the program's ongoing success.
• Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
• Recommend investigation when appropriate.
The planning steps that should be followed for each audit are:
1. Obtain background information of the audit area (preliminary survey).
2. Identify the engagement objective(s) to be achieved.
3. Consider the audit risk.
4. Determine the allocation of engagement resources.
5. Compile the detailed engagement (audit) programme.
Control Number | Audit Procedure | Audit Evidence
1 | Tracing | Documentary evidence
2 | Inspection | Documentary evidence
3 | Observation | Physical evidence
4 | | Evidence generated by the internal auditor
5 | | Documentary evidence
October/November 2012
a) Internal auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organisation's operations. It helps an organisation to accomplish its objectives by bringing a systematic, disciplined approach, to evaluate and improve the effectiveness of risk management, control and governance processes.
b) The Code of Ethics states the principles and expectations governing the behaviour of individuals and organisations in the conduct of internal auditing, the minimum requirements for conduct, and behavioural expectations rather than specific activities.
c) The Standards are mandatory requirements consisting of statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organisational and individual levels. The standards also consist of interpretations, which clarify terms or concepts within the statements.
2.2.1 Not permissible. Objectivity (par 2.1). Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation. Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment. Preparing a personal tax return for a divisional manager for a fee falls under this prohibition, since the auditor's objectivity would be impaired.
2.2.2 Not permissible. Confidentiality (par 3.1). Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties. Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. This auditor had no legal or professional obligation to give out that information and therefore did not protect the information acquired in the course of his duties.
2.2.3 Permissible. Integrity (par 1.2). Internal auditors shall observe the law and make disclosures expected by the law and the profession. Thus, the internal auditor is legally bound to respond to a court order. The requirement not to use information in any manner detrimental to the legitimate and ethical objectives of the company does NOT override the legal obligation to respond to a court order.
Advantages:
This level of reporting gives the internal audit activity a high degree of organisational independence and accessibility because it is reporting to a body with more authority than top executive management, and the majority of members are not involved in the operational matters of the company (executive functions).
Disadvantages:
1. Because the audit committee does not meet frequently enough, they do not have the time to support the internal audit activity on a day-to-day basis as an independent reporting facility. Audit committees meet on average four times a year.
2. Because of its function, the audit committee, by its very nature, is apart from the main stream of business activities. As a result, the internal auditor does not always receive necessary information and directives which might enable him to function effectively.
3. The audit committee also has a functional rather than an operational role and it is, therefore, undesirable that members should be involved with the operational or household details of the internal audit activity. Their proper functions would include the final authorisation of audit plans and audit findings, the coordination of audit efforts and the formulation of audit policy.
• It guarantees access to a high-level official.
• It provides a reasonable measure of independence for the internal auditor.
• Management may feel less threatened because the accessibility of the internal auditor is at a lower level than if he were to report to the Board of Directors
Disadvantages:
• If the influence and authority of the internal auditor is such that audit matters receive the attention of the CEO, to the detriment of other management matters, the efficiency of management will suffer and distrust might increase.
• Since a CEO is normally very busy, the CAE might find that he or she does not receive the guidance and support necessary to perform his or her task effectively.
To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organisational levels. The chief audit executive reports:
1. to the audit committee on functional responsibilities
2. to the CEO on operational/household tasks such as reviewing budgets, requests for salary increases and staff expansion.
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organisation
• Ensuring effective organisational performance management and accountability
• Communicating risk and control information to appropriate areas of the organisation and
• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
2110.A1 - The internal audit activity must evaluate the design, implementation, and effectiveness of the organisation's ethics-related objectives, programs, and activities.
2110.A2 - The internal audit activity must assess whether the information technology governance of the organisation supports the organisation's strategies and objectives.
The internal audit activity serves as a detective control in the system of internal control, in other words, it functions as a control over other controls. The scope of the task of the internal audit activity in an organisation includes the examination and evaluation of the adequacy and effectiveness of risk management, control and governance processes, and the quality of performance in carrying out assigned responsibilities. In this capacity, the internal audit activity evaluates the general system of management control and the system of internal control, and keeps top executive management informed regarding the adequacy of the system. The aim of evaluating the adequacy of the governance, risk management and control processes is to determine whether the established system provides reasonable assurance that the objectives and goals of the organisation will be achieved efficiently and economically. The aim of evaluating the effectiveness of the governance, risk management and control processes is to determine whether the system is dependable, i.e. whether the objectives and goals are being accomplished in an accurate and timely fashion with minimal use of resources.
Preventive controls: to deter undesirable events, e.g. Internal audit report
Detective controls: to detect and correct undesirable events which have occurred, e.g. exception reports
Directive controls: to bring about or encourage a desirable event, e.g. procedure manuals
Internal audit is responsible for assisting in the deterrence of fraud by:
Examining and evaluating the adequacy and effectiveness of actions taken by management to fulfil the obligation regarding control, commensurate with the extent of the potential exposure/risk in the various segments of the entity's operations. This includes recommending improvements.
The internal auditor should determine whether:
1. The organisation environment fosters control consciousness.
2. Realistic organisational goals and objectives have been set
3. Adequate authorisation policies for transactions are established and maintained
4. Policies, procedures, practices, reports and other mechanisms are developed to monitor activities and safeguard assets especially in high-risk areas.
5. Written corporate policies exist that describe prohibited behaviour and actions that must be taken whenever a violation is discovered
6. Communication channels provide management with adequate and reliable information.
1. Candidates should be in possession of a B Degree with Internal Auditing or equivalent qualification to enter the IAT program.
2. Successfully completed and passed the IAT and PIA programs.
3. Successfully passed all three parts of the International CIA examination set by the International Institute of Internal Auditors.
4. A good character, as attested to by a CIA or member through a character reference. This is one of the entrance requirements for the IAT program
• knowledge and competence
• awareness of new developments
• good human relations
• diligence and patience
• objectivity and confidence
• practical approach
• professionalism
• independence and sound judgment
• due professional care
In planning the engagement, internal auditors must consider:
• The objectives of the activity being reviewed and the means by which the activity controls its performance
• The significant risks to the activity, its objectives, resources and operations, and the means by which the potential impact of risk is kept to an acceptable level
• The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model and
• The opportunities for making significant improvements to the activity's risk management and control processes.
Physical evidence - Physical evidence is obtained through the direct observation of people, property and events. It can take the form of attendance at a physical stock count and/or attendance at wage pay-outs.
Oral evidence - Oral evidence is gathered in the course of interviews or enquiries. Examples: written and signed evidence of oral interview or minutes.
Documentary evidence - Documentary evidence comprises the documents of the auditee which relate to the auditee's business, e.g. sales invoice
Evidence generated by the internal auditor - This type of evidence is related to analysis and confirmation. The sources of such evidence are calculations, comparisons with imposed standards, completed operations, similar operations and the combining of information in context. E.g. use of the total control system.
a) Condition - the factual evidence that the internal auditor has found in the course of the examination (what does exist).
b) Effect. This is the risk or exposure that the organisation encounters because the condition is not consistent with the criteria.
c) Criteria - the standards, measures or expectations used for evaluating and/or verifying (what should exist).
d) Cause: the reason for the difference between the expected and actual conditions (why the difference exists).
6.4.1 c
6.4.2 g
6.4.3 d
6.4.4 h
6.4.5 a
6.4.6 b
June/July 2012
Internal auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organisation's operations. It helps an organisation to accomplish its objectives by bringing a systematic, disciplined approach, to evaluate and improve the effectiveness of risk management, control and governance processes.
An effective internal audit activity should provide management with:
• assurance that the management processes are adequate to identify and monitor significant risks
• confirmation of the effective operation of the established internal control system
• credible processes for feedback on risk management and assurance and
• objective confirmation that the board receives the right quality of assurance and information from management and that this information is reliable.
• knowledge and competence
• awareness of new developments
• good human relations
• diligence and patience
• objectivity and confidence
• practical approach
• professionalism
• independence and sound judgment
• due professional care
• integrity and pleasant personality
2100 - Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
2110 - Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organisation
• Ensuring effective organisational performance management and accountability
• Communicating risk and control information to appropriate areas of the organisation and
• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
2110.A1 - The internal audit activity must evaluate the design, implementation, and effectiveness of the organisation's ethics-related objectives, programs, and activities.
2110.A2 - The internal audit activity must assess whether the information technology governance of the organisation supports the organisation's strategies and objectives.
2120 - Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
2120.A1 - The internal audit activity must evaluate risk exposures relating to the organisation's governance, operations, and information systems regarding the:
• Achievement of the organisation's strategic objectives
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets and
• Compliance with laws, regulations, policies, procedures, and contracts.
2120.A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk.
2120.C1 - During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
2120.C2 - Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organisation's risk management processes.
2120.C3 - When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
Question No | Yes/No | Principle | Rules of conduct | Reason
I | No | Objectivity | 2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation. | Ms K marriage can be seen as a conflict of interest and may be presumed to impair her assessment.
II | No | Competency | 4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience. | Ms Knowledge has the knowledge, skills and experience having worked previously in the department but lacks auditing experience.
Internal auditors are responsible for fulfilling their duties as contracted with their employer. They should perform these duties in a capable manner and without negligence. The auditor is guilty of breach of contract if he or she contravenes the stipulations of the contract of service, or should he or she be found to be incompetent or negligent.
In the case of breach of contract, the employer has the following legal remedies:
1. In terms of the general principles of the law of contract, appeal to the court to issue an order forcing the internal auditor to abide by the stipulations of the contract.
2. Claim compensation for all losses sustained from the breach of contract by the internal auditor.
3. When the breach of contract is considered to be very serious, summarily terminate the internal auditor's contract of service.
Phase 1 - Determining audit assignment and overall plan
Phase 2 - Planning the internal audit (engagement planning)
Phase 3 - Performing the engagement (fieldwork)
I Workers can work excessive overtime where not needed.
II Calculation errors will not be picked up.
III The cheque amount can be increased to pay out more than the total net wages
IV Employees can claim that they were not paid
I Inspection
II Recalculation
III Routine checking/transaction audit
IV Observation
Standard 1210.A2 - Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
There are references to the responsibility of internal audit regarding fraud in various Internal Auditing Standards. In this regard, the following Standards are also of particular importance:
• IIA Standard 1200: Proficiency and Due Professional Care
• IIA Standard 1220: Due Professional Care
• IIA Standard 2060: Reporting to Senior Management and the Board
• IIA Standard 2120: Risk Management