audit engagement overview

Part 2 A – 1V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Audit Engagement Overview

Monitor

Develop workpapers.

CommunicatePerform

Research and apply StandardsMaintain fraud awareness

Plan

Collect, evaluate, analyze, interpret data.

Report findings, conclusions,

recommendations.

Monitor engagement outcomes.

Part 2, Section A, Overview

Assess risk

Part 2 A – 2V3.0


www.LearnCia.com

1. Research and apply appropriate international standards

2. Maintain an awareness of the potential for fraud when conducting an engagement

3. Collect data 4. Evaluate the relevance,

sufficiency, and competence of evidence

5. Analyze and interpret data 6. Develop working papers 7. Review working papers

8. Communicate interim progress

9. Draw conclusions 10. Develop recommendations

when appropriate 11. Report engagement results 12. Conduct client satisfaction

survey 13. Complete performance

appraisals of engagement staff

Section Topics

Part 2, Section A

Part 2 A – 3V3.0


www.LearnCia.com

I. Definition of internal auditingII. Code of EthicsIII. StandardsIV. Practice AdvisoriesV. Practice Guides and Position Papers

Answer: I, II, and III

Discussion QuestionWhich parts of the International Professional Practices Framework are mandatory for IIA members? (Select all that apply.)

Part 2, Section A, Topic 1

Part 2 A – 4V3.0


www.LearnCia.com

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Internal Auditing: IIA Definition


Part 2 A – 5V3.0


www.LearnCia.com

Confidentiality

IntegrityObjectivity

Competency

Which of the four principles underlying The IIA Code of Ethics is missing from the following list?

Discussion Question


Part 2 A – 6V3.0


www.LearnCia.com

Integrity Objectivity Confidentiality Competency1.1. Perform work with honesty, diligence, and responsibility.1.2. Observe the law and make disclosures expected by the law and the profession.1.3. Avoid illegal activity or acts that are discreditable to the IA profession or to the organization.1.4. Respect and contribute to legitimate and ethical objectives of the organization.

2.1. Avoid acts or relationships that impair unbiased assessment, including those that conflict with the organization’s interests.2.2. Accept nothing that might impair professional judgment.2.3. Disclose all material facts known that, if undisclosed, may distort reporting.

3.1. Be prudent in use and protection of information acquired in the course of duties.3.2. Do not use information for personal gain, contrary to the law, or to the detriment of legitimate and ethical objectives of the organization.

4.1. Engage only in services for which you have the knowledge, skills, and experience.4.2. Perform internal auditing services in accordance with the Standards.4.3. Continually improve proficiency and effectiveness and quality of services.

IIA Code of Ethics


Part 2 A – 7V3.0


www.LearnCia.com

Answer: Apply the four principles to determine an ethical course of action.

What should you do when confronted by an ethical dilemma that can’t be resolved by reference to any of the specific Rules of Conduct?

Discussion Question


Part 2 A – 8V3.0


www.LearnCia.com

The IIA’s Standards: 3 Types

Characteristics of organizations and parties performing internal audit services

Descriptions of the nature of internal audit services and quality criteria for service performance measurement

Attribute Standards

Performance Standards

Implementation Standards

Mandatory instructions for implementing Attribute and Performance Standards for assurance and consulting engagements


Part 2 A – 9V3.0


www.LearnCia.com

• Objective assessment of evidence.

• Independent opinion or conclusions about a process, system, etc.

• Internal auditor determines nature and scope.

• Three parties generally involved.

Assurance Consulting

Which list describes assurance audit services and which describes consulting audit services?

• Advisory engagement.• Requested by client.• Nature and scope

subject to client-auditor agreement.

• Two parties generally involved.

Discussion Question


Answer:

Part 2 A – 10V3.0


www.LearnCia.com

• Financial assurance• Controls assurance• Information technology (IT)• Compliance• Operations• Integrated

• Management requests• Due diligence assignments

in mergers and acquisitions

Engagement Examples

Assurance Engagements Consulting Engagements


Part 2 A – 11V3.0


www.LearnCia.com

IIA Nonmandatory Guidance: Three Types

Practice Advisories

Detailed guidance for internal audit activities (e.g., processes and procedures—tools and techniques, programs, andapproaches)

• IIA-sanctioned best practices• Address approach,

methodology, and considerations

Practice Guides

Position PapersStatements to assist a wide range of interested parties


Part 2 A – 12V3.0


www.LearnCia.com

Other Relevant Standards

US Racketeer Influenced and Corrupt Practices Act (RICO)

20041970

1977

COSO Enterprise Risk Management—Integrated Framework

Sarbanes-Oxley Act

1992

Treadway Commission Report (COSO)

1987

US Foreign Corrupt Practices Act (FCPA)

2002

COSO Internal Control—Integrated Framework (revised 1994)

2007

COSO for small business

2006

• Revised Yellow Book standards

• Auditing Standard Number 5 (AS5)


Part 2 A – 13V3.0


www.LearnCia.com

Sarbanes-Oxley Act’s Impact• Outside auditor may not also do internal audits; co-

sourcing is acceptable.

• Audit committee shall:– Appoint, compensate, etc., the outside auditor.– Contain only independent members (no consulting fees

accepted).– Contain at least one financial expert (or disclose as to why not).– Establish procedures for monitoring controls, handling

complaints, etc.

• All SEC filings must contain an internal control report.


Part 2 A – 14V3.0


www.LearnCia.com

Auditing Standard Number 5 (AS5)

“Top-down, risk-based approach”• Clarifies how entity level controls should be used in performing

an integrated audit• Broadens the expected use of the work of other external

auditors beyond internal auditors• Allows increased use of work of others by external auditors as

the level of risk decreases • Requires that an understanding of the flow of transactions be

obtained • Excuses walkthroughs if external auditors can rely on the work

performed by internal audit in this area


Part 2 A – 15V3.0


www.LearnCia.com

Committee of Sponsoring Organizations (COSO)

Control environmentRisk assessmentControl activitiesInformation and communicationMonitoring

Enterprise Risk Management—Integrated Framework

Internal Control—Integrated Framework*

Internal environmentObjective settingEvent identificationRisk assessmentRisk responseControl activitiesInformation and communicationMonitoring

1123

2

43

7

4

5

8

5

*Same components for 2006 “Internal Control Over Financial Reporting” for smaller public companies

6


Part 2 A – 16V3.0


www.LearnCia.com

The COSO Challenge:Take a Broader View of Control Environment

Financial statements +

“Tone at the top”EthicsCompetencyHuman resource policiesCorporate culture


Part 2 A – 17V3.0


www.LearnCia.com

Are there sets of standards similar to COSO that apply outside the US?

Sample answer: Yes, for example, CoCo in Canada and the Cadbury Commission’s model in the UK.

Discussion Question


Part 2 A – 18V3.0


www.LearnCia.com

Name at least four specific actions every internal auditor should be able to accomplish regarding fraud.

Answer:• Notice indicators of fraud.• Design appropriate steps to address

significant risk of fraud.• Employ audit tests to detect fraud.• Determine if any suspected fraud merits

investigation.

Discussion Question


Part 2 A – 19V3.0


www.LearnCia.com

IPPF Glossary Definition of Fraud

“Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”


Part 2 A – 20V3.0


www.LearnCia.com

Discussion Question

Fraud perpetrated to the detriment of the organization

Fraud perpetrated on behalf of the organization

What are some examples of the two major types of fraud listed below?

Sample answer:• Improper payments to

government officials• Intentional, improper

valuations• Intentional, improper

transfer pricing• Sale or assignment of

fictitious assets

Sample answer:• Bribes and kickbacks• Diverting profitable transactions• Embezzlement• Intentional concealment of

events, etc.• Submitting claims for goods or

services not provided


Part 2 A – 21V3.0


www.LearnCia.com

What are some examples of red flags indicating the potential for fraud?

Sample answer: Loose internal controls, poor management philosophy, poor financial position, low employee morale, confusion about ethics, lack of background checks in hiring, lack of employee support programs.

Discussion Question


Part 2 A – 22V3.0


www.LearnCia.com

What three conditions suggest the possibility of fraud?

Answer:• Opportunity (e.g., poor control design)• Motive (e.g., desire for power, greed,

pressure)• Rationalization (“I’m entitled.”)

Discussion Question


Part 2 A – 23V3.0


www.LearnCia.com

Design Appropriate Engagement Steps

What would tempt employees here?

How about managers?

What controls pass a cost-

benefit analysis?

What are the e-commerce

implications?


Part 2 A – 24V3.0


www.LearnCia.com

The internal auditor needs authority to take necessary engagement steps. What are some specific powers the internal auditor should seek from management?

Sample answer: Authority to review annual reports, audit consulting contracts, review executive-approved transactions, have access to the board’s actions, review transactions with subsidiaries and associated organizations, test documentation supporting financial reports, monitor compliance of record-retention policies, ask about political contributions, review expense accounts, monitor conflicts of interest.

Discussion Question


Part 2 A – 25V3.0


www.LearnCia.com

Analytical Tools for Fraud Tests

What’s the ratio of A to B? (proportional analysis)

Does this change in a trend have a reasonable explanation? (trend analysis)

Will computer analysis make testing more efficient and effective? (verifying transactions with computers)

Outcome B

Condition A


Part 2 A – 26V3.0


www.LearnCia.com

A. Research to identify a root causeB. Software that runs on an ongoing basisC. Ratio analysis of high risksD. Comparative transactions

Answer: B. Continuous auditing (or continuous monitoring) uses computerized techniques to perpetually audit the processing of business transactions.

Discussion QuestionWhich of the following statements best describes continuous auditing?


Part 2 A – 27V3.0


www.LearnCia.com

Name several major types of audit evidence and give examples of each.Sample answer:

Physical evidence (e.g., stored media, security system in operation)Documentary evidence (e.g., letters, e-mails, memos,invoices)Representations or testimonial evidence (responses to inquiries supported by documentation)Analytical evidence (e.g., computations, reasoning,analytical audit tests)

Discussion Question


Part 2 A – 28V3.0


www.LearnCia.com

Persuasive EvidenceRelevant Reliable Sufficient

Must be pertinent to audit objective and logically support internal auditor’s conclusion or advice

Must come from credible source

Should be enough evidence; different but related pieces of evidence should corroborate each other


Part 2 A – 29V3.0


www.LearnCia.com

Match the type of legal evidence on the left with its description on the right.

A. Generally documentaryB. Copy of a document or oral evidence of contentsC. Eyewitness testimony, for exampleD. Leads to only one conclusionE. Proves an intermediate factF. Supplemental supporting evidenceG. Usually admissible only when

provided by expertsH. Secondhand; generally ruled inadmissible in

court

Best

Hearsay

Opinion

Corroborative

Circumstantial

Conclusive

Direct

Secondary

C

FADH

GE

B

Discussion Question


Part 2 A – 30V3.0


www.LearnCia.com

Other Concerns About Evidence

Can I use the evidence without violating confidentiality (Code of Ethics)?

Will I have access to the evidence without interference?

Will the evidence be available when I need it for testing?


Part 2 A – 31V3.0


www.LearnCia.com

Define sufficiency, competence (reliability), and relevance in regard to audit evidence.Sample answer: Sufficient evidence—Factual, adequate, and convincing so that a prudent, informed person would reach the same conclusion as the auditor.Competent (called “reliable” in Standards) evidence—Reliable and best obtainable through the use of appropriate techniques.Relevant evidence—Supports engagement observations and recommendations and is consistent with engagement objectives.

Discussion Question


Part 2 A – 32V3.0


www.LearnCia.com

Evidence-Gathering Techniques

What are appropriate times to use:• Inquiry?• Observation?• Inspection?• Vouching?• Tracing?• Re-performance?• Analytical procedures?• Confirmation?


Part 2 A – 33V3.0


www.LearnCia.com

Reinforcing Activity 2-1Part 2, Section A, Topic 4

Evaluate the Relevance, Sufficiency, and Competence of Evidence


Part 2 A – 34V3.0


www.LearnCia.com

Assumed: Variety of techniques for gathering data; solid basis for determining conclusions.

Question: What are some conditions the internal auditor discovers by using analytical procedures?Sample answer:• Unexpected differences• Absence of expected differences• Potential errors• Potential irregularities or illegal acts• Other unusual or nonrecurring transactions and

events

Discussion Question


Part 2 A – 35V3.0


www.LearnCia.com

The heart of analysis is comparison. What are some types of comparisons used to analyze and interpret audit evidence?Sample answer:• Comparison of current to prior period• Comparison of current period to budget or forecast• Comparison of financial data to nonfinancial data• Study of relationships among elements of information (e.g.,

interest expense to debt balance)• Comparison of one organizational unit’s performance to

another unit’s• Comparison of organization to industry benchmark

Discussion Question


Part 2 A – 36V3.0


www.LearnCia.com

Define and provide examples of two types of ratio analysis.

Sample answer: Two commonly used types of ratio analysis are 1) common-size statements, with all statement items formulated as ratios with a common denominator, and 2) financial ratios used to evaluate organizational structure and performance (debt/equity, price/earnings, etc.).

Discussion Question


Part 2 A – 37V3.0


www.LearnCia.com

Provide a definition and some examples of trend analysis.

Sample answer: Trend analysis traces relationships over time and is the analytical technique most commonly used by internal auditors. Some trends analyzed includerevenues, expenses, same-store sales,store openings; trends in ratios are also subject to analysis.

Discussion Question


Part 2 A – 38V3.0


www.LearnCia.com

Give a brief definition of regression analysis.

Sample answer: Statistical technique used to measure the amount of change in one value caused by change in another.

Discussion Question

4020 60 80 100 120

Sales Revenues

(USD)

140

70,00060,000

50,000

40,000

30,000

20,000

10,000

0

Marketing Expenditures (USD)


Part 2 A – 39V3.0


www.LearnCia.com

What are some common types of analytical comparisons?

Sample answer:Period-to-period comparisons of performance—quarter to quarter, etc. Comparisons of actual revenues, profits, etc.to budgets and forecastsComparisons with other causal factors such as benchmarks or best practices

Discussion Question


Part 2 A – 40V3.0


www.LearnCia.com

Other Analytical Considerations• Significance of the area under examination• Degree of risk in the area under examination• Availability and reliability of information• Prediction of analytical results• Availability and comparability of information

regarding the industry in which the organization operates

• Extent to which engagement procedures support results


Part 2 A – 41V3.0


www.LearnCia.com

“Internal auditors must document relevant information to support the conclusions and engagement results.”

Standard 2330

2330.A1—CAE controls access to engagement records and obtains approval of senior management and/or legal counsel prior to releasing records.

2330.A2—CAE must develop retention requirements consistent with organization and regulatory requirements.

2330.C1—CAE must develop policies for retention and release of records (internal and external).


Part 2 A – 42V3.0


www.LearnCia.com

What are the purposes of working papers?

Engagem

ent

working

papers

Support engagement communications.

Aid engagement planning, performance, and review.

Document achievement of engagement objectives.

Facilitate third-party reviews.

Provide basis for quality assurance and improvement program.

Demonstrate compliance with Standards.

Discussion Question


Part 2 A – 43V3.0


www.LearnCia.com

Engagem

ent

working

papers

The organization, design, and content of engagement working papers depend on the engagement’s nature and objectives and the organization’s needs.

Working papers document all aspects of the engagement process from planning to communicating results.

Documenting the Engagement (PA 2330-1)

Internal audit activity determines the media used.


Part 2 A – 44V3.0


www.LearnCia.com

Necessary Working Paper Contents

Engagem

ent

working pap

ers

• Should contain all the work done during the engagement

• Should document the audit’s objectives and methods so thoroughly that a new auditor, added to the project at any point, could fully comprehend the engagement from the working papers and bring the audit to a successful conclusion


Part 2 A – 45V3.0


www.LearnCia.com

Working Paper Format

Engagem

ent

working

papers

Magnetic

disk

Engagement identification; description of contents or purpose

Signature or initials of IA performer and date

Index or reference number of the working paper

Explanation of verification (tick marks, etc.)

Clear identification of datasourcesSummaries


Part 2 A – 46V3.0


www.LearnCia.com

Who is responsible for control of working papers, and why is control a significant concern?

Answer: CAE is responsible for retention policies (2330.A1).

Issues: Crucial to engagement success or survival and may contain confidential information.

Discussion Question


Part 2 A – 47V3.0


www.LearnCia.com

Engagement Supervision

Assures that engagement has been carried out according to high quality standards, objectives achieved, staff evaluated for professional development.

Span of CAE Engagement Supervisory Responsibility

Planning

preparation

Data

analy

sisFraud

aware

ness

Data

gatheri

ng

Findings

Communicatio

n

Follow-up

Staff

develo

ped

CAE

dd/mm/yy

yy


Part 2 A – 48V3.0


www.LearnCia.com

Elements of Proper Engagement Supervision

• Trained auditor—knowledge, skills, and competencies to perform.

• Proper instructions during the planning and approval of engagement program.

• Program is completed and modified using accepted practices.

• Working papers support observations, conclusions, and recommendations.

• Communications are accurate, objective, clear, concise, constructive, and timely.

• Engagement objectives are met.

• Opportunities for developing auditors’ knowledge, skills, and competence.


Part 2 A – 49V3.0


www.LearnCia.com

What are some reasons for filing an interim report?

Sample answer: To alert management to information too important to put on hold, including information that requires immediate attention, a change in scope, and strong suspicion of fraud. (See PA 2410-1.)

Discussion Question


Part 2 A – 50V3.0


www.LearnCia.com

Discussion QuestionFindings should be based on solid facts. What are the five parts of a finding?

Fact

s

Fact

s

Fact

s

Fact

s

Fact

s

Fact

s

Criteria Condition Cause Effect Recommendation

Internal Audit Finding

Answer:


Part 2 A – 51V3.0


www.LearnCia.com

The course of action that is most practical and economical in correction of the disparityThe objectives that should be kept in mind when recommending corrective actionThe considerations for management in setting forth an improved course of actionThe open choices and how they measure up when compared with the objectivesThe best choice with the least unsatisfactory side effectsThe mechanism that should be suggested to control the corrective action after it is taken

Recommendation Considerations


Part 2 A – 52V3.0


www.LearnCia.com

The Nature of Audit Opinions (PA 2410-1)

The activity reviewed in this internal audit is/is not functioning as intended.

Your program objectives do/do not conform to organizational objectives.

Your organizational objectives are/are not being met.

Audit Opinion

Audit Opinion

Audit Opinion


Part 2 A – 53V3.0


www.LearnCia.com


Draw Conclusions


Part 2 A – 54V3.0


www.LearnCia.com

Recommendation Do’s & Don’ts

Tell management how to manage.

Incorporate audit conclusions and opinions.Call for action.Suggest options to achieve desired results.Make either general or specific suggestions.Consult with management.Obtain agreement on results and action plan to improve operations.Document disagreement.

Do Don’t

Do

Do

Do

Do

Do

Do


Part 2 A – 55V3.0


www.LearnCia.com

SMART Model for Composing Recommendations

SMART

Specific Measureable Action-oriented

Relevant Time-based


Part 2 A – 56V3.0


www.LearnCia.com


Develop Recommendations When Appropriate


Part 2 A – 57V3.0


www.LearnCia.com

The Engagement’s Finale

Final reportDiscuss conclusions and

recommendations.

Resolve misunderstandings or misinterpretations.

Agree on possible solutions to identified problems.

Express appreciation to client for cooperation in the audit.

Exit conferenceRough draft


Part 2 A – 58V3.0


www.LearnCia.com

Ensure the right people attend.Provide the necessary documents in advance.Set the agenda and manage the meeting.Explore and resolve as many issues as possible.Provide clear messages, even about difficult issues.Thank the audit customer for cooperation.Hold a post-meeting debriefing with the audit team.

Exit Conference Best Practices


Part 2 A – 59V3.0


www.LearnCia.com

According to PA 2440-1, you should obtain management response before issuing final communications. What are some reasons for doing so?

Sample answer: Improves chances ofserious discussion, resolving misunderstandings, and ultimately gaining positive action onrecommendations.

Discussion Question


Part 2 A – 60V3.0


www.LearnCia.com

What are some suggestions for making delivery of the final report successful?

Sample answer:• Assume partnership with the client.• Move from general to specific.• Start and end on a positive note.• Present opportunities—but be realistic.• Emphasize the “effects” aspect of findings.

Discussion Question


Part 2 A – 61V3.0


www.LearnCia.com

Final Report Format (PA 2410-1)

Background

Engagement purposeEngagement scope

Results

SummariesClient accomplishments

Client views

May include

Must include

M

ust i

nclu

de

May

incl

ude


Part 2 A – 62V3.0


www.LearnCia.com

Who should approve the final report and to whom should it be distributed?

Answer:• CAE should approve and sign report and be

responsible for distribution.• Recipients should include those who can

take corrective action. Higher-ups may receive summaries, and communications can go to external auditors, the board, and appropriate others.

Discussion Question


Part 2 A – 63V3.0


www.LearnCia.com

What are some questions the internal auditor should ask the engagement client?Sample answer:• Were your expectations positive or negative?• Did we confirm, exceed, or fail to meet expectations?• Was the audit conducted professionally? • Was the audit disruptive? Did we honor your schedule requests?• Was the audit performed in a timely manner?• Did your staff and management have good relations with audit staff?• Did you request assistance? Was it provided?• Did the audit findings help you improve in desired areas?• How could we improve our engagement performance?

Discussion Question


Part 2 A – 64V3.0


www.LearnCia.com

Dual Track for Performance Appraisals (Standard 1300—Quality Assurance)

Annual performance appraisal (CAE)

Annual performance appraisal (CAE)

Post-audit appraisal (auditor-in-charge)




Part 2 A – 65V3.0


www.LearnCia.com

Internal Audit Designated Competencies


Part 2 A – 66V3.0


www.LearnCia.com

What are some strong and weak points of post-engagement performance reviews?

Discussion Question

StrongImmediate, based on fresh impressions

WeakWide variation for different audits, different reviewers

Sample answer:


Part 2 A – 67V3.0


www.LearnCia.com

What are some issues that should be discussed in the post-engagement performance review?

Discussion Question

Sample answer:• Quantity of work• Quality of work:

— Accurate computations— Appropriate tests— Thorough fieldwork— Useful final working papers— Written and oral

presentations

• Grasp of procedures• People skills• Technical skills• Business knowledge


Part 2 A – 68V3.0


www.LearnCia.com

Begin with an outline.

Face-to-Face Meeting Guidelines

Schedule in advance.

End with a summary.

Give honest appraisal.

Ask for self-assessment.

“How’s Thursday at 4:00 p.m.?”

“You did a very professional job, for the most part…”

“What do you think were your strong points and what are your areas for development?”

“Can we talk about a few more effective techniques you can use in the future?”

“Let’s review main points and commitments for development.”


Part 2 A – 69V3.0


www.LearnCia.com

End of Section A

Questions?

Part 2, Section A

audit engagement overview

Documents