Internal Audit Process
[Figure: audit cycle of Planning, Performing, Communicating, and Monitoring]
ISPPIA
Performance Standards
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks
• The results of the internal audit activity’s work achieve the purpose and
responsibility included in the internal audit charter;
• The internal audit activity conforms with the Definition of Internal Auditing and the
Standards; and
• The individuals who are part of the internal audit activity demonstrate conformance
with the Code of Ethics and the Standards.
The internal audit activity adds value to the organization (and its stakeholders) when
it provides objective and relevant assurance, and contributes to the effectiveness and
efficiency of governance, risk management, and control processes.
2010 – Planning
The chief audit executive must establish risk-based plans to determine the
priorities of the internal audit activity, consistent with the organization’s goals.
[Figure: Audit Universe diagram. Labels recovered: Strategic, Financial reporting, Operations, Compliance, Accounting and reporting, Liquidity and credit, Capital structure, Market, Tax, Market Dynamics, Sales and Marketing, Major initiatives, Supply Chain, Mergers, Acquisitions, and divestiture, Information Technology, Planning and Resource Allocation, People/Human Resources, Governance, Hazards, Communication and investor Relations, Code of Conduct, Regulatory, Legal, Physical Assets]
Audit Universe
- List of all the possible audits that could be performed
- Include components of strategic plan
- Basis for the audit plan
- Should be assessed at least annually
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief
audit executive takes into account the organization’s risk management framework,
including using risk appetite levels set by management for the different activities or
parts of the organization. If a framework does not exist, the chief audit executive uses
his/her own judgment of risks after consideration of input from senior management
and the board. The chief audit executive must review and adjust the plan, as
necessary, in response to changes in the organization’s business, risks, operations,
programs, systems, and controls.
Enterprise Risk Management
A process, effected by an entity’s board of directors, management, and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within its
risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.
2010.A1 – The internal audit activity’s plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The input of senior
management and the board must be considered in this process.
2010.A2 – The chief audit executive must identify and consider the expectations of
senior management, the board, and other stakeholders for internal audit opinions
and other conclusions.
2010.C1 – The chief audit executive should consider accepting proposed consulting
engagements based on the engagement’s potential to improve management of
risks, add value, and improve the organization’s operations. Accepted engagements
must be included in the plan.
2050 – Coordination
The chief audit executive should share information and coordinate activities with
other internal and external providers of assurance and consulting services to
ensure proper coverage and minimize duplication of efforts.
Three Classes of Assurance Provider
1. Report to/part of management – control self-assessment, quality auditors,
environmental auditors and other management-designated
2. Report to the Board – internal audit
3. Report to external stakeholders – external audit
Practice Question
You are the chief audit executive of a parent organization that has foreign
subsidiaries. Independent external audits performed for the parent are not
conducted by the same firm that conducts the foreign subsidiary audits. Because
the internal audit activity occasionally provides direct assistance to both external
firms, you have copies of audit programs and selected working papers produced by
each firm.
The foreign subsidiary’s auditors would like to rely on some of the work performed
by the parent organization’s audit firm, but they need to review the working papers
first. They have asked you for copies of the working papers of the parent
organization’s audit firm. What is the most appropriate response to the foreign
subsidiary’s auditors?
A. Provide copies of the working papers without notifying the parent’s audit firm.
B. Refuse to provide the working papers under any circumstances.
C. Notify the parent’s auditors of the situation and request that they either provide
the working papers or authorize you to do so.
D. Provide copies of the working papers and notify the parent’s audit firm that you
have done so.
Audit Cycle: Planning, Performing, Communicating, Monitoring
2210.A2 – Internal auditors must consider the probability of significant errors, fraud,
noncompliance, and other exposures when developing the engagement objectives.
2220.C2 – During consulting engagements, internal auditors must address controls consistent
with the engagement’s objectives and be alert to significant control issues.
Audit Methodologies/Procedures
Engagement Work Program
➢ The process of collecting, analyzing, interpreting, and documenting information
needs to be supervised to provide reasonable
assurance that:
✓ Engagement objectives are met
✓ Internal auditor objectivity is maintained
GATHERING AUDIT EVIDENCE
Sufficient – information is factual, adequate, and
convincing so that a prudent, informed person would
reach the same conclusions as the internal auditor
➢ Evidence is sufficient if there is enough of it to
support the auditors’ findings
➢ In determining the sufficiency of evidence, it may be
helpful to ask: Is there enough evidence to persuade
a reasonable person of the validity of the findings?
➢ Sufficiency deals with the persuasiveness of the
evidence
Sufficient evidence
➢Statistical methods may be used to establish
sufficiency. When sampling methods are used, the
concept of sufficiency of evidence means that the
samples selected provide reasonable assurance
that they are representative of the sampled
population
➢Interviewing the auditee is not enough to provide
sufficient evidence.
Example: Sufficient evidence
o Verifying the quantity of fixed assets on hand by physical
observation would provide the most persuasive evidence of
quantity on hand.
o Using test data, an auditor has processed both normal and
atypical transactions through a computerized payroll system
to test calculations of regular and overtime pay amounts.
Sufficient competent evidence of controls exists if test data
results are compared to predetermined results or
expectations.
o The audit procedure that provides the most persuasive
evidence about the loan’s collectibility is to examine the
documentation of a recent, independent appraisal of the
real estate that was used as security.
o The most persuasive evidence that the incoming supply counts
are made by the receiving department is a periodic observation
by the internal auditor over the course of the audit.
o “A positive confirmation received directly from the customer” is
the most persuasive evidence
concerning the existence and valuation of a receivable.
o If the audit objective is to gain evidence that payment has actually
been made for a specific invoice from a vendor, the most
persuasive evidence would be obtained by a canceled check,
made out to the vendor and referenced to the invoice, included in
a cutoff bank statement, which the auditor received directly from
the bank.
o If an auditor wants assurance of the existence of inventory stored
in a warehouse, the most persuasive evidence is to physically
observe the inventory in the warehouse.
o Externally prepared documents (e.g., invoice) would provide
the most persuasive evidence regarding an asset value that
was acquired.
o A physical examination would provide the most persuasive
evidence for testing the existence of an asset.
Reliable/Competent evidence – competent and best
attainable using appropriate methods.
➢ Information is reliable when the internal auditor’s result
can be verified by others
➢ Information should consist of what may be collected using
reasonable efforts subject to such inherent limitations as
the cost-benefit constraint
➢ “Competent” evidence is satisfied by an original signed
document, but copies do not provide
competent evidence.
➢ Evidence that is both available and reliable is competent.
➢ Competent information is reliable and the best available
through the use of appropriate audit functions.
➢Evidence is more reliable if it is
✓ Obtained from sources independent of the
engagement client
o Confirmation of receivables
o Expert appraisals
2330.A2 – The chief audit executive must develop retention requirements for engagement
records, regardless of the medium in which each record is stored. These retention
requirements must be consistent with the organization’s guidelines and any pertinent
regulatory or other requirements.
TYPES OF AUDIT EVIDENCE
A. Observed processes and existence of physical
items
B. Documentary audit evidence
C. Representations
D. Analysis
A. Observed processes and existence of physical
items:
✓Observation of:
o Activities
o Property
o Information System functions
✓ Example
o Inventory of media in an offsite storage location
o Computer room security system in operation
B. Documentary audit evidence – recorded on
paper or other media
✓ Results of data extraction
✓Records of transactions
✓Program listings
✓Invoices
✓Activity and control logs
✓ System development documentation
C. Representations – of those being audited
✓Written policies and procedures
✓System flowcharts
✓Written or oral statements
D. Analysis – the results of analyzing information
through the following can also be used as audit
evidence:
✓Comparisons
✓Simulations
✓Calculations
✓Reasoning
➢ Example:
✓ Benchmarking IS performance against other organizations or
past periods
✓ Comparison of error rates among applications, transactions,
and users
SELECTION OF AUDIT EVIDENCE
A. Primary information - is first hand
information from an original source. Primary
information is usually expensive to gather
B. Secondary information - is second hand and
inexpensive.
C. Internal sources - involve facts about an
organization (sales data, customer data,
financial data, and product data).
➢Internal sources are used in planning and
performance measurement.
D. External sources - are facts about the world
outside the organization.
➢ This information involves facts about
competitors, markets, demographics, the
environment, and the economy.
EVALUATION OF AUDIT EVIDENCE
Audit evidence - is information that provides a
factual basis for audit opinions.
A. Physical evidence - obtained by direct inspection
or observation of people, property, or events.
➢Such evidence may be documented in the form of
memoranda summarizing the matters inspected or
observed, photographs, charts, maps, or actual
samples.
➢An auditor’s observation of the functioning of an
internal control system produces physical evidence.
➢Example
o taking a photograph of the auditees’ workplace
o observing conditions
o test counting a batch of inventory
o testing the existence of an asset
B. Documentary evidence - consists of created
information, such as letters, contracts, accounting
records, invoices, and management information on
performance.
➢Example
o a page of the general ledger containing irregularities
placed there by perpetrator of a fraud
o determining whether erroneous billings occurred when the
auditor for a construction contractor finds material costs
increasing as a percentage of billings and suspects that materials
billed to the company are being delivered to another contractor.
o A contract is the most appropriate evidence for the auditor to
obtain and review when evaluating the propriety of a payment to
a consultant.
C. Testimonial evidence - obtained from others through statements received
in response to inquiries, through interviews, or through responses to
questionnaires.
➢ Example:
o a written, signed statement from an interviewee in response to a
question asked by an auditor during an interview.
o written statement by or a letter from an auditee in response to a specific
inquiry made by an auditor
o letter from the company’s attorney in response to inquiries about
possible litigation
D. Analytical evidence - includes computations,
comparisons, reasoning, and separation of
information into components
➢Example:
o to evaluate the reasonableness of the quantity of
scrap material resulting from a certain production
process compared to industry standards
o to evaluate the reasonableness of account balances
o concluding that there was an adequate separation of
duties in the counting and recording of cash receipts
Analytical Procedures
- Studying and comparing relationships among both financial and nonfinancial information
- Efficient and effective means of obtaining evidence
Useful in identifying
- Potential errors
- Potential fraud
- Other unusual transactions
ANALYSIS AND EVALUATION
➢ Analytical auditing procedures – may include
✓ Comparison of current period information with similar
information for prior periods
✓Comparison of current period information with budgets or
forecasts
✓Study of relationships of financial information with the
appropriate nonfinancial information (for example, recorded
payroll expense compared with changes in average number of
employees)
✓Study of relationships among elements of information (for
example fluctuation in recorded interest expense compared with
changes in related debt balances)
✓Comparison of information with similar information for
organizational units
✓Comparison of information with similar information for the
industry in which the organization operates
➢Analytical auditing procedures – may be
performed using:
✓ monetary amounts
✓Physical quantities
✓Ratios
✓Percentages
➢ Specific analytical auditing procedures –
✓ Ratio
✓ Trend
✓ Regression analysis
✓ Reasonableness test
✓ Period to period comparisons
✓ Comparison with budgets, forecasts, and external economic information
AUDIT PROCEDURES
A. Interviewing
B. Recomputing
C. Detail Testing
D. Observation
E. Scanning
F. Statistical sampling
G. Verification
A. Interviewing – means of gathering vital information
✓ Vital Skill – Standards require auditors to be skilled in interviewing
✓ Helpful in obtaining an understanding of client operations – opportunity to
ask questions to clarify preceding answers or to pursue additional
information
✓ The results should be promptly and accurately recorded to provide
documentation
o Avoids the ill effects of memory lapses by both internal auditors
and clients
✓ Given the inherent unreliability of client testimony – it should be
corroborated whenever possible
o Testimonial information provided by an independent third party
may sometimes be sufficient
B. Recomputing – means of gathering information that is reliable but
limited in value
✓ A computation done directly by the internal auditors provides
strong and unbiased information regarding accuracy
✓One limitation of recomputation is that it does not provide
information about the reliability of the input
o Recomputing interest income may be of little use if the underlying
receivables are unlikely to be collected
C. Detail testing – examination of documents created as part of the
activities and transactions being reviewed
✓ Vouching – verifying recorded amounts by examining the
underlying documents from final documents to the original
documents
o Working backward
o Provide information that recorded amounts reflect valid transactions
o Supports existence or occurrence assertion
Interpretation:
Opinions at the engagement level may be ratings, conclusions, or other descriptions of the
results. Such an engagement may be in relation to controls around a specific process, risk, or
business unit. The formulation of such opinions requires consideration of the engagement
results and their significance.
➢ Observation and Recommendation should be
based on the following attributes:
✓ Criteria – standards, measures, or expectations
used in making an evaluation and/or verification
(what should exist)
✓ Condition – the factual evidence that the internal
auditor found in the course of the examination
(what does exist)
✓ Cause – the reason for the difference between the
expected and actual conditions (why the
difference exists)
✓ Effect – the risk or exposure the organization or
others encounter because the condition is not
consistent with the criteria (impact of the
difference)
2410.A3 – When releasing engagement results to parties outside the organization, the
communication must include limitations on distribution and use of the results.
➢ The FINAL COMMUNICATION at a minimum
should contain the following
✓ Purpose
✓Scope
✓Result
➢ It should include background information and summaries
✓ Background Information - includes activities reviewed and status
of Observations, Conclusions, and Recommendations from prior
reports
o It may show indication of whether the report covers a
scheduled engagement or is responding to request.
✓ Summaries – balanced representation of the engagement
communication’s content.
➢ Purpose statement – should describe the
engagement objective and may, if necessary,
inform the reader why the engagement was
conducted and what it was expected to
achieve
➢Scope – should identify the reviewed activities
and include, when appropriate, supportive
information such as time period reviewed.
✓ Related activities not reviewed should be identified if
necessary to delineate the boundaries of the
engagement.
✓The nature and extent of engagement work performed
should also be described.
➢ Results –should include:
✓ Observation
✓Conclusion (opinions)
✓ Recommendations
✓Action plans
➢ Observations – pertinent statement of fact
✓ Also known as findings
✓ Observations necessary to support or prevent
misunderstanding of the internal auditor’s
conclusions and recommendations- should be
included in the final engagement communications.
✓Less significant observations or recommendations
may be communicated informally
✓Whether or not there is a difference - the internal
auditor has a foundation on which to build a
report
o When conditions meet the criteria, acknowledgment
in the engagement communications of satisfactory
performance may be appropriate.
➢ Conclusions (Opinions) – internal auditors’
evaluations of the effects of the observations
and recommendations on the activities
reviewed
✓ If included in the engagement report, should be
clearly identified
✓Example:
o Whether operating or program objectives and goals
conform with those of the organization
o Whether the organization’s objective and goals are
being met
o Whether the activity under review is functioning as
intended.
➢Recommendations – based on the internal
auditor’s observations and conclusions
✓ Include recommendations for potential
improvements, acknowledgment of satisfactory
performance, and corrective actions
✓They call for action to correct existing conditions
or improve operations
✓It may suggest approaches to correcting or
enhancing performance as a guide for
management in achieving desired results
➢Engagement client accomplishments may be
included in the engagement final
communications
✓ This information may be necessary to fairly
present the existing conditions and to provide a
proper perspective and appropriate balance to the
engagement final communications
• Principle or rule of conduct of the Code of Ethics or Standard(s) with which full
conformance was not achieved;
• Reason(s) for nonconformance; and
• Impact of nonconformance on the engagement and the communicated engagement
results.
2440.C2 – During consulting engagements, governance, risk management, and control issues
may be identified. Whenever these issues are significant to the organization, they must be
communicated to senior management and the board.
• The scope, including the time period to which the opinion pertains;
• Scope limitations;
• Consideration of all related projects including the reliance on other assurance providers;
• The risk or control framework or other criteria used as a basis for the overall opinion; and
• The overall opinion, judgment, or conclusion reached.
Practice Question
A follow-up review found that a significant internal control weakness had not
been corrected. The chief audit executive (CAE) discussed this matter with
senior management and was informed of management’s willingness to accept
the risk. The CAE should
A. Assess the reasons that senior management decided to accept the risk and
inform the board of senior management’s decision.
B. Inform senior management that the weakness must be corrected and
schedule another follow-up review.
C. Do nothing further because management is responsible for deciding the
appropriate action to be taken in response to reported engagement
observations and recommendations.
D. Initiate a fraud investigation to determine if employees had taken
advantage of the internal control weakness.