CHAPTER 2

1. List three reasons management may ask for an operational audit to be performed, and
explain how the audit program would be impacted by each of them.

 Poor performance - Inefficiencies, waste, rework, or complaints from customers and

vendors may trigger management involvement, resulting in their request to have the
matter reviewed by internal audit.
 Compliance issues - These can be the result of internal quality control initiatives that
identify anomalies. In the case of regulators and inspector reviews that identify
instances of noncompliance at other organizations, the internal audit department may
investigate conditions at their organization to determine if a similar problem exists at
home, help to monitor the situation, and verify that follow-through on corrective
actions take place in anticipation of future additional compliance reviews by external
parties, such as regulators.
 Anomalous revenues or expenses - While increases in sales is always welcome news, if
these figures appear dubious, internal audit may review the related transactions to
verify they are all legitimate, they have been recorded in the correct amount, and
posted during the correct period. Similarly, unusually high or low, or otherwise
questionable expenses, are likely to result in the request for a thorough review.

2. Explain the importance of identifying risk factors and using them during the planning
phase.

Risk factors play an important role during planning, and in particular, during risk assessments.
Risk factors are conditions and other variables that in their present, or absence, as the case may
be, either exacerbate or diminish the underlying risk. The presence of some factors increases
the likelihood or impact of the underlying risks. On the other hand, the presence of some
factors actually decreases the likelihood or impact of the underlying risks.

3. Explain how an auditor would perform each of the following procedures:

 Trace - This involves tracing a transaction from the source (e.g., a cash receipt, file
creation) to its destination, which could be a financial, operational, or regulatory report
 Vouch - This involves the “reverse-trace” of a transaction from the destination (e.g.,
financial, operational, or regulatory report) to its source (e.g., sales order, purchase, and
time sheet)
  Reconcile - Tie information from two separate sources to verify the accuracy or
expected discrepancies
 Foot - Add the items in a column
 Cross-foot - Add the items in a row

4. What is testimonial evidence and how is it gathered?

Testimonial evidence consists of verbal or written statements or assertions given by someone

as proof regarding the matter being discussed. In the case of internal audits, anyone being
audited may be asked to give testimonial evidence during interviews about a variety of topics.
Examples include the steps performed while processing a loan application, how the employee
pays incoming invoices, the procedures to record the purchase of inventory in the accounting
system, or the steps followed when notified that an employee has been hired and access needs
to be granted to the computer systems.

5. Give two examples where observation is a useful technique to examine operational risks
and related controls.

 Observe the security measures to prevent unauthorized individuals from entering the
facility
 Observe the customer service area layout to better understand the flow of customers

6. Give two examples where document inspection is a useful technique to examine

operational risks and related controls.

 Policy statements
 Procedures documentation

7. Explain professional skepticism and why it is important for all auditors.

Although internal auditors are encouraged to use a conversational and participative approach
when conducting their reviews, they must also remember that they are tasked with verifying
the integrity of the information gathered and make sure their conclusions are sound. When
obtaining and using evidence, internal auditors should display healthy professional skepticism
and verify the quality of the information gathered and used. Internal auditors should be
sufficiently suspicious of data received and reasonably verify that the information is free from
manipulation or modification in ways that can compromise its quality. When there are doubts,
the auditor must determine if those conditions make the evidentiary matter too unreliable for
use. Similarly, internal auditors should approach interviews and meetings with sufficient
skepticism, always attempting to verify the information provided, corroborate the testimony
received, and observing behavioral changes that could indicate deceit.

8. Provide three benefits of drawing process maps (flowcharts or value stream maps, as some
would rather call them.

 A teaching tool
 Managerial tool for discussion and analysis
 Errors may stand out and be obvious

9. What is an internal controls questionnaire and how can auditors use it during the planning
and fieldwork phases of audits?

An internal control questionnaire (ICQ) helps to evaluate internal controls in specific areas by
asking key questions. Internal auditors often use ICQs as a starting point and then supplement
them with other information gathering and control evaluation techniques such as flowcharts
and document reviews. They are used by process owners to help them assess their
operation.ICQs can also be very helpful when the auditor needs to collect large amounts of
information. This can be the case when the audit involves multiple locations, or there are many
individuals with information that the auditor needs, but interviewing each person individually
and sequentially will delay the completion of the audit. In those cases, preparing and sending a
questionnaire can be very helpful to collect large amounts of data quickly

10. Explain the acronym CCCER.

 Criteria - What was expected? It consists of what should exist or occur

 Condition - What actually exists? What the auditor discovered as a result of the
performance of audit procedures
 Cause - The reason the condition exists and why it is different from the criteria.
Auditors - should focus on the root cause of the problem and avoid focusing on
symptoms
 Effect - Also referred to as the consequence. It consists of the impact of the condition
 Recommendation - This is the action item necessary to correct the condition so
performance is consistent with the criteria