Oct/Nov 2014 QUESTION 2 20 marks You are an intemal auditor at Priceless Memones Ltd You have been working together well as a team and management seems to be very supportive of the internal audit actvty. ‘The Chief Executive Officer (CEO), Mr Douglas requests the internal audit actiuity to assist with the followang tasks as other departments have too much work to do |. Performing the monthly bank reconciliations on the company’s bank account | Evaluating the adequacy and effectiveness of the controls in the Sales, Recatvables and Cash Receipts cycle |. Performing inventory counts every month as part of the company’s internal control over its perpetual inventory 1V, Searching for suitable financial staff. VV Conducting a review of the extent to which the marketing department ‘complies with the policy and procedures laid down by the company \VI__ Designing the nsk management process for the company Vil Conducting @ contro} self-assessment training for management of the company REQUIRED Marks 21 Indicate for each of the tasks (I-VI) above whether it should be (14) performed by the internal audit activity or not Give reasons for your answer |) Internal audit should NOT take on this task or responsibility. The bank reconciliation is a routine accounting procedure that is the responsibility of the accounting department. The performance of the reconciliation is, in itself, an internal control which may from time to time be “internally audited” to determine whether the control is operating as it was designed to, I) Internal should carry out this procedure. As per standard 2130.A1 - The internal audit activity must assist the organisation by evaluating the adequacy and effectiveness of controls regarding the reliability and integrity of financial and operational information. Il) Internal audit should not be part of the monthly internal control routines such as inventory counts. Internal audit should attend and observe cycle counts and indeed perform a sample of test counts, but this would be to evaluate the company's Inventory controls. IV) Internal audit should not be involved in “head hunting”, because this is a human resource function. At a later stage internal audit might be required to audit work performed by the person they had “head hunted"; doing the "head hunting” themselves would impair their independence. \V) Internal audit could take responsibility for this review. It can be conducted as a compliance audit. VI) At most the internal audit activity could assist in the design of the risk management process but in a way that does not compromise independence. The nature of an internal audit is one of“evaluation” and “review” rather than one of creating systems. It does this by identifying and evaluating the organisation's exposure to risk, assessing the risk during the course of engagements and improving the risk management process. Internal audit can provide advice to management on risk management. Vil) Internal audit should conduct this procedure. It falls under the consulting services provided by internal audit. 2.2 The CEO has requested additional information on the types of audits (6) (such as fraud audits, IT audits, etc) that intemal auditors can perform Identify the type of audit from the following definitions 221 Thistype of audit entails a systematic and independent examination to determine whether quality-related activities are implemented effectvely and are complying with the quality systems and standards 222 In this type of audit, the auditor looks for evidence relating to the reliabilty and integnty of financial information 223 This type of audit involves firstly determining management's objectives, followed by establishing whether the existing management controls wall lead to effectiveness, efficiency and economy 224 In this type of audit, a comprehensive examination of the facility 1s conducted to determine whether it 1s complying with environmental laws and regulations 2.2.1 Quality audits 2.2.2 Financial audits 2.2.3 Performance audits 2.2.4 Environmental audits QUESTION 3 18 marks You act as a mentor to juntor internal auditors in the internal audit department Your responsibilities include assisting junior auditors with their studies and other aspects of ther training as internal auditors ‘Answer the following quenes posed to you by a new junior internal auditor during a mentonng sessionREQUIRED 3.1 The intemal audit process consists of four (4) phases The third (5) phase is audit fieldwork List the benefits of compiling audit working Papers during this phase Engagement working papers generally: + Aid in the planning, performance, and review of engagements. * Provide the principal support for engagement results. ‘+ Document whether engagement objectives were achieved, + Support the accuracy and completeness of the work performed, + Provide a basis for the internal audit activity’s quality assurance and improvement program. * Facilitate third-party reviews. 3.2 According to IIA Standards 2420, communication must be accurate, (6) objective, clear, concise, constructive, complete and timely Define the terms: 32.1 clear 322 accurate 3.2.3 concise 324 constructive 3.2.1 Clear - Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information. 3.2.2 Accurate - Accurate communications are free from errors and distortions and are faithful to the underlying facts. 3.2.3 Concise - Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. 3.2.4 Constructive - Constructive communications are helpful to the engagement client and the organisation and lead to improvements where needed. Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances. Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions. Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.33 There 1s a glossary of internal auditing terms Match column A (term) with its corresponding definition in column B Your answer should look as follows 331 Risk-@ ‘Column A - term ‘Column B - definition 337 Risk ‘a, Any action taken by management, the board, and other parties to manage nsk and increase the likelihood that established objectives and goals will be achieved 332 Chief Audit Executive An objective examination of evidence for the purpose of providing an independent assessment on governance, tisk management, and control processes tor the organisation 333 Consulting services c. A process to identify, assess, manage, and control potential ‘events oF situations to provide reasonable assurance regarding the achievement of the organisation's objectives 334 Control dA person in a Senior position responsible for effectively managing the internal audit activity in accordance with the ”internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards 335 Objectivity ‘Advisory and related chant service activities, the nature and scope of which are agreed with the client, are Intended to add value and improve an organisation's governance, risk management, and contro! processes without the internal auditor assuming management responsibilty. 336 Independence An unbiased mental attitude that allows internal auditors to perform engagements in such ‘a manner that they believe in their work product and that no quality compromises are made 3.37 Control processes The possibilty of an event occurring that will have an impact on the achievement of objectives.h_ The policies, procedures, and activites that are part of a control framework, designed to ensure that msks are contained within the risk tolerances established by the nsk management process. 1. The freedom from conditions that threaten the ability of the Internal audit activity to carry out internal audit responsibilities in an unbiased manner 3.3.1 Risk~G- The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. 3.3.2 Chief audit executive ~ D - Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. 3.3.3 Consulting services -E- Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organisations governance, risk management, and control processes without the internal auditor assuming management responsibility, 3.3.4 Control-A- Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. 3.3.5 Objectivity -F- An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made, 3.3.6 Independence -|- The freedom from conditions that threaten the ability of the internal, audit activity to carry out internal audit responsibilities in an unbiased manner. 3.3.7 Control processes -H- The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organisation is wiling to accept.QUESTION 4 25 marks All internal auditors are requifed, in the course of their duties, to adhere to the elements of the International Professional Practices Framework (IPPF) established by the Institute of Internal Auditors (IIA) ane \ Standards The Intemational Standards consists of Attnbute, Performance and Implementation Standards. REQUIRED Marks 4.1 Identify which Standard (Attnbute, Performance or Implementation) 1s (5) being referred to from the following characteristics 411 These Standards comprise the 1000 senes 412 These Standards describe the nature of internal audit services and provide quality cntenia against wich the performance of these services can be measured 413 These Standards compnse the 2000 senes 414 These Standards provide guidance applicable in specific types of engagements 415 These Standards address the characteristics of the internal audit activity and the mdividuals performing the internal audit activities 4.1.4, Attribute 4.1.2, Performance 4.1.3 Performance 4.1.4 Implementation 4.1.5 Attribute42 Conclude and explain, with reference to the IPPF, whether each of the unrelated scenarios below 1s permissible or not. Please provide reasons for each of your conclusions Your answer should be structured as follows Permissible/not permissible (1 mark) marks) Reference to IPPF (@ Reasons (7 mark) aaa 424 4.2.2 423 424 Some of the work on an audit engagement in the procurement 4) section is assigned to an internal auditor whose father 1s heading the section Dunng an audit, you overheard that the chief executive officer (CEO) (4) of the company might be resigning due to fraud allegations against him. You know people who have shares in the company and you decided to inform them about the possibilty that the share price may fall Dunng the planning of an audit of engneenng projects, the auditor's (4) informed that the company’s first project for a mining company 1s amongst the projects completed for the penod to be audited. The auditor includes the audit in the audit scope and makes provision in his planning to consult with mining sector specialists for the audit ‘An intemal auditor accepts an excuse from a manufactunng site (4) ‘manager for ignonng regulations on the treatment of hazardous waste and mentions nothing in his final report 4.2.5 Owing to work and personal constraints, an internal auditor has not (4) attended any internal audit traning for the past two years Permissible/ Not Reference to IPPF | Permissible Reasons 424 Not permissible 1130 = Impairment to Independence or Objectivity 1120 Individual Objectivity Impairment to organisational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding, 1130.C2 ~ if internal auditors have potential impairments to independence or objectivity relating. to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. 422 Not permissible Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties. 423 Permissible 2200 —Engagement Planning Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations. 424 Not permissible 1322 = Disclosure of Non- conformance When non-conformance with the Definition of internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the non-conformance and the impact to senior management and the board 425 Not permissible 1230 — Continuing Professional Development Internal auditors must enhance their knowledge, skill, and other ‘competencies through continuing professional development.QUESTION 5 22 marks ‘The Chief Audit Executive (CAE) requests a private meeting with the audit ‘committee to discuss the internal audit charter, the internal audit activity’s position in Priceless Memones Ltd and tts contribution to the company (One of the audit committee members also wants to discuss the possibility of the CAE reporting to the audit committee 5.1 Mention the five (5) necessary aspects that have to be included in the (6) internal audit charter to grant the internal audit activity the necessary authority. + Access to the books, records, vouchers and accounts + Obtaining information and explanations + Attending meetings * Believing trusted officials 4 Independence of the internal auditor 5.2 Discuss the advantages and disadvantages of the CAE reporting to (3) the audit committee Advantages: ‘This level of reporting gives the internal audit activity a high degree of organisational independence and accessibility because itis reporting to a body with more authority than top executive management, and the majority of members are not involved in the operational matters of the company (executive functions). Disadvantages: 1. Because the audit committee does not meet frequently enough, they do not have the time to support the internal audit activity on a day-to-day basis as an independent reporting facility. Audit committees meet on average four times a year. 2. Because of its function, the audit committee, by its very nature, is apart from the main stream of business activities, As a result, the internal auditor does not always receive necessary information ‘and directives which might enable him to function effectively. 3, The audit committee also has a functional rather than an operational role and itis, therefore, undesirable that members should be involved with the operational or household details of the internal audit activity. Their proper functions would include the final authorisation of audit plans and audit findings, the coordination of audit efforts and the formulation of audit policy.5.3 According to the IIA Standards, recommend what type of reporting is. (2) preferred for independence purposes Dual Reporting 5.4 Lst seven (7) practices that would enhance a good relationship (7) between the audit committee and the intemal audit activity * The chief audit executive should have the following dual-reporting responsibilities: (© functionally to the audit committee, and © administratively to the chief executive officer. ‘The chief audit executive should have ready access to the audit committee. ‘The chief audit executive should have direct and regular communication with the audit committee. * The chief audit executive should attend audit committee meetings. ‘The chief audit executive should regularly meet privately with the audit committee (without management's representatives in attendance). ‘The audit committee should approve the appointment or removal of the chief audit executive. +The audit committee should be advised by the chief audit executive concerning his or her relationship with the external auditors (and on how the internal and external audits are progressing) 5.4 _ Explain the internal auditor's role in investigating fraud ©) ‘The role of the internal audit activity in investigations needs to be defined in the internal audit charter, as well as in the fraud policies and procedures. For example, internal auditing may have the primary responsibility for fraud investigs refrain from involvement in investigations. Internal auditing may refrain from involvement because itis responsible for assessing the effectiveness of investigations or because it lacks the appropriate resources to be involved in investigations. Any of these is acceptable, as long as the impact of these activities on the independence of internal auditing is recognised and handled appropriately. ions, may act as a resource for investigations, or may In addition to advising management, internal auditors may become involved in investigations by: ‘* monitoring the investigation process to help the organisation follow relevant policies, procedures, ‘and applicable laws and statutes (where internal auditing was not responsible for conducting the investigation). + locating and/or securing the misappropriated or related assets. * supporting the organisation's legal proceedings, insurance claims, or other recovery actions. ‘* evaluating and monitoring the organisation’ internal and external post-investigation reporting and communication plans and practices. ‘+ monitoring the implementation of recommended control enhancement.June/July 2014 Question 2 24 marks. You nave been im Iating students The tome tor your ‘audhore® REQUIRED Marks In your lecture, discuss the following topics 2.1 Internal auditing consists of assurance and consulting services For (5) the following services to the audiee, identily whether it is an assurance oF consulting service 211 Assessing whether management's policies and procedures are ‘adhered to 2.1.2 Conducting control self-assessment training 2.1.3 Advising dunng the development of policies and procedures 214 Examining whether control procedures are mitigating the risks identified 215 Providing advice to management on certain enterprise nsk management activities 2.4.4 Assurance 2.1.2 consulting 2.1.3 consulting. 2.1.4 assurance 2.1.5 consulting, 2.2 List ten (10) personal characteristics required of an internal auditor 6) ‘The personal characteristics required of an internal auditor are: + knowledge and competence «awareness of new developments © good human relations © diligence and patience * objectivity and confidence + practical approach * professionalism * independence and sound judgment © due professional care © integrity and pleasant personality2.3 Organisational independence 1s effective when the chief audit (5) executive reports functionally to the board List five (5) responsibilities of the board that would constitute functional reporting ‘+ Approving the internal audit charter; ‘+ Approving the risk based internal audit plan; * Receiving communications from the chief audit executive on the internal audit activity's performance relative to its plan and other matters; ‘+ Approving decisions regarding the appointment and removal of the chief audit executive ‘+ Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations. 2.4 Explain the roles of management and the internal auditor with regard (8) to risk management ‘Management is accountable to the board for designing, implementing and monitoring the process of risk management, and for integrating it into the day-to-day activities of the company, The internal audit activity should assist the board, directors and management through consultation and facilitation in identifying, evaluating and assessing significant risks and by providing independent assurance as to the adequacy and effectiveness of related internal controls and the risk management process. 2.5 — Descnbe the intemal auditor's responsibilities regarding detection of (4) fraud * Consider fraud risks in the assessment of intemal control design and determination of audit steps to perform. + Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. - Be alert to opportunities that could allow fraud, such as control deficiencies. Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program, that timely and sufficient corrective measures have been taken with respect to any noted control deficiencies or weaknesses, and that the plan for monitoring the program continues to be adequate for the program's ongoing success. + Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended. + Recommend investigation when appropriate.QUESTION 3 36 marks You act as a mentor to junior internal auditors in the internal audit department Your Tesponsibilities include assisting junior auditors with their studies and other aspects regarding their training as internal auditors Answer the following quenes posed to you by a new junior intemal auditor dung a mentoring session REQUIRED Marks 3.1 The internal audit process consists of four (4) phases The second (5) phase 1s planning the internal audit (engagement planning) List the five (5) planning steps that shou'd be followed for each audit The planning steps that should be followed for each audit are: Obtain background information of the audit area. (preliminary survey) Identify the engagement objective(s) to be achieved. Consider the audit risk. Determine the allocation of engagement resources. ‘Compile the detailed engagement (audit) programme. sens 3.2 There are different kinds of audit evidence, namely physical, oral, (5) documentary and evidence generated by the internal auditor Examine each of the following items and identify each item as physical evidence, oral evidence, documentary evidence or evidence generated by the internal auditor @ Recalculation of auditee-prepared bank reconciliation to test whether they were completely correctly b Attendance at a wage payout © Whitten statements of auditee personnel in response to inquiries or interview questions 4 Letter of contrmation from the bank in respect of a fixed Gepost hela by tne company (audtes) 2 Inspection of selected assets to confirm their existence a) evidence generated by the internal auditor ) physical evidence ©) oral evidence 4) documentary evidence e) physical evidence3.3 The following data was gathered dunng one of the recent audits of (8) the Cash Disbursements Section One of the findings was on the outdated Delegation of Authonty policy In preparing a report of the findings, each of the items should be classified as crtena, cause, condition and effect Examine the following items and state each item as the Criteria, Condition, Cause and Effect Give reasons for each classification (1 mark per classification and 1 mark for reason) a The delegation of authority 1s updated biannually and not when changes in personne! or responsibilities of authorised individuals occur b The delegation of authority policy list three individuals who are no longer with the company Additionally, four individuals were identified who are new in their positions that should have disbursement authority, but are not listed in the policy ¢ Disbursements may be made that are not in accordance with management's or board's direction d Authority over the disbursement of funds should only be delegated to individuals whose responsibilities justify such authority a) Cause. tis the reason for the difference between the expected and actual conditions (why the difference exists). The auditor expects to find that the DOA was update regularly or when there is @ change in personnel or responsibilities — this is not the case and it is the cause of the situation. 'b) Condition. This is factual evidence that the internal auditor has found in the course of the examination (what does exist) ©) Effect. This is risk or exposure the organisation or others encounter because the condition is consistent with the criteria 4) Criteria. This should be the standard used to evaluate or verify what should exist. 3.4 Internal auditors have an obligation toward their employer to act in (5) good faith in fulfilment of their duties List the duties of an internal auditor towards his or her employer? The following aspects are usually included in this contractual obligation: Internal auditors: 1, may not use confidential information obtained in the performance of their duties for their own gain, or impart such knowledge to third parties 2. should further the interests of their employer's business undertaking. 3. may not perform acts of dishonesty (fraud, theft) against their employer. 4, may not perform acts which are in competition with their employer. 5, may not perform acts of misconduct while performing their duties.3.5 Define the internal charter and also list its elements (4) The internal audit charter is a formal document that defines the internal audit activity’s purpose, ‘authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organisation, including the nature of the chief audit executive's functional reporting relationship with the board; authorises access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board. 3.6 List those actions that could be conducive to good cooperation and (9) coordination between external and internal auditors 1, Acommon audit methodology. 2. Joint training programmes. 3. Joint planning of audit work. 4. Direct assistance with each other's projects. 5. Exchange of audit reports 6. Direct support in that working papers are at each other's disposal 7. Periodic meetings 8. A professional attitude 9. The evaluation by internal and external auditors of the effectiveness of each other's work and reporting on this to management. QUESTION 4 25 marks Read the following statement and the accompanying diagram below and answer the questions that foliow All intemal auditors are required, in the course of their duties, to adhere to the elements of the International Professional Practices Framework (IPPF) established by the Institute of Internal Auditors (IIA) IPPF (International Professional Practices Framework) Practice ‘Gurdos REQUIRED MarksREQUIRED Marks 4.1. The figure above depicts the IPPF and its components Fill in all the (5) missing items in it 4.1.1. Strongly recommended guidance 4.1.2 Definition 4.1.3 International standards 4.1.4 Position papers 4.1.5 Practice Advisories 4.2 Conclude and explain, with reference to the IPPF, whether each of the unrelated scenarios below t= permissible or not Please provide reasons for each of your conclusions. ‘Your answer should be structured as follows, 4.2.1 Simon, an internal auditor conducted an audit on the procurement (4) processes of the organisation He confirmed that suppliers that had failed to deliver any goods to the organisation were still paid The Procurement manager threatened to have him fired if he reported on this Because he could not afford to lose his job, he omitted this finding from the report 4.2.2 The audit plan requires an extensive evaluation of the integrity of the (4) information systems used by the organisation Due to budget constraints, the internal audit activity cannot appoint someone with the necessary experience to perform the required evaluation and nobody in the activity has proper experience for this engagement You then, offered to conduct the audit to the best of your ability At the annual award function of your company, you were presented (4) with the “Employee of the year” award For this, you received a trophy and a cash price of 2 000 4.2.4 John Khumaio, an internal auditor at Skhumbuso (Pty) Ltd, (4) informed you that he purchased a new laptop for his own personal use at great discount He used one of the approved company suppliers through his friend who is the procurement manager at ‘Skhumbuso (Pty) Lid 4.2.5 An internal auditor discloses confidential, engagement-related (4) information that 1s potentially damaging to the organisation in response to a court order (Gleim CIA Review Adapted)Permissible/ Not Permissible Reference to IPPF Reasons 42d Not permissible ‘Objectivity (par 2.3) Integrity (par 1.2) Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. Internal auditors shall observe the law and make disclosures expected by the law and the profession. 422 Not permissible Competency (par 4.) Internal auditors shall engage onl those services for which they have the necessary knowledge, skills, and experience. Permissible Proficiency and Due Professional Care Engagements must be performed with proficiency and due professional care. Not permissible Objectivity (par 2.1) Objectivity (par 2.2) Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This parti includes those activities or relationships that may be in conflict with the interests of the organisation. Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment. This scenario falls under this prohibition, since the auditor's objectivity would be impaired. 425 Permissible Integrity (Par 1.2) Internal auditors shall observe the law and make disclosures expected by the law and the profession. Thus, the internal auditor is legally bound to respond to a court order. The requirement not to use information in any manner detrimental to the legitimate and ethical objectives of the company does NOT override the legal obligation to respond to a court order.Oct/Nov 2013 QUESTION 2 30 marks You are the chief audit executive (CAE) for Infemo Limited, a company listed on the Johannesburg Stock Exchange (JSE) Recently from your interaction with senior management, you realised that they are not well informed of the roles and responsibilities of internal audit You compiled a presentation and presented it to the senior management at the next management meeting At the meeting, some of the managers asked you to explain some issues REQUIRED Marks 2.1 Describe the objective of the internal audit activity (@) The main objective of internal auditing is determined by the needs of the board of directors and management of an organisation 80 as to assist them in improving the governance, risk management and control processes as well as the effective discharge of its responsibilties. The internal auditor must ensure that these needs are addressed in the internal audit report that should be issued after each audit engagement. The internal auditor seeks to advise ‘management on whether its major operations have sound systems of risk management and internal controls. The uncovering of errors and fraud is an ancillary objective. 2.2 The International Professional Practices Framework (IPPF) consists of (8) sx (6) elements Name each element and state whether each is mandatory or strongly recommended (One mark for each element and ¥ mark for classification) Element Mandatory/Strongly recommended Element Mandatory/Strongly recommended 7. The Definition of internal Auditing Mandatory 2. The Code of Ethics Mandatory 3, The International Standards for the Professional | Mandatory Practice of Internal Auditing (Standards) 4, Practice Advisories Strongly recommended 5. Position Papers: Strongly recommended [6 Practice Guides Strongly recommendedFor the following questions, explain your answers with reference to the IPPF. 23 Independence consists of organisational independence and individual (6) ‘objectivity Define the terms ‘organisational independence” and “individual objectivity” 2.4 The Chief Fxecutiva Officer (CFO) enquires why the Internal Audit (4) cannot report administratively and functionally to him List two (2) advantages and two (2) disadvantages as to why this reporting line 1s not recommended 25 One of the senior managers enquires what happens if a fraud has (5) been detected and management wants internal audit to assist with the investigation Describe the internal auditor's responsibilities in investigating fraud 2.6 Identify who is responsible for the coordination of the internal and — (2) external auditor's work 2.3 Organisational independence - The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities. The chief audit executive must confirm to the board, at least annually, the organisational independence of the internal audit activity. Individual objectivity - Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. 24 ‘Advantages of this level of reporting are that: + It guarantees access to a high-level official. + It provides a reasonable measure of independence for the internal auditor. + Management may feel less threatened because the accessibility of the internal auditor is at a lower level than if he were to report to the Board of Directors Disadvantages: + If the influence and authority of the internal auditor is such that audit matters receive the attention of the CEO, to the detriment of other management matters, the efficiency of management will suffer and distrust might increase. + Since 2 CEO is normally very busy, the CAE might find that he or she does not receive the guidance and support necessary to perform his or her task effectively28 ‘The role of the internal audit activity in investigations needs to be defined in the internal audit charter, as well as in the fraud policies and procedures. For example, internal auditing may have the primary responsibilty for fraud investigations, may act as a resource for investigations, of may refrain from involvement in investigations. intemal auditing may refrain from involvement because it is responsible for assessing the effectiveness of investigations or because it lacks the appropriate resources to be involved in investigations. Any of these is acceptable, as long as the impact of these activities on the independence of internal auditing is recognised and handled appropriately. In addition to advising management, internal auditors may become involved in investigations by: * monitoring the investigation process to help the organisation follow relevant policies, procedures, and applicable laws and statutes (where internal auditing was not responsible for conducting the investigation). + locating and/or securing the misappropriated or related assets ‘= supporting the organisation's legal proceedings, insurance claims, or other recovery actions. = evaluating and monitoring the organisation's internal and external post-investigation reporting and communication plans and practices. ‘monitoring the implementation of recommended control enhancement. 2.6 Coordination of internal and external audit work is the responsibility of the chief audit executive (CAE). The CAE obtains the support of the board to coordinate audit work effectively. QUESTION 3 35 marks The internal audit activity plans to perform an audit on the human resource process of Inferno Limited The audit team that will conduct the engagement consists of one internal auditor who 1s studying towards a degree in internal auditing and one person who has no expenence in internal auditing at all Because of other urgent business, you as CAE will not be available to assist the team during the conduct of the audit You explained their duties to them, instructed that audit sampling should be used and all audit evidence should be sufficient, competent, relevant and useful. Al! audis must be conducted according to the StandardsThe following 1s the list of audit activities the aust team followed The list 15 inno specific order Improvements to human (a) Gather audit evidence (b) Identity opportunities for making significant resource’s risk management and control systems (2) Distnbute the auait report (d) Perform a preliminary survey for the recruitment process to identify the objectives and significant nsks and evaluate the resources (@) Complete the audit working papers () Compile a list of the actvity’s objectives that must be achieved (9) () engagement () Perform the audit procedures 0) Whie the audit report Evaluate the recruitment process based on the risk assessment Determine the audit risk and indicate how it will influence the audit REQUIRED Marks 31 Theinternal audit process consists of the following phases/steps (10) Determining audit assignment, Planning the ternal audit (engagement planning), Performing the engagement (fieldwork) and Audit reporting and follow up Slate in which phase/step of the internal audit process each of the activities listed in the scenan falls No. ‘Audit phase/step [(a) Gather audit evidence Performing the engagement (fieldwork) (b) Identity opportunities for making significant improvements to the human resource function's risk management and control systems. Planning the internal audit (engagement planning) (c) Distribute the audit report. | Audit reporting and follow up (d) Perform a preliminary survey for the recruitment process to identify the objectives and significant risks and evaluate the resources. Planning the internal audit (engagement planning) (e) Complete the audit working papers. Performing the engagement (fieldwork) (f) Compile a list of the auditing engagements objectives that must be achieved. Determining audit assignment. (9) Evaluate the recruitment process based on the risk assessment. Pianning the internal audit (engagement planning) (h) Determine the audit risk and indicate how it will influence the audit engagement. Planning the internal audit (engagement planning) ) Perform the audit procedures. ‘Write the audit report Performing the engagement (fieldwork) ‘Audit reporting and follow up3.2 Evaluate and conclude on whether the “Proficiency” requirements of (3) Standard 1210 are complied with by the CAE Base your answer on the information provided in the question The CAE has not complied with the “proficiency” requirement of Standard 1210. Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. In the scenario given, there is no qualified internal auditor even though one person is studying towards a degree in auditing. Therefore the chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. 3.3 List the factors that determine the nature and scope of audit (5) sampling The following factors directly determine the nature and scope of audit sampling or testing: = the effectiveness of the system of internal control the more effective, the smaller the sample. = materiality of the transactions the more material, the larger the sample. volume of transactions (population size) does not affect the size of the sample ‘+ method of record keeping relative risk associated with the transactions = nature of the evidence = suggestion of irregularities ‘= unusual items in the population 34 The audit team was instructed to ensure that all the audit evidence (8) they gather should be sufficient, competent, relevant and useful Define these terms as per the International Standards for the Professional Practice of Internal Auditing (Standards) Answer: «Sufficient: Sufficient information is factual, adequate and convincing, so that a prudent, informed person would reach the same conclusions as the auditor. Evidence is sufficient ifit is so factual, adequate and convincing that it would lead a prudent, informed person to the same conclusions as the internal auditor. It requires objective judgement on the internal auditor's part. = Reliable: Reliable evidence is the best attainable through the use of appropriate ‘engagement techniques. So, for example, an original document is more conclusive (reliable) than a copy, and direct evidence is more acceptable than hearsay evidence. = Relevant: Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. The facts, and opinions used to prove an issue must bear a logical relationship to that issue. For‘example, an original purchase order, properly approved and issued, has no relevance if the auditor wants to determine whether the goods have actually been received. = Useful: This term refers to information that helps the organisation meet its goals. 3.5 Identify the following controls as detective, preventative or (8) directive (a) Alarms (b) Personnel access cards (c) Procedure manuals (d) Use of carbon paper (e) Guidelines (f) Physical stock count (g) Reconsiliations (h) Company policy () Training programmes yeede) Controt ‘Type of Control (a) alarms Detective (b) personnel access cards Preventative (©) procedure manuals Directive (d) use of carbon paper Preventative (e) guidelines Directive (f) physical stock count Detective (g) reconciliations Detective (h) company poli Directive () training programmes Directive QUESTION 4 20 marks All internal auditors are required in the course of their duties to adhere to the elements of the International Professional Practices Framework (IPPF) established by the Institute of Internal Auditors (IIA) You came across the following ethical issues while conducting different audits REQUIRED Marks Conclude and explain, with reference to the IPPF, whether each of the scenarios below is permissible or not Please provide reasons for each of your conclusions Your solution should be structured as follows Permissible/not permissible (i mark) Reference to IPPF (2 marks) Reasons (1 mark) at4.1 Dunng an audit, you overheard that the chief executive officer (GEO) (4) of the company might be resigning due to fraud allegations against him You know people who have shares in the company You decided to inform them about the possibility that the share price may decrease 4.2 Due to work and personal constraints, Sandra, a senior internal (4) auditor, has not attended any training for the past two years 4.3 Simon, the Chief Audit Executive (CAE) disagrees with the (4) engagement client about the observations and recommendations in a sensitive area The senior management accepts the risk and wants the findings removed from the report However, Simon reports the matter to the board 44 The human resource manager's children are going to a school to (4) which you would like to send your own children as well The school has a very long waiting list because it 1 so popular The human resource manager has offered to use her influence as a board member of the school to help gain admission for your children to this, ‘school 4.5 The internal audi reports prepared by an internal audit activity have (4) for the past seven years always stated that their internal audit activities are concluded in accordance with the Standards for the Professional Practice of Internal Auditing Regular internal \sessments have been performed and recorded The internal audit activity has never been subjected to an independent assessment of ts quality improvement programme (Gloim CIA Review Adapted) Question | Permissibleinot | Reference to IPF Reasons (1 mark) permissible (1 (2 marks) mark) a4 Not permissible | Tntegrity (par 7.3) | internal auditors shall not knowingly be a party to any illegal activity, or engage Confidentiality (par | in acts that are discreditable to the 3.1) profession of internal auditing or to the organisation. Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.42 Not permissible | 1230 Continuing | Internal auditors must enhance their Professional knowledge, skills, and other Development competencies through continuing professional development. Competency (par 43) Internal auditors shall continually improve their proficiency and the ettectiveness and quality of their services. 43 Permissible 2600 = ‘When the chief audit executive Communicating the | concludes that management has Acceptance of accepted a level of risk that may be Risks unacceptable to the organisation, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board. 44 Not permissible | Objectivity (par 2.2) | Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment. 45 Not permissible | 1321 — Use of ‘The internal audit activity conforms with “Conforms with the | the Standards when it achieves the International ‘outcomes described in the Definition of Standards for the _| internal Auditing, Code of Ethics, and Professional Standards. The results of the quality Practice of Internal Auditing” assurance and improvement program include the results of both internal and extemal assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments, June/July 2013 QUESTION 2 The International Professional 45 marks Practices Framework (IPPF) contams three mandatory elements, namely (a) the Definition of Internal Auditing, (b) the Code of Ethics, and (c) the International Standards for the Professional Practice of Internal ‘Auditing (Standards) REQUIRED MarksWith reference to the Institute of Internal Auditors (IIA) Code of Ethics, conclude and explain, whether each of the scenanos below 1s permissible or not. Please provide reasons for each of your conclusions 2.4 To save organisational costs, the chief audit executive has cancelled (3) all staff training for the next two years on the basis that all internal audit staff is too new to benefit from such training 2.2 An intemal auditing team has made observations and (3) fecommendations that should significantly improve a department's operating efficiency As a token of appreciation, the department manager presents James, the internal audit manager with a gift of moderate value Since it shows appreciation for the work and because itis the holiday season, James accepts the gift 2.3. Simon, an intemal auditor has been assigned to audit the human (3) resources department which is managed by his wife 2.4 Matthew, an internal auditor for a manufacturer of office products, has (3) recently completed an engagement to evaluate the marketing function Based on this experience, Matthew spends several hours one ‘Saturday working as a paid consultant to a local hospital that intends conducting an engagement to evaluate its marketing function 2.5 An intemal auditor did not report significant findings about illegal (3) activity to the audit committee because management had indicated they would handle the tssue (Gleim and Wiley CIA Review adapted) 2.1 Not permissible. 1230 ~ Continuing Professional Development and Competency (par 4.3). Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development. intemal auditors shall continually improve their proficiency and the effectiveness and quality of their services. 2.2 Not permissible, Objectivity (par 2.2). Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment. 2.3 Not permissible. 1120 ~ Individual Objectivity. Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. 2A 29P2PPPPPIRIIREDIATIIAITI? 2.5 Not permissible. Objectivity (par 2.3). Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.QUESTION 3 44 marks You have recently been appointed as the chief audit executive (CAE) of a newly formed internal audit division at Data Magic (Pty) Limited The company specialises in software training and has grown substantially over the last five years The managing director, who appointed you, believes that your appointment and the establishment of an internal audit department would assist her to better improve contro! in this fast growing company After your first few weeks, the internal audit department is slowly shaping up You are planning to present a workshop for all the departments of the organisation, to present the internal audit department and its workings REQUIRED Marks In your presentation, discuss the following topics. 3.1 Describe six (6) advantages of having an internal audit function inthe (6) organisation 1. The assistance rendered to the management of the organisation to help them attain their objectives. 2. The internal audit report provides management with the assurance that management policy, standards and procedures are satisfactory; that they are being executed and adhered to; and that the risk management, control and governance processes are adequate and effective. 3, Any deviations or discrepancies or unsatisfactory aspects from which deductions for re-organisation, adaptation or correction could be made, are timeously brought to management's attention. 4. The internal auditor's report assures management that management data whether operational or financial information, are compiled in a consistent, uniform and standardised manner. 5. There is always a possibility of discovering fraud and errors when continuous evaluation of the internal control is carried out by internal auditors, which is of the utmost importance to management 6. The advantages associated with the possibility of exposing fraud and errors include the moral influence an internal audit may have on the work and behaviour of personnel. 32 An internal auditor 1s also an adviser in the organisation Give seven (7) (7) examples of how internal audit can assist management monitoring activities top management can't itself monitor; identifying and minimising risks; validating reports to senior management; protecting senior management in technical areas beyond its knowledge; providing information for the decision-making process; reviewing for the future as well as for the past; and+ helping line managers manage by pointing to violations of procedures and of management principles. 3.3. Explain the aspects that should be included in the internal audit (5) charter that grant internal audit the necessary authority ‘© Access to the books, records, vouchers and accounts ‘© Obtaining information and explanations ‘© Attending meetings © Believing trusted officials ‘¢ Independence of the internal auditor 34 List seven (7) responsibilites of the internal audit activity as per the (7) internal audit charter + Evaluating risk exposure relating to achievement of the organisation's strategic objectives. * Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information. + Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organisation. + Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets ‘+ Evaluating the effectiveness and efficiency with which resources are employed. + Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned ‘+ Monitoring and evaluating governance processes * Monitoring and evaluating the effectiveness of the organisation's risk management processes. «Evaluating the quality of performance of external auditors and the degree of coordination with internal audit. * Performing consulting and advisory services related to governance, risk management and control as appropriate for the organisation ‘+ Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. + Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board + Evaluating specific operations at the request of the Board or management, as. appropriate. 3.5 List seven (7) practices that would enhance a good relationship (7) between the audit committee and the internal audit activity '* The chief audit executive should have the following dual-reporting responsibilities: (© functionally to the audit committee, and (© administratively to the chief executive officer.‘= The chief audit executive should have ready access to the audit committee. + The chief audit executive should have direct and regular communication with the audit committee. ‘= The chief audit executive should attend audit committee meetings. + The chief audit executive should regularly meet privately with the audit committee (without management's representatives in attendance). «The audit committee should approve the appointment or removal of the chief audit executive. ‘+ The audit committee should be advised by the chief audit executive concerning his or her relationship with the external auditors (and on how the internal and external audits are progressing) 3.6 Mention nine (9) actions which can contribute to good co-operation (9) and co-ordination between the internal and external auditors 1. A common audit methodology. 2, Joint training programmes, 3. Joint planning of audit work. 4, Direct assistance with each other's projects. 5, Exchange of audit reports 6, Direct support in that working papers are at each other's disposal. 7, Periodic meetings 8. A professional attitude 9, The evaluation by internal and external auditors of the effectiveness of each other's work and reporting on this to management. QUESTION 4 40 marks You recently attended a conference jointly organised by the Association of Certified Fraud Examiners and the Institute of Internal Auditors The theme of the conference was “The diverse roles of internal auditors in today's world” The Chief Audit Executive has asked you to prepare a bref presentation as a way of sharing with your colleagues what you learnt at the conference He has asked that your presentation should cover at least a discussion of fraud and risk management REQUIRED Marks 4.1. Explain the roles of management and the internal auditor with regard (5) to nsk management Management is accountable to the board for designing, implementing and monitoring the process of risk management, and for integrating it into the day-to-day activities of the company. The internal audit activity should assist the board, directors and management through consultation and facilitation in Identifying, evaluating and assessing significant risks and byproviding independent assurance as to the adequacy and effectiveness of related internal controls and the risk management process. 4.2 Explain the internal auditor's role in the detection of fraud (5) * Consider fraud risks in the assessment of internal control design and determination of audit steps to perform. * Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. Be alert to opportunities that could allow fraud, such as control deficiencies. Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program, that timely and sufficient corrective measures have been taken with respect to any noted control deficiencies or weaknesses, and that the plan for monitoring the program continues to be adequate for the program's ongoing success. ‘+ Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended, «Recommend investigation when appropriate. QUESTION 5 19 marks You have just been promoted to the position of senor internal auditor and your new responsibilities include providing training to internal audit trainees As you go through the training fle that was used by your predecessor you come across a comprehensive list of possible internal controls that can be performed in an organisation 1 Payments received in the post are opened by two people The payments are recorded in a remittance register by those responsible for opening the post 2 The accounting clerk performs bank reconciliations monthly and the reconciliations are reviewed and signed by the supervisor 3 At the wages payout, employees should provide proof of identification and acknowledge receipt of their wages by signing the payroll register 4 The financial director reviews and signs exception reports every month before releasing payment to suppliers 5 — Cheque signatories cancel (by stamp or crossing) all supporting documentation so that these cannot be presented again for payment REQUIRED Marks 5.1 Explain to the trainees, the steps an auditor would follow when (4) planning an audit‘The planning steps that should be followed for each audit are: 41. Obtain background information of the audit area. (preliminary survey). 2. Identify the engagement objective(s) to be achieved. 3. Consider the audit risk 4. Determine the allocation of engagement resources 5. Compile the detailed engagement (audit) programme. 52 Foreach of the internal controls listed 1n the scenario above {a) Descnbe one (1) audit procedure (test of control) that may be (10) used to determine whether the control is working as intended, and (b) Indicate the kind of audit evidence obtained (5) Your solution to 5 2 should be structured as follows. [Control number | Audit Procedure (5.2 (a)) | Audit Evidence (5.2 (b)) Control ‘Audit Procedure ‘Audit Evidence Number October/November 2012 QUESTION 2 20 marks The Intemational Professional Practices Framework (IPPF) contains three mandatory elements, namely (a) the Definition of Internal Auditing, (b) the Code of Ethics, and (c) the International Standards for the Professional Practice of Internal Auditing (Standards)REQUIRED Marks 24 Bnefly define and explain each of the following terms" a) the Definition of Internal Auditing @ b) the Code of Ethics @) ©) the Intemational Standards for the Professional Practice of Intemal (4) ‘Auditing (Standards) (TUT Exam February 2012 adapted) a} Internal auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organisation's operations. It helps an organisation to accomplish its objectives by bringing a systematic, disciplined approach, to evaluate and improve the effectiveness of risk management, control and governance processes. b) The Code of Ethics states the principles and expectations governing the behaviour of individuals and organisations in the conduct of internal auditing, the minimum requirements for conduct, and behavioural expectations rather than specific activities. ¢) The Standards are mandatory requirements consisting of statements of basi for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organisational and individual levels. The standards also consist of interpretations, which clarify terms or concepts within the requirements statements, 2.2 Conclude and explain, with reference to the Institute of Internal Auditors (IIA) Code of Ethics, whether each of the scenarios below 1s permissible in terms of the IA Code of Ethics. Please provide reasons for each of your conclusions 22.1 Martin, an internal audit manager, engages in the preparation of (3) income tax forms dunng the tax season He prepared the personal tax retum, for a fee, for one of the company’s divisional managers. 2.2.2 James, a senior intemal auditor told his frend to start looking fora (3) new job as an audit of the executive office indicated that the fnend's division was going to be closed down in about six months 2.2.3 An intemal auditor disclosed confidential, engagement-related @) Information that was potentially damaging to the organisation, in response to a court order (Glem CIA Review adapted) 2.2.1 Not permissible. Objectivity (par 2.1) Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation. Internal auditors shall not accept anything that may impair or be presumedto impair their professional judgment. Preparing a personal tax return for a divisional manager for a fee falls under this prohibition, since the auditor's objectivity would be impaired. 2.2.2 Not permissible. Confidentiality (par 3.1). Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties. Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. This auditor had ‘no legal or professional obligation to give out that information and therefore did not protect the information acquired in the course of his duties. 2.2.3 Permissible. Integrity (par 1.2). Internal auditors shall observe the law and make disclosures expected by the law and the profession. Thus, the internal auditor is legally bound to respond toa court order. The requirement not to use information in any manner detrimental to the legitimate and ethical objectives of the company does NOT override the legal obligation to respond to a court order. QUESTION 3 10 marks Dreams Discovered Ltd manufactures and sells children’s toys You are the newly appointed Chief Audit Executive (CAE) for the recently established intemal audtt acti in the company. The board and Chief Executive Officer (CEO) are in dispute ‘over who the CAE should report to and have asked for your guidance in the matter REQUIRED Marks 3.1 Discuss the advantages and disadvantages of reporting to the Audit (3) Commuttee Advantages: This level of reporting gives the internal audit activity a high degree of organisational independence and accessibility because it is reporting to a body with more authority than top executive ‘management, and the majority of members are not involved in the operational matters of the company (executive functions}. Disadvantages: 1. Because the audit committee does not meet frequently enough, they do not have the time to support the internal audit activity on a day-to-day basis as an independent reporting facility. Audit committees meet on average four times a year. 2. Because of its function, the audit committee, by its very nature, is apart from the main stream of business activities. As a result, the internal auditor does not always receive necessary information and directives which might enable him to function effectively. 3. The audit committee also has a functional rather than an operational role and itis, therefore, undesirable that members should be involved with the operational or household details of the