________________________________________________________________________________
INFORMATION/INSTRUCTIONS:
___________________________________________________________________________
1. This documentation represents the multiple choice questions as well as the
scenario for the long questions.
2. Thirty (30) minutes of reading time is given for the paper, making the
assessment session 4 hours and 15 minutes.
3. During the 30 minutes reading time, you may:
- Highlight the information presented in this document; and
- Make such annotations on this document as you consider appropriate.
4. At the close of the 30-minute reading period, you will be given the question
(required) and stationery packs.
5. You will have 3 hours and 45 minutes in which to answer the required
section.
6. No questions may be asked during the assessment.
7. Please write your name and student number clearly on your answer sheet.
8. Make assumptions if you are uncertain regarding the interpretation of the
scenario.
_________________________________________________________________________________
Page 1 of 18
FAO MODULE CODE IAU8X00
________________________________________________________________________________
QUESTION 1 30 MARKS
1. Which of the following is not true with regard to the internal audit charter?
a. It defines the authorities and responsibilities for the internal audit activity
b. It specifies the minimum resources needed for the internal audit activity
c. It provides a basis for evaluating the internal audit activity
d. It should be approved by senior management and the board
3. According to the IPPF, the independence of the internal audit activity is achieved
through
a. Staffing and supervision
b. Continuing professional development and due professional care
c. Human relations and communications
d. Organisational status and objectivity
5. Which of the following tools and techniques are the least appropriate for the
planning stage of the engagement?
a. Walk-through tests
b. Statistical sampling
c. Analytical procedures
d. Flowchart
9. A code of ethics for senior financial officers is also required. The code should
include standards that promote:
i. Honest and ethical conduct, including the ethical handling of actual or
perceived conflicts of interest between personal and professional
relationships;
ii. Full, fair, accurate, timely and understandable disclosure in reports filed
by the company; and
iii. Compliance with applicable governmental rules and regulations.
a. All of the above
b. i and iii
c. i and ii
d. ii and iii
11. Red flags are conditions that indicate higher likelihood of fraud. Which of the
following is not considered a red flag?
a. Management has delegated the authority to make purchases under a certain
value to subordinates.
b. An individual has held the same cash handling job for an extended period
without any rotation of duties.
c. An individual handling investments is responsible for making the purchases,
recording any discrepancies and gains/losses to senior management.
d. The assignment of responsibility and accountability in the accounts receivable
department is not clear.
13. Which of the following is a role that internal audit should not undertake?
a. Giving assurance that risks are correctly evaluated
b. Setting the risk appetite
c. Evaluating the reporting of key risks
d. Facilitating identification and evaluation of risks
14. Which of the following are components of the enterprise risk management
framework?
i. Internal environment
ii. Objective setting
iii. Event identification
iv. Risk assessment
v. Risk response
vi. Control activities
vii. Information and communication
viii. Monitoring
a. All of the above
b. None of the above
c. iv, vi, vii and viii
d. i, ii, iii, vi and viii
15. Which one of the following is not a step in establishing an ERM organisation?
a. Determine a risk philosophy
b. Survey risk culture
c. Avoid risk management
d. Consider ethical organisational integrity and ethical values
16. When the risk management maturity level is risk enabled, which internal audit
approach should be followed?
a. Audit risk management processes and use management assessment of risks
as appropriate
b. Promote enterprise wide approach to risk management and rely on own risk
assessment
c. Audit risk management processes and rely on own risk assessment
d. Promote risk management and rely on internal audit activity’s own risk
assessment
17. Which one of the following statements regarding performance auditing is false?
a. Performance auditing provides a focus advantage, as it is by definition always
structurally focused on the entity under review.
b. Performance auditing is not necessarily based on a financial year.
c. Performance auditing does not focus on questioning policy.
d. The effectiveness of a performance audit relies on the extent of research
performed during the audit.
18. Which of the so-called ‘3 E’s’ is/are under review when a performance auditor is
investigating the extent to which goods procured are being used to their full extent?
a. Economy.
b. Effectiveness.
c. Efficiency.
d. Economy and efficiency.
19. Which one of the following attributes of economy is under review when a
performance auditor is investigating the extent to which a competitive bidding
process has been followed in terms of the acquisition of goods and services?
a. Place.
b. Quality.
c. Quantity.
d. Lowest possible cost.
20. Which one of the following criteria best applies the ‘quality’ attribute of economy to
the recruitment of staff?
a. The amount of overtime worked.
b. The minimum number of years of work experience that a candidate should have
to be short listed for a position.
c. The relationship between the cost to company of staff and their experience and
skills.
d. The extent to which staff is fully utilised.
21. Which one of the following standards does not relate to an environmental audit
engagement?
a. ISO14000.
b. ISO14001.
c. AA1000.
d. ISO19011.
22. Can a compliance audit form part of an environmental audit when requirements of
laws and regulations must be considered?
a. Definitely.
b. Sometimes.
c. Maybe.
d. Not at all.
23. Which one of the following statements best defines the term “environmental
management system”?
a. Organisational structure of responsibilities, policies and practices for the
protection of the environment.
b. The resources in place to manage environmental issues.
c. The directive approach followed by the executive management of a corporate
entity to ensure the sustainability of the organisation.
d. The calculation of historical carbon emissions profiles and the reduction of
future emissions
24. Which one of the following statements with regard to the Accountability Assurance
Standard 1000 (AA1000AS) is false?
a. Eskom is one of its current users.
b. It is the world’s first sustainability assurance standard.
c. It cannot be used as a stand-alone standard, but must be used as an integral
element of other standards.
d. It is developed to ensure the credibility and quality of sustainability reporting.
25. There are many benefits for an auditor in using data analytics during an audit. A
few benefits are listed below. Which one is not correct?
a. The auditor can test the entire population, which increases the possibility of
uncovering issues that may otherwise have gone undetected and allows for
focusing on areas where exceptions are found.
b. It enables the auditor to perform tests that cannot be done manually, such as
complex calculations, which increases the level of assurance.
c. The ability to obtain views of data that cannot be obtained through the
performance of manual procedures, improving risk assessment and the value
contribution to the organisation.
d. Tasks that are usually performed manually can be processed automatically;
however, it takes time.
26. Which one of the following controls will best assist in addressing the risk that the
business continuity plan is inadequate to facilitate quick recovery?
a. An appropriate recovery point objective.
b. An appropriate recovery time objective.
c. Documented by-pass procedures.
d. Firewalls.
27. Which one of the following controls will best assist in addressing the risk of loss of
data due to a disaster, such as a natural disaster or a systems crash?
a. An appropriate recovery point objective.
b. An appropriate recovery time objective.
c. Documented by-pass procedures.
d. Firewalls.
28. Which of the following sections of the business continuity management lifecycle
can be categorised as part of governance?
a. Project initiation and management.
b. Risk assessment and business impact analysis.
c. Solutions deployment and enhancement.
d. Training and awareness programs.
29. Which one of the following business continuity planning activities directly influences
the frequency of data backups?
a. Recovery time objective.
b. Recovery point objective.
c. Risk assessment.
d. Testing of the business continuity plan.
30. Which one of the following actions may most likely expose a computer to trojan
horse malicious software?
QUESTION 2 80 MARKS
You are a senior internal auditor at House of BNG Limited (hereafter BNG), a retail
clothing company with 72 branches country-wide. The company's internal audit
charter requires that all audit engagements performed must be risk-based. You are
currently in charge of the procurement engagement and the following system (only a
section) is recorded after the preliminary investigation:
A formal list of authorised suppliers exists. When the inventory level is low or
a specific need arises, buyers negotiate with fashion houses (on the
authorised list) for the purchase of a specific item. When an agreement is
reached, the buyer completes a pre-numbered triplicate order form and the
purchase manager authorises the order. The original is sent to the supplier,
one copy is sent to the warehouse (blank quantity column) and the third is
kept in the order book.
All empty order books are kept in a safe place. An authorised person issues
new order books to buyers when they return the old ones. Buyers need to
sign for a new book.
Goods received at the warehouse are checked against the order form with
regard to the supplier and item description. A pre-numbered goods received
note (GRN) is issued including the following information: supplier, date,
description of item(s) and quantity. A copy of the GRN is sent to the
accounting department.
BNG recently implemented a new enterprise resource planning (ERP) system with a
single operational database to enhance their information technology infrastructure.
BNG will also launch an on-line web portal for customers in the coming weeks.
Customers need to register as a user on the website and part of the registration screen
requires the following from them:
Customer e-mail
Password ************
Re-Enter Password ************
Verification code
Pinky Ghel is BNG’s cash disbursement clerk and has the following database access
privileges on the new operational database:
BNG will also be implementing a data warehouse in the next few weeks which will
be linked to the operational database.
The South African student population remains a key market segment for BNG. The
student population has always been one of the early adopters of technology and
research shows that almost 70% of students in the country have access to smart
phones. BNG’s board of directors have requested you to assist with a strategy to use
technology to better service this market segment of the organisation.
BNG developed an information technology (IT) system to process the entrants via the
website and to provide each entrant with a unique entrant number. Entrants were
required to capture the above information on the website and the IT system was also
connected to a database file to store all the information. An extract from this file
appears below.
According to the above file a total of 554 entrants (numbered 001-554) were received
and a shortlist of 20 was compiled by the BNG adjudication committee during October
2019. You were requested to oversee the competition and specifically to achieve the
following two engagement objectives:
You have a generalized audit software (GAS) package on your laptop and you have
already extracted the above file into the software.
QUESTION 3 40 MARKS
You are an internal auditor at the South African Civil Aviation Authority (hereafter
SACAA), a Schedule 3 Public Entity, as listed by the Public Finance Management Act,
No 1 of 1999 (PFMA). The main mission of the SACAA is to regulate civil aviation
safety and security in support of sustainable development of the aviation industry. The
SACAA’s brand promise is: “Keeping you safe in the sky”.
In order to accomplish this mission, the SACAA consists of various departments. One
of these departments is known as the “Flight Operations Department”. This
department’s main objective is to ensure the safety of all aviation flights in South Africa
by enforcing regulations and conducting safety oversight within the industry. This is
mainly done by means of reviews conducted by trained mechanic, avionics and flight
operations inspectors who then carry out inspections on valid operators who hold an
Aircraft Operation Certificate (AOC) to conduct business. The members of flight
operations also conduct inspections at various airports or facilities to ensure safety
and compliance.
The SACAA also engages in various contractual agreements in order to meet its
mandate. These agreements range from the appointment of inspectors to normal day
to day agreements with suppliers. The executive management is currently
investigating ways to improve contract management processes. Internal audit has
been requested to conduct a consulting engagement on this matter. The objective of
the audit is to recommend a structure of internal controls regarding general contract
management processes.
According to the annual internal audit plan, you have been tasked with the following
three audit engagements:
QUESTION 1
(a) Select and indicate the correct answer with an X on the “multiple choice”
answer sheet provided. (30)
For example:
101 A B C D
QUESTION 2
(a) Explain the difference between the traditional approach to a compliance
engagement and the new risk-based approach. (4)
(b) Identify and briefly discuss the methods that can be applied to reduce the
residual risk to equal the target risk when the residual risk is higher than the
target risk. (6)
(c) With regards to House of BNG’s procurement system, complete the table
below, addressing the following: (20)
- risk factors
- current controls in place
- residual risks
- engagement procedures that must be performed during this engagement;
- engagement findings identified without further investigation.
(*) H = High
M = Medium
L = Low
(d) Identify at least three (3) programmed controls clearly present in the account
registration screen above and explain the purpose of each control. (6)
(e) Discuss the appropriateness of the access privileges assigned to Pinky Ghel.
What, if any, internal control problems may result? (5)
(f) Explain why House of BNG also needs a separate data warehouse if the
organisation already has an operational database and explain three common
analytical operations that will likely be performed on the content of the data
warehouse. (5)
(g) Explain the importance for BNG of having a presence on social media platforms
such as Facebook and Twitter. (5)
(h) Describe five risks associated with BNG having a Facebook page and, for each
risk, recommend an appropriate control to manage the risk. (10)
(i) Draft six (6) relevant engagement procedures that you would perform in order
to achieve the above two engagement objectives by using the GAS package
on your laptop. (12)
(j) Provide two examples of engagement procedures that must be performed in
order to achieve the above two engagement objectives, but will not be
possible to perform with GAS. (4)
QUESTION 3
(a) Prepare an engagement work programme, in working paper format, listing
ten (10) relevant engagement procedures you would conduct to ensure that
the SACAA is in compliance with Sections 51(1), (a), (b) and (c) of the PFMA
regarding the general responsibilities of accounting authorities. (10)
(b) Formulate three (3) appropriate engagement procedures that you would perform to
achieve each of the following engagement objectives, as part of the
performance audit: (9)
- To determine the effectiveness of the Flight Operations Department;
- To determine the efficient utilisation of resources within the Flight
Operations Department; and
- To determine the economic acquisition of resources within the Flight
Operations Department.
(c) Draft an internal audit report wherein you document the outcome of the
above-mentioned consulting engagement on internal controls regarding
general contract management processes. (18)