INTERNAL AUDITING & CONTROLS REVIEW QUESTIONS MODULE 6 MULTIPLE CHOICE

Select the best answer for each of the following unrelated items. Answer each of these items in your examination booklet by giving the number of your choice. For example, if the best answer for item (a) is (1), write (a)(1) in your examination booklet. If more than one answer is given for an item, that item will not be marked. Incorrect answers will be marked as zero. Marks will not be awarded for explanations. a) As a main objective, an audit report should accomplish which of the following? 1) Outline the plan used in the audit engagement 2) Describe the results of the risk assessment 3) Describe the procedures used in the audit 4) Provide a basis for follow up

b)

Which of the following guidelines are a part of the framework for the reports issued by internal auditors? 1) Adequate evidence that an effective risk assessment was carried out should be provided. 2) The auditees views about recommendations should only be presented if relevant to the conclusions reached by the audit. 3) Final approval for the audit report should come from the auditee. 4) A signed, written report should be issued when the audit examination is complete. Performance Standard 2500 indicates which of the following statements? 1) The chief audit executive is responsible for establishing and maintaining a system to monitor the corrective actions to be taken by management as a result of recommendations made during an audit. 2) The audit committee is responsible for establishing and maintaining a system to monitor the corrective actions to be taken by management as a result of recommendations made during an audit. 3) Senior management is responsible for establishing and maintaining a system to monitor the corrective actions to be taken by management as a result of recommendations made during an audit. 4) The auditee is responsible for establishing a system to monitor if the corrective actions taken as a result of audit recommendations were effective. Which of the following is part of the approach to effective audit interviewing? 1) Scheduling, opening, and monitoring 2) Planning, closing, and reporting 3) Scheduling, opening, and reporting 4) Planning, scheduling, and evaluating Which of the following is part of the follow-up process to monitor and ensure that management actions have been implemented? 1) An assessment of whether the action taken has corrected the problems identified by the audit 2) A review of recommendations made by auditors to determine if they were reasonable 3) A verbal confirmation of results of follow-up reviews to the audit committee only

c)

d)

e)

4) f)

A verbal confirmation of results of follow-up reviews to senior management only

Which of the following describes information typically contained in an internal audit report? 1) Risk assessment, audit plan, and a summary of major observations 2) Summary of major observations, audit plan, and management comments 3) Purpose and scope of the examination, management comments, and acknowledgement 4) Management comments, acknowledgement, and outline of risk assessment

Solutions to multiple choice questions:

a) b) c) d) e) f) 4 4 1 4 1 3

ESSAY QUESTIONS
Question 1 (26 marks) You are the new chief audit executive (CAE) for a large government institution. As part of the duties of the internal audit department, you are required to conduct follow-up audits to ensure that management has implemented actions based on previous audit recommendations. The last chief audit executive was terminated because he did not do the follow-up. The audit committee has asked you to address the issue of instituting an effective follow-up audit program. In particular, the recommendations from the last audit of the payroll department were never followed up by the internal audit department. The committee would like to know if the recommendations for this audit, which occurred approximately 8 months ago, have been addressed. The following table lists the recommendations as well the agreed-upon time for implementation of corrective action. Issue Payments for casual employees (hourly-rate employees) are processed through a user-driven application (Casual Payroll System (CAS)), with no clear policy regarding supporting documentation requirements. Users of CAS can submit payments to themselves with no approval necessary from an immediate supervisor. Payments in the CAS application are being processed prior to the start date. For example, an employee will be paid in January for work to be completed during the last two weeks of February. Recommendation A clear policy must be developed for documentation requirements regarding payments made to casual employees. Supporting documentation must demonstrate that proper approval was given and all relevant terms of payment, such as hourly rate and hours worked, are recorded. A conflict of interest policy should be developed prohibiting users from submitting payments to themselves or any related party. Furthermore, automated controls should be included in the software to prevent users from processing payments to themselves. System controls need to be implemented to prevent payments from being processed and paid out in advance of work being done. If required by special circumstances, payments made in advance must only be processed once approval has been given by the appropriate supervisor and is properly documented either on paper or in the system. Agreed time for completion 6 months

3-6 months

6-12 months

Required 20 a. Write a memo to the audit committee in which you explain the reasoning for monitoring recommendations and describe the six-step process to developing a follow-up audit program. Include in your memo the audit objective(s), criteria, and procedures that you will be using in the follow-up audit of the payroll department. Note:
4 marks will be awarded for clarity, logic, and persuasiveness.

b. In light of the termination of the previous CAE, briefly describe the standards by which internal auditors must abide in exercising proficiency and due professional care.

Solutions to Essay Questions Question 1

a) In the monitoring phase of the internal auditing process, monitoring by the internal auditor is required to determine whether management has implemented measures to correct deficiencies identified in the audit. The result of this phase is usually a follow-up report. The previous phase, reporting, provides a basis for the follow-up. Follow-up enables the auditor to inform senior management whether managers are taking appropriate steps within a reasonable period of time to improve control of their operations. The auditor can also evaluate whether previously reported deficiencies are being adequately dealt with. Management is responsible for taking corrective action, but the auditor is responsible for assessing the extent to which appropriate corrective action has been taken. Such an assessment can also help to determine the nature, extent, and timing of future audit work. Follow-up clarifies managements responsibility and accountability, closing the audit cycle loop. Managements failure to address audit recommendations in a timely manner results in increased risk exposure for the organization. Increased risk will increase the likelihood of the occurrence of a potentially costly event for the organization. Following is the six-step process of an effective follow-up program: 1. Determine the scope of follow-up For auditors to determine the scope of follow-up, they must assess if the reported observations and recommendations are relevant for follow-up and determine the corrective action to be taken by management. Between the time the observations and recommendations are reported and the time that the follow-up is implemented, circumstances may have changed and the original concerns may no longer apply. The auditor must decide whether the original observations are still valid or whether they require revisions. If still valid, the auditors determine what corrective action, if any, has been taken, by ascertaining whether management has responded positively or negatively to the initial observations, whether any actions have been taken or planned, and, where applicable, whether any deadlines for implementation have been set. They then identify any matters for which follow-up is appropriate and any matters where future followup is not needed. 2. Prepare the follow-up program A follow-up audit program includes:

Specific objectives for the follow-up project Audit criteria to be applied

Evidence to be collected Procedures for collecting the evidence The name of the auditor performing the work Where the work can be found in working paper files (reference) Other necessary instructions

3. Carry out the follow-up program By performing the audit procedures in the follow-up program, the auditor assesses whether the recommendations have been implemented and are working effectively. 4. Assess the extent of corrective action taken and progress made The auditor assesses the results of follow-up reviews and tests to reach an overall conclusion on the adequacy of corrective action taken and the progress made in mitigating the identified risk or exposure. Corrective measures are evaluated for relevance (action directed to the cause), completeness (all key aspects included), and timeliness (action taken at the time needed). Where deficiencies have not yet been corrected, the auditor briefly reviews whether the planned action is likely to correct the deficiency in a relevant, competent, and timely manner. Progress of remedial action is monitored at regular intervals as long as necessary. Where no action has been taken or planned, the auditor finds out why from management. If management believes that the cost of taking action is likely to be greater than the benefits, the auditor may have to do further work to help validate or refute such a position. Paragraph 3 of Practice Advisory 2060-1: Reporting to Board and Senior Management states that managements responsibility is to make decisions on the appropriate action to be taken regarding significant engagement observations and recommendations. Senior management may decide to assume the risk of not correcting the reported condition because of cost or other considerations. The board should be informed of senior managements decisions on all significant observations and recommendations. Sometimes management will decide not to address the issues raised by the auditor. When this occurs, the responsibility of the auditor is to determine that the decision was taken at the appropriate level of management. The chief audit officer should ensure that the decision was made with the knowledge and support of the next higher level of management. When the auditor believes that the issue is significant enough that such a decision should be made at the highest level of management, the auditor should inform the board of the issue and the decision. 5. Review follow-up files As for any other audit files, follow-up files must be reviewed by management of the internal audit department to ensure that conclusions are well supported and that internal audit standards have been met. 6. Report results of follow-up The follow-up report deals with the scope of the work carried out, as well as its overall observations, conclusions, and detailed comments. It also identifies matters for further attention from management or follow-up by the auditor. It is distributed to management of the audited unit, senior management, and the audit committee. Results of follow-up work are often included in regular audit reports. Note:
1 mark for each step, to a maximum of 6 marks 2 marks for an objective 1 mark for each criterion, to a maximum of 2 1 mark for each procedure, to a maximum of 2

MEMORANDUM Date: December 6, 2009 To: Audit Committee From: John Smits, CGA Re: Follow-up of Payroll Department Audit In response to a request from the audit committee, I have prepared this memo to outline the importance of monitoring recommendations as well as describe the process for developing a follow-up program. The description of the follow-up program will be specifically geared towards reviewing the recommendations from the recent payroll department audit to ensure that corrective action has been taken. Follow-up enables internal audit (IA) to inform senior management whether managers are taking appropriate steps within a reasonable period of time to improve control of their operations. IA can also evaluate whether previously reported deficiencies are being adequately dealt with. Management is ultimately responsible for taking corrective action, but IA is responsible for assessing the extent to which appropriate corrective action has been taken. Followup clarifies managements responsibility and accountability, closing the audit cycle loop. The implication of managements failure to address audit recommendations in a timely manner is increased risk exposure for the organization. Increased risk will directly increase the likelihood of the occurrence of a loss of reputation, transactional errors, or even worse, fraud, each of which will have a negative financial effect on the organization. With respect to the development of a follow-up program for the audit of the payroll department, IA would proceed in the following manner: 1. Determine the scope of follow-up For auditors to determine the scope of follow-up, they must assess if the reported observations and recommendations are relevant for follow-up and determine the corrective action to be taken by management. The auditor must decide whether the original observations are still valid or whether they require revisions. If still valid, the auditors determine what corrective action, if any, has been taken, by ascertaining whether management has responded positively or negatively to the initial observations, whether any actions have been taken or planned, and, where applicable, whether any deadlines for implementation have been set. In the case of the payroll department, there were three major recommendations that were issued in the previous audit report. Since the timing of the follow-up audit is about 8 months after the issuance of the audit report, we can observe: Two of the recommendations should have been addressed as the agreed time to completion with management was less than 8 months. One of the recommendations should be in progress; however, it may not be complete at this point in time as the agreed completion date was estimated at 6-12 months.

2. Prepare the follow-up program A follow-up audit program includes: Specific objectives for the follow-up project Audit criteria to be applied Evidence to be collected Procedures for collecting the evidence

In the case of the payroll department, the following applies: 1. Objectives:

To determine if management in the payroll department has taken corrective action to address recommendations from the audit report in a timely manner. 2. Criteria: According to previous agreements, two of the recommendations should be completed with the third in progress. Therefore, the criteria would be: All payments to casual employees are processed in compliance with the set policies and procedures and have adequate supporting documentation. Monitoring of CAS payments is performed on a regular basis. Segregation of duties is present with respect to the CAS payment submission and approval processes. System controls are in place to prevent unauthorized and non-compliant payments from being processed.

3. Procedures: Review a sample of CAS payments from the relevant period to check for adequate supporting documentation and ensure the appropriate approval was obtained; that is, other than the submitter Obtain documentation and reports from the monitoring program as evidence of routine verification Run test transactions through the application to verify if system controls are in effect and functioning within established parameters

3. Carry out the follow-up program By performing the audit procedures in the follow-up program, IA assesses whether the recommendations have been implemented and are working effectively. 4. Assess the extent of corrective action taken and progress made IA assesses the results of follow-up review to reach an overall conclusion on the adequacy of corrective action taken by the payroll department. Corrective measures are evaluated for relevance (action directed to the cause), completeness (all key aspects included), and timeliness (action taken at the time needed). Where deficiencies have not yet been corrected, IA will briefly review whether the planned action is likely to correct the deficiency in a relevant, competent, and timely manner. Where no action has been taken or planned, IA will find out why. If the payroll department believes that the cost of taking action is likely to be greater than the benefits, IA may have to do further work to help validate or refute such a position. 5. Review follow-up files As for any other audit files, follow-up files must be reviewed by management of IA to ensure that conclusions are well supported and that internal audit standards have been met. 6. Report results of follow-up The follow-up report deals with the scope of the work carried out, as well as its overall observations, conclusions, and detailed comments. It also identifies matters for further attention from management or follow-up by IA. It is distributed to management of the audited unit, senior management, and the audit committee. Results of follow-up work are often included in regular audit reports. I trust that this memo has provided adequate information as to the importance of monitoring recommendations and has made clear the steps that IA will take to conduct the follow-up audit of the payroll department. If you have any further questions please do not hesitate to contact me. 4 marks for clarity, logic, and persuasiveness.

b. To comply with the standard on proficiency, individual internal auditors must: Comply with the Code of Ethics of the IIA Have the knowledge and skills to perform internal audits in an efficient and effective manner, including sufficient oral and written communication skills Understand human relations and maintain satisfactory relationships with auditees Maintain their technical competence through continuing education Exercise due professional care in performing their audits

The responsibility of the individual internal auditor with respect to knowledge is similar to that of the department to have expertise in audit methodology and to recognize the limitations of his or her specific subject knowledge. The standards require that internal auditors exercise due professional care in carrying out audit work. Due professional care sets as a standard the care and skill that would be expected of a reasonably competent internal auditor in similar circumstances. PA 1220-1 (Reading 2-11) states that exercising due professional care does not imply infallibility. However, it requires more than simply following rules. As well as a good understanding of the specific context, due professional care requires the auditor to exercise good judgment and have appropriate knowledge and skills. In exercising due care in specific situations, the auditor should consider the extent of work required to achieve the audit objectives, the relative significance of the matters reviewed, the adequacy and effectiveness of internal controls, and the cost of the audit work in relation to the potential benefits.

ESSAY QUESTIONS
Question 2 (24 marks) Pinecrest University is an educational institution with a focus on the faculties of science and engineering. As a result, research grants are a very important component to the universitys total funding. Professors are strongly encouraged to supplement their research by applying for grants from government and private sources. To assist in this, the university has a vice president of research (reporting directly to the president) who is responsible for maintaining strong working relationships with government agencies as well as private foundations and corporations. In addition, the vice president of research is responsible for providing administrative support for professors who develop technologies that can be taken to market. Any resulting royalties are to be divided between the involved parties (usually the professor, the university, and a third-party corporation). There are currently 3 departments reporting directly to the vice president of researchs office: 1. Canadian research office. This office is responsible for assisting professors in the application process for Canadian-funded research grants from public and private sectors. It processes grants of $100 million annually. The office has 12 employees, only 2 of whom have an academic background to provide consulting to professors. The director, who has been with the university for 25 years, is close to retirement, and his experience is considered to be of extreme importance to the functioning of the office. To date, the university has not begun searching for a qualified replacement. International research office. This office is responsible for assisting professors in the application process for internationally-funded research grants from both public and private sectors. In addition, as this office often deals with the international community, it has recently been helping arrange the presidents itinerary for strategic meetings while travelling abroad. It processes grants of $200 million annually. There are 7 employees, all of whom have an academic background, which is crucial for understanding the needs of the academic community. Office of marketable technology. This office is responsible for assisting in the transfer and development of technologies discovered at Pinecrest that can be implemented and sold on the general market. The office establishes agreements with corporations to market recently discovered technologies. This results in royalty

2.

3.

and licensing agreements from which corporations must pay a portion of any profits from sales to the university and professors. The tracking of these agreements is recorded on Excel spreadsheets and is the responsibility of the office administrator. There are 15 employees and the office generates $35 million in annual funding. The vice president of research has asked the internal audit department to conduct an operational audit to review the 3 offices to identify any potential weaknesses or inefficiencies. The vice president has indicated that he would like to merge the offices to provide a single point of contact for the academic community. In addition, he is concerned that the office of marketable technology is not properly tracking the royalty agreements and that money owed to the university may be left uncollected. Required 16 a. You are a CGA and an internal auditor in the department. The chief audit executive has asked you to write a preliminary memo to identify any weaknesses in the departments reporting to the vice president of researchs office and describe how you would plan for this audit engagement. Be sure to address the 7 design areas that are considered when preparing an engagement plan. Note: 4 4
4 marks will be awarded for clarity, logic, and persuasiveness.

b. The end result of any audit is the internal audit report. Describe the purpose and functions of internal audit reporting.

Solutions to Essay Questions Question 2

a. Engagement planning 1. Obtaining specific knowledge about the unit to be audited The internal auditor must become familiar with the operation of the unit to be audited, particularly its specific role and objectives, its significant (and sometimes unique) risks, the adequacy and effectiveness of its controls, and the potential for improvement. To assist the auditor in gaining this familiarity, a lot of information is normally available in the internal audit permanent files or can easily be obtained elsewhere within the organization. The internal auditor often undertakes a fact-finding exercise by meeting with staff of the unit to be audited to supplement that information. Useful documents to review before an audit are: Organization charts Documents outlining the delegation of authority Mission statement Policies and procedures Systems descriptions Earlier internal audit reports External auditors management letters Consultants reports Management reports

2. Establishing audit objectives and scope In practice, setting engagement objectives often involves a preliminary risk assessment of items such as significant errors, irregularities, and non-compliance. Engagement objectives are broad statements

developed by internal auditors and define what the engagement is intended to accomplish. Engagement objectives and procedures should address the risks associated with the activity under review. The purpose of the risk assessment during the planning phase of the engagement is to identify significant areas of activity that should be examined as potential engagement objectives. The scope of the audit defines the function or organizational unit to be reviewed and the activities and period to be covered by the audit. The scope must be sufficiently broad to enable engagement objectives to be accomplished. In limited engagements, objectives may relate only to compliance with policies and procedures (if the likelihood and potential impact of non-compliance are considered to be of significant risk to warrant an audit engagement), while the audit objectives of an operational audit include an assessment of effectiveness and efficiency. Here is an example of an audit objective and scope: Audit objectives 1. To determine if the departments reporting to the vice president of researchs office are adequately staffed with individuals who have the appropriate skill set to aid in accomplishing each departments goals. 2. To determine if each department is efficient in reaching their respective objectives and identify areas for improvement. 3. To provide a basis for the vice president to make a decision on whether a merger of the three offices would result in value added to the university. Audit scope Review all documentation (including management reports, mission statements, policies and procedures) pertaining to the operations of each department for fiscal years 2007 and 2008. Conduct interviews with department directors and validate any findings through supporting documentation when possible. 3. Designing an appropriate overall audit methodology With a view to focusing the plan, the internal auditor first asks questions about the key goals and results of the activity, function, or organizational unit. The auditor then plans the examination of the activities, and related management systems and practices, to identify possible strengths and weaknesses, particularly those that can have a major impact on the effectiveness, efficiency, or economy of operations. The auditors focus is on systems and practices that support the achievement of the organizations goals. The objective is to assess the extent to which systems and procedures that should be in place are, in fact, in place, and how well they are designed and are functioning. Evidence of actual circumstances must be obtained during the examination for comparison to these criteria as a basis to support content of the internal auditors report. 4. Setting audit criteria Criteria may consist of the companys stated procedures and policies. If such procedures or policies have not been established or documented, the auditor will look to find the procedures, systems, or results that he or she would expect to find in a well-managed operation. Actual performance or conditions are assessed against criteria agreed between management and the auditor. It is important that the criteria used be agreed to by both the auditor and management before the audit work begins. If not, consideration of the auditors assessment and recommendations may focus on the appropriateness of the criteria selected and not on the need to take measures to address the weaknesses and risks identified in the audit. Audit criteria 1. Staff have the adequate skill set to be effective in the discharge of their duties. 2. Succession planning is done to ensure the continuity of important university functions. 3. Department resources are being assigned to tasks relevant to employees skill sets. 4. Departments are adequately staffed in order to fulfill their objectives and achieve their goals. 5. Important data is accurately tracked and securely stored to ensure data integrity.

5. Preparing staffing plans and time budgets The project plan should specify the required number and level of auditors, and the time required to complete the work. The nature and complexity of the engagement will influence the selection of personnel for the audit. To determine the resources necessary to perform the engagement, it is important to evaluate the skills and competencies of the internal audit staff as well as consider if any external resources or specialized training of staff is required. 6. Communicating with management The auditor should contact management of the audited unit before the audit begins, to discuss planning matters such as the purpose of the audit, scope and timing, audit criteria, impact on personnel time, reporting process, and other matters such as space and equipment. The internal auditor should plan for ongoing communications and liaison with management throughout the project 7. Preparing the audit program Engagement procedures, including the testing and sampling techniques employed, should be selected in advance where practical, and expanded or altered if circumstances warrant. The preparation of the detailed audit program, a major part of the planning phase, is closely linked to the first part of the examination phase. The audit program can be viewed as a road map; it is a specific set of instructions, listed in the order in which they will be performed to carry out a specific audit project. MEMO Date: December 6, 2009 To: Natasha Brown, Chief Audit Executive From: Dominic Segreto, CGA Re: Audit Engagement Plan for Office of the Vice President of Research In preparation for the audit of the office of the vice president of research (VPR), I have prepared this memo to identify potential weaknesses with the research office operations and describe how the internal audit department should prepare in planning this audit engagement. Throughout this process, I have identified what I believe to be the audit objectives, scope, and relevant audit criteria based on the information obtained to date. To accomplish this goal, I will describe the seven design areas typically considered in preparing an engagement plan. In reviewing the operations of the various departments reporting to the vice president of researchs office, I noted several weaknesses: 1. Canadian research office Lack of any clear succession plan for a director in a department that generates a significant portion of the universitys research revenues. 2. International research office Inefficient deployment of resources as the staff is currently being used to plan travel itineraries instead of assisting professors with their applications for research grants. 3. Office of marketable technology Tracking of royalty and licensing agreements is performed using Excel spreadsheets that are not secure and can be easily modified and/or deleted. 1. Obtaining specific knowledge about the unit to be audited The first step is to become familiar with the operation of the office of the VPR, particularly its specific role and objectives, its significant (and sometimes unique) risks, the adequacy and effectiveness of its controls, and the potential for improvement. To assist in this endeavour, we should obtain all information available either through previous audit files or elsewhere within the organization. Internal audit (IA) should undertake a fact-finding exercise by meeting with staff of the different departments to be audited to supplement that information. Useful documents to review before an audit are: Organization charts

Documents outlining the delegation of authority Mission statement of each department reporting to the office of the VPR Policies and procedures of each department reporting to the office of the VPR Consultants reports (if available) Management reports

2. Establishing audit objectives and scope IA should establish the engagement objectives, keeping in mind that these are broad statements used to define what the engagement is intended to accomplish. Engagement objectives and procedures should address the risks associated with the activity under review. The purpose of the risk assessment during the planning phase of the engagement is to identify significant areas of activity that should be examined as potential engagement objectives. The following are a list of potential audit objectives: Audit objectives 1. To determine if the departments reporting to the vice president of researchs office are adequately staffed with individuals who have the appropriate skill set to aid in accomplishing each departments goals. 2. To determine if each department is efficient in reaching its respective objectives and identify areas for improvement. 3. To provide a basis for the vice president to make a decision on whether a merger of the three offices would result in value added to the university. The scope of the audit must be sufficiently broad to enable engagement objectives to be accomplished. The audit objectives of an operational audit include an assessment of effectiveness and efficiency. The following is the audit scope that I have defined based on the audit objectives and the preliminary information available: Audit scope Review all documentation (including management reports, mission statements, policies and procedures) pertaining to the operations of each department for fiscal years 2007 and 2008. Conduct interviews with department directors and validate any findings through supporting documentation when possible. 3. Designing an appropriate overall audit methodology With a view to focusing the plan, IA first must consider the key goals and results of each department reporting to the office of the VPR. IA then must plan the examination of the activities, and related management systems and practices, to identify possible strengths and weaknesses, particularly those that can have a major impact on the effectiveness, efficiency, or economy of operations. The objective is to assess the extent to which systems and procedures that should be in place are, in fact, in place, and how well they are designed and are functioning. For example, a perceived weakness is whether the office of marketable technology is in fact properly tracking and actively collecting all revenue due to the university. Audit criteria should be established to validate this assumption. 4. Setting audit criteria Criteria may consist of the companys stated procedures and policies. IA must then compare actual performance or conditions against this criteria. It is important that the criteria used be agreed to by both IA and management before the audit work begins. If not, consideration of the auditors assessment and recommendations may focus on the appropriateness of the criteria selected and not on the need to take measures to address the weaknesses and risks identified in the audit. The following is a list of identified audit criteria: Audit criteria 1. Staff have the adequate skill set to be effective in the discharge of their duties.

2. Succession planning is done to ensure the continuity of important university functions. 3. Department resources are being assigned to tasks relevant to the employees skill sets. 4. Departments are adequately staffed in order to fulfill their objectives and achieve their goals. 5. Revenue to be received is accurately tracked and collected and the format for maintaining this data is securely stored to ensure data integrity. 5. Preparing staffing plans and time budgets The project plan should specify the required number and level of auditors, and the time required to complete the work. The nature and complexity of the engagement will influence the selection of personnel for the audit. To determine the resources necessary to perform the engagement, it is important to evaluate the skills and competencies of the internal audit staff as well as consider if any external resources or specialized training of staff is required. 6. Communicating with management IA must then contact the office of the VPR before the audit begins, to discuss planning matters such as the purpose of the audit, scope and timing, audit criteria, impact on personnel time, reporting process, and other matters such as space and equipment. IA should plan for ongoing communications and liaison with management throughout the project. 7. Preparing the audit program Engagement procedures, including the testing and sampling techniques employed, should be selected in advance where practical, and expanded or altered if circumstances warrant. These procedures will be used to test against established audit criteria. Consider the audit program like a road map; it is a specific set of instructions, listed in the order in which they will be performed to carry out a specific audit project. I trust that his report has fulfilled your requirements in providing an audit engagement plan. If you wish to proceed with the audit based on the information provided then I will begin developing the audit program immediately. If you require any additional information please do not hesitate to contact me. Note:
1 mark for each weakness to a maximum of 2 marks; 2 marks for each design area to a maximum of 14 marks.

4 marks for clarity, logic, and persuasiveness for clarity, logic, and persuasiveness. b. Purpose and functions of internal audit reporting The end product of an internal audit is the audit report. No matter how well the auditor has planned and conducted the audit, how significant the observations, or how much the organizations effectiveness and efficiency could be improved by implementing the auditors recommendations, the audit will not serve its purpose if the report is of substandard professional quality and fails to motivate management to correct the noted deficiencies. An internal audit reports functions are the following: 1. Document the results of audit work The report should summarize the scope, nature, and extent of the audit work performed; the evidence obtained; and the auditors observations, conclusions, and recommendations. In effect, it should summarize the audit work done and the auditors findings. 2. Provide a framework for management action The audit report is often viewed as an evaluation of current operational practices and the performance of various organizational units or functions. It shows which areas are operating well and which need improvement, identifying causes and effects of deficiencies. It also recommends actions that management

should take. It should motivate management to take action, or satisfy senior management and the board of directors that no action is required, and explain why. 3. Present the auditees views Usually, managers of audited units agree with the auditor on all important points in the report. However, auditees sometimes want to mention mitigating circumstances or clarify an issue. If the auditee disagrees with the auditors observations or recommendations, the auditee should be allowed to express opposing views, stating his or her reasons. This method helps senior management by providing a basis for deciding what actions to take. It indicates that the audit reporting process is fair and unbiased. 4. Provide a basis for follow-up The report provides a basis for following up on audit recommendations to determine whether management has adequately considered the auditors recommendations and implemented appropriate corrective action. Note:
1 mark for each objective