Académique Documents
Professionnel Documents
Culture Documents
Ch 9
1. Professional skepticism means that internal auditors take nothing for granted;
they continuously question what they hear and see and critically assess audit
evidence.
5. The nature of audit procedures relates to the types of tests the internal auditor
performs to achieve his or her objectives. The extent of audit procedures pertains to
how much audit evidence the internal auditor must obtain to achieve his or her
objectives. The timing of audit procedures pertains to when the tests are conducted
and the period of time covered by the tests.
10. The types of operations that internal auditors can perform with generalized audit
software (GAS) include:
• Examining files and records for validity, completeness, and accuracy.
• Recalculating recorded values and calculating other values of audit interest.
• Selecting and printing samples and calculating sample results.
• Comparing information in separate files.
• Summarizing, resequencing, and reformatting data.
• Creating pivot tables for multidimensional analysis.
• Searching for anomalies in data that may indicate errors or fraud.
• Preparing and printing reports.
• Automatically generating a historical log of data analyses performed.
11. The two most widely used commercially available audit software programs are
ACL (Audit Command Language) and IDEA (originally an acronym for Interactive Data
Extraction and Analysis).
5. The following are potential sources of useful process information from process
owners:
a. Policies relating to the process.
b. Procedures manuals.
c. Organizational charts or similar information outlining the number of employees
and key reporting relationships.
d. Job descriptions for people involved in the process.
e. Process maps or flowcharts depicting the overall flow of the process.
f. Narrative descriptions of key tasks or portions of the process.
g. Copies of key contracts with customers, vendors, outsourcing partners, etc.
h. Relevant information regarding laws and regulations affecting the process.
i. Other documentation that may have been developed to support required
reporting on the effectiveness of the system of internal controls.
6. Why IA perform Analytical Procedure?
Understanding the tasks in a process is an important step in planning an
engagement. However, these tasks describe the way a process is designed to
perform, but provide little indication regarding how effectively they are carried
out. Performing analytical procedures is one way internal auditors conduct high-
level assessments that may reveal process activities that warrant closer attention
and, accordingly, more detailed testing.
Ch 14
8. The closing conference (also referred to as an exit conference) allows the internal
audit function to confirm the preliminary facts relative to any observations indicated
by testing done during the assurance engagement with the appropriate
management representatives of the area that was audited prior to distribution of
the final engagement communication. It also allows all parties to review the form
and content of what is anticipated to be included in the final (formal and informal)
audit engagement communications and provides an opportunity for any
misunderstandings to be resolved. Additionally, it provides management of the
targeted functional areas a way to present their thoughts and planned actions
regarding the items to be covered in the final engagement communication and to
give feedback regarding how well the engagement team executed the assurance
engagement. Management’s action plan to address and resolve control weaknesses
identified during the assurance engagement is also agreed upon in the closing
conference. This provides another check point on the completeness and accuracy of
the draft final communication prior to distribution to management representatives
of the area that was subject to the assurance engagement.
9. All final (formal and informal) communications should include the following
information: the purpose and scope of the audit, the time frame of the audit, the
observations and recommendations (results) of the audit, the conclusion (opinion or
rating, if applicable) of the internal audit function, and management’s response
(action plan) to the recommendations.
10. If an internal audit function chooses to state that the controls are designed
adequately and operating effectively, it has given positive assurance. If, on the other
hand, the internal audit function chooses to communicate that nothing has come to
their attention that leads them to believe that the controls are not designed
adequately and operating effectively, it has given negative assurance.
5. The three ways that potential consulting engagements are identified are:
• Engagements are proposed during the annual risk assessment process and, if
identified as highpriority, included in the annual internal audit plan.
• Specific engagements are requested by management.
• New or changing conditions warrant internal audit attention.