Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 5: Examination phase of the internal audit

Overview
Module 5 covers the main aspects of the examination phase of the internal audit. You learn how the auditor organizes and carries out the work needed to obtain sufficient, appropriate evidence to assess the quality of management systems and practices in areas selected for audit. In this module and in Modules 8 and 9, you develop competence in using technological tools in the workplace by gaining exposure to generalized audit software packages such as ACL. This type of software is used to obtain evidence for internal audits, including fraud investigations. Finally, you consider the responsibility of the internal auditor in the event of fraud.

Test your knowledge

Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the depth of study required.

Learning objectives
5.1 Overview of the examination phase Identify the main steps in the examination phase of an internal audit. (Level 1) Preparing the audit work program Identify the purpose of an internal audit program, and explain its components and format. (Level 1) Testing and evidence Demonstrate how audit evidence is gathered, selected, and assessed, and the importance of the decisions involved. (Level 1) Developing audit criteria and preparing an audit program Case study Develop appropriate criteria and prepare an audit program for a risk-based audit. (Level 1) Computer-assisted audit techniques Distinguish between systems-oriented and data-oriented computer-assisted audit techniques (CAATs). (Level 1) Generalized audit software Demonstrate how data are analyzed using generalized audit software such as ACL. (Level 1) Evaluating audit results Assess conditions within an audited unit against audit criteria, and analyze the causes and effects of any observed deficiencies. (Level 1) Completing and reviewing audit files Explain the standards for preparing audit working papers and the importance of the internal auditors role in supervising the engagement. (Level 2) Internal auditing and fraud Identify the roles and responsibilities of management and the internal auditor in the deterrence and detection of fraud. (Level 1) Conducting a fraud investigation Identify the main steps in a fraud investigation and the auditors responsibility in following up on the results of such an investigation. (Level 1) Fraud in a technological environment Identify computer fraud and outline current practices for how internal auditors deal with it; examine how ACL can be used to conduct a payroll fraud investigation. (Levels 1 and 2) Module summary Print this module

5.2

5.3

5.4

5.5

5.6

5.7

5.8

5.9

5.10

5.11

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

MU1 Module 5: Test your knowledge

1. Which quality of audit evidence pertains to the consistency of evidence obtained from different sources? a. b. c. d. Authoritativeness Corroboration Replication Objectivity

2. For which of the following evidence-gathering techniques or processes is the use of computerized audit programs least likely to be useful? a. b. c. d. Re-performance Selecting random samples Analytical review Vouching of transactions

3. Which of the following best describes the responsibility of the internal auditor for deterring and detecting fraud? a. No responsibility; fraud detection and deterrence is the responsibility of management b. Responsible for detecting all material frauds c. Responsible for preventing all material frauds d. Responsible for assessing managements efforts to deter and detect frauds 4. Which of the following is more likely to be a motive for management fraud than for employee fraud? a. b. c. d. Company image Concern about company performance and stock price Resentment about being passed over for promotion Boredom

5. Which of the following is required before audit evidence is considered to be relevant? a. b. c. d. It It It It must must must must be derived through random sampling methodologies. be objective and unbiased. be obtained from a reliable source and be convincing. relate directly to the audit objectives.

6. Which of the following is least likely to be considered an indicator of a higher than usual likelihood of fraud? a. b. c. d. Delegation of authority limits to subordinates Lack of rotation of duties for those handling cash Staff responsible for custody and accountability of assets Unclear assignment of responsibility

7. Which of the following would be the most persuasive evidence of the existence and valuation of a trade receivable? a. Evidence of credit approval granted after completion of a credit check b. Duplicate copy of the sales invoice for the amount outstanding

c. Original of the customers purchase order supporting the sale d. Positive accounts receivable confirmation received directly from the customer 8. Generalized audit software packages such as ACL are not well suited for obtaining evidence in support of which of the following control objectives? a. Completeness of accounting for transactions b. Appropriate authorization of transactions c. Accuracy of financial information (such as agreement of sub-ledgers with control accounts) d. Valuation of assets (such as inventory or fixed assets) 9. Which of the following statements is true when considering the persuasiveness of audit evidence? a. All other things being equal, evidence created inside the organization is more persuasive than externally created documents. b. All other things being equal, confirmations from independent third parties are more persuasive than direct observation by the auditor. c. Evidence that has passed through the operational department being audited is more persuasive than that obtained directly by the auditor. d. Internally generated evidence produced from systems where the controls are known to be strong can be considered persuasive by the internal auditor. Solutions

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

MU1 Module 5: Test your knowledge solutions

1. a. Incorrect. Authoritative evidence is more persuasive but may be from the same source. b. Correct. Corroborated evidence is the same or similar evidence acquired from two or more independent sources. c. Incorrect. Replication refers to re-performance of work carried out by the auditee. d. Incorrect. Objective evidence is arrived at when two auditors arrive at the same results, which is not related to consistency of audit evidence. 2. a. Incorrect. The computer can be used to re-perform tasks carried out by the auditee. b. Incorrect. The computer can be used to select statistical samples for verification. c. Incorrect. The computer can be used to perform a variety of analytical calculations and comparisons. d. Correct. Generalized audit software cannot be used to examine documents. a. Incorrect. The auditor has a responsibility for assessing managements efforts in this regard. b. Incorrect. This comes closest to describing the responsibility of the external auditor. c. Incorrect. Deterrence of fraud is principally managements responsibility. d. Correct. This best describes the responsibilities of the internal auditor under the Standards. a. Incorrect. This is unlikely to be a motive for management fraud. b. Correct. This would more likely lead to management fraud (that is, deliberate falsification of financial results). c. Incorrect. This is the revenge motive for employee fraud. d. Incorrect. This is the challenge motive for employee fraud. a. b. c. d. Incorrect. This may relate to competence or sufficiency, but not relevance. Incorrect. This relates to competence of the evidence. Incorrect. This also relates to the competence or appropriateness of the evidence. Correct. Audit evidence is only relevant when it relates to the specific audit objective for which it is used.

3.

4.

5.

6.

a. Correct. Some delegation of authority is normal in all companies. b. Incorrect. This might allow a fraud to go undetected for a long period of time. c. Incorrect. This would allow the staff member to remove the asset and cover up its disappearance. d. Incorrect. This would increase the likelihood that a fraud would not be detected. a. Incorrect. This is some evidence of collectibility, but not of existence of the receivable. b. Incorrect. The invoice may have been paid, may be in dispute, or may be fictitious. c. Incorrect. This does not mean that the sale was made, or that the customer will be able to pay if the amount is owed; perhaps the sale was valid but already paid. d. Correct. This is persuasive as to the existence of the receivable and the customers acknowledgment of the amount owing. It is not completely satisfactory as to collectibility, but is the best choice of those offered. a. Incorrect. They can easily be used to identify gaps in the sequences of sequentiallynumbered documents. b. Correct. This information is seldom contained in the computer files. Evidence of

7.

8.

c. d. 9. a. b. c. d.

approval will usually be found on the underlying documents such as purchase requisitions or invoices. Incorrect. This could be done, for example, by using the program to calculate the sub-ledger total and comparing it with the control total. Incorrect. It can be used to compute standard costs or depreciation to assist in verifying the valuation of inventory or capital assets. Incorrect. The exact opposite is true. Incorrect. Direct observation by the auditor is the strongest type of evidence. Incorrect. Evidence is considered more persuasive if the auditor obtains it directly from its source. Correct. Evidence produced from systems with strong controls can be considered persuasive for some audit purposes; this applies to most payroll systems, for example.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.1 Overview of the examination phase

Learning objective

Identify the main steps in the examination phase of an internal audit. (Level 1)
Required reading

Reading 2-1, Performance Standards 2300 to 2340 (Level 1)

LEVEL 1

In the planning phase of the internal audit (covered in Module 4), auditors prepare audit programs outlining the main steps they will follow to collect enough evidence to assess what is actually happening against the audit criteria. Then, in the examination (or field work ) phase of the internal audit, they examine operations and transactions and analyze the results. If the criteria are not met, the auditors must determine the specific causes and effects and make recommendations to correct any deficiencies noted. Exhibit 5.1-1 shows the step for preparing the audit program in the planning phase and the main steps in the examination phase.

Exhibit 5.1-1: Preparing the audit program in the planning phase and the examination phase

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.2 Preparing the audit work program

Learning objective

Identify the purpose of an internal audit program, and explain its components and format. (Level 1)
Required reading

Reading 5-1, Components of an audit program (Level 1) Reading 5-2, Practice Advisory 2320-1: Analysis and Evaluation (Level 1) Reading 5-3, Leonardo and the auditor (Level 1) Reading 5-4, Sample audit program (Level 1) Online reading 5.2-1, ERH , Unit A9, Making moral choices using an analytical approach (Available under the Resources tab) (Level 1)
LEVEL 1

Engagement procedures, including testing and sampling techniques, should be selected in advance and expanded or modified if circumstances warrant. An audit work program is a detailed plan of tasks to be performed during the audit. It documents the logical relationship between audit objectives and criteria and the procedures for testing actual performance against the criteria. It is an important tool for planning, organizing, directing, and controlling audit work. The audit program has several purposes: Ensure that auditing standards are met. Clearly communicate objectives, audit criteria, and procedures. Aid in understanding the activities being audited. Outline the work to be done, and ensure that essential procedures for meeting audit objectives and checking audit criteria are not overlooked. Provide a basis for allocating time and resources, as well as scheduling and controlling audit work. Provide for an orderly review of the work performed. Provide a checkpoint for approval of planned audit work and subsequent audit review. Ensure the most efficient procedures are followed in the proper order to gather audit evidence to support an observation. Confirm an audit finding, observation, or conclusion with management. The audit work program is usually prepared in the audit office and, after approval, is taken to the audit site to carry out the audit project. It is a documented plan of the auditors approach to each specific audit engagement. The overall purpose of the audit program is to guide the auditor in gathering evidence to determine the extent to which the audit criteria have been met by the unit being audited. This allows the auditor to arrive at conclusions, and to report specific findings and recommendations. The scope of the audit is not always indicated in the audit program because the scope has been documented as part of the planning notes for each audit and must also be stated in the audit report. The audit program usually includes the names of the auditors assigned to the project, the specific procedures assigned to each, and the following sections: Audit objectives Audit criteria

Audit procedures Performance Standard 2240 governs audit work plans as follows: 2240.A1 Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly. 2240.C1 Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement. The following readings for this topic provide more detail on the purpose, components, and use of audit programs. Reading 5-1 explains the components of an audit program. Reading 5-2, Practice Advisory 2320-1 1 ,outlines how internal auditors can use analysis and evaluation at the fieldwork stage of an engagement. Reading 5-3 describes how auditors need to consider many subjective issues when performing work plans. Internal audit work goes beyond scientific, factual considerations. Reading 5-4 is an example of an audit program. Notice that there are general and specific procedures to satisfy each audit criterion. Reporting and monitoring are also considered to be part of the audit procedures and are included as the last subheading in the audit program.

1 Practice Advisory 2320-1, although withdrawn in January 2009, includes relevant information for

MU1.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.3 Testing and evidence

Learning objective

Demonstrate how audit evidence is gathered, selected, and assessed, and the importance of the decisions involved. (Level 1)
Required reading

Reading 5-5, Evidence requirements in an internal audit (Level 1)

LEVEL 1

Gathering and selecting audit evidence

In this step of the examination phase, which is usually quite time-consuming, internal auditors examine detailed operations and transactions as specified in the audit program. They decide whether each activity or transaction was performed in accordance with stated policies and procedures. The auditor may examine a sample of purchase transactions to determine whether each is properly supported by a purchase order, competitive bids were requested if required, a proper contract was signed with the supplier, goods were inspected upon receipt, and settlement was made in accordance with agreed-on conditions. This allows the auditor to determine the actual conditions in a particular segment of operations in the organization and forms the basis for the analysis of audit results. The auditor may also perform analysis on the organizations data files, if required by the audit program. Such analysis may include analytical review, comparison of data from different internal and external sources, and comparison of results with prior periods and with other units within the enterprise and other organizations (or industry standards) for the activity being audited. Reading 5-5 describes how auditors obtain the evidence they require.

Assessing the quality of audit evidence

Information should be collected on all matters related to the engagement objectives and scope. The information should be sufficient, competent, relevant, and useful and provide a sound basis for the engagement observations and recommendations. Sufficient information is factual, adequate, and convincing, so that a prudent, informed person would reach the same conclusions as the auditor. Competent information is reliable and the best attainable through the use of appropriate auditing techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives of the engagement. Useful information helps the organization by contributing to the improvement of its governance, risk management and control processes so that it is more likely to achieve its objectives. In determining the nature of evidence required, the auditor should consider general principles of fairness and respect for persons, which goes beyond the specific concerns of management. For example, the auditor would respect confidentiality requests of individuals providing information, even if management would like to know

who supplied the information. Information supplied to the auditor anonymously should, however, never be taken as fact and should only be used as evidence if the auditor has substantiated the information.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.4 Developing audit criteria and preparing an audit program Case study
Learning objective

Develop appropriate criteria and prepare an audit program for a risk-based audit. (Level 1)
No required reading LEVEL 1

The case study in this topic is a continuation of Case study 4.8-1 from Module 4. Refer to the background information and risk analysis for Connon Chemicals use of toll manufacturers in Topic 4.8.

Case study 5.4-1: Connon Chemicals Inc. (continued)

Required

Part a For each risk identified in the solution to the case study given in Topic 4.8, determine the method of mitigation (control, diversify, or insure) you would expect to find. Solution (a) Part b State appropriate criteria to evaluate the companys efforts to address each risk, and develop an audit program for your audit. Remember that the criteria and audit program must be designed to achieve the scope and objectives set out in the solution to the first part of this case in Topic 4.8. Solution (b)

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.5 Computer-assisted audit techniques

Learning objective

Distinguish between systems-oriented and data-oriented computer-assisted audit techniques (CAATs). (Level 1)
Required reading

Reading 5-6, Two types of computer-assisted audit techniques (Level 1)

LEVEL 1

Internal auditors must be efficient and effective. To help achieve efficiency and effectiveness, auditors use computer-assisted audit techniques. Standard 1220.A2 states that in exercising due professional care internal auditors must consider the use of a technology-based audit and other data analysis techniques. There are three prerequisites to be met before the internal auditor can consider using computer-assisted audit techniques (CAATs): 1. The information to be analyzed must be stored in computer records. CAATs can be used only where the record-keeping is computerized. 2. Computer facilities must be available, and appropriate software to perform the CAATs must either be available or can be developed cost-effectively. 3. The auditor must have the technical competence to perform the audit procedures or can supervise the specialist who carries out the computer-assisted procedures. In addition, the auditor must consider the effectiveness and efficiency of using CAATs compared to using manual techniques. There are two types of CAATs: those used to study systems controls (systems-oriented techniques) and those used to examine data (data-oriented techniques). Reading 5-6 describes these two types of computer-assisted audit techniques.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.6 Generalized audit software

Learning objective

Demonstrate how data are analyzed using generalized audit software such as ACL. (Level 1)
Required reading

Online reading 5.6-1, Doing the Internal Audit-Management Dance (Level 1) Online reading 5.6-2, Global Technology Audit Guide (GTAG) 13: Fraud Prevention and Detection in an Automated World, pages 9 to 15(Level 1) Online reading 5.6-3, Module 5 ACL Computer Illustrations (Level 1): Computer illustration 1: Basic table management using ACL Computer illustration 2: Analyzing field contents and sorting a table Computer illustration 3: Creating new fields and analyzing a field Computer illustration 4: Aggregating the values of a field Computer illustration 5: ACL procedures for fraud investigation
LEVEL 1

The type of software most frequently used by internal auditors is called generalized audit software. It has been suggested (in best practice and benchmarking studies in internal auditing) that increased use of such software would make the greatest contribution to the increased efficiency of most internal auditing departments. Generalized audit software is designed to work independently of any particular file structure. Most programs require commands that specify the name and type of the input file, the layout of the records, the processing desired (such as multiplying one field with another field), and the format of the output report. Usually, the auditor enters these commands either on coding sheets or online. Generalized audit software runs on mainframes, minicomputers, and microcomputers, depending on the particular programs. The functions provided vary from program to program, but in general, most programs can do the following: Read data files in a variety of file structures including sequential, indexed sequential, and direct access files; the more advanced programs can also read and process information from multiple files concurrently. Merge records from multiple files. Sort records according to specifications from the auditor, including alphabetic sequence, numeric sequence, and date sequence. Perform selection of records based on logical criteria specified by the auditor; for example, select all invoices in December that are more than $1,000. Perform numeric computations such as adding one field to another, subtracting one field from another, multiplying two fields to create a new field, and dividing one field by another to generate a new field. Perform statistical sampling such as selecting every n th record, or selecting randomly; data can also be stratified into different groups before sampling. Perform frequency analysis; data can also be stratified into different groups before frequency counts are performed.

Perform summation of data records, such as footing of all outstanding invoices. Generate reports that summarize the result of the operations requested by the auditor. (Some generalized audit programs provide report formatting commands to the auditor to customize the output report.) Regardless of the software used, the auditor performs these steps: 1. Define the specific audit objectives to be carried out with the assistance of the generalized audit software. 2. List the tests the generalized audit software will use to assist in reaching the audit objectives. 3. Obtain copies of the data files to be tested. 4. Enter the audit commands or parameters in the generalized audit software. 5. Check the output and draw audit conclusions.

Audit Command Language (ACL)

ACL is an example of a generalized audit software package that is available commercially. One of the major advantages of ACL is its ability to read files of many different formats created by different accounting and financial programs. Operations with ACL can be accomplished either by the universal audit control language proposed by Professor Will, the developer of ACL, or by choosing items from menus provided in ACL. ACL commands can be entered interactively. ACL performs computer-assisted auditing functions, specifically the following: Counting, footing, extensions, scanning, and listing of data Performing recalculations and aging Exception reporting Extraction and file processing Sampling (attribute and dollar unit sampling) Sorting, indexing, and summarizing File merging, matching, and multi-file processing Creating reports and confirmation letters. Online reading 5.6-1 describes how a biotherapy firm used ACL for a continuous controls monitoring program which is credited with creating numerous benefits to two diverse sections of the company. Work through the following computer illustrations (see Online reading 5.6-3) to gain some hands-on experience using ACL. Computer Computer Computer Computer Computer illustration illustration illustration illustration illustration 1: 2: 3: 4: 5: Basic table management using ACL Analyzing field contents and sorting a table Creating new fields and analyzing a field Aggregating the values of a field ACL procedures for Fraud Investigation

GTAG 13: Fraud Prevention and Detection in an Automated World

Online reading 5.6-2, Global Technology Audit Guide (GTAG)-13, explains how internal auditors use data analysis software, such as ACL, to test large data files for indications of fraud. These sections of the GTAG provide examples of analysis for various types of frauds.

ACL Analysis
The MU1 exam typically has one in-depth question on ACL analysis. Review and practise the ACL questions from past MU1 exams (accessible under the Exam Preparation tab) for an understanding of how to analyze and answer such questions .

To extend your knowledge, an ACL software guide (in PDF) is located in the ACL folder installed on your computer for further reference (not examinable).

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.7 Evaluating audit results

Learning objective

Assess conditions within an audited unit against audit criteria, and analyze the causes and effects of any observed deficiencies. (Level 1)
No required reading LEVEL 1

The internal auditor must determine whether the audited unit purchasing, for example meets the audit criteria. Such evaluation is the most important step of the examination phase. If the auditor does not carry out the evaluation properly, he or she may reach erroneous conclusions and adversely affect the credibility of the internal audit department. Evaluation consists of two parts: the assessment of conditions against criteria, and the analysis of causes and effects of noted deficiencies.

Assessing conditions against criteria

The evidence should accurately reflect the conditions within the audited unit. Existing conditions (what is) are compared with the audit criteria (what should be). Assessing conditions against criteria is one of the most difficult parts of the internal audit, but one that must be done to produce audit findings. To make such an assessment, the auditor must set an acceptable level of deviation from internal controls, keeping in mind that no system of internal control is effective 100% of the time. The audit criterion established for an internal audit of a purchasing department is provided below: The appropriate quantity of goods and services of a given quality should be acquired on time and at the best possible price. To determine whether this criterion is being met, the auditor identifies the following questions to ask as part of the audit procedures: Are purchasing procedures designed so that goods and services will be acquired at the best price? For example, are competitive bids requested from suppliers? Is the right quantity of goods acquired? How are such quantities determined? Is the right quality of products acquired? How is such quality determined and subsequently assessed? Are goods and services acquired at the right time? How is the timing of deliveries determined? After identifying the controls that management claims have been implemented, the auditor must test the effectiveness of the controls in reducing residual risk to an acceptable level. To do so, the auditor uses the techniques outlined in Topics 5.3 and 5.4 to determine the actual performance and to compare it against the criteria. How does the auditor assess the actual conditions? If, for example, a sample of purchase transactions was reviewed and the auditor found that competitive bids were not requested in three cases, has the criterion been met? Is it acceptable if goods were ordered ahead of time in two cases? Such decisions rest with the auditor, who will take into consideration particular circumstances in the organization, such as the number of suppliers available (and the risk limits established by management). The number of acceptable deviations also varies with the nature of the operation. For example, few internal auditors would consider it acceptable if even one cheque had been issued without proper authorization;

however, the omission of a credit check in one sales transaction out of a sample of one hundred would not necessarily be considered a significant deviation.

Analyzing causes and effects of noted deficiencies

The purpose of the audit is to identify weaknesses that pose a continuing threat to the organization. The auditor must be able to state the continuing risk that the organization will be subject to if it does not take action to rectify the identified weakness. This is the effect of the weakness. (If the auditor is unable to identify and communicate the effect to management, it is unlikely that management will be motivated to take the actions necessary to address the weakness.) In order to suggest appropriate action to eliminate the weakness (so that the organization is no longer subject to this risk), the auditor usually attempts to identify why the weakness occurred. This is the cause of the weakness. When the existing conditions fall short of the audit criteria, the auditor has to investigate the causes and effects of the audit finding by doing the following: Define the problem (not merely citing symptoms) and collect information on the causes of deficiencies. Evaluate the appropriateness of the evidence to substantiate the findings. Collect additional evidence on the causes and effects of deficiencies to show the significance of the matter to be reported. Then the auditor must discuss with the appropriate level of management in the audited unit the reasons for non-adherence to the criteria and their implications before developing recommendations to address the cause of the weakness.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.8 Completing and reviewing audit files

Learning objective

Explain the standards for preparing audit working papers and the importance of the internal auditors role in supervising the engagement. (Level 2)
Required reading

Reading 5-7, Practice Advisory 2330-1: Documenting Information (Level 2) Reading 5-8, Practice Advisory 2340-1: Engagement Supervision (Level 2) Reading 5-9, Effective Audit Supervision (Level 2)
LEVEL 2

Standards for preparing audit working papers

Audit files document the audit objectives and audit criteria used, procedures followed, tests performed, information obtained, and conclusions reached during an examination. The internal auditor uses them as a source of substantiation for the audit findings, conclusions, recommendations, and opinions to be reported. Audit files should therefore contain the following: Clear statements of audit objectives, scope, and criteria The reasons for performing specific audit procedures or tasks, and the relationship of these tasks and procedures to the audit objectives and criteria Appropriate documentation of matters examined (for example, the audited units policies, systems, controls, related procedures, and results) and the reasons for selecting them for examination The audit programs and the nature and extent of the work done in the audit Drafts of audit reports Details of discussions with management, including dates and the names and titles of persons present The response of management, including details and date of any corrective action taken to remedy identified weaknesses Copies of photographs and captions Evidence that a supervisory review of the auditors work was completed. The IIA has issued Practice Advisory 2330-1 (Reading 5-7) on documentation of work done in internal audit engagements. The purposes, contents, and some working paper techniques of documentation are outlined in that advisory. The internal audit department must use a standard structure for all the files to ensure consistency and facilitate their review. The use of electronic working papers can help achieve a standard structure and improve audit department efficiency. Audit files must meet the following criteria: They must be complete and accurate: show the nature and extent of the audit work done, and provide proper support for audit decisions, findings, conclusions, recommendations, and opinions. They must be clear and concise, requiring no supplementary oral explanations. They must be pertinent, containing only information that is relevant, important, and useful with respect to the objectives established for the examination.

They must be systematically organized, indexed, neat and orderly, with adequate space for additional data, notes, and comments. Disorderly, crowded working papers are inefficient and reflect badly on the underlying work. Exhibit 5.8-1 shows an internal audit working paper index for an audit file.
Exhibit 5.8-1: Sample working paper index

Engagement supervision
Reviews of the audit file must be done to ensure that work performed has been documented and conforms to the standards of the internal audit department. Practice Advisory 2340-1 (Reading 5-8) sets out the auditors responsibilities in supervising the audit work and in reviewing the working paper files. In practice, audit files are reviewed at various levels. Audit supervisors first review files prepared by audit staff. Review notes are prepared. Such notes may question unclear conclusions or items for which information is inadequate. The staff who performed the audit respond to the notes by seeking additional information as required and by modifying the working papers accordingly. Review notes prove that the work has been properly supervised and documented and that the standards of the internal audit department (and the International Standards for the Professional Practice of Internal Auditing) have been adhered to. Audit files are later reviewed by senior members of the internal audit department, such as audit managers and directors. The main purpose of their review is to verify that there is adequate support for the main observations and recommendations. In addition, working paper files are reviewed as part of both internal and external quality assurance reviews. Reading 5-9 explains the importance of internal audit supervision, with examples of the problems which can result from inadequate supervision. The right amount and type of audit supervision is essential to ensure quality internal audit work for the audit committee, management, and the external auditors.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.9 Internal auditing and fraud

Learning objective

Identify the roles and responsibilities of management and the internal auditor in the deterrence and detection of fraud. (Level 1)
Required reading

Reading 5-10, IPPF Practice Guide: Internal Auditing and Fraud, pages 1-22 and 32-36 (Level 1) Online reading 5.9-1, ERH , Unit C9, Fraud and other high-risk situations (Available under the Resources tab) (Level 1)
LEVEL 1

Roles and responsibilities regarding fraud

The IIA defines fraud as any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. Fraud has also been defined as any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain. Fraud has always been a threat to organizations, but in recent years, both the dollar amounts and the frequency of fraud have increased. Today, both senior management and boards of directors are concerned about potential and actual fraud and its effect on the organization. Management has the primary responsibility for preventing and detecting fraud. However, management needs assistance from the internal auditor. To what extent is the internal auditor directly or indirectly responsible for detection of fraud? The responsibility for identifying all risks and reducing identified risks to an acceptable level is that of management, not the internal (or external) auditors. In its risk management and control processes, management should consider the risk of fraud along with other risks and should implement operational controls to reduce the risk of fraud to within the organizations risk limits. Management also has the responsibility (in its operation of controls) to have controls in place to detect fraud if it does occur. Unfortunately, not all fraud can be detected. Even if complete testing (100%) is performed, fraud can prevail through forgeries, unrecorded transactions, and collusion. Furthermore, the cost-benefit aspect of complete testing must be considered. Thus, judgment becomes an important factor in determining the extent to which fraud can be controlled and deterred. The Standards require that internal auditors exercise due professional care in performing internal audits. In carrying out audit engagements, they should do the following: Consider fraud risks in the assessment of the design of controls and in the determination of audit steps to perform. Have sufficient knowledge of fraud to identify warning signs (red flags) that fraud may have been committed. Be alert to opportunities, such as control weaknesses, that could allow fraud.

Evaluate the indicators that fraud may have been committed and determine if further action is warranted. Notify the appropriate authorities within the organization if there are sufficient indicators of fraud to recommend an investigation. Reading 5-10, the IIAs practice guide on internal auditing and fraud, provides an overview of the responsibilities of the internal auditor and others in preventing and detecting frauds. It also provides an outline of how auditors might perform and document a fraud risk assessment. The following points highlight the role of management and of the internal audit activity with respect to the deterrence and detection of fraud: Management is responsible for the deterrence and detection of fraud. The principal mechanisms for deterring fraud are management and internal controls. Internal auditors are responsible for examining and evaluating the adequacy and effectiveness of controls that are established by, and are the responsibility of, management. Internal auditors must have sufficient knowledge of fraud to be able to identify indicators that fraud might have occurred. If significant control weaknesses are detected, additional tests should be performed to look for other indicators of fraud. Audit procedures by themselves, even if carried out with due professional care, do not guarantee that fraud will be identified.

Indicators of potential fraud

One of the internal auditors responsibilities is to assess whether management practices and internal controls are adequate and effective, and whether assets are safeguarded. Consequently, the internal auditor must watch for situations that increase the risk of fraud, such as those listed below: Control being held by a few individuals, lack of segregation of duties Unexplained significant variances of certain accounts as well as unfavourable trends in one or more key ratios for example, inventory turnover, accounts receivable to sales ratio, and average collection period Decrease in performance, loss of major clients to competitors, branch closure, and discontinuance of product lines (these indicate operating difficulties which may provide a motivation for management to overstate the financial results) Late reporting (as a result of time taken to alter results) Unexplained shortages in physical assets Existence of a number of bank accounts, cash shortages, overages, and other unexplained conditions Staff not taking vacations or not rotating duties If any of these situations causes sufficient concern that fraud might have been committed, the internal auditor must recommend that a fraud investigation be carried out. Because of the high level of judgment and discretion required in a fraud investigation, the investigation should be carried out by those with sufficient training and experience to ensure the following criteria are met: Any investigation is carried out with due regard for the rights of all involved. Any evidence that may be needed for police or court purposes is properly obtained, documented, and retained.

The Association of Certified Fraud Examiners has provided a useful fraud prevention checklist for organizations (not examinable).

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.10 Conducting a fraud investigation

Learning objective

Identify the main steps in a fraud investigation and the auditors responsibility in following up on the results of such an investigation. (Level 1)
Required reading

Reading 5-10, IPPF Practice Guide: Internal Auditing and Fraud, pages 23-29 (Level 1) Reading 5-11, Taming the Beast: Reining in Health-care Fraud (Level 1)
LEVEL 1

When conducting a fraud investigation, the internal auditor should consider the following matters: 1. 2. 3. 4. 5. Be alert to indications of the existence of fraud. Inform management. Conduct the investigation by performing audit steps. Reappraise internal controls and audit procedures. Report on the fraud investigation.

Reading 5-10, Internal Auditing and Fraud, provides guidance on the auditors responsibilities relating to fraud investigation, reporting, resolution, and communication. Every fraud investigation must be customized to the specific fraud risks of the operating area. Reading 5-11 gives insight into some specifics of health-care fraud, including areas that would be covered by internal auditors in trying to reduce health-care fraud.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

5.11 Fraud in a technological environment

Learning objective

Identify computer fraud and outline current practices for how internal auditors deal with it; examine how ACL can be used to conduct a payroll fraud investigation. (Levels 1 and 2)
Required reading

Online reading 5.6-3: Computer illustration 5: ACL procedures for payroll fraud investigation (Level 1)
LEVEL 2

In the past quarter century, almost all aspects of business recordkeeping have been computerized. While computerization of accounting and other records could potentially result in a net strengthening of controls, it has also created new and different threats of fraud and other inappropriate acts. There are three main categories of inappropriate computer activity (computer fraud): Theft of information such as customer lists, market research information, cost and pricing data, and launch plans for new products Theft of assets by means such as unauthorized electronic funds transfers or improper write-offs of accounts receivable Malicious destruction or corruption of information or programs by disgruntled employees or former employees, competitors, or hackers Because the use of computers has increased so dramatically over the past 25 years, the frequency and cost of computer fraud have increased apace. Only a small proportion of computer fraud is detected. Therefore, the only effective defence against computer fraud is prevention. Some of the preventive measures aimed at averting computer fraud are identical to those found in manual systems: appropriate screening of personnel, adequate segregation of duties, fear of the consequences of detection, and so on. Additional controls are needed in electronic environments. These include controlling access to hardware, programs, and data. The computer can also be used to implement limit checks and other edit processes to prevent processing of unauthorized and improper transactions. When employees or others use computers to commit inappropriate acts, internal auditors may well become involved in dealing with the problem. Online reading 5.6-3, ACL Computer illustration 5: ACL procedures for fraud investigation, explains the procedures and tools available to the internal auditor in dealing with such situations.

Internal auditing in practice

The roles of the internal auditor, forensic accountant, and police are considered with respect to a fraud investigation in this excerpt from an interview with Norman Inkster, then President of KPMG Investigation and Security Inc. Inkster talks with Yves Gauthier, former commissioner of the Royal Canadian Mounted Police and past president of Interpol, about the realities of fraud.
LEVEL 1

Existing and potential fraud is a significant concern in the business community and must be prevented and detected to the extent practicable. The IIA Implementation Standard 1210.A2 states that the internal auditor

must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. Now work through Computer illustration 5 to gain some hands-on experience in a payroll investigation using ACL.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

KPMG interview
Q:When, then, is the best time to bring the police into a fraud investigation? A: There is an argument that all matters where criminal wrongdoing is suspected should be brought to the attention of the police. This is not always done. In practical terms, however, if the company is seeking criminal prosecution, its best to give the file to the police early so they can get to work on it particularly if there is any chance that evidentiary material might be destroyed or disappear. Once the file goes to the police, however, there is a risk that the company will lose control of it. It can be difficult to get it back for other purposes, like civil proceedings or insurance. The whole criminal process, including appeals, may first have to run its course. This means that, for practical purposes, if the company is mostly interested in recovering the money, it may be best for it to keep control of the file. Police do not see themselves as bill collectors and will simply suggest that the company seek other remedies, including civil court. Its important for companies to decide from the outset what their objectives and motivations are because the outcome of criminal proceedings may be influential in civil court. Q:What should be the role of the internal auditor in fraud investigations? A: Fraud is always a concern for an internal auditor. If a company has been defrauded or management suspects that it has been, the first question always is, Where was the internal auditor? So all internal auditors want to demonstrate to the audit committee that they have dealt properly with risk analysis, preventive measures, integrity testing, and controls. I often think that the role of the internal auditor is not well understood by the CEO. If someone is going to defraud a company, that person may well know exactly how the internal control systems work and will work very hard at hiding the crime. So the fraud may not be obvious to even the very best of internal auditors. In many cases, all the internal auditor can do is say: Yes, we were, as always, concerned. This is what we looked at, this is where we identified the risk, and this is the material that we examined in conducting our audit. Given how well most internal frauds are hidden, the first indication may be curious transactions or unusual expenditures that set off the alarm bells as the internal auditor does his or her work. Internal auditors obviously cannot stop all fraud, but they must demonstrate diligence with their audit plans and assure stakeholders that appropriate explanations were sought for the unusual. Rarely will a look at the books tell the whole story. Q:Do you see a changing role for directors and audit committee members of a company? A: As the world becomes ever more complex, it will be increasingly important for the board of directors and the audit committee to understand what their company does and how it functions, including the role of the internal auditor. Good governance will be the watchword. Because of heightened awareness among directors about new codes of best practice that may be used in court in the future, there is an understanding that they will have to become more accountable toward the business. Ignorance will not be a defense. Directors will have to demonstrate that they did everything they could to manage the company prudently. Directors should assume stewardship responsibility for the integrity of the corporations internal control, particularly where risks exist. The audit committee members should have direct communication with the internal auditors in this regard. These developments place a greater burden on internal auditors, who must examine their overall crime prevention and risk management initiatives, including their forensic accounting resources. Q:What is expected of an internal auditor during a forensic investigation? A: An internal auditor must understand that regardless of how he or she perceives the auditors role, a routine investigation can turn into a criminal investigation. This means that the internal auditor is increasingly likely to be called upon as a witness, providing evidence that will be important for setting up a prima facie case. An internal auditor will have to be at ease in this situation and must understand that, once a case is underway, testifying in court will be a distinct possibility.

Q:How should the relationship between an internal auditor and a forensic accountant evolve? A: There has always been a sense of rapport between the internal auditor and the forensic accountant. But as we move into cases involving unfamiliar offshore jurisdictions and other complexities, that rapport must deepen. An experienced forensic accountant can also help a company become more comfortable in instituting controls in other countries, learning about foreign business practices, and making management aware that all foreign jurisdictions dont necessarily share the same business values and ethics. The forensic accountant can also act as an advisor to the internal auditor in reviewing the audit plans, the risk analyses, and the audit approach, thus providing additional assurance that due diligence was applied in planning and executing the internal audit function.

Source: Copyright 1995, Institute of Internal Auditors. Adapted from Forever Fraud by Yves Gauthier (Interview with KPMG Investigation and Security President Norman Inkster), Vol. 52, Internal Auditor , 10-011995, p. 26(4). Copyright 1999 Infonautics Corporation. All rights reserved. Reproduced with permission.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 5 summary
Examination phase of the internal audit
This module covers the main aspects of the examination phase of the internal audit. You learn how the auditor organizes and carries out the work needed to obtain sufficient, appropriate evidence to assess the quality of management systems and practices in areas selected for audit. You develop competence in using technological tools in the workplace by gaining some exposure to the use of generalized audit software packages such as ACL to obtain evidence for internal audits, including fraud investigations. Finally, you consider the responsibility of the internal auditor in the event of fraud.

Identify the main steps in the examination phase of an internal audit.

There are three main steps in the examination phase of an internal audit: 1. Examining and testing operations and transactions involves selecting samples for review and carrying out appropriate audit tests. 2. Analyzing audit results involves assessing the conditions found during the audit against the criteria to be used, and analyzing the causes and effects of any weaknesses identified. 3. Completing and reviewing the working papers involves ensuring that the audit has been conducted in accordance with appropriate standards and that audit conclusions are supported by competent, sufficient, and relevant evidence.

Identify the purpose of an internal audit program and explain its components and format.
The main purposes of an internal audit program include the following: Ensuring that auditing standards are met Clearly communicating objectives, procedures, and criteria used Outlining the audit work to be done and ensuring that all necessary work is completed Providing a basis for allocating time and ensuring that all necessary work is completed Providing for an orderly and efficient review of the work performed Providing a checkpoint for approval of planned audit work and subsequent audit review Ensuring the most efficient procedures are followed in the proper order to gather audit evidence to support an observation Confirming an audit observation, finding, or conclusion with management The components of an audit program are the following: The audit objectives summarize why the audit is being performed. The audit scope defines the function or organizational unit to be reviewed, and the activities and period to be covered by the engagement. The audit criteria are the standards used by the auditors to check operations and determine if the actual performance is acceptable. The audit procedures are the general and specific techniques carried out to ensure that the scope of the audit is covered and that sufficient and appropriate audit evidence is accumulated. The procedures include the following: Inspection

Analysis Interview Replication Physical observation Computation Sampling Confirmation The format of an audit program is demonstrated in Reading 5-4, Sample Audit Program.

Demonstrate how audit evidence is gathered, selected, and assessed, and the importance of the decisions involved.
The examination of specific transactions and operations forms the evidence upon which the audit report is based. The audit must test a sufficient number of transactions to be able to draw a valid conclusion about the population from which the sample was selected. The auditor must decide the purpose of the audit test, determine the method used to select sample items, determine what constitutes an exception or compliance deviation, select the sample, test for the desired attribute, evaluate the results, and draw conclusions about the population. The internal auditor must determine what kind of evidence is needed, how much is needed, and how it will be obtained. Evidence should be appropriate, timely, relevant, sufficient, and useful. The quality of evidence is enhanced when it is relevant, objective, documented, external to the organization, derived from a large, random, statistical sample, corroborated by other evidence, timely, authoritative, direct, and from a well-controlled system. Audit techniques for gathering evidence include inspection (vouching), analysis, interviewing, observation, confirmation, and re-performance.

Develop appropriate criteria and prepare an audit program for a risk-based audit.
In risk-based auditing, the auditor must first identify the significant risks faced by the organization in terms of the activities being audited. The auditor must consider the means available to management to mitigate the significant risks. This process provides the auditor with the audit criteria against which to compare the actual conditions observed. The audit program is developed to acquire the evidence necessary to assess whether the organization is meeting the criteria.

Distinguish between systems-oriented and data-oriented computerassisted audit techniques (CAATs).

Systems-oriented CAATs are used to verify the controls of the computer system being tested. They include the following: Test data method Integrated test facilities System control audit review file (SCARF) Logic analysis programs Code comparison programs Audit expert systems

Data-oriented CAATs are used to examine and test data that are held in a computer system. They can be grouped in the following categories: Generalized audit software System utilities Custom-written programs Industry-specific audit programs

Demonstrate how data are analyzed using generalized audit software such as ACL.
1. Define the specific audit objectives to be carried out with the assistance of the generalized audit software. 2. List the tests the generalized audit software will use to assist in reaching the audit objectives. 3. Obtain copies of the data files to be tested. 4. Enter the audit commands or parameters in the generalized audit software. 5. Check the output and draw audit conclusions. The features of ACL, in common with most generalized audit software packages, are as follows: Counting, footing, extensions, scanning, and listing of data Performing recalculations and aging Exception reporting Extraction and file processing Sampling (attribute and dollar unit sampling) Sorting, indexing, and summarizing File merging, matching, and multi-file processing Production of reports and confirmation letters

Assess conditions within an audited unit against audit criteria, and analyze the causes and effects of any observed deficiencies.
The auditor must use the evidence collected to determine whether the activities audited have met the audit criteria. This must be done objectively using criteria agreed with the auditee management. Where the auditor believes that the conditions do not conform to the criteria, the auditor should determine both the cause and the effect of the non-compliance. This may require obtaining additional evidence. Identified weaknesses and their causes and potential effects should be discussed with the management of the unit reviewed before the audit report is issued.

Explain the standards for preparing audit working papers and the importance of the internal auditors role in supervising the engagement.
The purpose of audit working papers and audit files is to provide evidence of the audit work carried out and support for the audit conclusions. They also facilitate review of the work performed and assist in the planning of subsequent audits. Audit files must have the following characteristics: Completeness and accuracy, showing proper support for decisions Clarity and concision Pertinence (that is, containing only relevant, useful information) Systematic organization

Identify the roles and responsibilities of management and the internal auditor in the deterrence and detection of fraud.

Management has the primary responsibility to prevent and detect fraud. They accomplish this through an effective system of internal controls. Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the effectiveness of the controls in place to prevent fraud. They are also responsible for identifying indicators of potential fraud and should be alert to the possibility of fraud when carrying out their audit work.

Identify the main steps in a fraud investigation and the auditors responsibility in following up on the results of such an investigation.
When conducting a fraud investigation, the internal auditor should do the following: 1. 2. 3. 4. 5. Be alert to indications of the existence of fraud. Inform management. Conduct the investigation by performing audit steps. Reappraise internal controls and audit procedures. Report on the fraud investigation.

Identify computer fraud and outline current practices for how internal auditors deal with it; examine how ACL can be used to conduct a payroll fraud investigation.
The main categories of computer fraud are Theft of information Theft of assets and their cover-up Malicious destruction of information or programs Proper policies, procedures, and tools must be in place for internal auditors to be able to deal with fraud situations: Policies available to the internal auditor are those designed to prohibit misuse of computer resources, to provide penalties for such misuse, and to authorize appropriate investigations where such misuse is suspected. Procedures should be designed to result in working papers that might be used in subsequent court action. All potential evidence must be subject to an appropriate chain of custody from the time of acquisition. Software tools available to the internal auditor include backups of files, utilities to recover deleted files, search utilities, sorting and extraction tools, and so on.

The data extraction, sort, compare, merge, and calculation functions within ACL can be used in a variety of fraud investigation applications. In a payroll fraud investigation, for example, The payroll or employee data can be downloaded and sorted for duplicate bank account or address information. Comparisons can be done between actual amounts paid to employees and those approved in data obtained from the personnel department. Calculations can be independently verified to test for possible fraudulent manipulation of the payroll software.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 5: Self-test
1. Multiple choice a. Which of the following is an essential factor in evaluating the sufficiency of evidence? 1. 2. 3. 4. The evidence must be well documented in the working papers. The evidence must be based on reliable information and sources. The evidence must bear a direct relationship to the audit objective. The evidence must be convincing enough that a trained person would reach the same conclusion as the auditor.

b. Which of the following would be the best evidence of the effectiveness of a companys credit-checking process? 1. 2. 3. 4. Observation Analysis of the trend of bad debt write-offs and aging of receivables Inquiry of the credit manager Verification of credit approval on a sample of customer orders

c. Which of the following is more likely to characterize a perpetrator of an employee fraud, such as embezzlement, compared with the perpetrator of a management fraud (deliberate falsification of financial statements)? 1. 2. 3. 4. Rationalizes fraudulent behaviour Reward system tied to financial results Life style beyond that supported by ones income Works in an organization with high secrecy and an autocratic management style

d. In carrying out an audit of sales representatives entertainment expenses, the internal auditor used ACL to determine which sales representatives had the highest ratio of entertainment costs to sales. Which type of audit procedure was used? 1. 2. 3. 4. Documentation Analysis Inquiry Re-performance

e. After carrying out the procedure set out in part (d), the auditor then reviewed the expense claims and attached receipts for those with the highest ratios of entertainment costs to sales. Which type of audit procedure was used in this step? 1. 2. 3. 4. Solution 2. CASE STUDY T5-1: Senior officers statements During a convention of a professional managers association, you heard the following comment from RayAnne Sugarbaker, a senior officer of a large Canadian company: Documentation Analysis Inquiry Re-performance

Internal auditors should not make recommendations to improve management systems and practices. This is outside the scope of their work and can be detrimental to their independence. Their job is to identify the problems; operational managers are to find the solutions. Managers, not auditors, are morally responsible for the operation of their divisions. Besides, auditors do not have the expertise to determine what corrective action should be taken by management. By making recommendations, auditors also hinder their effectiveness. How can they subsequently review, in an objective manner, systems and practices that they recommended be implemented? This is a direct threat to their independence. I heard a lot about auditors trying to determine the causes and effects of deficiencies in management systems and practices. They cannot and should not do that. In our company, internal auditors are forbidden to make recommendations. As I have always said, let the managers manage and the auditors audit.
Required

Write a response to RayAnnes statement. In your response, discuss why you agree or disagree with each of the points she raised. Solution 3. CASE STUDY T5-2: Doran Ltd. Jack Newcombe, CGA, is CAE of Doran Ltd., a large Canadian manufacturing company. The president of the company walked into Jacks office this morning and made the following statement: Jack, I just got a phone call from the vice-president of finance concerning a major fraud that has been committed by one of the purchasing agents in our procurement department. It seems that the agent has misappropriated over $200,000 in the last three years. The details on how the fraud has been committed are unknown. I am disappointed that your department has not detected this fraud. The procurement department is one of the most important departments of the company, and you perform a detailed audit of these activities every year. In fact, the last audit was conducted only six months ago. I will have to bring this matter to the attention of the audit committee, which meets in two days. The committee members will certainly be interested to know why the internal audit department has not detected this fraud. Some members consider that the detection of fraud is one of the most important responsibilities of your department and may believe that you are not doing your job well. I think that you should attend the audit committee meeting and prepare yourself to answer their questions. We will not have time to obtain more details about this fraud before the meeting. It would be a good idea, for now, to stick to general points. I would like you to make a short presentation to the committee members on the responsibilities of the internal audit department regarding the deterrence, detection, investigation, and reporting of fraud and present any other relevant points to explain why the fraud has not been detected through internal audits carried out in the procurement department. Before the meeting, I would like to review with you the main elements of your presentation. Prepare your notes, and lets meet in my office at 10 oclock tomorrow.
Required

Assume the role of Jack Newcombe and prepare your notes for the meeting with the president. Solution

4. CASE STUDY T5-3: Big City You are a supervisor in the internal audit department of Big City. Your department has included the fleet management division of Big City in its audit plan for the current year. Big City owns over 3,500 cars and trucks. Every year, approximately 700 vehicles are traded or disposed of. The fleet management division is entirely responsible for the management of all vehicles from their acquisition to their disposal. During the planning phase of the audit, you noted that the divisions policies and procedures manual included a section on disposal of vehicles. The policy states that the division should determine the estimated useful life of each vehicle, in kilometres, and that each vehicle should be disposed of when a certain number of kilometres travelled is reached, providing that the accumulated repair costs of the vehicle (excluding normal maintenance) are equal to or greater than 50% of its original acquisition cost. Repair costs and kilometres travelled for each vehicle should be ascertained and recorded in the vehicle service ledger of Big City. Vehicles not required for continuing service should also be disposed of. The objective of the audit of the fleet management division is to determine whether dispositions of vehicles are made in such a way as to maximize the benefits to Big City that is, with due regard for economy, efficiency, and effectiveness. The audit criteria for the audit have been established as follows: Dispositions of vehicles should be made in accordance with Big City policies and procedures. The vehicle service ledger should be complete and accurate. Dispositions of vehicles should yield maximum benefits to Big City.
Required

Prepare an audit program for Big City. Be sure to follow the format provided to you in Reading 54 in identifying division, audit objective, the three audit criteria, and audit procedures. In identifying audit procedures, consider first the type of evidence required by the auditor to determine whether the criteria are being met. This will enable you to determine the appropriate audit procedures. Solution

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 5 Solution 1
a. 1. 2. 3. 4. Incorrect. Sufficiency refers to amount of evidence, not documentation. Incorrect. These are attributes of competence of evidence, not sufficiency. Incorrect. This relates to its relevance, not its sufficiency. Correct. The evidence must be adequate in quantity to convince a trained, objective person.

b. 1. Incorrect. This may determine if credit checks are made, but not their effectiveness. 2. Correct. This will assist in an assessment of whether the credit policy is effective in reducing bad debt losses, which is its objective. 3. Incorrect. The credit manager is unlikely to be objective about the effectiveness of the work of the credit department. 4. Incorrect. Even if credit is checked, this does not mean that the limits are set at appropriate levels. c. 1. Incorrect. This is common to all frauds. 2. Incorrect. This is more likely to be a sign of a management fraud. 3. Correct. This usually results from employee fraud; perpetrators of management fraud seldom benefit directly in this way. 4. Incorrect. These characteristics are more commonly associated with management fraud. d. 1. 2. 3. 4. Incorrect. The auditor has not yet looked at any underlying documents. Correct. Relating entertainment costs to sales is an analytical process. Incorrect. This is not a form of inquiry. Incorrect. The auditor is not reperforming processes carried out earlier by other staff.

e. 1. 2. 3. 4. Correct. The auditor is now examining supporting documents. Incorrect. The review of supporting documents is not an analytical procedure. Incorrect. This is not inquiry. Incorrect. The auditor is not carrying this out as an exercise in re-performance.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 5 Solution 2
CASE STUDY T5-1: Senior officers statements

You should comment on the following points included in RayAnne Sugarbakers statement: To make recommendations is outside the scope of the work of internal auditors. You should disagree with this statement. It is generally recognized and accepted that internal auditors should make recommendations to improve management systems and practices; this is in fact the best way to contribute to the organization and serve management. Internal auditing is a way of ensuring managerial accountability and protecting the legitimate interests of all stakeholders. As well, an internal audit brings independent professional judgment to bear on managerial practices. Cost-effective recommendations are also key to the cost-effectiveness of audits. You may have other valid points to add. To make recommendations can be detrimental to the independence of internal auditors. You should partially agree with this statement. When making recommendations, auditors act as consultants to management. Auditors make recommendations, but management can accept or reject them; management is ultimately responsible for determining how a particular problem should be corrected. Management is also responsible for implementing corrective action. Auditors do not hinder their independence by making recommendations. To remain independent, internal auditors should report to the CEO and the board or its audit committee. You may have other valid points to add. Auditors do not have the expertise to determine what corrective action should be taken by management. You should disagree with this statement. Through practice, auditors have acquired considerable knowledge of the organization and of management and control principles and practices. Auditors can apply knowledge obtained in various situations to a particular problem. Many auditors have acquired expertise in various kinds of activities through education and experience. Many internal auditors have developed skills similar to those of management consultants.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 5 Solution 3
CASE STUDY T5-2: Doran Ltd.

You should prepare notes for a presentation to the audit committee regarding two specific elements: Responsibilities of the internal audit department for fraud Relevant points that a specific fraud had not been detected by internal audits performed in the procurement department Regarding responsibilities of an internal audit department for fraud, you should discuss the following points: Deterrence of fraud This is the responsibility of management. Internal auditors are responsible for examining and evaluating the adequacy and the effectiveness of actions taken by management to fulfil this obligation. Detection of fraud Internal auditors should have sufficient knowledge of fraud to be able to identify signs that fraud might have been committed. Internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is to detect and investigate fraud. Audit procedures alone, even when carried out with due professional care, cannot guarantee that fraud will be detected. Investigation of fraud Internal auditors may participate in a fraud investigation. Auditors should assess all facts known about fraud investigations to do the following: Determine if controls need to be implemented or strengthened. Design audit tests to help disclose the existence of similar frauds in the future. Help meet the auditors responsibility to maintain sufficient knowledge of fraud. Reporting of fraud A written report should be issued after the investigation is completed and must include all observations, conclusions, recommendations, and corrective action taken. You should record additional points to explain why the fraud has not been detected through internal audits carried out in the procurement department. The following points are relevant: Additional details on how the fraud was committed must be obtained before a conclusion can be drawn about the effectiveness of internal audits in detecting fraud. The objective(s) and scope of internal audits carried out might not have been related to fraud detection. No audit procedures can guarantee that fraud will be detected. No internal control system can guarantee that no fraud will be committed. Some types of frauds are very hard to detect. You may have other valid points to add.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 5 Solution 4
CASE STUDY T5-3: Big City audit program

See Reading 5-4 for an example of an acceptable audit program. Big City Audit program Fleet management division Disposal of vehicles
Audit objective

To determine whether dispositions of vehicles are made in such a way as to maximize the benefits to Big City, that is, with due regard for economy, efficiency, and effectiveness.
Audit criteria

Dispositions of vehicles should be made in accordance with Big City policies and procedures. The vehicle service ledger should be complete and accurate. Dispositions of vehicles should yield maximum benefits to Big City.
Audit procedures

General 1. Review the fleet management divisions policies and procedures manual regarding disposal of vehicles. Compliance with policies and procedures 2. Review the vehicle service ledger concerning the reasonableness of the estimated useful life of a sample of vehicles. 3. Select a sample of sales invoices for vehicles disposed of at the end of their useful lives. Replicate the comparison of repair costs and check that the accumulated repair costs have exceeded 50% of the vehicles original acquisition cost. General 4. Ask how vehicles not required for operations are identified. 5. Review usage of vehicles and inquire about vehicles with low kilometres. 6. Conclude as to compliance with disposal policies and procedures. Vehicle service ledger 7. Select a sample of repair expenditures (invoices) and trace them to the vehicle service ledger; determine whether repair costs are correctly recorded for the right vehicle. 8. Select a sample of vehicles from the vehicle lot and determine whether the vehicles and their kilometres travelled are correctly recorded in the vehicle service ledger. Select a sample of vehicles from the ledger and determine whether the kilometres travelled recorded in the ledger agree with those of the vehicle. 9. Conclude as to the completeness and accuracy of the vehicle service ledger. Disposal of vehicles

10. Document what is being done to maximize the return on disposition of vehicles for example, are bids requested from potential buyers, or are vehicles sold by auction? 11. Select a sample of vehicles disposed of in the last year and determine whether disposal procedures were adequately followed. 12. Draw a conclusion about the adequacy of, and compliance with, disposal procedures.