
AUI4861/201/0/2012

Tutorial Letter 201/0/2012


POSTGRADUATE DIPLOMA INTERNAL AUDITING
AUI4861: INTERNAL AUDIT APPLICATIONS
TUTORIAL LETTER 201/0/2012
KEY TO ASSIGNMENT 01/2012

AUI4861 Semester 2
Department of Auditing
This tutorial letter contains important information about your module.

AUI4861/201

CONTENTS
1. GENERAL
2. PLANNING AND LAYOUT OF ANSWERS
3. HOW TO ANSWER MULTIPLE-CHOICE QUESTIONS
4. KEY TO ASSIGNMENT 01

1. GENERAL

The key to the assignment serves only as a guideline on the structure and content of your assignment answers and should not be regarded as a model answer to the questions. You should always remember that internal auditors provide value-added services to others in a dynamic, complex, expanding and constantly changing business environment. You need to develop lifelong learning skills, to think critically (ie to grasp the meaning of complex concepts and principles), and to evaluate concepts and principles and apply them to specific issues.

Please note: As postgraduate students in Internal Auditing, you are expected to be familiar with the content of the Internal Auditing course material you received at undergraduate level. In order to do well in the assignments and examinations, you will need to consult the study material and textbooks that were prescribed for your undergraduate studies. However, given the dynamic nature of internal auditing, textbooks frequently become outdated. We therefore encourage you to read widely on the subject and to refer to internet sources to supplement your studies.

2. PLANNING AND LAYOUT OF ANSWERS

Please note the following important principles before you work through the answers to the various questions:

Obtain your submitted Assignment 01 from Unisa.

Take note of the markers' comments made on your assignment as well as the mistakes/omissions you made. When working through the suggested solutions, you must not study the solutions off by heart. Instead, try to understand how we got to that solution. You will then be able to apply the principles to other questions as well.

Make notes in the study guide at the end of each study unit of the mistakes made and the topics you need to concentrate on.

3. HOW TO ANSWER MULTIPLE-CHOICE QUESTIONS

In this section we give you some tips on answering multiple-choice questions. When you are taking a multiple-choice test, the first thing you need to do is read the question CAREFULLY. Make sure you understand what kind of information you are looking for. If you know the answer right away, you should mark the correct answer and move on to the next question. If you do not know the answer, you might be able to figure it out. The first thing to do is to cross out answers you know are wrong. If you end up with two answers and you are not sure which is correct, you should probably take a guess. You are just as likely to guess the right answer as the wrong one.

Now give it a try!

Directions: Use the map below to answer the question.

The best title for this map would be:

A North America
B The Atlantic and Pacific oceans
C Continents and oceans of the world
D Rivers in the United States

The following steps help you to analyse this multiple-choice question:

Step 1: The first thing to do is to read the question carefully. You have to supply the best title for this map. A map title gives the general topic of the map, so you need to look closely to find the answer that best describes this map. Decide if the question is singular or plural. Singular questions have only one correct answer, whereas plural questions could have more than one correct option. Plural questions normally require the best, most, primary or major aspect of the topic involved. Circle reverse logic, for example: indicate the least important alternative. Underline keywords.

Step 2: If you do not know the correct answer, you will have to try out all the answers.

A. North America: The map shows North America, but it also shows other continents. So you can cross out this answer.

B. The Atlantic and Pacific oceans: Both the Atlantic and Pacific oceans appear on the map, but you may be unsure whether this is the best answer. Keep this answer as a possibility.

C. Continents and oceans of the world: You know this map shows the outlines of continents and oceans, so this is a better answer than answer B. Still, you need to check if the last answer is even better.

D. Rivers in the United States: You do not see any rivers in the United States marked on the map, so you can cross out this answer.

Now you can see that both answers B and C are possibilities, but answer C is better. Therefore you will choose Continents and oceans of the world as your answer.

4. KEY TO ASSIGNMENT 01

QUESTION 1 (50 marks)

1.1 3 (Wiley CIA Review)
1.2 1 (Wiley CIA Review)
1.3 1 (Wiley CIA Review)
1.4 1 (Wiley CIA Review)
1.5 4 (Wiley CIA Review)
1.6 4 (Gleim CIA Review)
1.7 4 (Wiley CIA Review)
1.8 1 (Wiley CIA Review)
1.9 1 (Wiley CIA Review)
1.10 4 (Wiley CIA Review)
1.11 3 (Wiley CIA Review)
1.12 1 (HIAU0L Nov Exam 2008)
1.13 2 (HIAU0L Nov Exam 2008)
1.14 4 (Wiley CIA Review)
1.15 4 (HIAU0L Nov Exam 2009)
1.16 2 (HIAU0L Nov Exam 2008)
1.17 1 (HIAU0L Nov Exam 2008)
1.18 4 (HIAU01L Nov Exam 2010)
1.19 3 (HIAU0L Nov Exam 2008)
1.20 1 (HIAU0L Nov Exam 2008)
1.21 4 (Wiley CIA Review)
1.22 3 (HIAU0L Nov Exam 2008)
1.23 4 (HIAU0L Nov Exam 2008)
1.24 1 (Gleim CIA Review)
1.25 3 (HIAU0L Nov Exam 2008)
1.26 1 (HIAU0L Nov Exam 2008)
1.27 2 (Gleim CIA Review)
1.28 4 (Gleim CIA Review)
1.29 1 (Gleim CIA Review)
1.30 1 (HIAU0L Nov Exam 2009)
1.31 3 (HIAU0L Nov Exam 2009)
1.32 4 (HIAU0L Nov Exam 2009)
1.33 4 (HIAU0L Nov Exam 2009)
1.34 2 (HIAU0L Nov Exam 2009)
1.35 2 (Gleim CIA Review)
1.36 2 (HIAU0L Nov Exam 2009)
1.37 1 (HIAU0L Nov Exam 2009)
1.38 1 (Wiley CIA Review)
1.39 1 (Wiley CIA Review)
1.40 4 (Gleim CIA Review)
1.41 4 (HIAU01L Nov 2010)
1.42 3 (Gleim CIA Review)
1.43 1 (Wiley CIA Review)
1.44 4 (Wiley CIA Review)
1.45 2 (HIAU01L Nov Exam 2010)
1.46 1 (Wiley CIA Review)
1.47 3 (Gleim CIA Review)
1.48 3 (HIAU01L Nov Exam 2010)
1.49 1 (Wiley CIA Review)
1.50 4 (Wiley CIA Review)

COMMENTS ON ASSIGNMENT 01
1.1 3 (Learning Unit 1.2)

Option 1 is incorrect. Consulting services do not necessarily impair objectivity. Decisions to implement recommendations made as a result of a consulting service are made by management. Thus, decision making by management does not impair the internal auditor's objectivity.

Option 2 is incorrect. Assurance and consulting services are not mutually exclusive. One type of service may be generated from the other.

Option 3 is correct. According to Standards 1000.C1, the nature of consulting services must be defined in the charter. Internal auditors have traditionally performed many types of consulting services, including the analysis of controls built into developing systems, analysis of security products, serving on task forces to analyse operations and making recommendations. The board (or audit committee) empowers the internal audit activity to perform additional services if they do not represent a conflict of interest or detract from its obligation to the board. This empowerment is reflected in the internal audit charter.

Option 4 is incorrect. A primary internal audit value is to provide assurance to senior management and the audit committee. Consulting engagements cannot be rendered in a manner that masks information which in the judgement of the CAE should be presented to senior executives and board members.

1.2 1 (Learning Unit 5.5)

Option 1 is correct. The CAE must report periodically to senior management and the board on the IAA's purposes, authority, responsibility and performance relative to its plan. Reporting must also include significant risk exposures and control issues (including fraud risks), governance issues, and other matters needed or requested by senior management and the board (Standard 2060). The frequency and content of reporting are determined in discussions with senior management and the board, and depend on the importance of the information to be communicated and the urgency of the related action to be taken by senior management or the board (Interpretation of Standard 2060).

Option 2 is incorrect. Reports must be presented to senior management.

Option 3 is incorrect. The report is not restricted to expenditures and financial budgets. Information about significant deviations from the approved audit plan and staffing plans also is included.

Option 4 is incorrect. The information need not be limited to completed engagements and observations available in published engagement communications.

1.3 1 (Learning Unit 1.2)

Option 1 is correct. Four rules are stated under the integrity principle. According to Rule of Conduct 1.1 of the IIA Code of Ethics, Internal auditors shall perform their work with honesty, diligence and responsibility.

Option 2 is incorrect. Timeliness, sobriety and clarity are not mentioned in the Code.

Option 3 is incorrect. Knowledge, skills and competencies are mentioned in the Standards for the Professional Practice of Internal Auditing.

Option 4 is incorrect. Punctuality is not mentioned in the Code.

1.4 1 (Learning Unit 5.5)

Option 1 is correct. This would not have to be communicated. The audit work was done. The director of internal auditing would have to determine that there was no impairment of the independence of the senior's work. If there was none, the report could be issued without reporting the personnel change.

Option 2 is incorrect. This is a standard part of the required reporting to senior management and the board.

Option 3 is incorrect. This is a standard part of the required reporting to senior management and the board.

Option 4 is incorrect. The audit plan had been approved by both senior management and the board. The change dictated by senior management should be reported to the board.

1.5 4 (Learning Unit 4.1)

Option 1 is incorrect. Not only is the frequency of audits not included in the charter, according to Standard 1000, but also such information is not related to the operational effectiveness of the internal audit department.

Option 2 is incorrect. The manner of reporting audit findings (how they are reported, to whom they will be reported, etc) is not included in the charter and is not related to the operational effectiveness of the internal audit department.

Option 3 is incorrect. The procedures to be employed by internal auditors in investigating and reporting fraud are not included in the charter.

Option 4 is correct. The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards (Standard 1000). The internal audit charter establishes the internal audit activity's position within the organization (including the nature of the chief audit executive's functional reporting relationship with the board); authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities (Interpretation: Standard 1000). Having limitations on such access would impact the operational effectiveness of the internal audit department because the internal auditor would not be able to conduct the audit in accordance with the approach that he designed.

1.6 4 (Learning Unit 4.1)

Option 1 is incorrect. The Standards do not require each internal auditor to possess knowledge in all the relevant subjects.

Option 2 is incorrect. The IAA's needs may be for additional resources in economics and computer sciences.

Option 3 is incorrect. Encouraging the candidate to obtain additional training does not address the IAA's current needs.

Option 4 is correct. The internal audit activity collectively must possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities (Standard 1210). The IAA may use internal resources or external service providers that are qualified in such disciplines as accounting, auditing, economics, finance, statistics, IT, law, environmental affairs and other areas as required to meet the IAA's responsibilities (PA 1210.A1-1). Each member of the IAA, however, need not be qualified in ALL of these disciplines. Therefore the candidate can be offered the position if other members of the IAA possess the knowledge in economics and computer sciences.

1.7 4 (Learning Unit 4.2)

Option 1 is incorrect. The facts do not indicate the existence of staffing problems.

Option 2 is incorrect. Decision making and staffing are not problems.

Option 3 is incorrect. Nothing indicates the structure of the entity is a problem.

Option 4 is correct. The lack of feedback indicates the CAE has problems in planning and allocating internal audit resources to communicate the necessary information to management. The CAE must establish risk-based plans to determine the priorities of the IAA, consistent with the organisation's goals (Standard 2010). Furthermore, internal auditors must communicate engagement results (Standard 2400), including applicable conclusions, recommendations and action plans (Standard 2410).

1.8 1 (Learning Unit 4.2)

Option 1 is correct. The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals (Standard 2010). Input from senior management and the board is necessary to develop the IAA's risk-based plan of engagement (Standard 2010.A1).

Option 2 is incorrect. The scheduled work is the first consideration in determining the number and qualifications of the staff required. Review of the staff's education and training records is a subsequent step.

Option 3 is incorrect. The staffing plan must consider the unique needs of a particular organisation. The review of the staff size and composition of similarly sized organisations in the same industry may not satisfy the engagement objectives for a particular organisation.

Option 4 is incorrect. The scheduled work is the first consideration in determining the number and qualifications of the staff required. Interviews with existing staff occur later.

1.9 1 (Learning Unit 4.2)

Option 1 is correct. A survey is a process for gathering information without detailed verification. If appropriate, a survey should be conducted to be familiar with the activities, risks and controls to identify areas for engagement emphasis and to invite comments and suggestions from the engagement client (PA 2210.A1-1). This is the optimal time since detailed work has not started yet.

Option 2 is incorrect. When a risk exposure has been substantiated, no further work is required.

Option 3 is incorrect. The assignment of inexperienced staff to the audit should have no effect on the decision to revise the time budget.

Option 4 is incorrect. Expanded tests should have no effect on the time; the budget would have already been expanded as necessary.

1.10 4 (Learning Unit 4.2)

Option 1 is incorrect. The CAE, not a staff internal auditor, has the responsibility to determine that the engagement objectives have been met.

Option 2 is incorrect. The CAE, not the audit committee, has the responsibility to determine that the engagement objectives have been met.

Option 3 is incorrect. The CAE, not the internal audit supervisor, has the responsibility to determine that the engagement objectives have been met.

Option 4 is correct. The CAE (or designee) provides appropriate engagement supervision. Supervision is a process that begins with planning and continues throughout the engagement (PA 2340.1).

1.11 3 (Learning Unit 4.2)

Option 1 is incorrect. Supervision should be carried out continually and not just on a periodic test basis.

Option 2 is incorrect. Internal reviews should be conducted by internal auditors and should focus on specific audit projects.

Option 3 is correct. External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization (Standards 1312).

Option 4 is incorrect. Periodic rotation of audit managers is not required.

1.12 1 (Learning Unit 1)

Option 1 is correct. A true professional has an academic qualification and experience. In addition, he must be able to demonstrate that he is able to competently perform all activities related to a specific profession. For an internal auditor, adherence to the mandatory guidance of the IPPF (IIA Standards, Definition of Internal Auditing and Code of Ethics) is required to show his competence and professionalism.

Option 2 is incorrect. The internal auditing profession is not limited to review of operational systems for efficiency and effectiveness. Although it is one aspect of internal auditing, it is not the best option for the question.

Option 3 is incorrect. ISO 9000 is a set of standards related to quality management systems and designed to help organisations ensure that they meet the needs of customers and other stakeholders. Therefore it is not limited to application by internal auditors, but should be applied by the organisation as a whole.

Option 4 is incorrect. There may be cases where internal auditors do not meet deadlines on audits performed due to external and internal factors. This does not mean that they did not demonstrate professionalism in their duties.

1.13 2 (Learning Unit 4.1)

Option 1 is incorrect. Every organisation is different in terms of its size, industry, structure, etc. Therefore the internal audit charter should be customised to the organisation and cannot be a standard document. This would hinder the effectiveness of the charter.

Option 2 is correct. The internal audit charter is a formal document that defines the internal audit activity's purpose, authority and responsibility. The internal audit charter establishes the internal audit activity's position within the organization (including the nature of the chief audit executive's functional reporting relationship with the board); authorizes access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board (Interpretation of Standards 1000). Therefore the charter should be customised to the organisation.

Option 3 is incorrect. The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval (Standards 1000). The CAE, and not the CEO, should draft the internal audit charter.

Option 4 is incorrect. The internal audit charter is required as per the IIA Standards 1000. The IIA Standards are mandatory guidance and it is therefore not optional.

1.14 4 (Learning Unit 5.1)

Option 1 is incorrect. Senior management can best use engagement communications that convey information that has organisation-wide significance.

Option 2 is incorrect. Details of operations are most useful to operating management.

Option 3 is incorrect. Information should be discussed with the engagement client before the report is written.

Option 4 is correct. An engagement communication must be objective, clear, accurate, concise, constructive, complete and timely (Standard 2420). Furthermore, to best fulfil their responsibilities of effective communication of the results of their work, internal auditors should provide engagement communications that address the expectation, perceptions and needs of both operational and senior management. Thus, the engagement communication should contain general concepts that are concerned with matters of significance to the organisation as a whole for the benefit of senior management. The engagement communication should also emphasise the details of operations for the benefit of operating management.

1.15 4 (Learning Unit 4.1)

Option 1 is incorrect. This should be included in the internal audit charter, but is just one of the required sections of the internal audit charter.

Option 2 is incorrect. Terms of reference (which means the purpose or scope) should be included in the internal audit charter, but is just one of the required sections of the internal audit charter.

Option 3 is incorrect. The definition and key objectives should be included in the internal audit charter, but is just one of the required sections of the internal audit charter.

Option 4 is correct. The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing (Option 3), the Code of Ethics and the Standards (Standards 1000). The internal audit charter is a formal document that defines the internal audit activity's purpose (Option 2), authority (Option 1) and responsibility. The internal audit charter establishes the internal audit activity's position within the organization (including the nature of the chief audit executive's functional reporting relationship with the board); authorizes access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities (Interpretation of Standards 1000). Option 4 is correct since it has all three options and therefore is the best answer.

1.16 2 (Learning Unit 1)

Option 1 is incorrect. Practice Advisories are strongly recommended and not mandatory. According to the IIA, mandatory guidance is the Definition of Internal Auditing, Code of Ethics and International Standards (IIA Standards).

Option 2 is correct. Compliance with the Practice Advisories is strongly recommended. They describe practices to implement the Code of Ethics and Standards effectively. Therefore compliance is not compulsory.

Option 3 is incorrect. Compliance with the Practice Advisories is strongly recommended and not mandatory.

Option 4 is incorrect. The Practice Advisories form part of the International Professional Practices Framework (IPPF) and therefore are not restricted to the USA.

1.17 1 (Learning Unit 4.2)

Option 1 is correct. IIA Standards 1311 states: Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices. Therefore internal assessments should be performed by the internal audit staff themselves.

Option 2 is incorrect. Internal assessments should be performed through self-assessment or by persons within the organisation. External auditors are independent and external to the organisation and therefore cannot perform internal assessments.

Option 3 is incorrect. Internal assessments should be performed through self-assessment or by persons within the organisation who have sufficient knowledge of internal audit practice. The IIA is the guidance-setting body for internal auditors and therefore cannot perform internal assessments for an organisation.

Option 4 is incorrect. Internal assessments should be performed through self-assessment or by persons within the organisation who have sufficient knowledge of internal audit practice. Outside consultants are independent and external to the organisation and therefore cannot perform internal assessments.

1.18 4 (Learning Unit 3)

Option 1 is incorrect. The in-house internal auditors are more likely to have a better knowledge of the organisation than the external auditors, given the continuous nature of their responsibilities.

Option 2 is incorrect. The in-house internal auditor can also hire experienced, knowledgeable and qualified staff.

Option 3 is incorrect. The in-house internal auditor is likely to be continuously available. The external audit firm's auditors will have other client responsibilities.

Option 4 is correct. Large organisations that are geographically dispersed may find outsourcing internal audit functions to external auditors effective. A major public accounting and auditing firm usually has operations that are national or worldwide in scope.

1.19 3 (Learning Unit 4.2)

Option 1 is incorrect. The planning and preparation for the Quality Assurance Review (QAR) and the reporting of the evaluation of the internal audit activity are missing in this process. Therefore it is not a complete QAR.

Option 2 is incorrect. The actual review or evaluation of the internal audit activity is missing in this process. Therefore it is not a complete QAR.

Option 3 is correct. A typical assessment, whether internal or external, would follow the methodology outlined below: 1) Planning; 2) Understanding internal audit objectives (which would include interviewing stakeholders for their input); 3) Reviewing and evaluating the internal audit process; 4) Delivering findings. Option 3 is correct since it provides the stages of the quality assurance review from start to finish.

Option 4 is incorrect. Planning and understanding internal audit objectives (which would include interviewing stakeholders for their input), are missing from this process. Therefore it is not a complete QAR.

1.20 1 (Learning Unit 2.2)

Option 1 is correct. King III Report Principle 3.7: The audit committee should be responsible for overseeing of internal audit. The audit committee should play a key role in ensuring that the company's internal audit function is independent and has the necessary resources, standing and authority within the company to enable it to discharge its functions. Therefore the audit committee is responsible for ensuring that the internal audit activity is able to effectively discharge its duties and is independent.

Option 2 is incorrect. The King III Report states that one of the audit committee's duties is to oversee internal audit (which includes the appointment/dismissal and performance management of the Chief Audit Executive (CAE)). However King III Principle 3.2 states: Audit committee members should be suitably skilled and experienced independent non-executive directors. The CAE cannot be a member of the audit committee since he is not independent or a non-executive of the organisation.

Option 3 is incorrect. King III Principle 3.2 states: Audit committee members should be suitably skilled and experienced independent non-executive directors. The CEO cannot be a member of the audit committee since he is not independent nor is he a non-executive of the organisation.

Option 4 is incorrect. Identifying and screening suitable candidates for the board of directors are functions of the nominations committee.

1.21 4 (Learning Unit 5.5)

Option 1 is incorrect. The audit committee is likely to receive a summary report of the findings.

Option 2 is incorrect. The CAE should distribute the audit reports to the management of the audited activity and to those members of the organisation who can ensure that the engagement results are given due consideration and can take corrective action or ensure corrective action is taken. Sending the audit report to the auditee manager only may not fully ensure that the engagement results are given due consideration.

Option 3 is incorrect. The CAE should distribute the audit reports to the management of the audited activity and to those members of the organisation who can ensure that the engagement results are given due consideration and can take corrective action or ensure corrective action is taken. The internal audit manager did not have the power or responsibility to take action in terms of the findings or ensure that corrective action is taken.

Option 4 is correct. The CAE distributes the audit reports to the management of the audited activity and to those members of the organisation who can ensure the engagement results are given due consideration and can take corrective action or ensure corrective action is taken. Therefore the management responsible for that function would have the power to take effective action. If appropriate, the CAE may send a summary communication to higher-level members in the organisation. If required by the internal audit charter, the CAE also communicates to other interested or affected parties, such as external auditors and the board (PA 2440-1).

1.22 3 (Learning Unit 2.2)

Option 1 is incorrect. Internal auditors need to be alert to the signs and possibilities of fraud within an organisation. Specifically, internal auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of internal controls. Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud (IIA Standards 1210.A2). The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk (IIA Standards 2120.A2). Therefore internal auditors cannot be liable for corporate fraud. It is the responsibility of management to ensure effective and responsible corporate fraud governance since they are liable for corporate fraud.

Option 2 is incorrect. Internal auditors review all types of risks and not only financial risk.

Option 3 is correct. Previously, the practice of managing risk was done at business unit level and the focus was mainly on financial risk. Now the focus has shifted to enterprise risk management (ERM), which takes a broader approach, affected by an entity's board of directors and management across the entire entity/enterprise.

Option 4 is incorrect. Control Self-Assessment (CSA) has always been department-focused or unit-focused and the introduction of corporate governance has not changed the way CSA is implemented in the organisation.

1.23 4 (Learning Unit 5.5)

Option 1 is incorrect. The area of the engagement is irrelevant to decisions about whether an overall opinion is appropriate.

Option 2 is incorrect. Whether the internal auditors' work is to be used by external auditors is irrelevant. The external auditors cannot depend on an overall opinion, but must examine details and form their own opinions.

Option 3 is incorrect. An overall opinion is not mandatory.

Option 4 is correct. Conclusions and opinions are the internal auditor's evaluations of the effects of the observations and recommendations on the activities reviewed (PA 2410-1). Final communication of engagement results must, where appropriate, contain the internal auditors' opinion and/or conclusions (Standard 2410 A1).

1.24 1 (Learning Unit 4.2)

Option 1 is correct. The CAE is responsible for the supervision of the engagement. Supervision includes: 1) ensuring designated auditors collectively possess the required knowledge, skills, and other competencies to perform the engagement; 2) providing appropriate instructions during the planning of the engagement and approving the engagement program; 3) ensuring the approved engagement program is completed unless changes are justified and authorized; 4) determining engagement working papers adequately support engagement observations, conclusions, and recommendations; 5) ensuring engagement communications are accurate, objective, clear, concise, constructive, and timely; 6) ensuring engagement objectives are met; 7) providing opportunities for developing internal auditors' knowledge, skills, and other competencies (PA 2340-1). Execution of the work programme requires supervision during the fieldwork. The other supervisory tasks generally are carried out before or after fieldwork.

Option 2 is incorrect. At the outset of the engagement is not during the fieldwork phase of the engagement.

Option 3 is incorrect. An annual performance appraisal is not specific to a particular engagement.

Option 4 is incorrect. Engagement communications are prepared at the conclusion of the fieldwork.

1.25 3 (Learning Unit 4.2)
Option 1 is incorrect. Ensuring the quality of engagement communications is only one facet of supervision for which the CAE has ultimate, although perhaps not immediate, responsibility.
Option 2 is incorrect. Approval of the engagement work program prior to the commencement of work by the CAE or a designee (PA 2240.A1-1) is only one facet of supervision for which the CAE has ultimate, although perhaps not immediate, responsibility.
Option 3 is correct. The CAE is responsible for assuring the appropriate supervision is provided for all internal auditing assignments, whether performed by or for the IAA. Supervision is a process that begins with planning and continues throughout the engagement. (PA2340.1)
Option 4 is incorrect. The CAE is responsible for all work performed by or for the IAA.

1.26 1 (Learning Unit 4.1)
Option 1 is correct. The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval (Standards 1000). The internal audit charter establishes the internal audit activity's position within the organization (including the nature of the chief audit executive's functional reporting relationship with the board); authorizes access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities (Interpretation of Standards 1000). If questions arise, the charter provides a formal, written agreement with management about the organization's internal audit activity (PA1000-1).
Option 2 is incorrect. Adoption of policies for the functioning of the IAA does not protect its organisational position.
Option 3 is incorrect. The establishment of an audit committee does not ensure the status of the IAA without its involvement in matters such as approval of the charter.
Option 4 is incorrect. Written policies and procedures serve to guide the internal auditor but have little effect on management.

1.27 2 (Learning Unit 1)
Option 1 is incorrect. The board of directors needs to determine the CAE's compensation.
Option 2 is correct. Internal auditors must have an impartial attitude and avoid any conflict of interest (Standard 1120). Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest (Interpretation of Standard 1120). Thus, objectivity may be impaired if the bonus, a competing personal interest, is based on monetary amounts recovered or recommended future savings as a result of engagements. A bonus based on either of the criteria could unduly influence the type of engagements performed or the recommendations made.
Option 3 is incorrect. The IAA's scope of work includes evaluating and contributing to the improvements of risk management, control and governance processes.
Option 4 is incorrect. Objectivity is not impaired if the board determines the director's compensation or if the scope of work is evaluating control rather than account balances.

1.28 4 (Learning Unit 1)
Option 1 is incorrect. This review is a standard procedure.
Option 2 is incorrect. Sampling is permissible. Detailed reviews of all transactions are often not required or feasible.
Option 3 is incorrect. In exercising due professional care, internal auditors should be alert to inefficiency (reduction of staff may adversely affect staff morale).
Option 4 is correct. Internal auditors do not guarantee absence of fraud. They are responsible for exercising due professional care, which includes evaluating the risk management, control and government processes that prevent or detect fraud and being alert to the significant risks that might affect the objectives, operations or resources (Standards 1220.A1 and 1220.A2). Moreover, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist (PA 1220.1).

1.29 1 (Learning Unit 1)
Option 1 is correct. An internal auditor must be proficient in applying internal auditing standards, procedures and techniques in performing engagements. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance (PA1210-1).
Option 2 is incorrect. An appreciation of the fundamentals of, not proficiency in, information technology is required. Proficiency in accounting principles and techniques is required only if the internal auditor works extensively with financial records and reports.
Option 3 is incorrect. Proficiency in (not an understanding of) internal auditing standards, procedures and techniques is required.
Option 4 is incorrect. Proficiency in, not an appreciation of, accounting principles and techniques is required when the internal auditor works extensively with financial records and reports.

1.30 1 (Learning Unit 4.1)
Option 1 is correct. The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards (Standards 1000). Therefore objectivity and independence are not formally defined in the charter.
Option 2 is incorrect. The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards (Standards 1000). The internal audit charter establishes the internal audit activity's position within the organization (including the nature of the chief audit executive's functional reporting relationship with the board); authorizes access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities (Interpretation of Standards 1000).
Option 3 is incorrect. The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards (Standards 1000). The internal audit charter establishes the internal audit activity's position within the organization (including the nature of the chief audit executive's functional reporting relationship with the board); authorizes access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities (Interpretation of Standards 1000).
Option 4 is incorrect. The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards (Standards 1000). The internal audit charter establishes the internal audit activity's position within the organization (including the nature of the chief audit executive's functional reporting relationship with the board); authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities (Interpretation of Standards 1000).

1.31 3 (Learning Unit 2.2)
Option 1 is incorrect. Discipline is not one of the ethical values according to King III.
Option 2 is incorrect. Social responsibility is not one of the ethical values according to King III.
Option 3 is correct. Good governance is essentially about effective leadership. Such leadership is characterised by the ethical values of responsibility, accountability, fairness and transparency (Introduction and background: King III Report).
Option 4 is incorrect. Auditability is not one of the ethical values according to King III.

1.32 4 (Learning Unit 2.4)
Option 1 is incorrect. The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope and is not a reporting requirement according to the SOX Act.
Option 2 is incorrect. According to Section 404 of the Sarbanes-Oxley Act: The internal control report must include the following: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. Therefore use of professional IS auditors is not one of the requirements according to the SOX Act.
Option 3 is incorrect. According to Section 404 of the Sarbanes-Oxley Act: The internal control report must include the following: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company. Therefore it is management's responsibility and not the Information Systems Manager's responsibility to establish and maintain adequate internal control over financial reporting for the company.
Option 4 is correct. According to Section 404 of the Sarbanes-Oxley Act: The internal control report must include the following: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.

1.33 4 (Learning Unit 2.2)
Option 1 is incorrect. The primary corporate objective of any company is the generation of economic profit. Additional secondary objectives would focus on the environmental and societal interests of the communities within which the organisation operates.
Option 2 is incorrect. The board and management are responsible for the organisation's performance.
Option 3 is incorrect. Even though SOX is a legislative requirement and contains some corporate governance topics, compliance is only mandatory for US companies.
Option 4 is correct. The seven characteristics of good corporate governance are: discipline, transparency, independence, accountability (the existence of mechanisms to ensure accountability), responsibility - processes that allow for corrective action and acting responsibly towards all stakeholders, fairness and social responsibility. Therefore management has to take all stakeholders into consideration when pursuing objectives to ensure good corporate governance.

1.34 2 (Learning Unit 2.1)
Option 1 is incorrect. Reading and understanding the relevant reports would be subsequent steps in understanding the reality of corporate governance.
Option 2 is correct. The initial step for governance is leadership. King III states: Good governance is essentially about effective leadership. A company has to look at its ownership/leadership structure before being able to understand the reality of corporate governance in the company.
Option 3 is incorrect. Reading the statement of internal control would be a subsequent step in understanding the reality of corporate governance.
Option 4 is incorrect. Consulting with external auditors on compliance with SOX would not assist in understanding the reality of corporate governance.

1.35 2 (Learning Unit 5.5)
Option 1 is incorrect. An interim engagement communication would have been used to obtain immediate action on a recommendation.
Option 2 is correct. The internal auditor discusses conclusions and recommendations at appropriate levels of management before issuing a final engagement communication. Discussion with the engagement client not only provides a quality control review but is also a courtesy that enhances the internal audit-client relationship.
Option 3 is incorrect. The distribution of communication is not a secondary purpose of an exit conference.
Option 4 is incorrect. Ordinarily, senior management should be given a summary of results.

1.36 2 (Learning Unit 4.2)
Option 1 is incorrect. The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts (IIA Standards 2050). Therefore this would minimise disruption to the auditee but it would not ensure that internal and external audit have the same objectives, since they have different objectives. The objective of internal auditing is to aid members of the organisation in effectively discharging their duties. The broad scope of the internal auditing department encompasses operational, compliance and financial work and it involves assessment of the effectiveness, efficiency and economy of operations. An external audit is concerned only with the financial aspects of the entity; normally compliance and operational issues are not examined.
Option 2 is correct. The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimise duplication of efforts (IIA Standards 2050). Therefore this is required by the IIA Standards.
Option 3 is incorrect. The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts (IIA Standards 2050). Therefore this is required by the IIA Standards.
Option 4 is incorrect. Internal and external auditors do have different objectives, but coordinating internal and external audit work would promote proper audit coverage.

1.37 1 (Learning Unit 2.2)
Option 1 is correct. Internal controls cannot ensure success. Bad decisions, poor managers or environmental factors can negate controls. Also, dishonest management may override controls and ignore or stifle communications from subordinates. However, with an active board and proper communication from management, management should be able to identify problems and provide effective oversight.
Option 2 is incorrect. Profit making cannot be ensured by an active and independent board and open and truthful communication from management. Profit making is dependent on internal and external factors (customer satisfaction, market changes, etc).
Option 3 is incorrect. Even though there might be truthful communication from management, dishonesty cannot be completely prevented as it is an inherent characteristic of any person.
Option 4 is incorrect. Internal controls are management's responsibility, but they require the participation of all persons within the organisation to be effective.

1.38 1 (Learning Unit 4.2)
Option 1 is correct. A QAIP is designed to provide reasonable assurance to the various stakeholders of the IAA, that it: (1) performs in accordance with its charter; (2) operates effectively and efficiently; and (3) is perceived by stakeholders as adding value and improving operations. The programme includes appropriate supervision, periodic internal assessment and ongoing monitoring of quality assurance and periodic external assessments (PA 1300-1).
Option 2 is incorrect. External reviews are part of the quality assurance and improvement programme (QAIP).
Option 3 is correct. Proper supervision, which is the ongoing monitoring of the effectiveness of the internal audit department, forms part of the QAIP.
Option 4 is incorrect. Performance reviews are not part of the QAIP.

1.39 1 (Learning Unit 4.1)
Option 1 is correct. Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints and available resources (Standard 2230). Thus the knowledge, skills and other competencies of the internal audit staff must be considered when selecting internal auditors for the engagement (PA2230-1). Therefore, for an engagement in a foreign country, the language skills of the internal auditor and knowledge of local customs must be considered. For example, gender and ethnic issues may be important in some countries because of religious restrictions and incompatibilities. As always, experience levels are relevant in making staff assignments.
Option 2 is incorrect. The exchange rate is irrelevant in determining the required traits of the team members.
Option 3 is incorrect. The language skills of the internal auditor must also be considered.
Option 4 is incorrect. The experience of the internal auditor must always be considered.

1.40 4 (Learning Unit 4.1)
Option 1 is incorrect. The policy might result in better engagement relating to financial and accounting systems.
Option 2 is incorrect. Setting minimum professional standards promotes professionalism.
Option 3 is incorrect. This requirement does not affect the use of external service providers.
Option 4 is correct. The IAA collectively must possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities (Standards 1210). The IAA may use internal resources or external service providers that are qualified in the disciplines needed to meet its responsibilities. (PA1210.A1-1) Each member of the IAA, however, need not be qualified in all of these disciplines. Thus the IAA should have an appropriate balance of experience, training and skills to permit the performance of a range of services. However, internal auditors are encouraged to obtain professional certification and qualification (Interpretation of Standard 1210).

1.41 4 (Learning Unit 1)
Option 1 is incorrect. The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (IIA Standards 2130 Control). The internal audit is not installing/implementing the controls, but only recommending controls for implementation - this is their responsibility (assist in maintaining control and promoting improvement; recommending improvements is part of their scope). It is management's responsibility to implement the controls.
Option 2 is incorrect. In this audit, the IAA is requested to perform an operational audit of the marketing department and recommend improvement for the management control of the department. So it is not only on the marketing aspects, but they are auditing the operational effectiveness and efficiency of the department. The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (IIA Standards 2130 Control). In addition, for marketing aspects, the IAA may provide a consulting service (by obtaining a marketing expert to assist).
Option 3 is incorrect. Independence would not be impaired since the internal audit is not installing/implementing the controls, but only recommending controls for implementation - this is their responsibility (assist in maintaining control and promoting improvement; recommending improvements is part of their scope). It is management's responsibility to implement the controls.
Option 4 is correct. Organisational independence would not be compromised since the IAA would still be reporting to the audit committee on its findings.

1.42 3 (Learning Unit 5.1)
Option 1 is incorrect. The internal auditor should be able to convey the engagement objectives effectively.
Option 2 is incorrect. The internal auditor should be able to convey the engagement evaluations effectively.
Option 3 is correct. Internal auditors must be skilled in oral and written communication so that they can clearly and effectively convey such matters as engagement objectives, evaluations, conclusions and recommendations (PA 1210-1). However, the risk assessment is not necessarily a matter that must be communicated to an engagement client.
Option 4 is incorrect. The internal auditor should be able to convey the engagement recommendations effectively.

1.43 1 (Learning Unit 1)
Option 1 is correct. Since the auditor reports directly to the audit committee, he has organisational independence but does not exercise objectivity because he is trying to avoid conflict and adjust his opinion.
Option 2 is incorrect. Since the auditor reports directly to the audit committee, he has organisational independence but does not exercise objectivity because he is trying to avoid conflict.
Option 3 is incorrect. The auditor has organisational independence because he reports directly to the audit committee. He is not exercising objectivity because he is trying to avoid conflict.
Option 4 is incorrect. The auditor has organisational independence because he reports directly to the audit committee.

1.44 4 (Learning Unit 4.2)
Option 1 is incorrect. Adopting the full set of quality standards for the internal audit activity would duplicate functions within the organisation.
Option 2 is incorrect. The issue is the reporting relationship of internal auditing and not the qualifications of the audit staff.
Option 3 is incorrect. Sufficient information is not given in the question to conclude that the IAA should be eliminated.
Option 4 is correct. The coordination of audit efforts and the efficiency of audit activities should be primary responsibilities of the CAE.

1.45 2 (Learning Unit 1)
Option 1 is incorrect. The auditors should not conduct an audit of compliance with criteria that have never been communicated to the auditees.
Option 2 is correct. Management is responsible for establishing criteria to determine whether objectives have been accomplished. If the internal auditors believe that the established criteria are inadequate, they should report such conditions to the appropriate levels of management and recommend appropriate courses of action.
Option 3 is incorrect. Conducting the audit is appropriate since management wants feedback about the implementation of its code.
Option 4 is incorrect. The auditor must communicate the deficiencies to management.

1.46 1 (Learning Unit 1)
Option 1 is correct. The Standards state that the effectiveness of the system of internal control is to ascertain whether the system is functioning as intended.
Option 2 is incorrect. This option refers to the efficiency and economical objectives rather than the effectiveness objective.
Option 3 is incorrect. It defines the purpose of the review of the quality of performance.
Option 4 is incorrect. This option only defines one of the objectives of internal control.

1.47 3 (Learning Unit 5.5)
Option 1 is incorrect. This action does not fully satisfy the internal auditor's responsibility.
Option 2 is incorrect. This action does not fully satisfy the internal auditor's responsibility.
Option 3 is correct. According to Standards 2500: The CAE must establish and maintain a system to monitor the disposition of results communicated to management. In addition, Standard 2500.A1 states: The CAE must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. Internal auditors determine whether the desired results were achieved or if senior management or the board has assumed the risk of not taking action or implementing the recommendation (PA 2500.A1-1).
Option 4 is incorrect. Such reporting may be contrary to the Code of Ethics, which requires the internal auditor to be prudent in the use and protection of information acquired in the course of his duties (Rule of Conduct 3.1).

1.48 3 (Learning Unit 1)
Option 1 is incorrect. Sufficient information is factual, adequate and convincing so that a prudent, informed person would reach the same conclusions as the auditor.
Option 2 is incorrect. Reliable information is the best attainable information through the use of appropriate engagement techniques.
Option 3 is correct. Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement's objectives (Standards 2310). Relevant information supports the engagement observations and recommendations and is consistent with the objectives of the engagement.
Option 4 is incorrect. Useful information helps the organisation to meet its goals (objectives).

1.49 1 (Learning Unit 4.2)
Option 1 is correct. This is not an objective of the IIA Standards.
Options 2, 3 and 4 are incorrect. Each one is an objective of a quality assurance review according to the Standards.

1.50 4 (Learning Unit 2.2)
Option 1 is incorrect. Review and approval of the audit programmes are the responsibilities of the internal audit supervisors.
Option 2 is incorrect. Whether the external auditor will make use of the work of the internal auditor is not for the audit committee to decide.
Option 3 is incorrect. Review and approval of internal audit engagement communications are the responsibility of the CAE or his/her designee.
Option 4 is correct. The CAE reporting functionally to the board (audit committee) and administratively to the CEO facilitates organisational independence. At a minimum, the CAE has to report to an individual in the organisation with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of the engagement communication and appropriate action regarding engagement recommendations.

---x--Unisa
