SECTION A
COMPLY WITH THE IIA'S ATTRIBUTE STANDARDS
Section A
Section A comprises approximately 15% to 25% (15 to 25 questions) of the Part 1 exam. There are six primary topics in Section A:
1) Purpose, Authority and Responsibility,
2) Organizational Independence and Objectivity,
3) Proficiency and Due Professional Care,
4) Continuing Professional Development,
5) Quality Assurance and Improvement Program, and
6) The IIA's Code of Ethics.
Railroad executives felt that the external auditors did not adequately address this issue because of a focus on the financial statements.
Professional Standards
The professional Standards consist of Attribute Standards, Performance Standards and Implementation Standards.
Attribute Standards are concerned with the characteristics of the organization and the parties who will be performing the auditing activities. Performance Standards describe the internal audit activities and criteria against which the performance of these services can be evaluated. Implementation Standards apply to the specific types of engagements, whether assurance or consulting.
The IAA should encompass every part of the organization's operations, and should have access to the company's documents, records and property. Internal auditing has developed to assist management in carrying out its monitoring responsibilities effectively and efficiently. The IAA should promote effective control at a reasonable cost.
Along with organizational status the IAA must also have organizational independence.
This means that the IAA should not have relationships with the various departments it will be auditing.
Status and independence can be achieved by having a properly designed Internal Audit Charter.
The Charter
The IAA should report to an organizational level that is high enough to be effective, and independent of the functions that will be audited.
This means that the Chief Audit Executive (CAE) should report functionally to the board (in practice usually its audit committee) and administratively to the Chief Executive Officer (CEO). The accounting department, chief accountant or finance director would not normally be an appropriate reporting line, because those are functions the IAA audits.
Consulting Services
As noted at the start, internal auditing has expanded to include consulting services. Consulting services are defined as advisory and related client services, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization's operations. Examples include counsel, advice, facilitation, process design and training.
In addition, accepting a gift or money from a client is presumed to impair the objectivity of the auditor, even if the auditor in fact remained objective.
1210: Proficiency
Proficiency means that an individual possesses the knowledge, skills and other competencies needed to perform his or her individual responsibilities.
The skills and knowledge necessary for the internal auditor to perform his or her job will depend on the work needed to be performed. For example, if an internal auditor does a lot of financial statement work, then he or she needs skills related to the appropriate GAAP (IFRS, US GAAP). On the other hand, if an internal auditor works in the area of internal controls, then detailed knowledge of GAAP would probably not be necessary.
Proficiency, continued
Related to proficiency are two other terms that you have to understand: understanding and appreciation. Understanding is the ability to:
Apply broad knowledge to situations likely to be encountered,
Recognize material deviations, and
Perform research to arrive at conclusions.
Proficiency, continued
If the internal auditor does not have the needed skills and competencies to perform the engagement, the CAE has to either decline the engagement or go outside the department to get the skills. If using the services from an outside service organization, the CAE also needs to consider the independence and objectivity of the outside organizations. Any work done by an outside organization needs to be reviewed by either the CAE or other internal person with sufficient experience and understanding to review the work.
External Assessments
External assessments are performed by an external party. An external assessment must be conducted at least once every five years. External reviewers must be independent of the organization and of the IAA. External assessors tend to focus on:
The adequacy of the IAA charter,
The goals, objectives, policies and procedures of the IAA,
Whether or not the IAA complies with the Definition of Internal Auditing, the Code of Ethics, and the Standards,
The skills and work performed by the individuals in the IAA, and
Whether or not the IAA adds value and improves operations.
Principles
There are four principles that internal auditors are expected to follow:
1. Integrity - The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
2. Objectivity - Internal auditors are expected to exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
3. Confidentiality - Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
4. Competency - Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing.
Rules of Conduct
1. Integrity - Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility. [In other words, the
Rules of Conduct
2. Objectivity - Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment. [For example, a material gift (use of a beach house) is considered to impair objectivity.]
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. [For example, there may be some items that were capitalized instead of expensed. This fact needs to be disclosed to management and the Audit Committee.]
Rules of Conduct
3. Confidentiality - Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
SECTION B
MANAGING THE INTERNAL AUDIT ACTIVITY
Section B
Section B covers the topics of planning, communications, resource management, policies and procedures, and coordination. This section will account for approximately 15% to 25% (15 to 25 questions) of the Part 1 Exam. The main topics within this section are:
Planning and Communication, Resource Management, Policies and Procedures, and Coordination.
2010: Planning
The CAE must establish risk-based plans to determine the priorities of the IAA, and make certain that they are consistent with the organization's goals. Planning includes the establishment of:
Goals, Engagement work schedules, Staffing plans and financial budgets, and Activity reports.
Goals
The goals that are set for the IAA should be:
Specific - Goals should be specifically defined.
Measurable - The method of measuring the goals should be defined.
Agreed to - All interested parties should agree on the stated goals. Interested parties include senior management and the board.
Realistic and Achievable - Goals must be realistic and attainable. If they are not, they are superfluous.
Timely - Goals should be specific as to when they are to be achieved.
As we can see, the goals of the IAA should be SMART.
Once these questions have been answered, it is then possible for the individual work program for a specific engagement to be developed.
Long-term Planning
The CAE needs to look beyond the short or immediate term. The CAE needs to establish a longer term strategic plan. The purpose of this plan is to make sure that all areas of the business are audited at least periodically. Some areas (based on risk assessment) might need annual auditing, or even more often, while other areas may be addressed once every two or three years. Without a long-term plan, it could be possible that one area of the business would never be audited because it would never meet the requirements for the short-term audit.
An important basis for recruitment and promotion of staff is the job description. The job description lists the necessary skills and requirements for the position. Having detailed and complete job descriptions makes it easier for the CAE to determine if the IAA is properly staffed.
Activity Reports
The CAE must submit an activity report to senior management and the board at least once a year, and more often if the volume or nature of the work requires closer involvement of the board, for example when high-risk areas are being audited. Activity reports should:
Be communicated in writing (preferably),
Highlight significant engagement observations,
Identify recommendations that have arisen from the engagement,
Compare actual performance with the IAA's goals, and
Compare expenditures to financial budgets.
Even if the external auditor relies on the work done by the IAA, the external auditor will still need to review the work of the IAA.
Sarbanes-Oxley Act
The Public Company Accounting Reform and Investor Protection Act of 2002, or more commonly referred to as the Sarbanes-Oxley Act (SOX) was enacted in response to the accounting scandals of Enron, WorldCom and others. The primary purpose of SOX is to:
Improve quality and transparency of financial reports. Enhance the standard setting process for accounting practices. Strengthen the independence of public accounting firms. Increase corporate responsibility. Protect the objectivity and independence of securities analysts.
SOX provisions
Many of the act's provisions had to do with the external auditor, but many had to do with internal control issues, particularly in regard to the audit committee and board. These provisions include:
Audit committees are to be directly responsible for the appointment (subject to shareholder approval), compensation, and supervision of the registered public accounting firm. This oversight includes resolution of any disagreements between management and the auditor regarding financial reporting.
Audit committees are to be provided with the proper authority and funding to engage independent counsel and advisors.
Auditors (both internal and external) are required to report to the audit committee.
Members of the audit committee have to be independent.
SOX provisions
The audit committee should have at least one financial expert; if it does not, that fact must be disclosed.
The audit committee should adopt written procedures to receive and address complaints regarding accounting, internal controls and auditing issues, including procedures to maintain the confidentiality of the whistle-blower.
It is unlawful for any corporate officer or director to knowingly manipulate or mislead any accountant engaged in preparing an audit for the purpose of rendering the audit report materially misleading.
There should be a statement saying that management is responsible for the company's internal controls.
The company is required to disclose whether it has adopted a Code of Ethics.
SECTION C
NATURE OF THE INTERNAL AUDITOR'S WORK
Section C
In Section C we start to discuss the nature of the internal auditor's work, including what it entails and how it contributes to the improvement of an organization's risk management, control and governance processes. Control and control processes will be discussed in Section D. This section will account for approximately 15% to 25% (15 to 25 questions) of the Part 1 Exam.
Nature of Work
Management is responsible:
For the sustainability of the whole organization, and
For accountability for the organization's actions, conduct and performance to the owners, other stakeholders, regulators, and the general public.
Information Security
It is management's responsibility to ensure that company information is properly safeguarded. Internal auditors should also work to ensure that any potential problems related to information security are reported to management and the board. The CAE has to make certain that the IAA has the necessary skills and resources to evaluate information security. Internal auditors need to assess the effectiveness of the controls in place; this assessment should be made periodically and should include recommendations for improvement.
Compliance Programs
All companies in all countries have to be in compliance with something. Compliance programs provide guidance for individuals within the organization to prevent inadvertent employee violations, detect illegal activities and discourage intentional employee violations. In addition, these compliance programs can also help prove insurance claims, determine director and officer liability, create or enhance corporate identity, and decide the appropriateness of punitive damages. Regarding compliance, organizations should develop a written business code of conduct.
E-commerce, continued
The CAE needs to assess whether the IAA has the necessary skills and capacity to conduct an e-commerce engagement. Questions that bear on this are:
Does the IAA have sufficient skills to conduct the engagement?
Are training or other resources necessary?
Is the staffing level sufficient for the near term and the long term?
Can the expected audit plan be delivered?
E-commerce, continued
The differences between auditing a regular business system and an e-commerce system are that:
There may not be any hard copies,
Some data may exist for a very short period of time, or
There is no paper trail at all.
The critical risk and control issues that the IAA must address are:
General project risk,
Specific security threats, such as denial of service, physical attacks, viruses, identity theft, and unauthorized access to or disclosure of data,
Maintenance of transaction integrity under a complex network of links to legacy systems and data warehouses,
E-commerce, continued
Website content review and approval when there are frequent changes and sophisticated customer features and capabilities that offer around-the-clock service,
Rapid technology changes,
Legal issues, such as increasing regulations throughout the world to protect individual privacy; enforceability of contracts outside of the organization's country; and tax and accounting issues, and
Changes to surrounding business processes and organizational structures.
Environmental Risks
Internal auditors should include risks in the areas of environment, health and safety (EH&S). This is particularly important where there are very high fines and penalties for environmental damage, employees' rights lawsuits, and safety liability. The CAE needs to determine that these risks have been assessed and addressed as needed. In larger companies, this may be done by a separate environmental audit function. When there is a separate function, the organization needs to make sure that it does not report to the group or individuals responsible for these areas.
Privacy
Privacy includes individuals' rights to be left alone and to have pertinent information about themselves not disclosed by other parties that happen to possess it. This means that a company must keep control over the personal information it holds about its customers and may not release this information to third parties without the individual's agreement. Private information is also not distributed to unauthorized people, even within the organization. For example, the company's customer database should not be disclosed to a third party without the proper consent of the customers.
Privacy, continued
The implications of failing to protect privacy are numerous. To the individual, they can include embarrassment, inconvenience and unfairness, among others. To the organization, they can include lawsuits, penalties, fines and, of particular importance, loss of goodwill and negative publicity. There are no guarantees, but organizations have the responsibility to ensure that all reasonable measures have been enacted to safeguard data and information.
Roles, continued
Internal auditors assist management, the board, and/or committees by examining, evaluating, testing, reporting and recommending improvements in the adequacy of the organization's risk management system. The IAA's role in the risk management process can range from:
No role, to
Auditing the risk management process as part of the internal audit plan, to
Active, continuous support and involvement in the risk management process, to
Managing and coordinating the risk management process. In this case, the IAA is not taking ownership of the risks, only of the process.
The IAA needs to assess whether or not these five objectives have been met in order to form an opinion on the adequacy of the risk management processes. Internal auditors need to continuously look for things that may indicate a problem or cause for concern related to risk management.
Assessing the Adequacy of Risk Management Processes for Formal Consulting Services
Consulting services are defined as advisory and related client service activities, the nature and scope of which are agreed upon with the client, e.g., counsel, advice, facilitation and training. Internal auditors should address risk consistent with the engagement's objectives and should be alert to the existence of other significant risks. With consulting services, the internal auditor should:
Determine the significance of exposures or weaknesses and the actions taken or contemplated to mitigate or correct these exposures or weaknesses; and Ascertain the expectations of management, the audit committee and board in having these matters reported.
2130: Governance
The IIA defines governance as the system by which organizations are directed and controlled. Governance also includes the rules and procedures for making decisions on corporate affairs to ensure success while maintaining the right balance with the stakeholders' interests. The four cornerstones of corporate governance are the board, management, internal auditors and external auditors. Effective governance means making sure that inappropriate and unethical behavior is not tolerated. Review the 10 basic principles necessary in the development of sound corporate governance (pg. 72).
SECTION D
CONTROL
Section D
In Section D we will be covering the topic of control: what it is, what the components of control are, and what tools are used for controlling. This section will account for approximately 20% to 30% (20 to 30 questions) of the Part 1 Exam.
2120: Control
It is through control that management is able to accomplish its wishes. As defined by the IIA, control is any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Defining Control
Control can also be defined as any action taken by management to enhance the likelihood that established objectives and goals would be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which occurred), or directive (to cause or encourage a desirable event to occur). The concept of a system of control is the integrated collection of control components and activities that are used by an organization to achieve its objectives and goals.
Benefits of Control
Controls are meant to provide assurance on the following:
Reliability and integrity of financial and operational information, Effectiveness and efficiency of operations, Safeguarding assets, and Compliance with laws, regulations, and contracts.
During the course of the internal auditor's own engagement, the internal auditor should communicate to the appropriate level of management any and all control discrepancies and weaknesses.
If discrepancies or weaknesses are found, this does not necessarily mean that it is pervasive and poses an unacceptable risk to the company.
CSA, continued
Assessments are performed through a series of workshops or meetings or by means of questionnaires. Assessments can be applied to any area of the organization: projects, processes, business units, or functions. Whatever format is used, the goal is to help organizations assess the likelihood of achieving their objectives by using the knowledge of the workers who are responsible for making it happen.
CSA Procedures
CSA procedures include the following:
Identifying potential risks and exposures, Assessing the control processes that mitigate or manage those risks, Developing action plans to reduce risks to acceptable levels, and Determining the likelihood of achieving the business objectives.
Advantages of CSA
For an organization the primary advantages of a CSA program are that it:
Enhances employee understanding of the company's risks and controls.
Enhances employee control consciousness.
Provides a mechanism for early risk detection.
Encourages more open communication, teamwork and continuous improvement.
Empowers the employees and enhances accountability.
Approaches to CSA
Each CSA program that is implemented by an organization should be customized to fit that organization. This means that the program should be dynamic and be able to change as the organization changes. The three primary approaches to CSA are:
Facilitated team workshops, Surveys / Questionnaires, and Management-produced, or self-auditing/self certification.
Organizations often combine more than one approach to accommodate their self-assessment.
Management-produced Analysis
This approach does not use a facilitated meeting or survey. Through this approach, management produces a staff study of the organizational processes. The CSA specialist (who is generally an internal auditor) combines the results of the study with information gathered from sources such as other managers and key personnel. The specialist then synthesizes the information and develops an analysis that process owners can use in their CSA efforts.
Internal Auditors Role in Quarterly Financial Reporting, Disclosures, and Management Certification
Measuring Performance
Every product or service can be measured in some way against some standard. It is managements job to determine what measurement is to be used. For example, if management is simply trying to increase production, then efficiency measurements might not be appropriate.
Another important part of the measuring process is determining who is going to do the measurement.
Self-measurement is preferable in that it builds employee morale and empowerment, and it is cheaper. Second-party measurement is more expensive, but may lead to better and more pertinent results.
Systems of Control
A control system is designed so that it will help the company achieve or maintain the desired actions, behaviors or results. There are three elements to any control system: input, processing, and output. Systems may be classified as either open or closed.
An open system is impacted by its environment: the system may receive uncontrollable input from the outside, and this input will affect the system. A closed system does not receive any uncontrollable inputs. An example of a closed system is the one that regulates the temperature in your house.
Reengineering
Reengineering is when a company is determined to find a new way of doing something. Reengineering is NOT simply improving an existing system, but developing a completely new system or approach. Because of effort and time involved, reengineering should only be done for the most important processes.
Personnel control means making sure that good people are hired and that there is a high standard of supervision.
Employees should be trained and reviewed on a periodic basis.
Accounting is a crucial part of the system because this is where the financial information is accumulated and produced. Budgeting is done so actual results can be compared with anticipated results.
People who will be held responsible for the achievement of the budget should be involved in creating it.
For the most part, these controls have the same goal as to provide management with a better understanding of their control systems so they can make judgment about their effectiveness.
You can remember these components by the mnemonic CRIME (the first letters of Control environment, Risk assessment, Information and communication, Monitoring, and Existing control activities).
Risk Assessment
This is management's assessment of the risks that the organization faces. Risks may be internal or external.
Internal risks include employee embezzlement accompanied by falsification of records to conceal theft; lack of compliance with governmental regulations; or other illegal acts by employees, such as taking a bribe. They also include disruption of computer systems, poor management decisions, errors, or accidents.
External risks include changes in technology, changes in federal legislation, natural disasters, economic changes, or being defrauded or robbed.
If management is unable to identify the risks that the organization faces, it is much less likely to be able to address those risks.
Control Activities
These are the policies that are developed to address the risks of the organization. These risks may be fraudulent reporting or theft (misappropriation of assets). Control activities should be designed to mitigate risk wherever risk exposure is determined to exist, for the purpose of protecting the organization's ability to achieve its objectives. Controls that are implemented must have a benefit that is greater than the cost of that control.
Because of this, not all controls are implemented and the control environment cannot provide a guarantee that all risks are eliminated.
Compensating controls attempt to address a weakness in controls in one place by setting up additional controls in a related area. We look at compensating controls in more detail a bit later.
Segregation of Duties
By dividing specific duties (listed on the next slide) between different individuals, the likelihood of errors or inappropriate behavior (theft or fraud) is greatly reduced. The separation of duties can be done in the following steps:
Identify a function that is indispensable, but potentially subject to abuse. Divide that function into separate steps, each of which is necessary for the function to work, or for the power that enables that function to be abused. Assign each step (or duty) to a different person or organization.
Duties to be Segregated
The following duties need to be segregated between different people:
The authorization of a transaction, The recording (record keeping) of the transaction, Keeping physical custody of the asset, and The periodic reconciliation of the records of the asset (how much there should be) to the actual amount of the asset (how much there is).
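As an added example (not from the original slides), the Python below checks the four-way segregation just listed against a role model of the kind an identity or access-review team would export from an ERP or directory. The role names, the users, the assets and the rule that two different duty classes over the same asset in one person's hands is a conflict are all constructed for illustration.

```python
from itertools import combinations

# The four duty classes from the slide, in a fixed order so that conflict
# tuples are reported consistently.
DUTIES = ("authorize", "record", "custody", "reconcile")

# Constructed role model: role -> set of (asset, duty) pairs it confers.
ROLE_DUTIES = {
    "ap_clerk":        {("payments", "record")},
    "ap_manager":      {("payments", "authorize")},
    "treasury":        {("payments", "custody"), ("cash", "custody")},
    "gl_accountant":   {("payments", "reconcile"), ("cash", "reconcile")},
    "inventory_clerk": {("inventory", "record")},
    "warehouse":       {("inventory", "custody")},
}

# Constructed user population: "dana" has accumulated roles over time,
# which is how most real segregation-of-duties conflicts arise.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_manager"],
    "carol": ["treasury"],
    "dana":  ["ap_clerk", "treasury", "inventory_clerk"],
    "erin":  ["gl_accountant"],
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of every (asset, duty) pair the user holds through any role."""
    held = set()
    for role in user_roles.get(user, []):
        held |= role_duties[role]
    return held


def sod_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Map each offending user to the (asset, duty1, duty2) pairs they hold.

    Two different duty classes over the same asset in one person's hands is
    a conflict; the same duty over two assets (e.g. custody of cash and of
    payments) is not."""
    findings = {}
    for user in user_roles:
        by_asset = {}
        for asset, duty in effective_duties(user, user_roles, role_duties):
            by_asset.setdefault(asset, set()).add(duty)
        conflicts = []
        for asset in sorted(by_asset):
            duties = sorted(by_asset[asset], key=DUTIES.index)
            for d1, d2 in combinations(duties, 2):
                conflicts.append((asset, d1, d2))
        if conflicts:
            findings[user] = conflicts
    return findings


def would_conflict(user, new_role, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Pre-grant check: conflicts that granting new_role would newly create."""
    trial = dict(user_roles)
    trial[user] = list(user_roles.get(user, [])) + [new_role]
    before = set(sod_conflicts(user_roles, role_duties).get(user, []))
    after = set(sod_conflicts(trial, role_duties).get(user, []))
    return sorted(after - before)


if __name__ == "__main__":
    for user, conflicts in sod_conflicts().items():
        print(f"{user}: {conflicts}")
    print("grant ap_manager to alice ->", would_conflict("alice", "ap_manager"))
```

Run periodically, `sod_conflicts` gives the detective control (who already holds conflicting duties); wired into the access-request workflow, `would_conflict` gives the preventive one. Where a small organization cannot staff four separate people for an asset, the finding is what justifies a documented compensating control, such as independent review of the reconciliation by someone outside the function.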
Information needs to be available before a decision needs to be made. Duties and responsibilities need to be communicated to all affected parties. Communication needs to be both internal and external.
Monitoring
Monitoring is the process of reviewing the controls over time to make sure that they are still relevant and still functioning as they were intended to function. As technologies change and business operations change, some of the controls that had been relevant may no longer be relevant. Monitoring needs to be undertaken on a regular (if not relatively constant) basis.
These 4 components are then broken down into 20 criteria, shown on the next few pages.
Purpose
Objectives should be established and communicated. Significant internal and external risks should be identified and assessed. Policies to support the achievement of the organization's objectives should be designed, communicated and implemented. Plans should be established and communicated to assist in the achievement of objectives. There should be measurable performance targets in the objectives and plans.
Commitment
Ethical values should be established and practiced at all levels in the organization. Human resources policies should be consistent with the firm's ethical values. Authority, responsibility and accountability should be clearly defined and consistent with the organization's objectives. An atmosphere of mutual trust should be supported through the flow of information and communication.
Capability
People should have the needed knowledge, skills and tools to support the achievement of the organization's objectives. Communication should support the values and achievement of objectives. Sufficient and relevant information should be identified and communicated to the appropriate party in a timely manner. Decision-making in the company should be coordinated between departments. Control activities should be designed and implemented.
Control Techniques
The following are the tools and techniques that contribute to the control process. Budgets are the most common control device used by businesses.
A budget is a realistic plan for the future expressed in quantitative terms. The budget is a way for management to communicate the goals of the company as well as linking the goals of the present with the strategy of the future. By understanding how much is expected to be made or spent, the company creates a series of ground rules for people within the organization to follow throughout the year. Comparing actual results with budget gives the company an idea of the efficiency (or lack of) of the company.
Gantt Charts
In the Gantt chart, the project is divided into parts, activities, or tasks, which are plotted on a chart that has tasks listed on the left side and time across the top or bottom. Each task is placed into the time frame during which it needs to be completed, so the chart shows when the different steps need to be completed. However, Gantt charts have two weaknesses:
They do not show the interconnection between the different steps of the project, and
They do not show the critical path of the project.
PERT / CPM
Program Evaluation and Results Technique (PERT) takes the Gantt chart one step further and shows the interconnection between the different steps of the project. PERT and the Critical Path Method (CPM) were developed separately but are in fact very similar, and for the purposes of these materials they are used interchangeably.
A PERT/CPM Diagram
A PERT/CPM diagram looks as follows:
[PERT/CPM diagram: activities S, A, B, C, D, E and F drawn as a network of arrows labelled with durations; figure not reproduced in this text]
The diagram is read from left to right; you never move backwards on the diagram.
Slack Time
Any activity that is not on the critical path has slack time. Slack time means that the completion of that task may be delayed without delaying the completion of the project as a whole.
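Computing the critical path and the slack of each activity, as an added example that is not part of the study guide. The activity network below (activity names, durations and predecessors) is constructed for illustration and is not the diagram from the original slide. The forward pass gives each activity's earliest start and finish, the backward pass its latest start and finish, and the difference between latest and earliest start is its slack.

```python
"""Critical path and slack for a PERT/CPM activity network.

Added example, not from the study guide. The network below is constructed;
it is not the diagram shown in the original material.
"""
from collections import deque

# Constructed network: activity -> (duration in time units, predecessor activities).
# An activity can start only after all of its predecessors have finished.
ACTIVITIES = {
    "S": (2, []),
    "A": (3, ["S"]),
    "B": (4, ["S"]),
    "C": (2, ["A"]),
    "D": (8, ["B"]),
    "E": (6, ["C", "D"]),
    "F": (2, ["E"]),
}


def topological_order(activities):
    """Order activities so every predecessor comes first (Kahn's algorithm).
    Also returns the successor lists needed for the backward pass."""
    indegree = {name: len(preds) for name, (_, preds) in activities.items()}
    successors = {name: [] for name in activities}
    for name, (_, preds) in activities.items():
        for p in preds:
            successors[p].append(name)
    queue = deque(n for n, d in indegree.items() if d == 0)
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for s in successors[n]:
            indegree[s] -= 1
            if indegree[s] == 0:
                queue.append(s)
    if len(order) != len(activities):
        # A PERT/CPM diagram is read left to right and never goes backwards.
        raise ValueError("network contains a cycle")
    return order, successors


def schedule(activities):
    """Forward pass (earliest start/finish) and backward pass (latest start/finish).
    Returns {activity: {es, ef, ls, lf, slack}} and the total project duration."""
    order, successors = topological_order(activities)
    es, ef = {}, {}
    for n in order:                       # forward pass
        duration, preds = activities[n]
        es[n] = max((ef[p] for p in preds), default=0)
        ef[n] = es[n] + duration
    project_duration = max(ef.values())
    ls, lf = {}, {}
    for n in reversed(order):             # backward pass
        duration = activities[n][0]
        lf[n] = min((ls[s] for s in successors[n]), default=project_duration)
        ls[n] = lf[n] - duration
    result = {
        n: {"es": es[n], "ef": ef[n], "ls": ls[n], "lf": lf[n], "slack": ls[n] - es[n]}
        for n in order
    }
    return result, project_duration


def critical_path(activities):
    """Activities with zero slack: delaying any one of them delays the project."""
    result, _ = schedule(activities)
    return [n for n, r in result.items() if r["slack"] == 0]


if __name__ == "__main__":
    result, duration = schedule(ACTIVITIES)
    print(f"project duration: {duration}")
    print("act  ES  EF  LS  LF  slack")
    for name, r in result.items():
        print(f"{name:>3} {r['es']:>3} {r['ef']:>3} {r['ls']:>3} {r['lf']:>3} {r['slack']:>5}")
    print("critical path:", " -> ".join(critical_path(ACTIVITIES)))
```

In this constructed network the critical path is S, B, D, E, F and the project takes 22 time units; activities A and C each have 7 units of slack, so either can slip by up to that amount without delaying the project.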
Histograms
A histogram is a bar graph that represents the frequency of events in a set of data. Patterns that might not be apparent when looking at a set of numbers can become clear with a histogram.
If one particular production line is experiencing most of the difficulty, a histogram of the types of problems and their frequency can help determine which types of problems occur most often.
Pareto Diagrams
A Pareto Diagram is a specific type of histogram. It is based on the 80-20 observation (20% of the population causes 80% of the problems, or 20% of the population is doing 80% of the good things). This is useful because management can then focus its efforts on improving the areas that are likely to have the greatest overall impact.
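A frequency table and Pareto ranking computed over a constructed defect log, as an added example that is not from the study guide. `histogram` gives the bar heights a histogram would plot, and `pareto` sorts the categories by frequency, accumulates their share of the total and flags the "vital few" whose combined share first reaches the chosen threshold (80% by default). The defect categories and counts are invented for the example.

```python
"""Histogram counts and Pareto ranking of defect categories.

Added example, not from the study guide. The defect log is constructed.
"""
from collections import Counter

# Constructed defect log: one entry per rejected unit, tagged with its defect type.
DEFECT_LOG = (
    ["scratch"] * 42
    + ["misalignment"] * 27
    + ["missing part"] * 11
    + ["wrong colour"] * 6
    + ["dent"] * 5
    + ["label error"] * 4
    + ["other"] * 5
)


def histogram(events):
    """Frequency of each category: the bar heights of a histogram."""
    return dict(Counter(events))


def pareto(events, threshold=0.8):
    """Rank categories by frequency (largest first) with cumulative share.

    Returns (rows, vital_few): rows are (category, count, cumulative_share)
    tuples; vital_few are the top categories whose combined share first reaches
    `threshold`, i.e. where management effort has the greatest impact.
    """
    if not 0 < threshold <= 1:
        raise ValueError("threshold must be a fraction in (0, 1]")
    counts = Counter(events)
    total = sum(counts.values())
    rows, vital_few = [], []
    cumulative, reached = 0, False
    for category, n in counts.most_common():
        cumulative += n
        share = cumulative / total
        rows.append((category, n, round(share, 3)))
        if not reached:
            vital_few.append(category)
            reached = share >= threshold
    return rows, vital_few


def text_chart(rows, width=40):
    """Render the Pareto table as text bars, longest first, for a quick look."""
    largest = max(n for _, n, _ in rows)
    return [
        f"{category:<14} {n:>4} {share * 100:>5.1f}% " + "#" * round(width * n / largest)
        for category, n, share in rows
    ]


if __name__ == "__main__":
    rows, vital_few = pareto(DEFECT_LOG)
    print("\n".join(text_chart(rows)))
    print("vital few:", ", ".join(vital_few))
```

On this constructed log three of the seven categories account for 80% of the rejects, which is the pattern the 80-20 observation describes.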
Cause-and-Effect Diagrams
Also known as the Ishikawa diagram or fishbone diagram, this is a method for visually sorting out root causes and identifying relationships between causes. The diagram consists of a spine, ribs and bones, and therefore looks like a fishbone. At the end of the horizontal spine is the problem. The bones pointing to each rib are contributing factors to that cause. In manufacturing, the typical main causes of problems are the four Ms: machines, materials, methods, and manpower.
Flowcharting
Flowcharting is a useful tool for better understanding internal controls and systems development. A flowchart is a pictorial diagram which describes operations, data flow, equipment and so on. One advantage of flowcharts is that they give the internal auditor a visual grasp of the system. Another advantage is that they can help highlight areas of audit emphasis. The different flowcharts you need to understand are:
A horizontal flowchart shows the different departments or functions involved in a process.
Flowcharting, continued
A horizontal flowchart identifies specific control points in the system.
A control point is a point in a process where an error or irregularity is likely to occur, creating a need for control. For example, in the invoicing department, the supervisor may be required to review the invoices for completeness and accuracy before they are sent.
Vertical flowchart depicts the specific steps in a process and how they are executed.
It does not show the system components as clearly as a horizontal flowchart.
A data flow diagram is a graphic (symbolic) illustration of a system's processes and data flows. It shows data flow instead of control flow.
It includes the data source, data flow transformation processes, data destination, and data storage.
Correlation Analysis
Correlation analysis is a method used in internal auditing to measure the linear relationship between two or more variables.
The relationship can be shown by plotting the values on a graph (a scatter diagram). A high correlation is indicated if the points tend to form a straight line. A random pattern indicates little correlation.
From an internal auditing standpoint, the numbers must stand the test of reason.
This means that even though there is a high correlation between two sets of numbers, it may be a coincidence, and the numbers may in fact not be related.
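Pearson's correlation coefficient r computed for two constructed series, as an added example that is not from the study guide. The monthly figures are invented; `pearson_r` implements the standard formula and `describe` turns r into the kind of wording used above (points close to a straight line give r near +1 or -1, a random scatter gives r near 0). The strength bands in `describe` are a common rule of thumb chosen for this example, not a threshold stated in the study guide.

```python
"""Correlation analysis: Pearson's r for two series of figures.

Added example, not from the study guide. Both data sets below are constructed.
"""
from math import sqrt

# Constructed monthly figures: units shipped and freight cost (thousands).
# They rise together, so a scatter plot would lie close to a straight line.
UNITS_SHIPPED = [120, 135, 150, 160, 175, 190, 210, 230]
FREIGHT_COST = [24.5, 27.0, 30.2, 31.9, 35.1, 38.0, 41.8, 46.3]

# Constructed series with no relationship: a scatter plot would show a random pattern.
MONTH = [1, 2, 3, 4, 5, 6, 7, 8]
COMPLAINTS = [5, 2, 8, 3, 7, 1, 6, 4]


def pearson_r(xs, ys):
    """Pearson product-moment correlation: the covariance of the two series
    divided by the product of their standard deviations, so r lies in [-1, +1]."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must be the same length and have at least two points")
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    sxx = sum((x - mean_x) ** 2 for x in xs)
    syy = sum((y - mean_y) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant series has no measurable correlation")
    return sxy / sqrt(sxx * syy)


def describe(r):
    """Plain-language reading of r (rule-of-thumb bands assumed for this example)."""
    strength = abs(r)
    if strength >= 0.9:
        label = "very high"
    elif strength >= 0.7:
        label = "high"
    elif strength >= 0.4:
        label = "moderate"
    else:
        return "little or no correlation"
    direction = "positive" if r > 0 else "negative"
    return f"{label} {direction} correlation"


if __name__ == "__main__":
    for name, xs, ys in [("shipments vs freight", UNITS_SHIPPED, FREIGHT_COST),
                         ("month vs complaints", MONTH, COMPLAINTS)]:
        r = pearson_r(xs, ys)
        print(f"{name}: r = {r:+.3f} -> {describe(r)}")
```

A high r only says that the two series move together; as the text notes, the auditor still has to ask whether there is a reason for them to do so before relying on the relationship.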
Management must play a role in this process. There are two approaches:
Imposed control: management sets the goals.
Self-control: employees are encouraged to take a more active role in the prevention of defects.
The relationship between the individuals, groups and departments needs to be considered. These relationships are to varying degrees based upon authority, responsibility, and accountability.
Accountability is the duty to account for the completion of the responsibility. Responsibility is delegated downwards, but the person who did the delegating is still ultimately responsible for the task that has been delegated.
Complexity: the type of differentiation that exists within the organization determines how complex the company is.
Vertical differentiation: the more levels there are in the company, the more complex it is and the slower and less effective it will be in adapting to changing conditions. These are tall organizations.
Horizontal differentiation: this relates to the special skills and knowledge required to complete tasks. These are flat organizations.
Spatial differentiation: this relates to the geographical separation of the organization's activities.
In a decentralized organization, responsibility for decisions is delegated to lower level managers on the theory that they are closest to what is going on.
This structure permits action to be taken more quickly to solve problems. Furthermore, input used for decision-making comes from a greater number of people, and employees feel less separated from the people who are making the decisions that affect them.
Advantages of Decentralization
Some of the advantages for a company to have a more decentralized organization are:
Greater speed in making operational decisions.
Encourages better communication and initiative among employees.
Requires an understanding of company goals throughout the organization.
Identifies and trains good decision-makers at lower levels.
Gives responsibility and authority to lower level managers.
Frees top management from operational duties and enables it to focus on strategic goals.
Enables the financial measurement of a particular unit.
Disadvantages of Decentralization
Some of the drawbacks of decentralization are:
Tendency to focus on short-term local issues rather than the long-term success of the larger organization.
Increased risk due to the loss of control by top management.
More difficulty in coordinating interdependent units.
Lower levels of management may make conflicting decisions.
Delegation
A key part of decentralization is making sure there is proper delegation of authority. Delegation is the process of passing power downward from one individual to his or her subordinate.
Under the classical approach, delegation should be avoided because it reduces the power of the manager. The behavioral approach sees it as a useful step, because no one has time to make every decision and subordinates like to be involved in the process.
Delegation can help subordinates develop confidence and initiative in situations where there are proper controls in place.
Delegation, continued
Delegation is part of the process of becoming a manager. In order to delegate successfully, the following must exist:
The necessary skills and a sound knowledge of the organization's objectives,
A feedback system that allows assessment of performance,
Faith in the abilities of the subordinate,
Recognition of the need to delegate,
A willingness to accept risk, and
The desire to develop and train subordinates.
Delegation, continued
The delegation process involves the following steps:
1) Determination of the expected results,
2) Assignment of tasks and responsibilities,
3) Delegation of the necessary authority to complete those tasks,
4) Recruitment of responsible subordinates,
5) Clear communication of what the subordinate is responsible for, and
6) Follow-up on the process, because ultimate authority still remains with the manager.
An organic structure has low complexity, a low degree of formalization and a highly participative decision-making structure.
Organic structures tend to be more flexible than mechanistic ones. They are also more adaptive to change and work better in dynamic (changing) and complex environments. This structure is better suited to product development or to high-tech companies.
Components of an Organization
Henry Mintzberg identified five components to any organization:
1. Strategic Apex: the top managers.
2. Middle Line: the managers who connect the strategic apex to the operating core.
3. Operating Core: the employees who perform the basic production tasks.
4. Technostructure: the analysts who make certain that there is a level of standardization in the organization.
5. Support Staff: provide indirect support services.
Departmentalization
Departmentalization is grouping tasks together in order to coordinate those that have something in common. It can be accomplished in various ways, and large organizations often use all of the forms:
By function performed, such as engineering, accounting, manufacturing, personnel and marketing.
By geographical territory, such as sales divided according to sales territory.
By product or service, with all functions for that product or service placed under the authority of a senior manager.
By type of customer served, such as the consumer market, small businesses or large corporate customers.
By project, such as ship building, military contracts, etc.
Matrix Organization
The matrix organization actually violates the unity-of-command principle, but in certain situations it is useful. A typical matrix organization combines product or project departmentalization with functional departmentalization (such as accounting, marketing, etc.).
Each employee has two supervisors: one for the product or project, and one for the function.
Span of Control
Span of control refers to the number of subordinates one manager can effectively supervise. The span of control governs the number of levels and the number of managers an organization will have. Up to a point, larger spans are more efficient.
A wider span will require fewer managers and will save on managerial salaries. Beyond a certain point, the span can become too large and supervisors cannot provide the necessary support to employees.
A manager can handle a wider span of control if his or her employees are all well trained in their jobs. Thus, when organizations have wide spans of control, they need to invest more in employee training.
Leadership
Leadership is the process of influencing others so that they are willing to work toward the achievement of the goals of the group. The classical view holds that even though authority and decision-making may be decentralized, leadership is a characteristic of an individual and cannot be subdivided and transferred to others. Some of the characteristics of an effective leader are:
Intelligence,
Maturity,
Social participation, and
Socioeconomic status.
Styles of Leadership
The different styles of leadership that have been identified by behaviorists are:
Autocratic: the manager dictates instead of allowing input from the employees.
Consultative: the manager makes the decisions, but does take into account the opinions of the employees.
Participative: the manager makes the decision, but must take into account the opinions of the other members of the team or group.
Free-rein (laissez-faire): employees make their own decisions.
Bureaucratic: manages by rules and policies.
Transformational: a leader who is a supporter and implementer of change.
Transformational Leader
The transformational leader is able to inspire others in the company to achieve more than they thought possible. There are many characteristics of a transformational leader, including:
Emphasizes vision, is able to articulate a vision, and can challenge traditional assumptions.
Encourages individual development, provides workers with regular feedback, and gives individualized consideration.
Has charisma, is inspirational and is able to motivate employees.
Leadership Studies
Studies have found two behavioral patterns: initiator of structure and initiator of consideration.
Initiator of structure is geared toward the completion of tasks and includes defining duties, establishing procedures and planning and organizing the work. Initiator of consideration is the establishment of a personal relationship between the manager and the subordinate.
Which pattern is present will depend on situation, but in most cases both patterns will be present.
Contingency Approach
The contingency approach is focused on finding a better answer to the questions "What is an effective leader?" and "How do we train them?" Fred Fiedler developed the earliest contingency model, proposing that effective group performance is a function of a good match between the leader's style and the situation.
This means that the right person at the right time will be a good leader, but the same person in a different situation may be very ineffective.
Style of leadership should complement, but not duplicate the factors in the environment and should be consistent with the characteristics of the subordinates.
The theory assumes that the leader can be flexible and need not behave in the same manner at all times, but may behave differently in different situations.
Vroom-Yetton-Jago Model
This model of leadership focuses on helping the leader to determine how best to arrive at, communicate, and execute a decision. The Vroom-Yetton-Jago model is a decision-making tree that attempts to determine an appropriate leadership style for various situations and assumes a leader may use different leadership styles. The model identifies five styles, ranging from autocratic to group-based. By asking oneself a series of questions about the nature of the problem, etc., the leader can decide how much to involve others in the decision and also the style.
Influence
Influence is the attempt to change the behavior of someone in the workplace. The different tactics used to influence someone are:
Consultation: allows the other person to participate in the change.
Rational persuasion: tries to convince others by relying on logic.
Ingratiating tactics: being nice to the person.
Coalition tactics: getting others to support you in the project.
Pressure tactics: intimidation, threats and demands.
Upward appeals: using the formal structure of management.
Exchange tactics: offering a trade of "I do this, now you do that."
Negotiations
Negotiating is the process of bargaining for an agreement on the exchange of goods or services at an agreed-upon rate of exchange. The two main approaches to negotiating are:
Distributive bargaining occurs in a zero-sum situation. It is unlikely that a true win-win outcome will result. Each party sets a desired result and a minimum acceptable result; if the two ranges overlap, there is a chance of a successful negotiation.
Integrative bargaining occurs when there is a possibility for both sides to win.
There is another type of negotiation called subordination bargaining. This is when the person in the position of the subordinate agrees to anything that is reasonable.
Conflict
Conflict can arise from many different situations. The more common conflict triggers are:
Unclear job boundaries and unclear responsibilities.
Competition for scarce resources.
Differences in status between people.
Personality clashes.
Unrealistic expectations.
Communication problems.
Conflict, continued
Whether conflict is healthy or not depends on how it is handled.
Competition generally does not help the company: with competition, one person must win.
Collaboration is generally helpful. This is the process of all of the people in the conflict trying to find a solution that is satisfactory for all.
Avoidance of the conflict does not help.
Compromise may help at times.
Accommodation may be helpful in the short run, but in the long run it may cause greater problems.
Conflict, continued
Smoothing is a short-term avoidance process whereby the parties are asked to forget their differences for the short term.
Forcing occurs when the superior party uses its position to settle the conflict.
Superordinate goals are goals that are above the goals of the individual.
Compromise is where both parties have to give up something.
Expanding resources is a possible solution, but only if the conflict was the result of insufficient resources.
Changing the human element attempts to change the behavior of the individuals involved.
Conflict, continued
Diffusion is the process of trying to solve the smaller, less critical issues first in order to build a feeling of success and cooperation before dealing with the larger issue.
The public media can at times become the venue in which the conflict is played out. This is a risky approach, because public opinion may not always be as expected, but the pressure of media attention may force people to settle their differences.
Change Management
Organizational change is the process of changing the organizational structure of the company. All organizations at some time go through change as the business changes, the environment changes and the people in the business change. Individuals may resist these changes for many reasons. The main reason may be fear: fear of the unknown, and fear that the change is simply the first part of larger changes that will lead to an individual's termination.
Another cause of fear may be an apparent disregard by management for the way it treats employees, and possible disruption to the way that things were.
When the change is Anticipatory and Strategic in scope, it is called Reorientation. It causes the organization to be significantly redirected.
When the change is Reactive and Incremental in scope, it is called Adaptation. Changes are made in reaction to external problems, events, or pressures.
When the change is Reactive and Strategic in scope, it is called Re-creation. This is an intense, risky and decisive change that reinvents the organization.
SECTION E
ENGAGEMENT PLANNING
Section E
Section E covers the topics of engagement planning, engagement supervision, audit procedures and fraud. This section accounts for approximately 15% to 25% (15 to 25 questions) of the Part 1 exam. An engagement involves planning and performing the work and communicating and monitoring its results. This section describes the planning process and provides criteria for evaluating it.
These steps are similar to external auditing, except external auditors do not monitor progress.
Engagement Objectives
Surveys
Sometimes surveys are used to become familiar with activities. They are particularly useful in a first engagement, when little is known about the activity. Surveys can assist in:
Understanding the activity.
Identifying areas requiring special attention.
Obtaining information for use in the performance of the engagement.
Determining where further work is necessary.
Developing a good relationship with the staff of the activity being audited.
Engagement Scope
Engagement Resources
Work programs may be pro forma or individualized. Approval of the work program should come from the CAE, and in writing. Any adjustments made to the work program should be approved in a timely manner. It is possible for approval to be oral, if warranted.
Preliminary Survey
In addition, the auditor should explain that any corrective action taken by the client prior to circulation would be acknowledged by the auditor. Another result of the meeting is to collect as much relevant documentation as possible. Conduct a walk-through of the premises.
Further Meetings
If the client wishes, a further meeting can be arranged to discuss initial impressions and the general thrust of the engagement work program. The cost of further meetings should be a consideration in planning the additional meetings.
Engagement Supervision
Engagement Procedures
The engagement work is made up of a series of procedures that are to be performed by the auditor.
Procedures may be as simple as checking to see whether a particular document was signed, or as complex as the valuation of a derivative.
The procedures to be performed are written in the work program. For any engagement, the auditor will need to perform procedures to gather evidence. This evidence provides the support for the opinion the auditor reaches. Auditors must keep collecting information until they have sufficient and competent evidence.
Sufficiency of Evidence
The question of how much evidence is enough cannot be answered definitively or quantitatively. It has to be answered using the professional judgment of the auditor, and it depends on many factors.
The main factor is the effectiveness of the client's internal controls. If controls are working, the amount of evidence required by the auditor will be less than if controls are not working.
However, no matter how well controls are working, the auditor must always obtain some amount of direct evidence to confirm the numbers reported by the client.
Competence of Evidence
For evidence to be competent, the evidence must be both valid and relevant.
Relevance is how closely the evidence relates to what the auditor is testing. The validity of evidence is the extent to which the auditor can believe and trust it.
The most valid evidence is evidence obtained directly by the auditor, many times through observation. The next best source is a third party that has no direct interest in the client, e.g., bank statements or accounts receivable confirmations. The least valid evidence is any information obtained from the client.
Sources of Evidence
There are two main types of auditing evidence:
Underlying accounting data: this is the information that is part of the accounting system.
It includes the original documents, journals, ledgers, supporting information and the output from the accounting systems.
Vouching is the opposite of tracing. Start with an amount in a ledger and find the supporting documentation for it.
Vouching is testing for existence. This makes sure that every event or transaction that has been recorded in the records has actually occurred.
Understanding Fraud
Fraud
The IIA defines fraud as any illegal act characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application or threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.
Types of Fraud
There are two main classifications of fraud:
1) Misstatements from fraudulent financial reporting.
These are intentional misstatements in the financial statements made to mislead users. This includes the omission of information from the financial statements and the misapplication of accounting principles.
3) Corruption.
Corruption includes illegal gratuities, bribes and kickbacks, conflicts of interest, and economic extortion.
When fraud is suspected, the internal auditor should determine the possible effects and discuss the matter with the appropriate level of management.
It is generally not the internal auditor's place to report the matter outside the organization, although in some cases the auditor may report the event to the SEC, a predecessor auditor, a court, or a governmental agency.