Exam 2 (Internal Auditing) v4

Which of the following would be a typical consulting engagement activity performed by the internal audit function?

a. Testing compliance iwht accounts payable policies and procedures.

b. determinig the scope of an engeagement to test IT application controls.

c. reviewing and commenting on a draft of a new ethics policy created by the company

e. testing the design adequacy of controls over the termination of employees.

c. reviewing and commenting on a draft of a new ethics policy created by the company

which of the following is not a required consideration regarding proficieny and due profewsional care whne xhosing to performa consutling engagement?

a. availabilityy of adequtae skills and resources to conduct the engagement.

b. needs and expectations of the engagement customer.

c. cost of the engagement relative to the ptoential beneits.

d. potential impact on the independent outside autidor's financial statement audit.

d. potential impact on the independent outside autidor's financial statement audit.

Senior management of an organization has requested that the internal audit function help eduate employees about internal control concepts. This work is an example of which type of engagement:

a. an assurance engagement

b. a training consulting engagement

c. a faciliattive sonsulting engagement

d. an advisory consulting engagement

b. a training consulting engagement

It would be appropriate for the internal audit function to perform which of the following?

a. design controls for a process

b. develop a new whistleblower policy

c. review a new IT application before implementation

d. lead a process reengineering project

c. review a new IT application before implementation

Which of the following is not likely to be a step during a consulting engagement?

a. understanding the objectives of a process

b. assessing the risks in a process

c. flowcharting the key steps in a process

d. expressing a conclusion on the desing adequacy and operating effectiveness of a process

d. expressing a conclusion on the desing adequacy and operating effectiveness of a process

The chief operating officer has requested that the internal audit function advise her regarding a new incentive plan being developed for sales representatives. Which of the following tasks should the CAE decline with respect to providing advice to the COO?

a. researching and benchmarking incentive plans provided by other companies in the industry.

b. determining the appropriate bonus formula for inclusion in the plan

c. recommending monitoring procedures so that appropriate amounts are paid under the plan

d. determining how to best document the support for amounts paid to provide a sufficient audit trail.

b. determining the appropriate bonus formula for inclusion in the plan

When conducting a consulting engagement to improve the efficiency of a production process, the internal audit team is faced with a scope limitation because several months of the production data has been lost or is incomplete. Faced with this scope limitation, the CAE should:

a. halt the consutling engagement and conudct a separate assurance engagement to determine why the datea was not available.

b. discuss the problem with the customer and together evaluate whether the engagement should be continued

c. complete the analysis without the data but include a scope limiatiation in the engagement report.

d. report teh scope limiatation to the independent outside auditors.

b. discuss the problem with the customer and together evaluate whether the engagement should be continued

The audit committee has requested thtat the internal audit function assist with the annaual risk assessment process. What type of consulting engagement does this assistance represent?

a. an assurance engagement

b. a training consulting engagement

c. a facilitative consulting engagement

d. an advisory consulting engagement

c. a facilitative consulting engagement

Positioning the I/A Function in the Organization(To conform with the Standards) Two options

1. on Sr. manager level or 2. lower

Option 1: placed on the Sr. management level: CAE ( with direct assess to BOD Audit Committee)

Give I/A function the visibility, authority, and responsibility to

Independently evaluate management's assessment of I/C

Assess the organization's ability to

achieve business objectives and

manage, monitor, and mitigate related risks

Provide consulting services

I/A Charter how CAE fulfill the responsibilities outlined above:

A formal written document that defines the I/A function's purpose, authority, and responsibility

Is subordinate to the audit committee's charter

I/A Charter

A formal written document that defines the I/A function's purpose, authority, and responsibility

Is subordinate to the audit committee's charter

Standard 2000: CAE's management responsibilities:

The results of the internal audit [function's] work achieve the purpose and responsibility included in the internal audit charter;

The internal audit [function] conforms with the Definition of Internal Auditing and the Standards; and

The individuals who are part of the internal audit [function] demonstrate conformance with the Code of Ethics and the Standards."

Organizational independence vs. individual objectivity:

CAE reports to BOD (so that to allow I/A function to fulfil its responsibility) Organizational Independence (Structure)

Internal auditors have an impartial, unbiased attitude and avoid conflicts of interest Individual Objectivity (Unbiased mental attitude)

Option 2: I/A functions can be positioned lower in the organizational hierarchy (Under Sr. Management)

Often to perform nonaudit activities:

Quality assurance, compliance, operational, & other transaction processing activities

Lack of objectivity to independently evaluate the organization's operations and offer impartial suggestions for improvement

Unable to provide management with an evaluation of the design adequacy and operational effectiveness of operational controls (i.e., RM, Control, and Governance processes)

IIA Standard 1130: Impairment to Independence or Objectivity:

May include:

personal conflict of interest,

scope limitations,

restrictions on access to records,

personnel, and properties, and resource limitations, such as funding

If impaired in fact or appearance then what?

the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment

Reporting: I/A to CAE, CAE to BOD

A Scope Limitation

a restriction on the applicability of an auditor's report that may arise from the inability to obtain sufficient appropriate evidence about a component in the financial statements. Auditing standards suggest that when restrictions imposed by the client significantly limit the scope of the engagement the auditor should consider disclaiming the opinion.

I/A engagements must be performed with

Proficiency and Due Professional Care

Proficiency

Standard 1210: internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities

Due Professional Care

Standard 1220: internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

The positioning of the I/A function affects

the degree to which it can remain objective.

Ideally, how will the function will be positioned?

high enough within the organization with direct access to the board audit committee to allow conformity with The IIA's requirements and recommendations

So, what are the advantages of placing I/A function on Sr. Management level?

To better maintain independence when evaluating management's assessment ( of the org.'s system of I/C, ability to achieve objectives, and mitigate risks associated with achievement of those objectives)

Minimizes the possibility of Sr. Management exerting undue influence on CAE

I/A's professional expertise used in consulting on initiatives and projects

I/A plan (CAE's responsibility)

An outline of the specific assurance and consulting engagements scheduled for a period of time (typically a year) based on an assessment of the organization's risks.

Developed through a process that identifies and prioritizes possible audit entities (business units or processes) responsible for mitigating key risks to acceptable level

Top-down, risk-based approach (most effective)

Top-down, risk-based approach (most effective)

A risk assessment process completed annually at the beginning of, or prior to fiscal year

Provide the CAE with a definitive list of audit entities related to the prioritized risks

CAE aligns audit resources for the upcoming year with the conclusions drawn by management during the risk assessment process.

What should CAE present regarding the I/A plan to Sr. Management and BOD for approval :

Requirements, significant interim changes, and the potential implications of resource limitations (--required by Standard 2020)

A summary of the internal audit plan, work schedule, staffing plan, and financial budget (--recommended by Practice Advisory 2020-1: Communication and Approval

Key elements taken into consideration:

Organizational structure and staffing strategy

Right sizing

Staffing plan/ Human Resources

Hiring practices

Strategic sourcing

Training and mentoring goals

Career planning and professional development

Scheduling (I/A schedule and annual I/A Plan)

Financial budget

Flat organizational structure:

consist of internal auditors who all have more or less the same level of skills, experience, and seniority.

Internal audit functions employing flat structures tend to be:

stable, highly knowledgeable, and very collaborative,

higher cost base due to the higher salaries necessary to retain auditors who all have a high degree of knowledge and experience.

Two kinds of organizational structures

Flat and hierarchal

Hierarchical organizational structure:

include internal auditors with varying degrees of knowledge and experience.

Internal auditors with less knowledge and experience report to internal auditors with more knowledge and experience.

These I/A functions can be more dynamic than flat functions due to the fact that positions are often rotating with internal auditors promoting into higher positions as those in higher positions move up in the function or into positions outside of the function.

Due to their dynamic nature hierarchically organized functions can experience frequent change that, if not managed, can threaten the efficient achievement of the internal audit plan

Examples of positions within the hierarchal function:

Staff auditor (or IT Staff auditor)

Senior auditor (or IT senior auditor)

Audit manager (or IT audit manager)

Audit director ( or IT audit director)

CAE

Right Sizing

To achieve and maintain balance of competent staff without overloading workload within reasonable financial budget

Strategic Sourcing

Supplements the in-house I/A function through the use of 3rd party vendor services

Staffing plan and hiring

CAE's responsibility

Do all I/A activities need formal administrative and technical audit manuals?

No

Small internal audit activity

may be managed informally

Audit staff may be directed and controlled through daily, close supervision and memoranda

Large internal audit activity

More formal and comprehensive policies and procedures are necessary to guide the I/A staff in the execution of the I/A plan.

What are the three lines of defense?

Management, different functions within the organization, other than the internal audit function, I/A function

1st line of defense: management

Management owns and takes responsibility for assessing and mitigating risk and for maintaining effective internal controls.

2nd line of defense: different functions within the organization, other than the internal audit function

that work together to assist in risk mitigation by facilitating and monitoring the risk management efforts of the organization and communicating risk-related information.

Such functions include, for example, quality assurance, corporate responsibility, corporate security, and health and safety.

3rd line of defense: I/A function

works in partnership with management and the other functions involved in risk mitigation

The key difference between this line of defense and the first two is that the internal audit function is independent of management

Coordination between the 3 lines of defense may vary among organizations:

In smaller, less regulated organizations: coordination efforts can be less formal and, therefore, less costly.

In larger, more heavily regulated organizations: coordination can be quite formal and involved.

Large organizations typically begin by creating an assurance map that identifies:

where within the organization risk mitigation coverage exists,

who is providing the coverage,

what professional standards the different assurance providers adhere to, and

the frequency and timing of the assurance activities provided

The most notable external sources of assurance that organizations use to augment their internal lines of defense

independent outside auditors and applicable regulators

Matters of mutual interest discussed during coordination efforts with independent outside auditors include

Audit coverage.

Access to each others' audit programs and workpapers.

Exchange of audit reports and management letters.

Common understanding of audit techniques, methods, and terminology.

CAE's responsibilities when reporting to the board

The internal audit function's purpose, authority, responsibility, and performance relative to its annual internal audit plan.

Identified significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

Standard 2110: Governance states that the internal audit function "must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

Promoting appropriate ethics and values within the organization;

Ensuring effective organizational performance management and accountability;

Communicating risk and control information to appropriate areas of the organization; and

Coordinating the activities of and communicating information among the board, external and internal auditors, and management."

I/A functions carries out governance responsibilities largely through the

assurance services

Risk management:

Refers to the administration and oversight processes typically performed by senior management to monitor efforts to minimize risk exposures or steps taken to exploit competitive advantages.

These administrative procedures are designed to help establish a common language for use when considering possible risk events or scenarios.

More concisely, risk management is a participatory process designed to identify, document, evaluate, communicate, and monitor the most significant risk events facing an organization requiring risk mitigation to achieve business objectives.

Risk mitigation

Refers to the tactical efforts undertaken by line management and operational employees to either reduce risk exposures or exploit competitive opportunities (advantages) that manifest themselves in day-to-day operations.

Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:

Organizational objectives support and align with the organization's mission;

Significant risks are identified and assessed;

Appropriate risk responses are selected that align risks with the organization's risk appetite; and

Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

Core internal audit risk management activities include:

Giving assurance on the risk management processes.

Giving assurance that risks are correctly evaluated.

Evaluating risk management processes.

Evaluating the reporting of key risks.

Reviewing the management of key risks

Risk management activities that the internal audit function may perform, if appropriate safeguards are applied to protect its independence and objectivity, include:

Facilitating identification and evaluation of risks.

Coaching management in responding to risk.

Coordinating ERM activities.

Consolidating reporting on risks.

Maintaining and developing the ERM framework.

Championing establishment of ERM.

Developing ERM strategy for board approval.

Risk management activities that the internal audit function should avoid include:

Setting the risk appetite.

Imposing risk management processes.

Assuming management's risk management assurance role.

Making decisions on risk responses.

Implementing risk responses on management's behalf.

Assuming accountability for risk management

The I/A activity must assist the organization in maintaining effective controls by

evaluating their effectiveness and efficiency and

promoting continuous improvement

I/A functions evaluate "the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:

Achievement of the organization's strategic objectives;

Reliability and integrity of financial and operational [non-financial] information;

Effectiveness and efficiency of operations;

Safeguarding of assets; and

Compliance with laws, regulations, and contracts

Quality Assurance and Improvement Program

Ensures I/A function operates in accordance with established professional standards.

covers all aspects of the internal audit activity

is designed to enable:

an evaluation of the I/A activity's conformance with the Definition of Internal Auditing and the Standards and

an evaluation of whether internal auditors apply the Code of Ethics.

(IPPF mandatory guide)

assesses the efficiency and effectiveness of the I/A activity and identifies opportunities for improvement

Per IIA Standards, internal audit functions must establish:

Both internal and external quality assurance and improvement program assessments.

Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should:

Accept the audit engagement because independence would not be impaired.

Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met?

The CAE

Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan?

a. To emphasize the importance of the internal audit function to the organization.

b. To make recommendations to improve the strategic plan.

c. To ensure that the internal audit plan supports the overall business objectives.

d. To provide assurance that the strategic plan is consistent with the organization's values.

To ensure that the internal audit plan supports the overall business objectives.

The Standards requires policies and procedures to guide the internal audit staff. Which of the following statements is false with respect to this requirement?

a. A small internal audit function may be managed informally through close supervision and written memos.

b. Formal administrative and technical audit manuals may not be needed by all internal audit functions.

c. The CAE should establish the function's policies and procedures.

d. All internal audit functions should have a detailed policies and procedures manual.

All internal audit functions should have a detailed policies and procedures manual.

When conducting a consulting engagement to improve the efficiency and quality of a production process, the audit team is faced with a scope limitation because several months of the production data have been lost or are incomplete. Faced with this scope limitation, the CAE should:

Discuss the problem with the customer and together evaluate whether the engagement should be continued.

Which of the following is not a responsibility of the CAE?

a. To communicate the internal audit function's plans and resource requirements to senior management and the board for review and approval.

b. To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.

c. To follow up on whether appropriate management actions have been taken on significant issues cited in internal audit reports.

d. To establish a risk-based plan to accomplish the objectives of the internal audit function consistent with the organization's goals.

To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.

The Standards requires the CAE to share information and coordinate activities with other internal and external providers of assurance services. With regard to the independent outside auditor, which of the following would not be an appropriate way for the CAE to meet this requirement?

a. Holding a meeting between the CAE and the independent outside audit firm's partner to discuss the upcoming audit of the financial statements.

b. Providing the independent outside auditor with access to the working papers for an audit of third-party contractors.

c. Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit.

d. Requesting that the internal audit function receive a copy of the independent outside auditor's management letter.

Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit.

Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The CAE should:

Accept the audit engagement because independence would not be impaired

According to the IPPF, how is the independence of the internal audit function achieved?

Organizational status and objectivity

The process for internal quality assessment does not include:

A quality assurance review by an independent outside party

Who is responsible for periodically assessing whether the internal audit activity's purpose, authority and responsibility, as defined by the audit charter, continue to adequate to enable the activity to accomplish its objectives

Chief Audit Executive

Organizational independence exists if the CAE reports to some other organizational level than the CEO or similar head of the organization as long as the internal audit activity without interference

administratively; controls the scope and performance of work and reporting of results

Audit committees are most likely to participate in the approval of

the appointment of the CAE

According to the IPPF, the independence of the internal audit activity is achieved through

organizational status and objectivity

which of the following activities undertaken by the internal auditor might be in conflict with the standard of independence?

product development team leader

According to the IPPF, internal auditors should possess which of the following skills?

understand human relations and be skilled in dealing with people

be able to recognize and evaluate the materiality and significance of deviations from good business practices

be skilled in oral and written communication

which of the following best describes an auditor's responsibility after noting some indicators of fraud?

Expand activities to determine whether an investigation is warranted

Which of the following activities are designed to provide feedback on the effectiveness of an internal audit activity?

Proper supervision

Internal assessment

External assessment

Per IIA Standards, internal audit functions must establish:

a.Internal quality assurance and improvement program assessments.

b. External quality assurance and improvement program assessments.

c. Both internal and external quality assurance and improvement program assessments.

d. neither internal nor external quality assurance and improvement program assessments.

c. Both internal and external quality assurance and improvement program assessments.

Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should:

a. Accept the audit engagement because independence would not be impaired

b. Accept the engagement, but indicate to management that recommending controls would impair audit independence so that management knows that future audits of the area would be impaired.

c. Not accept the engagement because internal audit functions are presumed to have expertise on accounting controls, not marketing controls.

d. Not accept the engagement because recommending controls would impair future objectivity of the department regarding this client.

a. Accept the audit engagement because independence would not be impaired

Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met?

a. The individual internal audit staff member.

b. The CAE.

c. The audit committee.

d. The internal audit engagement supervisor.

b. The CAE.

Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan?

a. To emphasize the importance of the internal audit function to the organization.

b. To make recommendations to improve the strategic plan.

c. To ensure that the internal audit plan supports the overall business objectives.

d. To provide assurance that the strategic plan is consistent with the organization's values.

c. To ensure that the internal audit plan supports the overall business objectives.

The Standards requires policies and procedures to guide the internal audit staff. Which of the following statements is false with respect to this requirement?

a. A small internal audit function may be managed informally through close supervision and written memos.

b. Formal administrative and technical audit manuals may not be needed by all internal audit functions.

c. The CAE should establish the function's policies and procedures.

d. All internal audit functions should have a detailed policies and procedures manual.

d. All internal audit functions should have a detailed policies and procedures manual.

When conducting a consulting engagement to improve the efficiency and quality of a production process, the audit team is faced with a scope limitation because several months of the production data have been lost or are incomplete. Faced with this scope limitation, the CAE should:

a. Resign from the consulting engagement and conduct an audit to determine why several months of data are not available.

b. Discuss the problem with the customer and together evaluate whether the engagement should be continued.

c. Increase the frequency of auditing the activity in question.

d. Communicate the potential effects of the scope limitation to the audit committee.

b. Discuss the problem with the customer and together evaluate whether the engagement should be continued.

Which of the following is not a responsibility of the CAE?

a. To communicate the internal audit function's plans and resource requirements to senior management and the board for review and approval.

b. To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.

c. To follow up on whether appropriate management actions have been taken on significant issues cited in internal audit reports.

d. To establish a risk-based plan to accomplish the objectives of the internal audit function consistent with the organization's goals.

b. To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management processes.

The Standards requires the CAE to share information and coordinate activities with other internal and external providers of assurance services. With regard to the independent outside auditor, which of the following would not be an appropriate way for the CAE to meet this requirement?

a. Holding a meeting between the CAE and the independent outside audit firm's partner to discuss the upcoming audit of the financial statements.

b. Providing the independent outside auditor with access to the working papers for an audit of third-party contractors.

c. Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit.

d. Requesting that the internal audit function receive a copy of the independent outside auditor's management letter.

c. Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit.

professional sketpicism means that internal auditors beginning an assurance engagement should:

a. assume client personnel are dishonest until they gather evidence that clearly indicates otherwise.

b. assume client personnel are honest until they gather evidence that clearly indicates otherwise.

c. neither assume client personnel are honest nor assume they are dishonest ineffectively.

d. assume that internal controls are designed inadequately and/or operating ineffectively.

c. neither assume client personnel are honest nor assume they are dishonest ineffectively.

Which of the following statements regarding audit evidence would be the least appropriate for an internal auditor to make?

a. I will consider the level of risk involved when deciding the kind of evidence I will gather.

b. I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence.

c. I evaluate both the usefulness of the evidence I can obtain and the cost to obtain it.

d. I am seldom absolutely certain about the conclusions I reach based on the evidence I examine.

b. I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence.

Audit evidence is generally considered sufficient when:

a. it is appropriate

b. there is enough of it to support well-founded conclusions

c. it is relevant, reliable, and free from bias.

d. it has been obtained via random sampling

b. there is enough of it to support well-founded conclusions

Documentary evidence is one of the principal types of corroborating information used by an internal auditor. Which one of the following examples of documentary evidence generally is considered the most reliable?

a. A vendor's invoice obtained from the accounts payable department.

b. a credit memorandum prepared by the credit manager.

a receiving report obtained from the receiving department.

d. a copy of a sales invoice obtained from the sales department.

a. a vendor's invoice obtained from the accounts payable department.

An internal auditor must weigh the cost of an audit procedure against the persuasiveness of the evidence to be gathered. Observation is one audit procedure that involves cost-benefit tradeoffs. Which of the following statement regarding observation as an audit procedure is/are correct?

I. Observation is limited because individuals may react differently when being watched.

II. Observation is more effective for testing completeness than it is for testing existence.

III. Observation provides evidence about whether certain controls are operating as designed.

a. I only

b. II only

C. I and III

d. I, II, and III

C. I and III

Your audit objective is to determine that purchases of office supplies have been properly authorized. If purchases of office supplies are made through the purchasing department, which of the following procedures is most appropriate?

a. Vouch purchase orders to approved purchase requisitions.

b. Trace approved purchase requisitions to purchase orders.s

c. Inspect purchase requistions for proper approval

a. vouch purchase orders to approved purchase requisitions.

A production manager of MSM Company ordered excessive raw materials and had the materials delivered to a side business he operated. The manager falsified receiving reports and approved the invoices for payment. Which of the following procedures would most likely detect this fraud?

a. vouch cash disbursements to receiving reports and invoices.

b. confirm the amounts of raw materials purchased, purchase prices, and dates of shipment with vendors.

c. perform ratio and trend analysis compare the cost of raw materials purchased with the cost of goods produced.

d. observe the receiving dock and count materials received. Compare the counts with receiving reports completed by receiving personnel.

c. perform ratio and trend analysis compare the cost of raw materials purchased with the cost of goods produced.

An internal auditor is concerned that fraud, in the form of payments to fictitious vendors, may exist. Company purchasers, responsible for purchases of specific product lines, have been granted the authority to approve expenditures up to $10,000. Which of the following applications of generalized audit software would be most effective in addressing the auditor's concern?

a. list all purchases over $10,000 to determine whether they were properly approved.

b. take a random sample of all expenditures under $10,000 to determine whether they were properly approved.

c. List all major vendors by product line. Select a sample of major vendors and examine supporting documentation for goods or services received.

d. List all major vendors by product line. Select a sample of major vendors and send negative confirmations to validate that they actually provided goods or services.

d. List all major vendors by product line. Select a sample of major vendors and send negative confirmations to validate that they actually provided goods or services.

Which of the following most completely describes the appropriate content of internal audit assurance engagement working papers?

a. Objectives, procedures, and conclusions.

b. Purpose, criteria, techniques and conclusions

c. objectives, procedures, facts, conclusions and recommendations.

d. subject, purpose, sampling information, and analysis.

c. objectives, procedures, facts, conclusions and recommendations.

Which of the following statements regarding audit evidence would be the least appropriate for an internal auditor to make?

A. "I am seldom absolutely certain about the conclusions I reach based on the evidence I examine."

B. "I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence."

C. "I consider the level of risk involved when deciding the kind of evidence I will gather."

D. "I evaluate both the usefulness of the evidence I can obtain and the cost to obtain it."

B. "I do not perform procedures that provide persuasive evidence because I must obtain convincing evidence."

Documentary evidence is one of the principal types of corroborating information used by an internal auditor. Which one of the following examples of documentary evidence generally is considered the most reliable?

A. A credit memorandum prepared by the credit manager

B. A vendor's invoice obtained from the accounts payable department

C. A copy of a sales invoice prepared by the sales department

D. A receiving report obtained from the receiving department

B. A vendor's invoice obtained from the accounts payable department

Of the following, which constitutes the least reliable form of documentary evidence?

A. Process maps prepared by the internal auditor

B. Letters from outside attorneys

C. Bank Statements

D. Confirmations

C. Bank Statements

Documents sent directly from a third party to the internal auditor are less reliable than documents created by the organization.

True or False

False

Vendor invoices are considered a highly reliable form of documentary evidence.

True or False

False

Effective Communication:

(1) provides useful and timely information on significant matters

(2) promotes improvements in control and performance.

Audit Engagement Process - Communicate:

Perform observation evaluation and escalation process. Conduct interim and preliminary engagement communications.

Develop final engagement communications.

Distribute formal and informal final communications.

Perform monitoring and follow-up procedures.