IIA-CIA-Part2 Exam Dumps - Practice of Internal Auditing

If a control is found to be poorly designed during the planning stage, testing its operating effectiveness becomes redundant because even a well-implemented but poorly designed control will not achieve its intended objectives. The primary focus should be on redesigning the control to ensure it is effective in mitigating risks. Therefore, the auditor should not have proceeded to test the operational effectiveness of a control that was already deemed poorly designed.References:

The Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards)

"Auditing: A Risk-Based Approach to Conducting a Quality Audit" by Karla M. Johnstone et al.

For audit evidence to be considered reliable, it must be accurate, truthful, and verifiable. The absence of the bank heading, logo, or address on the bank statements raises concerns about the authenticity and integrity of the documents. Without these elements, there is no assurance that the statements are legitimate and have not been tampered with or falsified. Therefore, this evidence may not be reliable for audit purposes.References:

The Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards)

"Auditing: A Risk-Based Approach to Conducting a Quality Audit" by Karla M. Johnstone, Audrey A. Gramling, Larry E. Rittenberg

The recognition element of a typical internal audit report should describe a brief synopsis of the process or area under review. This section provides context and background information about the scope and focus of the audit, helping readers understand the subject matter of the audit and its significance within the organization. It sets the stage for the detailed findings and recommendations that follow in the report.References:

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2410 – Criteria for Communicating.

The primary reason for an internal auditor to use a risk and control questionnaire when auditing financial processes is to gain an understanding of the control environment. These questionnaires help auditors identify and evaluate the presence and effectiveness of controls within the financial processes. They provide a structured way to gather information about the control environment, helping auditors understand the organization's risk management and control practices before conducting detailed testing.

References:

IIA Standards: 2201 - Planning Considerations

IIA Practice Guide: Internal Auditing and Fraud

Confirmation letters are generally considered the most reliable source of documentary evidence because they involve direct verification of information with an independent third party. This type of evidence is less prone to bias or manipulation compared to internal documents like policy statements or remittance advices.

IIA References:

IIA Standard 2310: Identifying Information requires that internal auditors gather sufficient, reliable, relevant, and useful information to support engagement results. Third-party confirmations, such as confirmation letters, are considered highly reliable because they come from independent sources.

The Practice Guide on Audit Evidence highlights that external confirmations provide strong evidence of the accuracy of the information being audited.

According to IIA guidance, if management refuses to accept audit recommendations and implement corrective actions, the chief audit executive (CAE) has a responsibility to ensure that the audit committee or the board is aware of the unresolved risks. The CAE should escalate the matter to senior management first. If senior management still does not take action, the CAE should then inform the board. This escalation process ensures that the board is fully informed about significant risks that management has decided to accept and can take appropriate action if necessary.References:

The Institute of Internal Auditors (IIA) - Standards for the Professional Practice of Internal Auditing, Standard 2600 - Communicating the Acceptance of Risks

Understanding a business process involves several steps, with determining the process goals being the next logical step after identifying the process. The goals provide context for why the process exists and what it aims to achieve.

IIA Standard 2201 – Planning Considerations:

This standard emphasizes the importance of understanding the objectives and goals of the area under review. Identifying the goals of a business process is crucial for evaluating its effectiveness and alignment with organizational objectives.

Process Goals:

The process goals define the purpose and desired outcomes of the process. Without understanding these goals, an auditor cannot effectively assess whether the process is functioning as intended or if it needs improvement.

IIA Practice Advisory 2201-1:

This advisory suggests that auditors should first understand the objectives (goals) of the process before delving into the details of inputs, activities, and outputs. The goals provide a framework for evaluating the relevance and effectiveness of these elements.

Option A (Determine process outputs): Outputs are important, but they should be understood in the context of the goals they are intended to achieve.

Option B (Determine process inputs): Inputs are the resources used in the process, but their relevance depends on the process goals.

Option C (Determine process activities): Activities are the steps within the process, but they must be aligned with the goals to be meaningful.

Detailed Explanation:Why Not Other Options?Conclusion: Option D is correct because understanding the process goals is the next logical step after identifying the process, as it provides the context needed to evaluate all other aspects of the process.

When an internal auditor finds that the incidents of noncompliance exceed the organization's acceptable tolerance level, this should be included in the final engagement report. In this case, the 8 out of 90 desks found with sensitive information represent an 8.9% noncompliance rate, which exceeds the organization's tolerance limit of 4%. Reporting this observation in the final engagement report ensures that management is informed and can take necessary corrective actions to address the noncompliance.

References:

IIA Standards: 2410 - Criteria for Communicating

IIA Practice Guide: Reporting and Monitoring