Internal Auditing and Systems Controls Paper 2

Answer (D) is correct. The internal audit activity evaluates the adequacy and effectiveness of controls (Standard 2130.A1). Moreover, the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Standard 2130). Thus, an internal auditor must not simply assume that controls are adequate and effective.

Answer (C) is correct. Internal auditors should assess compliance in specific areas as part of their role in organizational governance. Compliance testing can be used to determine whether laws and regulations are being adhered to, as well as whether internal controls are functioning as designed.

Answer (A) is correct. The external auditor’s traditional role is to perform an audit to determine whether the externally reported financial statements are fairly presented. Thus, a financial audit by the internal audit activity is relevant to the traditional external audit because it is an engagement in which the reliability and integrity of financial information is evaluated. Such an engagement is consistent with internal auditing standards. According to Standard of controls in responding to risks within the organization’s governance, operations, and information systems. This evaluation extends to the (1) reliability and integrity of financial and operational information; (2) effectiveness and efficiency of operations; (3) safeguarding of assets; and (4) compliance with laws, regulations, and contracts.

Answer (A) is correct. The internal audit activity evaluates the controls encompassing governance, operations, and information systems. This evaluation includes the effectiveness and efficiency of operations (Standard 2120.A1). Moreover, the internal auditors must “ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished” (Standard 2210.A3).

Answer (C) is correct. “Adequacy of risk management, control, and governance processes is present if management has planned and designed them in a manner that provides reasonable assurance that the organization’s objectives and goals will be achieved efficiently and economically. Efficient performance accomplishes objectives and goals in an accurate, timely, and economical fashion. Economical performance accomplishes objectives and cost) commensurate with the risk exposure. Reasonable assurance is provided if the most cost-effective measures are taken in the design and implementation stages to reduce risks and restrict expected deviations to a tolerable level. Thus, the design process begins with the establishment of objectives and goals. This is followed by connecting or interrelating concepts, parts, activities, and people in such a manner as to operate together to achieve the established objectives and goals” (PA 2100-1).

Answer (A) is correct. The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board (Standard 1000). The charter should establish the internal audit activity’s position within the organization; authorize access to records, personnel, and physical properties relevant to the performance of engagements; and define the scope of internal audit activities (PA 1000-1). Approval of the charter by the board protects the internal audit activity from management actions that could weaken its status.

Answer (A) is correct. When the internal audit activity or an individual internal auditor is responsible for, or management is considering assigning, an operation that might be the subject of an engagement, independence and objectivity may be impaired. The internal auditor should consider the following factors in assessing the effect on independence and objectivity: The IIA Code of Ethics, the Standards, the expectations of the stakeholders, the internal audit activity’s charter, required disclosures, and subsequent coverage of the activities or responsibilities accepted (PA 1130.A1-2).

Answer (D) is correct. The internal auditor’s objectivity is not adversely affected when (s)he recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, drafting procedures for, or operating systems is presumed to impair objectivity (PA 1130.A1- 1).

Answer (A) is correct. The scope of work of internal auditing includes assurance services that involve evaluating the risk exposures and controls relating to the organization’s governance, operations, and information systems. This evaluation extends to risk exposures and controls regarding compliance with laws, regulations, and contracts. It also includes determining whether the organization is in compliance, that is, whether the activities are complying with the appropriate requirements. The internal auditors are verifying that participants in the job retraining program comply with the eligibility requirements.

Answer (B) is correct. The internal audit activity evaluates risk exposures related to governance, operations, and information systems regarding, among other things, compliance with laws, regulations, and contracts. Based on the risk assessment, the internal audit activity evaluates the adequacy and effectiveness of controls encompassing governance, operations, and information systems. This evaluation should include, among other things, compliance with laws, regulations, and contracts (Standards 2110.A2 and 2120.A1). Operation in accordance with contracts and regulations takes precedence over all other objectives because it relates to the most basic aspects of the programs.