The nature of services provided are defined in the internal audit charter.

Internal auditors must maintain objectivity while performing their work.

The objectives and scope of the engagement typically are directed by management.

Internal auditors may assume management responsibilities.

Description of internal audit activity's responsibilities

Definition of internal auditing

Statement of internal audit activity's authority

Description of internal audit activity's reporting structure

The job responsibilities of the warehouse employee compromise segregation of duties

Spare parts are written off before their actual usage and installation

Warehouse management is conducted on paper and requires further investigation

The inventory counts take place on specific days of the week for no apparent reason

Risks related to employee turnover.

Risks related to data manipulation.

Risks related to employee competency.

Risks related to not achieving sales targets.

Internal auditors may conduct a financial effectiveness engagement in a business unit at any point after being transferred from that area.

Internal auditors may conclude that a business unit's current control environment is adequate and effective if the review of the prior year's workpapers and audit report supports that conclusion.

Internal auditors may conduct an engagement in a business unit at any point after providing a training workshop in that area.

Internal auditors should limit the scope of an engagement if they become aware of a potential impairment of their objectivity in order to reduce the potential impact of the impairment on the engagement results.

The chief audit executive is well qualified and has responsibilities over operational areas that the internal audit activity assesses.

Periodic self-assessments are assigned to entry-level internal audit staff to support their continuing professional development.

All audit workpapers are reviewed and signed by the engagement supervisor before the audit report is issued.

Employees who rotate into the internal audit activity from other areas of the organization are assigned to audit areas where they previously worked, to take advantage of their operational expertise and experience.

Formally audit all governance activities.

Provide strategic guidance on the organizational processes to senior management.

Achieve agreement with the board regarding the range of activities, depth of review, and time period to include in the assessment.

Audit against the governance structures and practices widely used in the industry.

Segregate duties between code development and migrating changes into production.

Conduct fraud training for the IT team responsible for the ERP system.

Penalize the developer who committed the fraud by terminating employment.

Restrict developers' access to the ERP system's test environment.

Avoiding the risk altogether.

Transferring the risk.

Introducing a control feature.

Accepting the risk.

The internal audit activity did not complete an external assessment within the last seven years

The internal audit activity performed an engagement with limited scope due to lack of knowledge

The internal audit activity failed to consider risk when conducting a review of a department

An internal auditor was assigned to an engagement m an area where she previously worked more than 10 years ago

Review payments made for the financial services software.

Confront a procurement specialist with the suspicion.

Submit an anonymous tip to the whistleblower hotline.

Analyze technical terms and conditions of the tender.

Risk responses must be selected.

Risks must be assessed.

The risk universe must be established.

Risk responses must be aligned.

The internal audit activity of a commercial bank routinely performs branch audits for compliance with regulations.

The internal audit activity participates in a cosourcing arrangement with an IT audit firm to test information systems security.

The internal audit activity facilitates biannual training of the risk management team in risk identification methodologies.

The internal audit activity partners with external auditors annually to complete fieldwork required as a part of the external audit exercise.

Request from the audit committee an additional budget and an extension so that the external assessment could be performed next year.

Review the results of the internal assessment, identify weaknesses, and implement improvements at the remaining offices.

Request the regional office that performed the internal assessment to perform an assessment of the remaining offices.

Request that an external assessor validate the results of the internal assessment and review the remaining offices.

Stakeholders

The board

The chief executive officer

Internal auditors

Senior management

Internal audit activity.

All employees.

Board of directors.

A framework that specifies common best practices for an organization to evaluate and benchmark.

A framework that specifies correct and incorrect business methodologies.

A framework with precise specifications for how controls and processes should be employed.

A framework that offers step-by-step guidance for remedial action for all organization types.

Take an accommodating approach and change the overall rating of the audit report.

Take a compromising approach by modifying the tone of the report, while maintaining the critical findings.

Take an assertive approach and be persistent in attempting to convince the director.

Take an assisting approach and offer to assist with the implementation of action plans.

Technical industry-specific expertise.

Expertise in cybersecurity, an area of increasing risk.

Knowledge of IT risks and controls.

Knowledge of forensic accounting.

Determining whether management measures and monitors the costs and benefits of controls.

Providing training on controls and ongoing self-monitoring processes.

Developing flowcharts to obtain information about control design adequacy.

Identifying objectives and the risks involved in achieving them.

By adopting the best practices of similar organizations in the industry.

By adjusting their internal control framework as business practices evolve.

By introducing the universally accepted COSO internal control framework.

By encouraging the internal audit activity to provide training on internal controls.

Recommend a control change and obtain management support.

Evaluate the potential Impact on related controls.

Address the risk with senior management and the board.

Develop and communicate the scope and evaluation criteria to be used by management.

The chief audit executive (CAE) reports functionally to the CEO.

The CAE's compensation is approved by the chief financial officer.

The CAE's appointment Is determined by the CEO

The CAE reports administratively to the chief operating officer.

Skills in evaluating the risk of fraud.

Knowledge of key IT risks and controls

Soft skills such as communication and negotiation.

Knowledge and understanding of the company's expenses policy

Coordinate control activities.

Provide direction.

Design key controls.

Deliver assurance.

The internal audit charter does not identify which audit services are outsourced

The internal audit charter has not been reviewed by the legal department

The internal audit charter has not been approved by the board within the past year

The internal audit charter does not describe the authority of the internal audit activity

Compare vendor addresses to employee addresses.

Match cancelled checks to invoices.

Search for duplicate payment amounts.

Check employee bank records against invoice amounts.

Coordinate and facilitate risk workshops for management to attend.

Establish the degree of risk appetite for management to accept.

Set risk indicators and mitigation plans for management to implement

Determine the number of significant risks for management to report to the board.

The monthly payroll reports are not vetted to ensure terminated employees have been removed from the payroll system

The volume of nonroutine journal entries has steadily increased over time.

The database of approved suppliers has not been reviewed the last year

The recent employee survey indicates that some employees remain unaware of the organization’s whistieblower hotline.

An independent third party has assessed the organization's system of internal controls to be adequate and effective.

The chief audit executive reports both functionally and administratively to the CEO.

The internal audit charter is drafted properly and approved by the appropriate parties.

The mission statement and strategy of the internal audit activity demonstrates alignment to organizational objectives.

1 and 3 only.

2 and 4 only.

1,2. and 3.

2,3, and 4.