AUD 571 (INTERNAL AUDITING)ON-LINE TEST 2 (10 JUNE 2015)
Answer sheet
Name : SITI NORFADILAH BT MOHD RUSLIMatric No. : 2011400298
Question 1a) Describe the work that will be performed at the
preliminary stage and to what extent it will affect the preparation
of the audit program.
The purpose of this stage of the audit process is to conduct an
internal risk assessment of the area under review. This enables the
auditor to identify and focus on the critical risks within the area
or process under review.
1. Conduct opening conferenceThe internal auditor will schedules
an entrance conference with the head of the department to discuss
the purpose and scope of the audit. The auditor should obtain the
following information from the management. Review and research
currents developments, trend, industry information related to the
business conducted by the organization, and other appropriate
sources of information to determine risks and exposures that may
affect the organization and related control procedures used to
address, monitor and reassess the risks. Review the corporate
policies and board minutes to determine the organizations business
strategies, risk management philosophy and methodology, appetite
for risk, and acceptance of risks. Financial information,
organizational chart, policy and procedure and other pertinent
information Obtains any management reports utilized by the
department Conducts interviews of department personnel to obtain an
understanding of the processes under review Based on the interviews
and the process review, auditor will develop process flows and
identify where the risks lie within the process.
b) i. Reporting of the actual result of audit is important
because it will help the auditor to make a conclusions on the audit
reports. The auditor should be independent from the client company,
so that the audit opinion will not be influenced by any
relationship between them. The auditors are expected to give the
unbiased and honest opinion on the financial statement to the
shareholders. The actual result will show that whether the company
itself have a good performance or not show there will be no
conflict of interest and influence by other.
ii.Finding is the fact and figure collected by an auditor to
satisfy the objectives of the audit while recommendation is the
courses of action suggested by the auditor in line which the
objectives of the audit. During the audit finding, the auditor will
discuss and obtain all information with the management to assess
the risk. While for the recommendation, the auditor will suggest
the recommendation based on the risk that have been assess for
management to implement the recommendation have been given to
ensure the system re effective and efficient.
iii. Avoidable conflicts are conflicts that exist within the
internal audit department and process. Conflict will exist when the
internal auditors do not understand the internal audit process due
to ambiguity and uncertainty. When the auditors do not understand
it might will difficult to deal with the management. Next the
auditors fail to think strategically and systematically. Sometime,
in organization, the auditor might give the recommendation without
systematically and strategically. The conflict will occur because
the management will not be satisfied with the auditor. The auditor
should think critically to give the best recommendation to the
management and should use all the knowledge and competence to
ensure their work is effective and efficient. Lastly is there is a
lack of understanding on the importance of the internal audit and
the trends and challenges facing the profession. The management
should understand that the internal audit is important for
assessing the risk and provide the recommendation to ensure that
the organization change implement the effective system for the
organization to achieve their goal. The internal audit also is
important to prevent the fraud that might be happen in the
organization. The internal auditor should explain to the management
about the important of the internal audit.
Question 2a) Audit plan Monitor the employeesAs we know, if we
prevent from early it better as when the situation become worsen it
will be hard to overcome. The management can monitor the employee
by sending an undercover to join the group and if there is
suspicious plan, the undercover can report about it.For example,the
undercover group can make their job by join the project manager,
office manager and long-time employees that have a plan to commit
the fraud by receipts for reimbursements twice.
Employee educationThe internal auditor can advise the management
to give education to the employee at least basic fraud awareness or
anti-fraud training. When the employee take part, they will realize
that the action that he does is wrong and maybe he will be get
punishment. The management should send the entire employee to
anti-fraud training for ensure that they will not not commit fraud
again and will work toward the organizational goals.
Fraud policiesThe auditor should advise the management to have
the fraud policies.an organization should have a policy stating
clearly its stand and actions that would be taken against
perpetrators of fraud. If the management did not take an action,
maybe the perpetrators will excited to commit the fraud and will do
against because there have nobody to take an action against him.
When there have the policies, the perpetrators will afraid to do
the fraud.
b) Identify and explain why the internal auditors failed to
discover these frauds.
No checks to ensure that only appropriate employees are
recruited by taking references, checking for criminal convictions,
and regulatory body disciplinary actions. This means that there has
no check to ensure that the employees that are hires is the right
employee to the company. The management should make a research
about the employees before hired them. No checks over posting
access to information technology systems. The auditor should check
whether the employee misuse the information technology system that
can allowed them to commit the fraud.
Lack of the policies regarding the companys values and
behavioral standards and no published code of conduct. There have
no appropriate policies so that the employee is excited to do the
fraud.
Company management does not take appropriate actions in response
to departures from approved policies and procedures or the code of
conduct.
Question 3What implications do the above findings have for
internal auditors? How would they influence the way that an
internal auditor plans a computer audit?
The implication: Skill and knowledge of IT and e-commerce
environmentThe auditor should be well equipped and be capable to
address e-commerce systems, security, controls, and provide
assurance auditing services. The skill and knowledge of IT and
auditors capability in e-commerce would be the demands by
management those charged with governance, and regulatory
authorities for improved assurance of effective and continues
information security.
Knowledge of the businessThe auditor should have knowledge on
the business strategy, activities and industry. The auditor also
should know whether the entity use the e-commerce strategy or
outsourcing arrangements. This is to ensure that the auditor can
make a effective recommendation the entity for implementation. When
the auditor have an knowledge in the type of the business
activities, the auditor can easily to identifies which fraud that
might be happen for the information technology system and will take
an appropriate action to improves the control of the technical and
procedural controls so as to minimize risks and also to ensure
compliance with policies, standards, procedures and law and
regulations.
Risk identificationRisk assessments should be performed after
the auditors has obtained a clear picture of the organizations IT
environment. The auditor should develop process to identify risks,
asses risk, and rank audit subjects using IT risks factors and
business risk factors. A risk are identified whether through
experience or formal assessment, suitable risk responses should be
determined which may range from not taking any action and accepting
the risk as a cost of doing business, to applying a wide range of
specific controls. Based on the risk above, the auditor should
identify the nature of the business that incurred the high risk.
Based on the survey, the auditor should more focus on the high risk
for example, Business interruption due to network or system failure
and unauthorized access or changes to data or systems. By assessing
the risk, the auditor can give a recommendation should be
appropriate to the level of the risk faced by the organization.
