Solution Manual For Internal Auditing: Assurance and Consulting Services, 2nd Edition

CHAPTER 2 THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION Illustrative Solutions Review Questions 1. As organizations grew in size and complexity and developed geographically dispersed operations, senior management could no longer personally observe operations for which they were responsible nor have sufficient direct contact with people reporting to them. This distancing of senior management from the operations for which they were responsible created a need for other people in the organization to assist them by examining the operations and providing reports based on those examinations. These people began performing internal audit-type activities to provide this assistance. Over time these activities became more formalized and, with the founding of The Institute of Internal Auditors (IIA), the practice of internal auditing began evolving into a profession. 2. The six components of The IIA’s International Professional Practices Framework (IPPF) are: • • • • • • The Definition of Internal Auditing. The Code of Ethics. The International Standards for the Professional Practice of Internal Auditing (Standards). Practice Advisories. Position Papers. Practice Guides. The first three components listed above constitute mandatory guidance; the last three constitute strongly recommended guidance. 3. The purpose of the Code of Ethics is to promote an ethical culture in the practice of internal auditing. The Code sets appropriate aspirations for which internal auditors should strive to achieve and the behavioral expectations auditors should meet in providing internal audit services. 4. The four principles of the Code of Ethics are: • • • • Integrity. Objectivity. Confidentiality. Competency. The principles express the four ideals internal audit professionals should aspire to maintain in conducting their work and represent the core values that internal auditors must uphold to earn the trust of those who rely on their services. 5. “The purpose of the Standards is to: 1. Delineate basic principles that represent the practice of internal auditing. 2. Provide a framework for performing and promoting a broad range of value-added internal auditing. 3. Establish the basis for the evaluation of internal audit performance. 4. Foster improved organizational processes and operations.” (Introduction to the Standards) Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA IS2-1 CHAPTER 2 THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION Illustrative Solutions The Attribute Standards address the characteristics of organizations and individuals performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be measured. 6. In consulting services, the service relationship is generally between users (customers) who have direct involvement in the process, system, or subject matter and the provider (auditor/consultant). In assurance services, there are typically three (or more) parties involved: (1) the auditor, (2) the person or group directly involved with the process, system, or subject matter, and (3) the person or group relying on the auditor’s assessment. As the “contracting” process is more direct in consulting, with the user/customer and provider able to work together to make sure the user’s needs are met by the engagement, less detailed standards are necessary. In assurance services, the user is typically distant from the engagement process and may, in some cases, not even be known. Having established standards allows the needs of all three groups to be balanced. The nature of this three-party relationship also requires the auditor to have control over the engagement as the auditor is responsible for balancing the needs of the other two parties. 7. The Glossary to the Standards defines independence and objectivity as follows: Independence — The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. Objectivity — An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to others. It is important to note that independence and objectivity are two distinct, yet interrelated, concepts that are fundamental to providing value-adding internal audit services — the internal audit function must be independent and individual internal auditors must be objective. Whereas independence is an attribute of the internal audit function, objectivity is an attribute of the individual auditor. 8. The Performance Standards, which describe the nature of internal audit services and the criteria against which the performance of these services can be assessed, are divided into seven main sections: 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Senior Management’s Acceptance of Risks Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA IS2-2 CHAPTER 2 THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION Illustrative Solutions 9. The Standards apply to all internal audit functions in many types of organizations and environments. They represent the broad attributes and practices that must be followed for internal audit services to be effective. Practice Advisories, on the other hand, are not mandatory and are much more specific. They represent specific best practices or practices applicable to only certain industries. Practice Advisories tend to change more frequently than the Standards. 10. The Professional Practices Advisory Council is responsible for coordinating the initiation, development, issuance, and maintenance of the authoritative guidance that makes up the IPPF. 11. Organizations, other than The IIA, that promulgate guidance that is pertinent to internal auditors include, for example: • • • • • • • • • • • The U.S. Government Accountability Office (GAO) issues issued standards for governmental audits in the United States. Like the United States, most countries have established standards for audit of governmental entities and contracts. ISACA (previously known as the Information Systems Audit and Control Association), provides detailed and specialized guidance about auditing computerized information systems. The Board of Environmental, Health, and Safety Auditor Certifications (BEAC), which develops Standards for the Professional Practice of Environmental, Health, and Safety Auditing to address the needs of environmental, health, and safety audit professionals. The U.S. Public Company Accounting Oversight Board (PCAOB) and the American Institute of Certified Public Accountants (AICPA) set the standards for audits of companies’ financial statements in the United States. The International Auditing and Assurance Standards Board (IAASB), which is a part of the International Federation of Accountants (IFAC), issues international audit standards adopted by a number of countries. The International Standards Organization (ISO) sets standards for quality and environmental audits. Standards Australia promulgates standards for risk management and governance processes. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has issued four frameworks pertaining specifically to internal control and risk management. The Society of Corporate Compliance and Ethics (SCCE) provides guidance for ethics and compliance practitioners. The Health Care Compliance Association (HCCA) provides guidance for compliance professionals specifically operating in the healthcare industry. The Basel Committee on Banking Supervision has specific requirements (referred to as Basel 1 and Basel 2) for internal audits of banking and financial institutions’ risk management and rating systems. Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA IS2-3 CHAPTER 2 THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION Illustrative Solutions Multiple-choice Questions 1. B is the best answer. The introduction to the Standards states that the purpose of the Standards is to provide the basis for measurement of internal audit performance. The Standards are not designed primarily to promote coordination between external and internal audit, although they do require the chief audit executive (CAE) to share information and coordinate activities with other internal and external providers of relevant assurance and consulting services (Standard 2050). The Standards also do not codify existing practice. Instead, they describe internal audit practice as it should be. The Standards do not attempt to establish consistency in internal audit practices but do describe what is necessary to be effective. 2. C is the best answer. The Code, Definition, and Standards are mandatory; the Practice Advisories are not. 3. A is the best answer. Preparation of a divisional manager’s tax return for a fee would be considered a conflict of interest for an internal auditor and thus impair objectivity (rule 2.1). The other activities are permitted under the Code. 4. C is the best answer. This situation would not be a prudent use of the information acquired in the course of the internal auditor’s duties or work and could be detrimental to the legitimate and ethical objectives of the company, thus impairing confidentiality (rule 3.1). The situation does not apply to the principles of integrity or objectivity. Privacy is not one of the principles of the Code. 5. C is the best answer. Due care does not vary because the independent outside auditor is going to look at the workpapers. The factors in the other choices would all be part of what needs to be considered to determine due care (see 1220.A1). 6. D is the best answer. Standard 1130.A1 states that objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the auditor was responsible within the previous year. The actions depicted in the other choices do not impair the internal auditor’s objectivity. 7. D is the best answer. Each of the three items listed is a component of the Standards. 8. B is the best answer. Standard 1220.A1 states that “Internal auditors must exercise due professional care by considering the: • • • • • 9. Extent of work needed to achieve the engagement’s objectives; Relative complexity, materiality, or significance of matters to which assurance procedures are applied; Adequacy and effectiveness of governance, risk management, and control processes; Probability of significant errors, fraud, or noncompliance; and Cost of assurance in relation to potential benefits.” A is the best answer. A new Position Paper requires a 30-day exposure period to local IIA institutes. A new Practice Advisory requires no exposure period. A new standard requires a 90-day public exposure period. A new definition in the Standards glossary is considered part of the Standards and requires a 90-day exposure period. Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA IS2-4 CHAPTER 2 THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION Illustrative Solutions 10. D is the best answer. Standard 2110.A2 states that “The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.” Discussion Questions 1. The importance of promulgated standards to the internal audit profession is reflected in the stated purpose of the Standards. The Introduction to the Standards states that their purpose “is to: 1) Delineate basic principles that represent the practice of internal auditing. 2) Provide a framework for performing and promoting a broad range of value-added internal auditing. 3) Establish the basis for the evaluation of internal audit performance. 4) Foster improved organizational processes and operations.” The Attribute Standards address the characteristics of organizations and individuals performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be measured. 2. a. The purpose of the Code of Ethics “is to promote an ethical culture in the profession of internal auditing.” “A code of ethics is necessary and appropriate to the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk management, and control.” b. As described in the chapter text, the Principles express the four ideals internal auditors should aspire to maintain in conducting their work and represent the core values that internal auditors must uphold to earn the trust of those who rely on their services. The Rules of Conduct “describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.” c. The “Code of Ethics applies to both entities and individuals that perform internal audit services.” d. “For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to The Institute’s Bylaws and Administrative Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.” 3. The Code of Ethics and the Attribute Standards are intertwined to a degree in that both cover necessary attributes of the individual auditor. The attributes of objectivity and competence are addressed in both, whereas the attributes of integrity and confidentiality are directly addressed only in the Code. The Attribute Standards go beyond the attributes of the individual auditor and also set out necessary attributes of the audit function (or team). The Performance Standards address the management of the internal audit function, the nature of internal audit work, and the performance of the specific engagement. 4. The participation of the CAE in a company’s stock option plan is not typically considered to be a situation that would impair his or her objectivity. The rationale is that such participation should not create a conflict between the interests of the organization and the duties of the CAE in the long run. Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA IS2-5 CHAPTER 2 THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION Illustrative Solutions Recent surveys indicate that a large percentage of CAEs currently receive stock options as part of their compensation package. However, it could be argued that short-term conflicts of interest could occur. For example, the CAE may have incentive to delay disclosing bad news about the company to the board until the options are exercised. This question has been debated more frequently in recent years and the authors believe the trend may move toward removing stock options from CAEs’ compensation packages. 5. a. In this situation, the internal auditors are performing the actual accounting function for the organization. Making the accounting entries should be the responsibility of accounting. In doing this work, the internal auditor’s objectivity would be considered impaired. b. The internal auditor is not performing the independent verification control of reconciling the monthly bank statements; this is being done by a staff accountant. The internal auditor is testing whether the control is operating effectively, which is an appropriate internal audit task. Accordingly, the internal auditor’s objectivity would not be considered impaired. 6. a. “Providing a formal, written internal audit charter is critical in managing the internal audit activity. The internal audit charter provides a recognized statement for review and acceptance by management and for approval, as documented in the minutes, by the board. It also facilitates a periodic assessment of the adequacy of the internal audit activity’s purpose, authority, and responsibility, which establishes the role of the internal audit activity. If a question should arise, the internal audit charter provides a formal, written agreement with management and the board about the organization’s internal audit activity.” b. The internal audit charter should clearly define the internal audit activity’s purpose, authority, and responsibility. 7. a. Relevant standards include: • • 1210: Proficiency. This standard states that “Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.” 1210.A1. This standard states that “The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.” b. Relevant practice advisories include: • Practice Advisory 1210-1: Proficiency. This practice advisory states that “The CAE may obtain assistance from experts outside the internal audit activity to support or complement areas where the internal audit activity is not sufficiently proficient.” • Practice Advisory 1210.A1-1: Obtaining External Service Providers to Support or Complement the Internal Audit Activity. This practice advisory provides guidance regarding outside service providers and how they may be used by the internal audit function. Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA IS2-6 CHAPTER 2 THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION Illustrative Solutions Cases Case 1 According to The IIA’s Standards and Code of Ethics, Mr. Eatough should report this situation to the audit committee. Standards 2060 and 2600 are directly pertinent. Standard 2060: Reporting to Senior Management and the Board “The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.” Standard 2600: Resolution of Senior Management’s Acceptance of Risks “When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.” Other applicable standards include: Standard 1110.A1: “The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.” Standard 2440: Disseminating Results “The chief audit executive must communicate results to the appropriate parties.” Applicable Code of Ethics rules include: “1.2 Shall observe the law and make disclosures expected by the law and the profession.” “1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.” “2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.” Mr. Eatough fulfilled his professional obligation if he complied with the Standards and the Code of Ethics. Mr. Eatough did in fact properly report this situation to the audit committee. He was fired and sued for wrongful dismissal. The lawsuit was subsequently settled. Case 2 A. Three relevant Code of Ethics rules: “1.1 Shall perform their work with honesty, diligence, and responsibility.” “1.2 Shall observe the law and make disclosures expected by the law and the profession.” “2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.” Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA IS2-7 CHAPTER 2 THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION Illustrative Solutions Students may make the case that other rules apply as well: “4.2 Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.” “2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.” Students may express different points of view but it ultimately comes down to the internal auditor’s responsibilities. One point of view is that this situation involves manipulation of the financial statement and thus should be reported to the audit committee as a potential fraud. However, other students should recognize that this is not so clear. Mark is not performing an external audit of the financial statements, which means that, unless he is doing this work as part of an arrangement with the external auditors as support for their work, he may not have sufficient appropriate evidence or the perspective needed to draw valid conclusions about the effects of his inventory and accounts receivable findings on the financial statements. The valuation of inventory and accounts receivable is the responsibility of management and not the internal audit function unless specifically stated as an engagement objective. This is different than the case for external auditing in which the audit’s objective is to express an opinion on the fairness of the financial statements (including significant estimates made by management). However, Mark does have a responsibility to report significant deficiencies in controls that come to his attention during the engagement. Such deficiencies include, for example, the lack of clear policy criteria for determining inventory obsolescence and accounts receivable write-offs and who should be making these decisions. B. There are several things that Comstock’s management and/or the internal audit function might have done to reduce the risk of such a situation arising. These include, for example: • The establishment of clearer accounting policies regarding inventory and accounts receivable estimates. • Stronger senior management leadership, or tone at the top, in terms of communicating policies, reinforcing the importance of adhering to the policies, and holding management personnel accountable for complying with the policies. • The establishment of a financial disclosure committee responsible for addressing and resolving issues of this nature. • Clear statements in the company’s code of ethics regarding employees’ responsibilities for communicating potentially inappropriate behavior or actions. • A CAE with sufficient appropriate accounting and auditing expertise to properly evaluate the situation. • Better communication between the internal audit function and the independent outside audit firm. • An internal audit policy on how to handle disagreements between the internal audit function and auditees. The policy might include, for example, a provision that the CAE is responsible for making final decisions regarding the resolution of disagreements when they occur. • More careful scheduling of internal audit engagements. Conducting this engagement at the same time that management was closing the books and preparing the financial statements significantly Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA IS2-8 CHAPTER 2 THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION Illustrative Solutions hampered management’s capacity to thoughtfully address the issues raised and take appropriate corrective action in a timely manner. C. Student responses regarding what they would do if they found themselves in Mark’s position will vary. The most practical response is to issue a report that includes one or more observations regarding the significant control deficiencies without stating that there should be an accounting adjustment (this is up to management and the external auditor to resolve). If this course of action is taken, the CAE should communicate the control deficiencies to the audit committee and recommend that the chief financial officer (CFO) or controller review the accounting estimates. Mark also could request a meeting with the CAE to ensure that she is properly informed about the accounting and control issues, the ethical dilemma he is facing, and the problems he is having working with the auditee to resolve the issue. He might also ask the CAE to set up a meeting with the auditee to address the problem and determine whether a “meeting of the minds” about how to resolve the problem might be reached. The CAE is ultimately responsible for deciding what actions the internal audit function will take. Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA IS2-9