Mu1 Mod4 Corecomments 2013 2014

MU1 Core Marker Comments Assignment Two

  • 2013-2014 Page 1 of 4

    Core Markers Comment Sheet

    Course Name: Internal Auditing and Controls (MU1)
    Assignment: 2
    Modules: 3 and 4

    General Comments

    Core Markers Comments are not full solution sets to the questions. Rather, they are intended to provide students with guidance in responding to each of the assignment questions by providing direction as to where the questions' responses can be found within the readings/textbook (i.e., topic location); clarification/direction on complex readings; layout and format suggestions; and, from time to time, segments of the solution sets.

    If you have any comments or suggestions for improvements of these markers comment sheets, please forward them to your marker or CGA-BC. Your feedback is important to us.

    Module 3 covered the topics of risk management, control frameworks and governance. The topic considered the role of management and of the internal auditors with respect to the organization's risk management processes. The Canadian CoCo control framework was introduced, as was the American COSO framework, and readings demonstrated how these frameworks were used by internal auditors in evaluating their organization's risk management and control processes. The module concluded with a discussion of the hot topic of corporate governance and the role of the audit committee in the post-Enron era.

    Module 4 covered the planning phase of internal auditing, considering in turn the long-term and short-term audit planning processes as well as the process for planning a specific internal auditing engagement. The module concluded with the first of three instalments of the Connon Chemicals case study.

    Question 1 (20 marks)

    1. The correct answer is a. The implementation of enterprise risk management should reduce operational surprises, resulting in an alignment of risk appetite and strategy, and will likely improve deployment of capital. It does not, however, guarantee achievement of objectives and it could result in an increase in the cost of controls (but with benefits exceeding the increased cost).

    2. The correct answer is b. Internal auditing is not considered a component of enterprise risk management but monitors the organization's enterprise risk management program.

    3. The correct answer is a. This is the action recommended by the IIA Standards.


    4. The correct answer is a. These are the components of control objectives identified by COSO.

    5. The correct answer is b. This is the definition set out by COSO.

    6. The correct answer is c. The consequences of an event going wrong are its impact on the organization's ability to achieve its objectives.

    7. The correct answer is a. Audit programs are developed as the last step in the planning stage of the specific audit engagement.

    8. The correct answer is d. The first three items may impact which audits are conducted and how many can be done in any specific year but do not affect the risk rankings. Usually after an audit has been completed, both the inherent risk and the potential benefit of another audit will be lower so that the risk ranking for that particular element of the audit universe will be lower than in the previous year.

    9. The correct answer is a. Ideally, the annual audit plan should be approved by the board of directors on the recommendation of the audit committee.

    10. The correct answer is a. Sources of supply pose an external inherent risk. The other items listed are examples of internal inherent risk considerations.

    Question 2 (25 marks)

    This question is based on material found in Topic 3.1. To answer this question, you were required to identify the risks faced by a particular company in a case context and indicate how you would expect the company to reduce the risks to an acceptable level. To get full marks for the question, you were expected to identify about half of the possible risks identified by the suggested solution.

    Some of the risks were quite general and would apply to almost all companies. They include the possibility of incorrect financial information for internal decision making, incorrect financial information for external reporting, fraud, etc. Other risks would apply to most, but not all, companies. These would include credit risk, competition, and quality control over finished products. Other risks were quite specific to the circumstances of the company. Examples include accidents caused by logging trucks, potential loss of timber licenses due to non-compliance with government regulations, exchange rate exposure on accounts receivable and long-term debt, obsolescence of equipment, etc. (Markers were instructed to recognize that students are not expected to be experts in the risks faced by specific companies and they should be generous in awarding marks for answers that reflected critical thinking skills.)

    Your answer should have indicated the appropriate action that you would expect the company to take with respect to each of the controls identified. Such actions include various controls, appropriate training, insurance, market research, hedging of foreign exchange and interest rate exposures, quality control processes, engineering research, fire prevention programs and credit insurance.

    Again, 1 mark was awarded for the format, clarity, and persuasiveness of your presentation. The answer could have been presented in the form of a table within a properly prepared memo.

    Question 3 (27 marks)

    This question is based on material found in Topics 4.3, 4.4 and 4.5. This question invites students to demonstrate their familiarity with long-term audit planning and to describe the application of a risk-based assessment model for audit planning in the chemical industry, which always operates in a delicate risk environment. Although answers will vary in approach, the various components outlined below should all appear in a recognizable form in the answer provided.

    a) Students should state that any audit planning must take into account ethical values and consider the community in which the company operates.

    b) The answer should include consideration of how to define the audit universe for RBD in such a way as to ensure that all of its activities are considered for audit attention during the planning process.

    c) Students should discuss how a risk assessment is conducted to attempt to assess the controllability, likelihood, and impact associated with the risks faced by the company. Consideration can be given to seeking input from management in conducting the assessment but the final evaluation is the responsibility of the internal audit department.

    d) Answers should explicitly state that risk is the product of likelihood and impact and that controllability and the potential for the audit to provide real benefits to the company must also be taken into account when ranking elements of the audit universe for purposes of long-term audit planning.

    e) Students should briefly outline how the results of the risk assessment are used to determine the frequency of audits of the various units of the company.

    The second part of the answer addresses the use of a risk-assessment matrix and should discuss the steps involved:

    • identifying the units to be ranked;
    • obtaining input to assess the controllability, likelihood and impact of the risks facing each unit;
    • converting the assessment to numerical values;
    • determining the overall risk rating for each unit;
    • ranking the units from highest to lowest risk;
    • developing an audit plan to focus audit attention on those areas with the highest combinations of risk and potential benefit to the company.

    As usual, up to 2 marks were awarded for the format, clarity, and persuasiveness of your presentation.

    Question 4 (28 marks)

    This question is based on material found in Topics 4.7 and 4.8. You were asked to address the first six steps in the engagement planning process. Your answer should have considered each of the following in turn:

    1. Obtaining specific knowledge of the unit to be audited
    2. Establishing the objectives and scope of the audit
    3. Designing an overall audit methodology
    4. Setting audit criteria
    5. Preparing staffing plans and time budgets
    6. Communicating with the management of the unit to be audited

    The seventh step, preparing the audit program, was specifically excluded from the question. The following, covering the step of setting appropriate audit criteria, is taken from the marking key to give you an indication of the type of answer that was expected:

    Setting audit criteria (9 marks)

    Criteria are reasonable standards against which systems and practices can be assessed. Students' answers should identify sources of criteria and provide concrete examples, as explicitly required by the question. Sources of criteria include nutrition standards, health standards, mandates, labour laws and regulations, college policies and procedures, and so on. Some criteria may emerge from discussions with college management, food services management, and food services users. Obviously, there are no generally accepted criteria covering all aspects included in the audit, and answers should stress the need to obtain criteria acceptable to both the auditor and the management of the food services unit. Illustrative criteria may include:

    • Provision of a range of meals acceptable to an ethnically diverse campus population
    • Provision of food meeting agreed nutrition standards
    • Achieving or surpassing relevant standards for sanitation and cleanliness
    • Achieving or surpassing relevant labour standards
    • Attaining a rating of acceptable or better in quality and satisfaction surveys taken among users of the food services
    • Having a suitable budgeting and cost control system in place and working effectively
    • Selling prices at or below other campus food service providers and/or those of other nearby campuses
    • Attaining financial and other targets mandated by the College Board
