IIA Updated IIA-CIA-Part2 Exam Questions and Answers by elora

Given the situation where a system error prevents the engagement supervisor from adding her electronic signature to the workpapers, the most appropriate response to provide evidence of supervisory review is to print, sign, and date each workpaper after the review is complete, and then scan the document into the database as evidence of review. This ensures that there is a clear and traceable record of the supervisory review process, which is crucial for maintaining the integrity and reliability of the audit documentation.

Printed Documentation: Printing the workpapers provides a physical copy that can be signed and dated, serving as a tangible record of the review.

Signature and Date: The supervisor's signature and date indicate the completion of the review process and provide accountability.

Scanning into Database: Scanning the signed documents back into the electronic workpaper database ensures that the evidence of review is stored in the system of record, maintaining consistency and accessibility.

This method upholds the standards of documentation and supervisory review, ensuring compliance with internal audit policies and procedures.

References:

The Institute of Internal Auditors (IIA) Standards

IIA Practice Advisory: Documenting Information

Combining observations into one reported finding can be appropriate when they were noted during the same audit and the action plan has a common owner. In this case, the failure of both the financial reporting function and the AR staff to perform reconciliations regularly is interconnected and points to a systemic issue under the responsibility of the controller. Addressing these issues together can provide a more comprehensive view of the control deficiencies and facilitate more effective remediation. References:

The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), specifically Standard 2410 - Criteria for Communicating.

The IIA’s Practice Advisory on Communicating Results.

When an internal auditor identifies a potential significant weakness in a control and management does not agree with the assessment, the appropriate next step is to perform additional audit work to better articulate the risk. This means gathering more evidence, conducting further analysis, and providing clearer examples of how the weakness could impact the organization. By doing this, the auditor can better communicate the potential consequences and severity of the risk to management, increasing the likelihood of reaching a mutual understanding and agreement on the necessary actions.

References:

The Institute of Internal Auditors (IIA) Practice Guide: Communicating Risk and Control Information

IIA Standard 2310 - Identifying Information

IIA Standard 2410 - Criteria for Communicating

Adding invoices to the computer program to assess the reliability and effectiveness of the review process and whether controls work best describes an internal auditor's use of test data. This approach involves introducing test data into the system to evaluate how well the system processes invoices and whether it effectively identifies and prevents questionable invoices from being processed for payment.

References:

IIA Standards: 1220.A2 - Proficiency and Due Professional Care

IIA Practice Guide: Use of Technology in Auditin