2013-2014 Page 1 of 4

Core Markers Comment Sheet

Course Name: Internal Auditing and Controls (MU1)
Assignment: 2
Modules: 3 and 4

General Comments

Core Markers Comments are not full solution sets to the questions. Rather, they are
intended to provide students with guidance in responding to each of the assignment
questions by providing direction as to where the questions responses can be found within
the readings/textbook (i.e., topic location); clarification/direction on complex readings; layout
and format suggestions; and from time to time, segments of the solution sets.

If you have any comments or suggestions for improvements of these markers comment
sheets, please forward them to your marker or CGA-BC. Your feedback is important to us.

Module 3 covered the topics of risk management, control frameworks and governance. The
topic considered the role of management and of the internal auditors with respect to the
organizations risk management processes. The Canadian CoCo control framework was
introduced, as was the American COSO framework and readings demonstrated how these
frameworks were used by internal auditors in evaluating their organizations risk
management and control processes. The module concluded with a discussion of the hot
topic of corporate governance and the role of the audit committee in the post-Enron era.

Module 4 covered the planning phase of internal auditing, considering in turn the long-term
and short-term audit planning processes as well as the process for planning a specific
internal auditing engagement. The module concluded with the first of three instalments of
the Connon Chemicals case study.


Question 1 (20 marks)

1. The correct answer is a. The implementation of enterprise risk management should
reduce operational surprises, resulting in an alignment of risk appetite and strategy,
and will likely improve deployment of capital. It does not, however, guarantee
achievement of objectives and it could result in an increase in the cost of controls (but
with benefits exceeding the increased cost).

2. The correct answer is b. Internal auditing is not considered a component of
enterprise risk management but monitors the organizations enterprise risk
management program.

3. The correct answer is a. This is the action recommended by the IIA Standards.


2013-2014 Page 2 of 4
4. The correct answer is a. These are the components of control objectives identified by
COSO.

5. The correct answer is b. This is the definition set out by COSO.

6. The correct answer is c. The consequences of an event going wrong are its impact
on the organizations ability to achieve its objectives.

7. The correct answer is a. Audit programs are developed as the last step in the
planning stage of the specific audit engagement.

8. The correct answer is d. The first three items may impact which audits are conducted
and how many can be done in any specific year but do not affect the risk rankings.
Usually after an audit has been completed, both the inherent risk and the potential
benefit of another audit will be lower so that the risk ranking for that particular element
of the audit universe will be lower than in the previous year. .

9. The correct answer is a. Ideally, the annual audit plan should be approved by the
board of directors on the recommendation of the audit committee.

10. The correct answer is a. Sources of supply pose an external inherent risk. The other
items listed are examples of internal inherent risk considerations.


Question 2 (25 marks)

This question is based on material found in Topic 3.1.

To answer this question, you were required to identify the risks faced by a particular
company in a case context and indicate how you would expect the company to reduce the
risks to an acceptable level. To get full marks for the question, you were expected to identify
about half of the possible risks identified by the suggested solution. Some of the risks were
quite general and would apply to almost all companies. They include the possibility of
incorrect financial information for internal decision making, incorrect financial information for
external reporting, fraud, etc. Other risks would apply to most, but not all, companies.
These would include credit risk, competition, and quality control over finished products.
Other risks were quite specific to the circumstances of the company. Examples include
accidents caused by logging trucks, potential loss of timber licenses due to non-compliance
with government regulations, exchange rate exposure on accounts receivable and long-term
debt, obsolescence of equipment, etc. (Markers were instructed to recognize that students
are not expected to be experts in the risks faced by specific companies and they should be
generous in awarding marks for answers that reflected critical thinking skills.)

Your answer should have indicated the appropriate action that you would expect the
company to take with respect to each of the controls identified. Such actions include various
controls, appropriate training, insurance, market research, hedging of foreign exchange and

2013-2014 Page 3 of 4
interest rate exposures, quality control processes, engineering research, fire prevention
programs and credit insurance.

Again 1 mark was awarded for the format, clarity, and persuasiveness of your presentation.
The answer could have been presented in the form of a table within a properly prepared
memo.


Question 3 (27 marks)

This question is based on material found in Topics 4.3, 4.4 and 4.5.

This question invites students to demonstrate their familiarity with long-term audit planning
and to describe the application of a risk-based assessment model for audit planning in the
chemical industry, which always operates in a delicate risk environment. Although answers
will vary in approach, the various components outlined below should all appear in a
recognizable form in the answer provided.

a) Students should state that any audit planning must take into account ethical values and
consider the community in which the company operates.

b) The answer should include consideration of how to define the audit universe for RBD in
such a way as to ensure that all of its activities are considered for audit attention during
the planning process.

c) Students should discuss how a risk assessment is conducted to attempt to assess the
controllability, likelihood, and impact associated with the risks faced by the company.
Consideration can be given to seeking input from management in conducting the
assessment but the final evaluation is the responsibility of the internal audit department.

d) Answers should explicitly state that risk is the product of likelihood and impact and that
controllability and the potential for the audit to provide real benefits to the company must
also be taken into account when ranking elements of the audit universe for purposes of
long-term audit planning.

e) Students should briefly outline how the results of the risk assessment are used to
determine the frequency of audits of the various units of the company.

The second part of the answer addresses the use of a risk-assessment matrix and should
discuss the steps involved:
identifying the units to be ranked;
obtaining input to assess the controllability, likelihood and impact to the risks
facing each unit;
converting the assessment to numerical values;
determining the overall risk rating for each unit;
ranking the units from highest to lowest risk;

2013-2014 Page 4 of 4
developing an audit plan to focus audit attention on those areas with the
highest combinations of risk and potential benefit to the company.

As usual, up to 2 marks were awarded for the format, clarity, and persuasiveness of your
presentation.


Question 4 (28 marks)

This question is based on material found in Topics 4.7 and 4.8.

You were asked to address the first six steps in the engagement planning process. Your
answer should have considered each of the following in turn:
1. Obtaining specific knowledge of the unit to be audited
2. Establishing the objectives and scope of the audit
3. Designing an overall audit methodology
4. Setting audit criteria
5. Preparing staffing plans and time budgets
6. Communicating with the management of the unit to be audited.
The seventh step, preparing the audit program, was specifically excluded from the question.

The following, covering the step of setting appropriate audit criteria, is taken from the
marking key to give you an indication of the type of answer that was expected:

Setting audit criteria (9 marks)
Criteria are reasonable standards against which systems and practices can be assessed.
Students answers should identify sources of criteria and provide concrete examples, as
explicitly required by the question. Sources of criteria include nutrition standards, health
standards, mandates, labour laws and regulations, college policies and procedures, and
so on. Some criteria may emerge from discussions with college management, food
services management, and food services users.

Obviously, there are no generally accepted criteria covering all aspects included in the
audit, and answers should stress the need to obtain criteria acceptable to both the
auditor and the management of the food services unit. Illustrative criteria may include:
Provision of a range of meals acceptable to an ethnically diverse campus population
Provision of food meeting agreed nutrition standards
Achieving or surpassing relevant standards for sanitation and cleanliness
Achieving or surpassing relevant labour standards
Attaining a rating of acceptable or better in quality and satisfaction surveys taken
among users of the food services
Having a suitable budgeting and cost control system in place and working effectively
Selling prices at or below other campus food service providers and/or those of other
nearby campuses
Attaining financial and other targets mandated by the College Board