EMU1D11 CGA-Canada, 2011 Page 1 of 7

CGA-CANADA

INTERNAL AUDITING & CONTROLS [MU1] EXAMINATION
December 2011
Marks Time: 4 Hours
Note:
The questions in this examination test the knowledge, skills, and professional values demonstrated in this course. Marks are given for reasoned
and persuasive arguments, and for clarity and impact of presentation. You must provide practical illustrations for the use of concepts and
analytical methods in the circumstances described in each question. Read the specific requirements of each question carefully, and ration your
time across all questions.

22 Question 1
Select the best answer for each of the following unrelated items. Answer each of these items in your
examination booklet by giving the number of your choice. For example, if the best answer for item (a)
is (1), write (a)(1) in your examination booklet. If more than one answer is given for an item, that item will
not be marked. Incorrect answers will be marked as zero. Marks will not be awarded for explanations.

Note:
2 marks each

a. The term operational auditing refers to which of the following?
1) Management performance evaluation
2) The auditing of risk management and control processes
3) The auditing of attributes related specifically to effectiveness, efficiency, and economy
4) Compliance auditing on all operations across the organization

b. Which of the following areas of work are listed in the definition of internal auditing and the
Performance Standards for internal auditors?
1) Compliance, risk management, controls, governance
2) Effectiveness, economy, compliance, efficiency
3) Economy, effectiveness, efficiency
4) Risk management, controls, governance

c. What is another term for residual risk?
1) Inherent risk
2) Current risk
3) Remainder risk
4) Internal control risk

d. Which of the following is true?
1) An annual audit plan must, at a minimum, cover the total spectrum of an activity selected to be
audited.
2) Business acquisition is an activity that is typically included in the long-term audit plan.
3) The risk attribute for each auditable entity does not normally change from year to year.
4) Most of the audits in a short-term audit plan are taken from the long-term audit plan.





Continued...
EMU1D11 CGA-Canada, 2011 Page 2 of 7
e. Which of the following is a characteristic of a marketing audit?
1) The audit encompasses many marketing functions.
2) The audit focuses exclusively on pricing or product development.
3) The audit is periodic.
4) The audit is rigid, similar to a regimented accounting audit.

f. Performing analytical procedures to identify indicators of excessive inventory is an audit procedure of
which of the following types of audit?
1) Marketing audit
2) Purchasing audit
3) Comprehensive audit
4) Value-for-money audit

g. Which of the following is the most important aspect of total quality management?
1) Promoting
2) Communicating
3) Cost cutting
4) Benchmarking

h. Which of the following has a particularly significant ripple effect on costs of operation, earnings
performance, and ultimately, the value of the firm for manufacturing operations?
1) Marketing
2) Purchasing
3) HR management
4) Treasury

i. Which of the following concerning the public sector is true?
1) Governance and accountability in the public sector are more complex than they are in the private
sector.
2) Improved value for money can be achieved by increasing the complexity of operations.
3) When establishing or assessing audit objectives and scope, significance and risk should be
assessed separately.
4) In Canada, the federal, provincial, and municipal governments are the only guardians of public
funds for delivering programs and services.

j. What are performance audits in not-for-profit (NFP) organizations more commonly referred to as?
1) Efficiency audits
2) Value-for-money audits
3) Functional audits
4) Program management audits

k. Which of the following is true concerning the Treasury Board of Canadas policies for internal audit
for the Government of Canada?
1) When SDAs (small departments and agencies) conduct an internal audit, the audit work is subject
to review by the deputy head prior to the audit being finalized.
2) Deputy heads of departments remain fully responsible for the adequacy of internal audit coverage
in their departments.
3) The auditor general is responsible for ensuring horizontal and sectoral audits.
4) Independent audit committees will include competent and experienced members drawn from
government and crown corporations external to the unit under audit.


Continued...
EMU1D11 CGA-Canada, 2011 Page 3 of 7
22 Question 2
Lite-Tech is a lighting distribution company with administrative offices located in Toronto and Calgary.
Its main products are commercial light fixtures. The lights are purchased from China and sold to retailers
in North America. The company has 6 distribution centres located throughout Canada and the United
States.

A year and a half ago, senior administration decided to implement an information technology (IT) system
at all distribution centres to address concerns regarding inventory management. The main advantage of the
system was that it would allow sales staff easy access to inventory information such as product
availability. The system would consolidate inventory information from the 6 locations and automatically
re-order inventory once a certain threshold was reached. This would make cash flow management much
more efficient as items would only be re-ordered when necessary.

The IT system was an off-the-shelf software customized to Lite-Techs needs. The software vendor gave
in-house training to Lite-Tech staff during the implementation stage. The vendor trained 2 Lite-Tech staff
members to be the key support contacts at each of the distribution centres. The staff members chosen for
this task had only minimal IT experience. Since the implementation, the software vendor has been bought
out twice by other companies and the level of support available from the vendor has significantly
decreased. In addition, 4 of the trained Lite-Tech staff members have left the company because of the
stress of dealing with the demands of the IT system, and they have not been replaced.

At the time of implementation, all staff members were granted access to the system. This essentially gave
purchasing power to all staff at Lite-Tech. Access to the system was supposed to be limited shortly after
implementation; however, to date this has not been changed. Recently, complaints from the sales staff
regarding the accuracy of inventory data in the system have prompted the president of Lite Tech to request
a review of the IT system and its controls. The objective of the review is to determine if any risks or issues
exist with the system and, if so, to determine the impact of the risks and to recommend improvements. The
chief audit executive (CAE) felt that his staff lacked the necessary skills to complete this mandate and has
hired you, a CGA, to conduct the review.

You have met with several of the key staff who interact with the system on a daily basis and gathered the
following information:
Reports used by sales staff require manual intervention to provide desired information, as system data is
not reliable.
The accuracy of inventory data is uncertain as there have been instances of items indicated as being in
stock that are in fact not available.
A review of purchases in the system indicate multiple orders of the same product.
Synchronization between the inventory data at the 6 locations has never been verified.

Required
17 a. Write a memo for the review requested by the CAE.

Note:
4 marks for clarity, logic and persuasiveness

5 b. Explain whether the CAE was correct in assuming that a CGA would have the necessary skills and
knowledge to complete this mandate. Justify your answer.







Continued...
EMU1D11 CGA-Canada, 2011 Page 4 of 7
22 Question 3
Quebecare is a health care network operating 10 hospitals in the greater Montreal area. Operating revenue
in 2011 of $500 million was almost exclusively from government sources. An additional $100 million was
received from the government and private donations to upgrade the facilities and to carry out necessary
deferred maintenance. Quebecare has a large facilities development (FD) department to handle any
building and maintenance projects.

All workers in the FD are members of a union. Their work arrangement is specified in the collective
agreement approved by their union and the hospital administration. Under the collective agreement,
workers in FD work 8 hours a day with a 1-hour lunch break. The regular salary is paid through routine
payroll. Overtime work is occasionally required when there is an emergency or when there is an obligation
to meet a deadline. The collective agreement stipulates that overtime shall be calculated daily. The first
4 hours of overtime are paid at 1.5 times the normal pay rate, and subsequent overtime is paid at double
the normal pay rate. Workers can request the overtime hours to be paid out in their next pay cheque or to
be put in a time bank to be taken as time off at a later date. Workers manually record their overtime hours
on a daily timecard and give them to their supervisors for approval and subsequent data entry into the
payroll system. Quebecare charges the regular salary of FD staff to its central operating budget. However,
the organization requires individual hospitals to absorb overtime cost into their respective budgets.
Therefore, timecards also record the job to which the overtime is charged in order to recover labour cost
from the hospitals.

In an effort to make the hospital network more efficient and accountable to government, the director of the
network has requested you, the chief audit executive (CAE), to evaluate the controls in FD, particularly its
payroll management. The following tables provide information regarding overtime recorded for the month
of November 2011.

EMPLOYEE
EMP_ID EMP_FNAME EMP_LNAME POSITION
101 Ali Awad Plumber
102 Brian Bean Electrician
103 Cathy Chan Landscaper
104 Hugh Holmes Carpenter
105 Kim Kan Plumber
106 Steve Short Electrician
107 Tim Tom Painter

EMP_ID: A unique number for each employee
EMP_FNAME: First name of the employee
EMP_LNAME: Last name of the employee
POSITION: Job position of the employee













Continued...
EMU1D11 CGA-Canada, 2011 Page 5 of 7
JOB
JOB_ID JOB_TITLE BEGIN_DATE CLOSED_DATE
1029 Installing new lighting fixture
in waiting room #215
12/1/2009
1077 Replacing burst pipes in main
kitchen
3/1/2010 3/19/2010
2568 Installing cabinets in new
director office #301
10/27/2011 11/7/2011
2582 Restoring electric supply in
operating room #245
11/1/2011
2591 Painting walls in west wing
level 5
11/11/2011
2604 Stopping leak in laundry
facility
11/23/2011 11/24/2011

JOB_ID: A unique number for each job opened
JOB_TITLE: A description of the job
BEGIN_DATE: The date when the job is initiated
CLOSED_DATE: The date when the job is closed in the system; the job is either completed or terminated

OVERTIME
OT_ID OT_DATE OT_HOUR OT_FACTOR JOB_ID EMP_ID
3001 11/1/2011 4 1.5 1029 102
3002 11/7/2011 3 1.5 1077 101
3003 11/7/2011 3 1.5 1029 102
3004 11/7/2011 4 1.5 2568 104
3005 11/14/2011 2 1.5 2591 107
3006 11/14/2011 2 1.5 2604 103
3007 11/15/2011 4 1.5 2591 107
3008 11/15/2011 6 2 2591 107

OT_ID: A unique number for each record of overtime to be paid out
OT_DATE: The date when overtime work was performed
OT_HOUR: Total number of overtime hours worked
OT_FACTOR: The factor applied to the overtime hours in accordance with the collective agreement
JOB_ID: ID of the job to which the overtime was charged
EMP_ID: ID of the employee who worked the overtime

TIMEBANK
AOT_ID AOT_DATE AOT_HOUR AOT_FACTOR JOB_ID EMP_ID
4001 11/7/2011 4 1.5 2568 104
4002 11/7/2011 4 1.5 2604 105

AOT_ID: A unique number for each record of overtime to be accumulated in the time bank
AOT_DATE: The date when overtime work was performed
AOT_HOUR: Total number of overtime hours worked
AOT_FACTOR: The factor applied to the overtime hours in accordance with the collective agreement
JOB_ID: ID of the job to which the overtime was charged
EMP_ID: ID of the employee who worked the overtime


Continued...
EMU1D11 CGA-Canada, 2011 Page 6 of 7
Required
12 a. Using the information provided, describe the procedures that you would employ using an analytical
software tool such as ACL to fulfill the directors request. State the conclusions that you would reach
as a result of these procedures.

6 b. Identify control weaknesses and their impact on operations for the payroll overtime payment process,
and provide recommendations on how they can be addressed.

4 c. Describe the common steps performed by auditors to analyze data using any generalized audit
software.

34 Question 4
Pelham University is a not-for-profit organization comprised of several faculties with 10,000 students and
an administrative and academic staff of 4,300. The administrative units perform various important
functions to ensure the ongoing operation of the university.

Recently, the internal audit (IA) department had been mandated to audit the department of financial
services, which is a subunit of the office of the vice president (VP) of administration and finance. At the
last audit committee meeting, over 2 months ago, the chief audit executive (CAE) reported that the audit
work was substantially complete and a draft report had been issued to the director of financial services.
The IA department was awaiting a response and an estimated timeframe for implementation of corrective
actions from the auditee. There have been delays in issuing the audit report due to the auditees
misinterpretation of its role regarding the audit report. The CAE does not want to issue the report prior to
receiving the auditees input regarding audit observations and recommendations. However, the university
president has also expressed her concern regarding the length of time taken to issue the report.

With the next audit committee meeting quickly approaching, the VP of administration and finance felt that
the delay reflected poorly on him, as though he were not reacting to the draft audit report in a timely
manner. As a result, he contacted the CAE to discuss the time being taken to issue the report. The VP
stated that his staff felt that the IA department was not clear in defining what was expected from them. His
staff members were unsure whether they were to verify or refute the audit observations and felt that they
were given no direction. The VP wanted this matter resolved as quickly as possible and directed the CAE
to release the internal audit report prior to the next audit committee meeting. The VP also indicated that
the report would be a determining factor in the director of financial services appointment renewal, which
was due prior to the audit committee meeting. The VP speculated that the delay may have been intentional
on the part of the director as the audit report may have been detrimental to his appointment renewal.

The CAE was concerned by the appearance of an incompetent internal audit department as well as the
allegations made by the VP. As a result, he issued the audit report with incomplete responses from the
auditee. Furthermore, he has mandated you, a CGA and consultant, to review the communication with the
auditee throughout the audit period to determine if there were any deficiencies that could be corrected for
the future. He also provided a summary of the major audit observations (Exhibit 4-1) for your review. The
CAE wants your opinion on whether the audit observations would have had an impact on any decision to
renew the directors employment.

To complete your mandate, you interview the lead auditor responsible for the audit. She indicated that at
the initial meeting with the director of financial services she had been instructed that the contact person
regarding audit matters would be the directors assistant. The lead auditor felt that it should have been the
department manager, but the director insisted that his assistant was the correct person. The audit took
approximately 3 months to complete and during that time the lead auditor met with the assistant only twice
to update her on audit matters and once with the director halfway through the audit. Additional requests
for meetings were refused due to scheduling conflicts according to financial services staff.



Continued...
EMU1D11 CGA-Canada, 2011 Page 7 of 7
Upon completion of the audit work the draft report was compiled and given to the auditee. At that time,
the assistant was instructed that, to complete the audit process, the departments response to the audit
recommendations would be required. Three weeks later, the assistant contacted the lead auditor and
indicated that she had concerns with the accuracy of the observations made in the report and wanted to
review the audit work performed. According to the lead auditor, this was a sign that the assistant did not
have a clear understanding of her role in the audit report process. The lead auditor then scheduled a
meeting with the assistant to explain her role and what was expected to complete the audit report. The
assistant indicated that she would have to report back to the department manager and the director and
obtain both their approvals prior to issuing an official response and plan of corrective actions.

Required
28 a. Write the memo to the CAE. In addition, your memo should present the five objectives of an audit
report and explain how this audit report and the process to issue it did or did not satisfy those
objectives.

Note:
4 marks for clarity, logic and persuasiveness

6 b. Upon reviewing the audit report, the chair of the audit committee contacted the CAE and expressed
her disappointment with the report. The CAE explained the sequence of events that forced the release
of the audit report. Upon hearing his explanation, the chair again expressed her dissatisfaction and
stated the CAE should have discussed the matter with her directly.

Identify any deviations from normal reporting procedures with respect to an internal audit report and
explain why the chair was justified in her disappointment regarding the handling of this audit. In
addition, briefly discuss the appropriateness of the VPs request to issue the report as soon as possible.

EXHIBIT 4-1

Audit observations summary
1. Financial services is responsible for reviewing and approving budget submissions from the
various departments. The approval and allocation of department budgets is not performed in a
timely manner.
2. Allocation of staff in the department is inefficient. Many staff members perform similar and
sometimes overlapping duties.
3. The information system in use does not provide accurate and reliable reports. There were many
errors in the system that required manual intervention to correct.
4. Procurement procedures were not effective as individuals responsible for procurement of goods
and services below $1,500 approve their own transactions. This is allowed based on a university-
wide policy.



END OF EXAMINATION
100


INTERNAL AUDITING & CONTROLS [MU1]
EXAMINATION
















MU1














Before starting to write the examination, make sure that it is complete and that there are no
printing defects. This examination consists of 7 pages. There are 4 questions for a total of
100 marks.

READ THE QUESTIONS CAREFULLY AND ANSWER WHAT IS ASKED.


To assist you in answering the examination questions, CGA-Canada includes the following glossary of terms.
Glossary of Assessment Terms
Adapted from David Palmer, Study Guide: Developing Effective Study Methods (Vancouver: CGA-Canada, 1996).
Copyright David Palmer.

Calculate Mathematically determine the
amount or number, showing
formulas used and steps taken. (Also
Compute).
Compare Examine qualities or characteristics
that resemble each other. Emphasize
similarities, although differences
may be mentioned.
Contrast Compare by observing differences.
Stress the dissimilarities of qualities
or characteristics. (Also Distinguish
between)
Criticize Express your own judgment
concerning the topic or viewpoint in
question. Discuss both pros and
cons.
Define Clearly state the meaning of the
word or term. Relate the meaning
specifically to the way it is used in
the subject area under discussion.
Perhaps also show how the item
defined differs from items in other
classes.
Describe Provide detail on the relevant
characteristics, qualities, or events.
Design Create an outcome (e.g., a plan or
program) that incorporates the
relevant issues and information.
Determine Calculate or formulate a response
that considers the relevant
qualitative and quantitative factors.
Diagram Give a drawing, chart, plan or
graphic answer. Usually you should
label a diagram. In some cases, add
a brief explanation or description.
(Also Draw)
Discuss This calls for the most complete and
detailed answer. Examine and
analyze carefully and present both
pros and cons. To discuss briefly
requires you to state in a few
sentences the critical factors.
Evaluate This requires making an informed
judgment. Your judgment must be
shown to be based on knowledge and
information about the subject. (Just
stating your own ideas is not
sufficient.) Cite authorities. Cite
advantages and limitations.
Explain In explanatory answers you must
clarify the cause(s), or reasons(s).
State the how and why of the
subject. Give reasons for differences
of opinions or of results. To explain
briefly requires you to state the
reasons simply, in a few words.
Identify Distinguish and specify the important
issues, factors, or items, usually based
on an evaluation or analysis of a
scenario.
Illustrate Make clear by giving an example,
e.g., a figure, diagram or concrete
example.
Interpret Translate, give examples of, solve, or
comment on a subject, usually
making a judgment on it.
Justify Prove or give reasons for decisions or
conclusions.
List Present an itemized series or
tabulation. Be concise. Point form is
often acceptable.
Outline This is an organized description. Give
a general overview, stating main and
supporting ideas. Use headings and
sub-headings, usually in point form.
Omit minor details.
Prove Establish that something is true by
citing evidence or giving clear logical
reasons.
Recommend Propose an appropriate solution or
course of action based on an
evaluation or analysis of a scenario.
Relate Show how things are connected with
each other or how one causes another,
correlates with another, or is like
another.
Review Examine a subject critically,
analyzing and commenting on the
important statements to be made
about it.
State Clearly provide a position based on
an evaluation, e.g., Agree/Disagree,
Correct/Incorrect, Yes/No. (Also
Indicate)
Summarize Give the main points or facts in
condensed form, like the summary of
a chapter, omitting details and
illustrations.
Trace In narrative form, describe progress,
development, or historical events
from some point of origin.

SMU1D11 CGA-Canada, 2011 Page 1 of 7
CGA-CANADA

INTERNAL AUDITING & CONTROLS [MU1] EXAMINATION
December 2011
SUGGESTED SOLUTIONS

Marks Time: 4 Hours

Note:
The questions in this examination have been set to test the knowledge, skills, and professional values demonstrated in this course. The
emphasis is much more on a reasoned and persuasive argument, on clarity and impact of presentation, and responding specifically to the case
or situation presented, than on the mere recall of material from the Module Notes or readings.

22 Question 1
Note:
2 marks each

Sources:
a. 3) Topic 1.1 (Level 1)

b. 4) Topic 1.2 (Level 1)

c. 2) Topic 4.3 (Level 2)

d. 4) Topic 4.6 (Level 2)

e. 1) Topic 8.1 (Level 2)

f. 1) Topic 8.2 (Level 1)

g. 4) Topic 8.6 (Level 2)

h. 2) Topic 8.4 (Level 2)

i. 1) Topic 10.1 (Level 1)

j. 4) Topic 10.7 (Level 1)

k. 2) Topic 10.4 (Level 1)












Continued...
SMU1D11 CGA-Canada, 2011 Page 2 of 7
22 Question 2
17 a. Source: Topics 3.3 and 7.3 (Level 1)

MEMORANDUM
To: Johan Birk, CAE
Date: June 1, 2011
From: Melody Smith, CGA
Re: IT Risks
At your request I have reviewed the controls surrounding the IT system. In addition, I have considered
assumptions that were made during the implementation stage as well as conducted interviews with
several of the key staff who interact with the system on a daily basis. This report is a compilation of
the identified issues as a result of the review.

The original intent of the system was to provide easy access to inventory data as well as leverage the
companys buying power to increase the efficiency of cash flow management. However, my review
has revealed errors and inconsistency with the data in the system. Manual intervention is required to
provide useful reports from the system.

During the implementation stage of the IT system, the software vendor had provided training to
in-house staff members who were to provide support for each of the distribution centres. While this
approach was appropriate at the time further consideration should have been taken regarding the
competency of the Lite-Tech staff chosen for this task. The staff members chosen did not have prior
experience in IT systems. Their inexperience may have contributed to the departure of 4 Lite-Tech
staff members. In addition, the software vendor has since been bought out twice and the level of
support has decreased significantly. This has left a void for support of the IT system and presents an
ongoing risk as Lite-Tech will continually experience issues that will need to be addressed. Failure to
mitigate this risk can have a significant financial impact.

Access to the IT system has also been a problem. Failure to create a system of control regarding
security and access levels has allowed all staff members the ability to place orders in the system as
well as gain access to information. Furthermore, the proliferation of access to data can contribute to
errors in the system, whether they are intentional or not. Implementation of user access groups with
designated privileges will eliminate or at least significantly reduce the occurrence of redundant orders
in the system.

At the time of implementation, the IT system was supposed to consolidate inventory information from
the 6 locations. However, the synchronization of the data was never verified. No reconciliation was
ever performed. Due to errors that were found it is highly likely that there may be adjustments
required to both the data and the modules in the software that consolidate the information.

Many of the issues noted above can be attributed to Lite-Tech for failing to implement effective
controls regarding support, access, and reconciliation of data. However, some of the errors may be the
result of a poor implementation by the software vendor. In either instance, corrective action in the
form of controls must be implemented to mitigate any further risk to Lite-Tech. By addressing these
issues Lite-Tech can be reasonably assured that the data made available to its staff for decisions will
be accurate.

Please feel free to contact me should you wish to discuss any of the issues outlined above.

Note:
2 marks for each risk identified, its impact, and a recommendation for improvements to a maximum of 10 marks; 4 marks for clarity,
logic, and persuasiveness; 3 marks for conclusion.


Continued...
SMU1D11 CGA-Canada, 2011 Page 3 of 7
5 b. Source: Topic 7.1 (Level 2)
The chief audit executive was correct in assuming that a CGA has the necessary skills and knowledge.
Internal auditors must have sufficient knowledge of key information technology risks and controls and
available technology-based audit techniques to perform their assigned work. However, not all internal
auditors are expected to have the expertise of an auditor whose primary responsibility is information
technology auditing.

It is not necessary for every internal auditor to have the skills of an IT audit specialist. Where
appropriate, audit teams can include IT audit specialists from within the internal audit department or
outsourced resources when the necessary skills are not available internally.

A CGA must possess adequate skills to effectively audit a system of controls, whether it be controls
surrounding the IT function or the marketing function. There is a requirement to have a basic
understanding of the IT environment, especially in todays technology-dependent society.
Note:
1 mark for correct answer; 2 marks for each justification to a maximum of 4 marks.

22 Question 3
Source: Topic 5.6 (Level 1); Topic 9.3 (Level 2)
12 a. Procedures
Join the tables OVERTIME and JOB by matching their common fields JOB_ID, and join the
resulting table to the table EMPLOYEE by matching their common fields EMP_ID.
Join the tables TIMEBANK and JOB by matching their common fields JOB_ID, and join the
resulting table to the table EMPLOYEE by matching their common fields EMP_ID.
Join the tables TIMEBANK and OVERTIME by matching their common fields JOB_ID and
EMP_ID.
Summarize the table OVERTIME by EMP_ID with the summations of the product of overtime
hours and the corresponding overtime factors; that is, SUM (OT_HOUR * OT_FACTOR).
Note:
4 marks (2 marks for each procedure, to a maximum of 4).

Conclusions:
1. Job 1029: Installing new lighting fixture in waiting room 215 has been opened for more than
2 years without being closed. Overtime from employee 102, Brian Bean, was charged to this job
almost 2 years after it had been opened.
2. Job 1077: Replacing burst pipes in main kitchen was already closed on March 19, 2010 but
overtime from employee 101, Ali Awad, was charged to the job on November 7, 2011.
3. Employee 104, Hugh Holmes, had 4 hours of overtime to be paid out and banked at the same
time. The 4 hours recorded in both the OVERTIME table and the TIMEBANK table were for the
same job 2568 Installing cabinets in new director office 301 and performed on the same date
November 7, 2011.
4. A summarization of the OVERTIME table reveals that an employee has done 12 hours of
overtime on job 2591 Painting walls in west wing level 5 within the same week. On one of
those days, 10 hours of overtime were recorded on top of the 8 hours of regular work.
5. Employee 103, Cathy Chan, is a landscaper and yet she recorded overtime for a plumbing job
job 2604 Stopping leak in laundry facility on November 14, 2011. In addition, the JOB file
shows that this job only started on November 23, 2011.
Note:
8 marks (2 marks for each conclusion, to a maximum of 8).
Continued...
SMU1D11 CGA-Canada, 2011 Page 4 of 7
6 b. Weakness: Overtime work can be charged against jobs that are not yet open or that are closed and to
jobs that were opened for prolonged periods of time.

Impact: System prone to error in job cost recovery.

Recommendation: Periodic review should be performed to close jobs that have been completed.
System should not allow any charges to be recorded against a closed job or a job that is not yet open.

Weakness: Overtime can be entered both as paid out and as banked hours.

Impact: Opportunity to process double payments to workers encourages fraud and increases cost to
the organization.

Recommendation: System should not allow double compensation for overtime work.

Weakness: No effective scrutiny on the reasonability of overtime entered into the system.

Impact: Lack of scrutiny hampers accountability, encourages fraud, and increases the chance of
misallocation of resources.

Recommendation: Supervisor needs to review reports on overtime performed to avoid unnecessary
extra cost, as well as to ensure only the correct jobs are charged.

Note:
Marks will be awarded to any other solution deemed acceptable.
1 mark for each weakness, to a maximum of 2.
1 mark for each impact, to a maximum of 2.
1 mark for each recommendation, to a maximum of 2.

4 c. 1. Define the specific audit objectives to be carried out with the assistance of the generalized audit
software.

2. List the tests the generalized audit software will use to assist in reaching the audit objectives.

3. Obtain copies of the data files to be tested.

4. Enter the audit commands or parameters in the generalized audit software.

5. Check the output and draw audit conclusions.

Note:
1 mark each to a maximum of 4.













Continued...
SMU1D11 CGA-Canada, 2011 Page 5 of 7
34 Question 4
28 a. Source: Topics 4.1, 5.7, and 6.2 (Level 1)

MEMORANDUM
To: Elijah Green, CAE
Date: June 1, 2011
From: Jane Halloway, CGA
Re: Internal Audit Process Review

At your request, I have reviewed the process for the audit of the department of financial services with
the objective to determine if there were any deficiencies in the communication with the auditee that
may have contributed to delays. In addition, I have reviewed each of the audit observations and
provided an opinion on whether the director of that department may have acted intentionally to cause
delays in the audit process in light of his pending contract renewal. Furthermore, I have listed the
typical objectives of an audit report and highlighted where this audit has deviated from those
objectives.

After interviewing the audit staff, it was evident that the individual assigned as the contact person
from the department of financial services was the wrong person. The assistant to the director would
not have had sufficient knowledge of the internal control framework in comparison to the department
manager. By her own admission, the assistant had stated that any communication with the internal
audit department would have to be approved by the department manager and the director. This
resulted in additional and unnecessary delays.

The lead auditor is partially to blame as she should have insisted that an individual with knowledge
and understanding of controls should be assigned. The contact person should be capable of making
decisions on behalf of financial services without obtaining the approval of several other staff
members. This would ensure the receipt of managements response in a timely manner and greatly
increase the overall efficiency of the audit process.

As evidenced by the limited number of progress meetings between internal audit and the auditee, it is
apparent that there was a lack of understanding of the importance of the issues being identified. Again,
not keeping management of the audited department informed throughout the audit process resulted in
further delays. The auditee only became aware of the issues upon receipt of the draft report.
Furthermore, upon receiving the report, the assistant clearly did not understand her responsibility with
respect to providing managements response to the audit observations. In fact she communicated with
internal audit several weeks later requesting additional information in an effort to refute some of the
observations. This was not the purpose of managements response and either it was not clearly
communicated to her by the lead auditor or she did not clearly understand her role. Either way this
contributed to an already lengthy audit reporting process.

In order to avoid a recurrence of this situation, the internal audit department must establish with
auditees a clear understanding of the audit process and what will be required. Internal audit must insist
on a contact person with knowledge of department operations as well as sufficient authority to provide
managements response. Regular progress meetings should be held throughout the audit process to
keep auditees well informed. Any requirements, such as managements response, must be well defined
and clearly communicated to the auditees. Deadlines must be set and respected in order to avoid costly
delays.







Continued...
SMU1D11 CGA-Canada, 2011 Page 6 of 7
In reviewing the audit observations summarized in Exhibit 4-1, it is clear that some of the issues
would have reflected poorly on the directors ability to effectively manage his department. One of the
main responsibilities of financial services is to approve and allocate the budget to other departments.
The internal audit revealed that this was not being done in a timely manner, which would cause
university-wide problems with reporting and fiscal management. In addition, it was noted that the
department staff was not allocated in the most efficient manner. A good manager would leverage staff
resources to the maximum extent possible and review operations to eliminate any redundant
processes. The audit revealed that this was not being done. The other two audit observations were
issues that were not directly under the control of the director. However, the director could have
implemented compensating controls within his department to reduce any risks. For example, the
department could have assigned an individual to approve all purchases. This individual would not
make any purchases, only approve them, thus creating a segregation of duties. It is not clear whether
the director intentionally delayed the audit process to prevent the observations from being reported to
senior management. However, it certainly was to his advantage.

A typical internal audit report should accomplish five important objectives:
1. Document the results of audit work The report should summarize the scope, nature, and extent
of the audit work performed. It should present the audit observations, conclusions, and
recommendations.

2. Provide a framework for management action The audit observations and related
recommendations presented in the report should serve as an outline for management on
deficiencies that must be addressed. These issues present a risk to the department and the
university and they must be mitigated as quickly as possible to avoid any potential financial loss.
The report should motivate management to take action, or satisfy senior management and the
board of directors that no action is required, and explain why.

3. Present the auditees views Usually, managers of audited units agree with the auditor on all
important points in the report and will outline how they will address the auditors
recommendations. Auditees may also want to mention mitigating circumstances or clarify an
issue.

4. Provide a basis for follow-up The report provides a basis for following up on audit
recommendations to determine whether management has adequately considered the auditors
recommendations and implemented appropriate corrective action.

5. Express an opinion on the adequacy of governance, risk management, and control within the
organization The most important aspect of the audit report is that there will be a conclusion
reached on the overall performance of the auditee with respect to governance, risk management,
and the effectiveness of the system of controls.

In considering these objectives, there were two that were not accomplished. Releasing the audit report
without presenting the auditees response to the observations may be perceived as being unfair or
biased. In addition, there is no basis for follow-up as the auditee has not officially agreed to any of the
audit observations nor provided an outline of corrective action and timeline for implementation. The
other objectives could still be accomplished; however, the overall effectiveness of the audit report was
greatly diminished.







Continued...
SMU1D11 CGA-Canada, 2011 Page 7 of 7
In reviewing the audit process, I find that there is room for improvement. Requirements need to be
clearly communicated to auditees in order to obtain their cooperation throughout the audit. If auditees
are kept informed of audit progress then they will be more likely to view the process as value adding
and be willing to participate in finding effective solutions to identified issues. A well planned and
executed audit will also avoid any problems such as a perception that an auditee may be purposely
delaying the process for personal reasons.

Should you require any additional insight on any of the items outlined in this report please feel free to
contact me.

Note:
2 marks for each audit report objective to a maximum of 10 marks; 2 marks for identifying each deviation to a maximum of 4 marks.
2 marks for reviewing each recommendation, to a maximum of 10 marks.
4 marks for clarity, logic, and persuasiveness.

6 b. Source: Topic 2.3 (Level 1)

To ensure independent internal auditing, the chief audit executive (CAE) must report to someone in
the organization who has enough authority to promote independence and to ensure unrestricted audit
coverage as well as ensuring that appropriate action is taken on audit recommendations. Under normal
circumstances, the CAE reports to the chair of the audit committee and administratively to the
university president. All audit reports are submitted to the audit committee and to senior management
of the audited department. This is done in order to maintain the objectivity and independence of the
internal audit department.

In this case, the CAE was pressured by the VP to release the report. The CAE does not report to the
VP and if he felt pressured or in any way influenced to release the audit report the matter should have
been discussed with the chair of the audit committee. Any perceived breach of the CAEs
independence would be a serious matter. The VPs actions were inappropriate and should have been
reported to the audit committee. Managements use of the findings in the audit report is not governed
by the audit committee. However, pressure to issue an incomplete report in order to advance a
separate agenda was inappropriate and unjustified.

Note:
2 marks for describing internal audits reporting structure.
2 marks for explaining the importance of independence.
2 marks for identifying deviations.

END OF SOLUTIONS

100

MU1D11 CGA-Canada, 2011
CGA-CANADA

INTERNAL AUDITING & CONTROLS [MU1] EXAMINATION
December 2011
EXAMINERS COMMENTS
General Comments
Candidates overall performance was just below satisfactory. Candidate performance was poorest on
Question 1. On Question 2, candidates often did not to conclude on important matters such as overall risk
assessment. In Question 4, they were not able to adequately identify when an internal auditor was in a
conflict and their objectivity/independence was impaired.

Candidates performed well on other topics covered in the examination. Most were easily able to describe
the audit procedures to be used to analyze data and draw meaningful conclusions, despite not being
entirely familiar with the terminology commonly used to describe the data-centric analytical procedures.
Candidates satisfactorily identified risks, their impact, and made realistic recommendations. They also
demonstrated a good working knowledge of the objectives of the internal audit report and were able to
identify, relevant to the case presented, when these objectives were attained.

Aside from Question 1, candidates have shown vast improvement in the application of course matter to
case scenarios.
Specific Comments
Question 1 Multiple choice (Levels 1 and 2)
Overall candidate performance was unsatisfactory. Candidates had difficulty with questions relating to
residual risk and internal audits of not-for profit organizations and government institutions. There seemed
to be some confusion regarding the audit procedures used in an internal audit of the marketing function.

Question 2 Risk assessment and risks in the IT environment (Level 1)
Candidate performance was borderline satisfactory. As mentioned above, candidates did very well on
describing the impact of each risk and making recommendations for improvement. However, when asked
to write a memo, there is an implicit requirement to conclude on the overall risk exposure of the company.
Many candidates did not provide an opinion.

Question 3 Analysis of data (output from audit software) and computer assisted audit techniques; Steps in
analysis of data using audit software (Levels 1 and 2)
In general, candidate performance was satisfactory for this question. However, improvement is required in
the description of the steps used to analyze data using audit software. This may be simply a need for the
candidates to familiarize themselves with the common terminology as they were able to demonstrate in
other parts of the question the ability to actually analyze the data, identify control weaknesses, and draw
conclusions.

Question 4 Objectives of internal audit reporting, evaluating audit results, and objectivity and independence
(Level 1)
Candidate performance on this question was borderline satisfactory. Candidates satisfactorily described
the objectives of internal audit reporting and were able to identify when the objectives were not met.
Candidates had some difficulty consistently providing an evaluation of the audit results and describing the
potential impact on the company. Candidates also had difficulty correctly identifying when, as an internal
auditor, their objectivity/independence was in question. This is an important topic as any conflict and
impairment, whether real or perceived, can have a significant negative impact of the entire internal audit.