ii. A finding is the facts and figures collected by an auditor to satisfy the objectives of the
audit, while a recommendation is the course of action suggested by the auditor in line
with the objectives of the audit. During the finding stage, the auditor discusses with
management and obtains all the information needed to assess the risk. For the
recommendation, the auditor suggests actions based on the risk that has been
assessed, for management to implement so that the system is effective and efficient.
iii. Avoidable conflicts are conflicts that exist within the internal audit department and
process. Conflict arises when internal auditors do not understand the internal
audit process because of ambiguity and uncertainty. When auditors do not understand it,
they may find it difficult to deal with management. Next, the auditors fail to think
strategically and systematically. Sometimes, in an organization, the auditor gives a
recommendation without thinking systematically and strategically. Conflict occurs
because management will not be satisfied with the auditor. The auditor should
think critically to give the best recommendation to management and should use all
their knowledge and competence to ensure their work is effective and efficient. Lastly,
there is a lack of understanding of the importance of internal audit and the trends
and challenges facing the profession. Management should understand that
internal audit is important for assessing risk and providing recommendations to
ensure that the organization implements an effective system to achieve its goals.
Internal audit is also important for preventing fraud that might happen in the
organization. The internal auditor should explain the importance of internal audit
to management.
Question 2
a) Audit plan
Monitor the employees
As we know, it is better to prevent a problem early, because once the situation
worsens it will be hard to overcome. The management can monitor the
employees by sending an undercover person to join the group, and if there is a
suspicious plan, the undercover person can report it. For example, the undercover
group can do their job by joining the project manager, office manager and long-time
employees that have a plan to commit the fraud by
receipts for
reimbursements twice.
Employee education
The internal auditor can advise management to give employees education,
at least basic fraud awareness or anti-fraud training. When employees
take part, they will realize that such an action is wrong and that they
may be punished. Management should send all employees to
anti-fraud training to ensure that they will not commit fraud
again and will work toward the organizational goals.
Fraud policies
The auditor should advise management to have fraud policies. An
organization should have a policy stating clearly its stand and the actions that
would be taken against perpetrators of fraud. If management does not take
action, the perpetrators may be encouraged to commit fraud and do it
again, because nobody takes action against them. When there
are policies, the perpetrators will be afraid to commit fraud.
b) Identify and explain why the internal auditors failed to discover these frauds.
Lack of policies regarding the company's values and behavioral standards,
and no published code of conduct. There are no appropriate policies, so
employees are tempted to commit fraud.
Question 3
What implications do the above findings have for internal auditors? How would they
influence the way that an internal auditor plans a computer audit?
The implication:
Skill and knowledge of IT and e-commerce environment
The auditor should be well equipped and capable of addressing e-commerce systems,
security and controls, and of providing assurance auditing services. IT skills and
knowledge and the auditor's capability in e-commerce will be demanded by management,
those charged with governance, and regulatory authorities for improved assurance of
effective and continuous information security.
Risk identification
Risk assessments should be performed after the auditor has obtained a clear picture of
the organization's IT environment. The auditor should develop a process to identify
risks, assess risks, and rank audit subjects using IT risk factors and business risk
factors. Once risks are identified, whether through experience or formal assessment,
suitable risk responses should be determined, which may range from not taking any
action and accepting the risk as a cost of doing business, to applying a wide range of
specific controls. Based on the risks above, the auditor should identify the nature of the
business that incurs the high risk. Based on the survey, the auditor should focus more
on the high risks, for example business interruption due to network or system
failure and unauthorized access or changes to data or systems. By assessing the risk,
the auditor can give a recommendation appropriate to the level of risk
faced by the organization.