Question 711 - IIA-CIA-Part1 discussion

A control is effective when it achieves its intended objective, such as preventing or detecting errors or fraud.A control is efficient when it minimizes the cost and effort required to achieve its objective2. In this case, the control of automatically creating amended purchase orders is effective because it ensures that the discrepancies between the original purchase order and the final invoice are resolved. However, the control is inefficient because it generates too many amended purchase orders for minor differences that may not be material or significant.This may result in unnecessary administrative burden, delays, and waste of resources3.A more efficient control would be to set a threshold or tolerance level for the discrepancies and only create amended purchase orders when the difference exceeds that level4.

Internal audit requests access to write and export specialized reports from the organization's database to aid with testing and analysis. Management authorizes internal audit only to view production reports that are built into the system. How can the chief audit executive create buy-in with management and attain the access required for the engagement?

By sending the internal audit charter to the general manager to show that the requested level of access is approved by the charter.

By sending a staff auditor with at least two years experience in the field to explain the importance of the internal audit function and the reasons why the requested level of access is necessary

By explaining to the general manager that internal audit's work program requires the reports that can only be gathered from the system's report writer.

By meeting with the general manager to discuss the planned control testing and the risks that can be identified from utilizing the specialized reports.

One of the key skills for a chief audit executive (CAE) is the ability to create buy-in with management and other stakeholders for the internal audit function2.Buy-in means that management understands and supports the value and role of internal audit, and provides the necessary resources and access for internal audit to perform its work effectively3.To create buy-in, the CAE should communicate clearly and persuasively the objectives, scope, and benefits of the internal audit engagements, and how they align with the organization's goals and risks4.The CAE should also demonstrate the professionalism, competence, and independence of the internal audit team, and foster a collaborative and trusting relationship with management5.

In this case, the CAE should meet with the general manager to explain why access to write and export specialized reports from the organization's database is required for the engagement. The CAE should show how these reports will help to test and analyze the controls and processes that are relevant to the organization's risks and objectives. The CAE should also highlight the potential issues or opportunities that can be identified from using these reports, and how they can help to improve the organization's performance and governance. The CAE should also address any concerns or objections that the general manager may have, such as data security, confidentiality, or system integrity, and assure that internal audit will follow the appropriate standards and protocols when accessing and using the data.

The other options are not likely to create buy-in with management. Sending the internal audit charter or a staff auditor may not be sufficient or persuasive enough to convince the general manager of the need for access. Explaining that internal audit's work program requires the reports may not explain how they are relevant or beneficial to the organization. These options may also appear as confrontational or demanding, rather than collaborative or consultative, which may damage the relationship between internal audit and management.