Page 13 - CIMA SCS Workbook February 2019 - Day 1 Suggested Solutions
SUGGESTED SOLUTIONS
EXERCISE 3 – INTERNAL AUDIT
Audit testing occurs after an auditor has ascertained the controls that are in place. The internal
audit function (IA) must first be sure of all the risks that may occur in Vita’s operation i.e. all the
ways that their supply chain may be compromised, website may be compromised, or devices may
be used to facilitate a data breach and so on. Following on from this, all controls must be
ascertained. They may feel that some controls are missing (which may result in an audit “point” or
“finding”), others are inadequate (and testing must be done to prove this) or that controls are in
place but need to be tested to ensure that they are adequate.
At this point, IA may begin testing.
In the case of Vita, it is likely that any internal audit function will report to the audit committee. If
they didn’t and reported directly to Gal Yaluz (CEO) or Rhea Turner (COO) – although we have not
been given any reason to assume this may happen – Gal and Rhea may cover up or ignore the
report. It would therefore have no worth to Vita as a monitoring activity even if the quality of the
audit is good.
The IA must feel they have the experience to audit the operations of the website, applications and
R&D. Once this is established, they may start compliance and substantive testing.
An example of a compliance test would be observing staff carrying out checks and following the
procedure, for example IA checking that the supplier evaluation and assessment is carried out as
appropriate (especially given the close nature of Vita’s working relationship with HJM and Force)
and checking that the data controls protecting the data which Vita stores on all of its app users
are active, and so on. Essentially, a compliance check ensures that any control
identified is being complied with.
As suppliers are critical to Vita’s operations it is likely that IA will spend a significant proportion of
their time reviewing stages in the procurement cycle from identifying the need, through the
evaluation of suppliers (especially making sure that HJM & Force still meet Vita’s assessment
criteria) and negotiation, on to fulfilment and consumption.
The IA may choose to look at any documentation or evidence available first to see if there has
been any issue with the quality of procurement. This would be a substantive test. This type of
testing looks at the outputs of a system to see what has happened in the past, which may guide
the IA in where to concentrate testing.
A form of substantive testing is an analytical review. Analytical review is the examination of ratios,
trends and changes in the business from one period to the next, to obtain a broad understanding
of the results of operations, and to identify any items requiring further investigation. When the
results appear abnormal the auditors will investigate more closely to find out the cause(s) by
performing further work. The IA may choose to do this at the very start of an audit when they are
doing their audit planning.
If Vita is able to provide detailed information regarding its sales units for the various activity
trackers and app usage, this can be extremely useful. A drop in sales of any device or usage of the
app may help to highlight where there have been potential issues with either the tracker or the
app functionality, and this insight can then be used to plan more relevant compliance tests.
KAPLAN PUBLISHING

