Community Q&A
Expert-verified answers to your financial certification questions. Ask, learn, and connect with fellow candidates.
Can internal audit write management policies?
Author: AcadiFi Team. Related article: cia-policy-drafting-advisory-boundary-map
When should an audit stop at design failure instead of testing operating effectiveness?
Stop at design failure when the control is not defined well enough to test or when the design does not address the risk. Operating effectiveness testing asks whether a designed control operated as intended over time. If management cannot identify...
What criteria can internal audit use for a Shadow IT audit when no policy exists?
Use a criteria hierarchy and make it explicit in the engagement plan. Internal criteria may include the audit charter, board-approved audit plan, risk register, procurement rules, data classification policy, security strategy, and any prior risk...
Can an auditor build a risk-control matrix without taking ownership of management's controls?
The auditor can build an audit working version of a risk-control matrix to plan and document the engagement. That is different from designing management's control framework. The distinction should be visible in the workpapers and in the report. An...
How can internal audit audit a process when risks and controls are not documented?
Internal audit can still perform the engagement, but the objective should be framed carefully. Start by identifying the process objective and the risk, not by asking for a finished control matrix. If management has no formal documentation,...
How do auditors test ongoing monitoring for a credit model?
Auditors should first identify the required monitoring metrics, frequency, thresholds, owners, and escalation path. Then they should test whether monitoring occurred on time, used complete and accurate data, identified threshold breaches, and led to...
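One way to turn that test into a repeatable check, as an added example that is not part of the AcadiFi answer: the script below assumes a constructed monitoring standard (monthly frequency, PSI and Gini limits, a designated owner, a 10-day escalation SLA), a constructed run log and a constructed escalation register, and flags late or missing runs, runs with missing metric values, runs performed by someone other than the owner, and threshold breaches that were never escalated or were escalated outside the SLA. All names and values are assumptions for illustration.

```python
"""Audit test of ongoing monitoring for a credit model.

Added example (not from the AcadiFi page). The monitoring standard, the run log and
the escalation register below are constructed; in practice they come from the model
risk policy, the periodic monitoring reports and the escalation minutes.
"""
from datetime import date

# Monitoring standard the auditor identifies first (assumed values).
STANDARD = {
    "frequency_days": 31,          # monthly monitoring
    "owner": "model_owner",        # who must perform each run
    "escalation_sla_days": 10,     # a breach must be escalated within this many days
    "metrics": {
        "psi": {"limit": 0.25, "breach_if": "above"},   # population stability index
        "gini": {"limit": 0.40, "breach_if": "below"},  # discriminatory power
    },
}

# Constructed monitoring run log: one record per monitoring report.
RUNS = [
    {"run_date": date(2024, 1, 31), "owner": "model_owner", "psi": 0.10, "gini": 0.52},
    {"run_date": date(2024, 2, 29), "owner": "model_owner", "psi": 0.31, "gini": 0.48},
    # no March run at all
    {"run_date": date(2024, 4, 30), "owner": "analyst", "psi": 0.12, "gini": 0.38},
    {"run_date": date(2024, 5, 31), "owner": "model_owner", "psi": None, "gini": 0.45},
]

# Constructed escalation register (only the February PSI breach was raised).
ESCALATIONS = [
    {"run_date": date(2024, 2, 29), "metric": "psi",
     "raised": date(2024, 3, 5), "to": "model_risk_committee"},
]


def metric_breached(name, value, standard):
    """Return True when a reported value crosses the standard's limit."""
    rule = standard["metrics"][name]
    if value is None:
        return False  # missing data is reported separately, not as a breach
    if rule["breach_if"] == "above":
        return value > rule["limit"]
    return value < rule["limit"]


def audit_monitoring(runs, escalations, standard, period_start, period_end):
    """Test timeliness, data completeness, ownership, breach identification and escalation."""
    findings = []   # (category, detail)
    breaches = []   # (run_date, metric, value)
    runs = sorted(runs, key=lambda r: r["run_date"])

    # Timeliness: no gap between consecutive runs (or the period edges) may exceed the frequency.
    checkpoints = [period_start] + [r["run_date"] for r in runs] + [period_end]
    for prev, nxt in zip(checkpoints, checkpoints[1:]):
        gap = (nxt - prev).days
        if gap > standard["frequency_days"]:
            findings.append(("timeliness", f"{gap}-day gap between {prev} and {nxt}"))

    for run in runs:
        # Ownership: was the run performed by the designated owner?
        if run["owner"] != standard["owner"]:
            findings.append(("ownership", f"{run['run_date']} run performed by {run['owner']}"))
        for metric in standard["metrics"]:
            value = run.get(metric)
            # Data completeness: every required metric must be present in every run.
            if value is None:
                findings.append(("data", f"{run['run_date']} run has no {metric} value"))
                continue
            if metric_breached(metric, value, standard):
                breaches.append((run["run_date"], metric, value))

    # Escalation: every breach must appear in the register within the SLA.
    for run_date, metric, value in breaches:
        match = [e for e in escalations if e["run_date"] == run_date and e["metric"] == metric]
        if not match:
            findings.append(("escalation", f"{metric}={value} breach on {run_date} never escalated"))
            continue
        delay = (match[0]["raised"] - run_date).days
        if delay > standard["escalation_sla_days"]:
            findings.append(("escalation", f"{metric} breach on {run_date} escalated after {delay} days"))

    return {"breaches": breaches, "findings": findings}


def run_example():
    """Apply the test to the constructed records for the first half of 2024."""
    return audit_monitoring(RUNS, ESCALATIONS, STANDARD, date(2024, 1, 1), date(2024, 6, 30))


if __name__ == "__main__":
    for category, detail in run_example()["findings"]:
        print(f"{category:<11} {detail}")
```

On the constructed records this reports a 61-day gap (the missing March run), the April run performed by an analyst rather than the owner, the May run with no PSI value, and the April Gini breach that was never escalated; the February PSI breach was escalated within five days and passes. Each finding maps to one of the attributes the answer lists, which is what makes the test reperformable rather than a narrative.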
What evidence supports model risk governance in an audit file?
Good evidence shows that model risk decisions were assigned, reviewed, approved, monitored, and escalated. Examples include the model risk policy, model inventory, risk-tiering rationale, validation report, approval minutes, limitation notices,...
Does internal audit need to reperform model validation during a model risk audit?
Usually not in full. Internal audit should evaluate whether validation was independent, competent, risk-based, sufficiently documented, and acted on. It may perform targeted challenge work over high-risk assumptions, data, performance metrics, or...
How should internal audit scope a first-time model risk audit?
Start with the model universe, not with model math. Internal audit should understand what counts as a model, who owns the inventory, how models are risk-tiered, which models affect important decisions, and which criteria apply to development,...
When does a marketing audit need specialist help?
Specialist help is appropriate when the audit objective requires skills the team does not have. A marketing ad fraud engagement may require knowledge of platform configuration, attribution data, invalid traffic tools, tracking pixels, lead-source...
What evidence supports a marketing spend audit beyond invoices?
Invoices are only one part of the evidence trail. They show that a payment was requested and approved; they do not prove that the campaign delivered valid, useful, contract-compliant activity. Useful evidence may include approved campaign briefs,...
How can marketing KPIs create ad fraud control risk?
KPI design matters because people optimize what management rewards. If a campaign team is measured only on lead count or cost per lead, low-quality volume can look successful even when sales outcomes, customer consent, and lead validity are weak. An...
Should internal audit review marketing ad fraud risk?
Yes, if the risk assessment supports it. Internal audit does not need to audit marketing every year, but marketing can contain meaningful risk: significant spend, third-party execution, privacy exposure, regulatory messaging, brand impact, and...
How do you write a legacy system audit finding without overstating it?
Write the finding around evidence, not fear. A good finding acknowledges controls that exist and identifies the specific gap that remains. A useful structure is:
- **Condition:** critical application runs on unsupported technology.
- **Criteria:**...
Who should accept the risk for an unsupported critical application?
Risk acceptance should be made by the appropriate management level, not by internal audit and usually not by the lowest-level technical owner alone. The right approver depends on business criticality, risk appetite, policy, regulatory exposure, and...
How should auditors test compensating controls for unsupported software?
Start by identifying which specific controls management is relying on. "Isolated" and "monitored" are conclusions, not evidence. Useful procedures include:
- inspect the asset inventory and confirm system owner,
- obtain a dependency map showing why...
Is an internal legacy system still a cyber risk if it is not public-facing?
Yes, it is. Internal-only placement may reduce exposure, but it does not eliminate risk. Internal systems can still be affected by lateral movement, compromised credentials, vendor remote access, weak segmentation, removable media, malware, misconfigured...
Is a direct system export usually better evidence than a rekeyed workpaper?
Usually, yes, if the export is generated from the right source system and the extraction criteria are documented. A direct export reduces manual transfer risk and preserves a clearer chain from source system to audit population. But the auditor...
Is IPE testing different when a report is used by a control owner instead of only by the auditor?
Yes. If the auditor uses a report only to select a sample, the focus is on whether the sample population is complete, accurate enough, precise, and preserved. If a control owner uses the report to perform a review control, the control design should...
How do auditors prove IPE completeness and accuracy for sample selection?
The auditor should document the source, scope, extraction criteria, and reconciliation. For example, the workpaper might retain the report name, system, extraction date and time, selected company codes, role filters, date range, row count, and the...
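An added example, not part of the AcadiFi answer, of recording those extraction attributes and testing an export against them before it is used as a sample population. It assumes a constructed user-role export, constructed extraction criteria (system, report, company codes, roles, date range), and independent per-company control totals read from the source system; the column, report and system names are assumptions. The export is deliberately built with two rows outside the criteria and one duplicate so the check has something to surface, and the file hash is retained so a later copy can be tied back to the population that was actually tested.

```python
"""Completeness and accuracy check over a system export used as an audit population.

Added example (not from the AcadiFi page). The export, the extraction criteria and the
control totals are constructed; column, report and system names are assumptions.
"""
import csv
import hashlib
import io
from datetime import date, datetime

# Extraction criteria as they would be recorded in the workpaper (assumed values).
CRITERIA = {
    "system": "ERP-PROD",
    "report": "user_role_assignments",
    "extracted_at": "2024-04-02T09:14:00",
    "company_codes": {"1000", "2000"},
    "roles": {"AP_CLERK", "GL_POST"},
    "date_from": date(2024, 3, 1),
    "date_to": date(2024, 3, 31),
}

# Independent control totals read from the source system at extraction time (assumed).
CONTROL_TOTALS = {"1000": 2, "2000": 1}

# Constructed export. Record 4 has an out-of-scope company code, record 5 is outside
# the date range, and the last line duplicates record 1: each should be surfaced.
EXPORT_CSV = """record_id,user_id,company_code,role,assigned_on
1,u001,1000,AP_CLERK,2024-03-02
2,u002,1000,AP_CLERK,2024-03-15
3,u003,2000,GL_POST,2024-03-20
4,u004,3000,AP_CLERK,2024-03-10
5,u005,2000,GL_POST,2024-04-02
1,u001,1000,AP_CLERK,2024-03-02
"""

# The same population with the extraction criteria applied correctly (header + 3 rows).
CLEAN_EXPORT_CSV = "\n".join(EXPORT_CSV.splitlines()[:4]) + "\n"


def check_ipe(export_text, criteria, control_totals):
    """Validate an export against its extraction criteria and source control totals."""
    # Hash the raw file so the tested population can be tied to the retained copy.
    digest = hashlib.sha256(export_text.encode("utf-8")).hexdigest()
    rows = list(csv.DictReader(io.StringIO(export_text)))
    exceptions = []   # (record_id or company_code, description)
    seen = set()
    per_company = {}

    for r in rows:
        rid = r["record_id"]
        if rid in seen:  # a duplicate would inflate the population and skew selection
            exceptions.append((rid, "duplicate record_id"))
            continue
        seen.add(rid)
        problems = []
        # Accuracy: every row must satisfy the documented extraction criteria.
        if r["company_code"] not in criteria["company_codes"]:
            problems.append("company code outside criteria")
        if r["role"] not in criteria["roles"]:
            problems.append("role outside criteria")
        assigned = datetime.strptime(r["assigned_on"], "%Y-%m-%d").date()
        if not criteria["date_from"] <= assigned <= criteria["date_to"]:
            problems.append("assigned_on outside date range")
        if problems:
            exceptions.append((rid, "; ".join(problems)))
            continue
        per_company[r["company_code"]] = per_company.get(r["company_code"], 0) + 1

    # Completeness: in-scope counts per company code must agree with the source totals.
    for code, expected in control_totals.items():
        actual = per_company.get(code, 0)
        if actual != expected:
            exceptions.append((code, f"in-scope count {actual} != control total {expected}"))

    return {
        "sha256": digest,
        "row_count": len(rows),
        "per_company": per_company,
        "exceptions": exceptions,
        "complete_and_accurate": not exceptions,
        # The attributes the workpaper retains alongside the export itself.
        "workpaper": {
            "system": criteria["system"],
            "report": criteria["report"],
            "extracted_at": criteria["extracted_at"],
            "company_codes": sorted(criteria["company_codes"]),
            "roles": sorted(criteria["roles"]),
            "date_range": (criteria["date_from"].isoformat(), criteria["date_to"].isoformat()),
            "row_count": len(rows),
            "sha256": digest,
        },
    }


if __name__ == "__main__":
    for label, text in (("raw export", EXPORT_CSV), ("clean export", CLEAN_EXPORT_CSV)):
        result = check_ipe(text, CRITERIA, CONTROL_TOTALS)
        print(label, "ok" if result["complete_and_accurate"] else result["exceptions"])
```

The per-company reconciliation is what distinguishes this from simply trusting the row count: a raw count of six would already disagree with the control total of three, but the reconciliation also tells the auditor which rows should not be there. When the filtered export is passed in instead, every check passes and the retained hash, criteria and counts form the chain from source system to audit population that the answer describes.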