Community Q&A
Expert-verified answers to your financial certification questions. Ask, learn, and connect with fellow candidates.
What should an auditor do if a supervisor weakens a supported finding?
Start with the workpapers, not the personalities. Ask what evidence, criteria, rating methodology, or new facts support the revised finding. If the supervisor has a valid basis, document the change and update the conclusion. If the change is...
When should internal audit use specialists instead of handling an emerging risk alone?
It becomes a problem when the engagement objective requires conclusions the team cannot support with its own competence and evidence.
Can internal audit advise management on emerging risks without losing objectivity?
Yes, but the boundary must be clear. Internal audit can provide advisory services by facilitating risk discussions, identifying control considerations, sharing lessons from prior audits, or helping management think through criteria.
How should a CAE plan for emerging risk coverage?
The CAE should start with the organization's strategy, objectives, risk assessment, and board expectations. Emerging risks belong in the plan when they are relevant to the organization and significant enough to justify assurance or advisory work.
What skills keep internal audit relevant as risks become more technical?
No. Every auditor does not need to become a deep technical specialist, but the internal audit function needs enough competence to cover the risks in its plan. Think in layers: core audit skills still matter.
How do you test a control metadata migration?
Test both completeness and accuracy. Compare record counts before and after migration, identify blank required fields, scan for invalid values, reconcile key dashboards, confirm control-to-risk and issue links, and sample individual controls.
Who should approve changes to control-library fields?
Approval should come from the business owner of the control taxonomy, not merely the person who has system administrator access. Depending on the field, that may be the CAE, methodology owner, SOX program owner, compliance lead, or risk owner.
What can go wrong when control-library fields are renamed?
The obvious risk is that users become confused. The more serious risk is that downstream reporting silently changes. Saved filters, audit plan views, SOX scoping reports, and risk-control matrices may depend on field names or values.
How should internal audit change control fields in an audit management system?
Treat the change as a governed configuration change. Start by defining the business purpose of the field, the owner, allowed values, required status, downstream reports, workflows, and approval path.
When should continuous monitoring belong to management instead of internal audit?
Continuous monitoring should belong to management when it is part of running the process or detecting exceptions that management must investigate in the normal course of business.
What controls make audit analytics reliable enough to use in fieldwork?
Reliable audit analytics need controls over source data, transformation, exception logic, access, and review. The auditor should reconcile source extracts to control totals where practical, document filters and joins, and review calculations.
Is a BI dashboard enough evidence for an audit conclusion?
No. A dashboard can help summarize, stratify, or direct testing, but the conclusion should trace back to source data and audit procedures. The dashboard is a tool that transforms and displays information.
How should a small internal audit team start using BI dashboards?
Start with one recurring audit question instead of trying to build a full audit platform. A good first use case is planning: identify unusual activity, rank locations, compare trend lines, or select a population for focused testing.
Is management representation enough audit evidence?
Usually no, not when the conclusion is important. Management representations can support the file, but they rarely replace inspection, recalculation, reperformance, confirmation, analytics, or other evidence.
Why do auditors read minutes and ask management questions?
Minutes and management inquiries help the auditor understand context, identify risks, and find evidence trails. They are not usually enough by themselves to prove a high-risk conclusion, but they can be very useful.
How are substantive procedures different from control tests?
A test of controls asks whether a control is designed or operating effectively. A substantive procedure asks whether the underlying transaction, amount, disclosure, or condition is supported.
What is the purpose of an audit procedure?
An audit procedure is an action designed to obtain evidence for a specific objective, risk, assertion, control, or conclusion. The procedure should not exist only because it appeared on last year's checklist.
When do audit analytics create too many exceptions to be useful?
Analytics create too many exceptions when the test is not tied tightly enough to the risk, criteria, and process logic. A broad outlier rule may flag thousands of items that are unusual but not control failures.
What support should auditors save during fieldwork?
Auditors should save support that explains what was tested, what evidence was obtained, who provided it, when it was obtained, and how it supports the conclusion. That can include source reports, screenshots, meeting notes, and reviewer comments.
How do auditors check population completeness before testing?
Auditors check completeness by comparing the population to an independent source. Examples include reconciling record counts to a system report, reconciling totals to the general ledger, confirming extraction parameters, and reviewing filters.