Community Q&A
Why do refunds and negative entries matter when defining an audit population?
Refunds and negative entries matter because they may represent the activity the auditor needs to test, even if they net against totals in a financial report. If the objective is to test refund approval, the relevant population is refunds, not net sales.
What if management rejects an automated monitoring control?
Internal audit should evaluate the residual risk and management's rationale. If the risk is within appetite, document the decision. If the risk appears above tolerance, the CAE should follow the approved escalation process for risk acceptance. Audit should be careful about continuing to operate the rejected control itself.
How do auditors test management-owned analytics?
Test both design and operation. For design, understand the control objective, source data, population, join logic, threshold, owner, frequency, and exception workflow. For operation, inspect evidence that the analytic ran, exceptions were reviewed, and follow-up was performed.
When should audit analytics become management monitoring?
An audit analytic should become management monitoring when it identifies a risk that management needs to detect and respond to at an operating frequency. The handoff should define the control owner, frequency, data source, threshold, exception workflow, evidence retention, and escalation path.
Should internal audit operate automated control tests for management?
Usually no. Internal audit can use automated tests as audit procedures and can advise management on monitoring ideas. But if the test is needed to manage risk during normal operations, management should own and operate the control. Internal audit may validate the idea and later test effectiveness.
How should auditors handle confidential data in AI tools?
A good answer starts with data classification and tool approval. Internal audit should know what data is restricted, which tools are approved, whether inputs or outputs are retained, who can access them, and whether the data can be used for model training.
Why is AI output not audit evidence by itself?
Audit evidence is information the auditor obtains and evaluates to support a conclusion. AI output may summarize, transform, or draft based on inputs, but it is not the underlying proof that a control exists or operated. You still need source support such as policy documents, configuration, or test results.
What controls should govern AI use in internal audit?
Internal audit should define approved tools, permitted use cases, prohibited data, required review steps, retention expectations, and escalation paths. The control set should answer practical questions about data entry, tool approval, prompt and output retention, and reviewer responsibilities.
Can internal audit use AI to draft workpapers?
It can be acceptable if the use is approved, controlled, and reviewed. AI may help organize material, but it does not replace the auditor's responsibility for evidence, test design, conclusions, or report language. A defensible workpaper should still show source evidence and auditor review.
How should QAIP test whether standards mapping is actually working?
QAIP should test both design and operation. Design testing asks whether the policy, methodology, templates, and audit system fields cover the relevant requirements. Operating testing asks whether completed engagements actually used those templates and retained evidence.
Where do topical requirements fit in an internal audit program?
They fit into engagement planning as an applicability gate. When the risk assessment includes a covered topic for assurance work, the team should document whether the topical requirement applies, which requirements are addressed, what criteria are used, and whether any exclusions have a documented rationale.
What evidence should an internal audit function retain to show conformance with the IIA Standards?
Evidence depends on the requirement. Function-level evidence may include the charter, board minutes, annual plan, methodology manual, and QAIP results. Engagement-level evidence may include risk assessment, scope, criteria, approved work program, workpapers, and follow-up records.
How do we map IIA Standards to audit steps without creating checklist overload?
Start by mapping each requirement to the audit lifecycle rather than to every individual workpaper. Some requirements belong at the function level, such as charter, mandate, board interaction, resources, and QAIP. Others belong at the engagement level.
How do you write audit recommendations that management can actually implement?
Tie the recommendation to root cause, risk level, and implementation capacity. A strong recommendation usually answers four questions: what action should be taken, who owns it, by when, and how it reduces the stated risk.
Does retroactive documentation count as valid audit evidence?
Not as historical operating evidence. Retroactive documentation may be useful to explain the intended future-state process and to support that remediation has started, but it does not prove the control operated during the historical period under review unless contemporaneous evidence also exists.
What should an internal auditor do if management wants a finding removed?
Treat this as a substance-versus-tone question. If management wants to improve wording without changing the supported condition, risk, or action plan, that is normal report clearance. If management wants a supported issue removed or materially diluted, internal audit should follow the approved escalation path.
How should an auditor respond when SOC evidence is missing?
Start by separating three issues: intended control design, available historical evidence, and remediation now underway. If support for prior months is missing, internal audit should not imply the control operated effectively just because the process owner says it usually does.
When should SOX testing automation become a management control?
Once the logic is stable and the activity is valuable as recurring risk monitoring, management should usually own it. A repeatable exception test is no longer just an audit convenience. It has become a detective control, and if audit keeps operating it quarter after quarter, independence starts to blur.
Which cycle count controls actually matter for SOX reliance?
Focus on the steps that prevent or detect a material inventory misstatement, not every administrative step in the count process. The key SOX controls are the ones that answer whether the population was counted on time, missed counts were escalated, adjustments were posted independently, and variances were resolved.
When does a central SOX evidence library help instead of creating admin work?
A central library helps when it standardizes proof, not when it becomes a second operating process. Can the repository show the minimum evidence needed to prove the control was performed, reviewed, timed correctly, and escalated when exceptions appeared?