To determine which internal audit activity is performed in the design evaluation phase, it's essential
to understand what each phase in the audit process entails. The design evaluation phase involves
assessing whether the design of controls is adequate to mitigate risks to acceptable levels.
Explanation:
Option A: The internal auditor reviews prior audits and workpapers.
This activity typically occurs during the planning phase of an audit. Reviewing prior audits and
workpapers helps the auditor understand the scope, findings, and context of previous audits,
providing valuable information for planning the current audit.
Option B: The internal auditor identifies the controls over segregation of duties.
Identifying controls, particularly those related to segregation of duties, is a key part of the design
evaluation phase. In this phase, the auditor assesses whether the control design, including
segregation of duties, is sufficient to prevent or detect errors and fraud.
Option C: The internal auditor checks a process for completeness.
Checking a process for completeness is more aligned with the testing phase, where the auditor
evaluates the operational effectiveness of controls. During this phase, the auditor ensures that all
parts of a process are functioning as intended.
Option D: The internal auditor communicates the audit results to management.
Communicating audit results occurs in the reporting phase, after the audit fieldwork is complete. In
this phase, the auditor summarizes findings, conclusions, and recommendations and presents them
to management.
Reference:
According to the Institute of Internal Auditors (IIA) Standards and the guidelines in the IPPF
(International Professional Practices Framework), during the design evaluation phase, internal
auditors assess the adequacy of control designs. This includes evaluating whether controls like
segregation of duties are properly designed to mitigate identified risks. Identifying controls over
segregation of duties is a fundamental aspect of assessing the adequacy of the control environment
and its design to ensure it can effectively prevent and detect errors and fraud.
