  • 7/21/2019 CIA Part 1 Chapter 1

    1/36

    C. Establish Risk-Based IA Plan

    . procedures for the planning, organizing, directing, and monitoring of internal audit

    2. Review of the internal audit function within the risk management framework

    3. Direct administrative activities (e.g., budgeting, human resources) of the internal audit department

    4. Interview candidates for internal audit positions

    5. Report on the effectiveness of corporate risk management processes to senior management and the board

    6. Report on the effectiveness of the internal control and risk management frameworks

    7. Maintain effective Quality Assurance Improvement Program

    regulatory oversight bodies and other internal assurance functions

    system, achievement of corporate objective

    disposition of

    Function from

    IA exam and is

    portion of the syllabus

    This study unit is the first of four covering Section

    The IIA's CIA Exam Syllabus. This section makes

    tested at the proficiency level unless otherwise in

    is highlighted below. The complete syllabus is in Appe

    25 pages of outline)

    STUDY UNIT ONE

    STRATEGIC AND OPERATIONAL

    ROLES OF INTERNAL AUDIT


    lai and procedural changes often are resisted by the individuals and

    ffected. This response may be caused by simple surprise, inertia, or fear of

    But it also may arise from the following:

    1) Misunderstandings or lack of needed skills

    2) Conflicts with, or lack of trust of, management

    3) Emotional reactions when change is forced

    4) Bad timing

    5) Insensitivity to employees' needs

    6) Perceived threats to employees' status or job security

    7) Dissolution of tightly knit work groups

    8) Interference with achievement of other objectives

    is a change in an organization's systems or structures.

    attitudes and mindset, for example, when a total quality

    adopted.

    ange in a product's physical attributes and usefulness to

    3.

    10

    11)

    12) Ope

    13) C

    , ving creative ideas and taking

    .

    5

    6

    8

    9

    trategy

    The internal audit activity can add value to an organization by

    change. According to The IIA competency framework,

    following interpersonal skills to interact with others

    do the following:

    1) Champion the change, enlist others in its purs

    that includes milestones and a timeline.

    2) Model the change expected of others.

    3) Accurately assess the potential b

    4) Provide resources, remove ba

    change.

    Maintain work efficiency and

    Promptly switch strategies if the current ones are not working.

    Provide direction and ng the change process.

    Support new id

    Respond quickly

    appropriate

    Support the

    a.

    1. Overview

    a. Change management is important to all organizations. An appropriate balance

    between change and stability is necessary for an organization to thrive.

    1) Organizational change is conducted through change agents, who may include

    managers, employees, and consultants hired for the purpose.

    2.

    Interpersonal Skills

    1.1 CHANGE MANAGEMENT

    16 SU 1: Strategic and Operational Roles of Internal Audit


    3

    .ge must be planned and deliberate.

    ange must actually improve the organization. Changes forced

    regulatory requirements or changes that merely attempt to follow

    management trends and fads are not included.

    The change must be implemented using the findings of the

    behavioral sciences, such as organizational behavior and group

    psychology.

    The following are the objectives of OD:

    i) Deepen the sense of organizational purpose and align individuals

    with it

    Promote interpersonal trust, communication, cooperation, and

    support

    Encourage a problem-solving approach

    Develop a satisfying work experience

    Supplement formal authority with authority based on expertise

    Increase personal responsibility

    Encourage willingness to change

    Stop and review You have completed the outline for this subunit. Study multiple-choice questions 1 through 3 on page 40.

    ii)

    iii)

    iv)

    v)

    vi)

    vii)

    b. Methods of coping with employee resistance include the following:

    1) Prevention through education and communication

    2) Participation in designing and implementing a change

    3) Facilitation and support through training and counseling

    4) Negotiation by providing a benefit in exchange for cooperation

    5) Manipulation of information or events

    6) Co-optation through allowing some participation but without meaningful input

    7) Coercion

    5. Models for Planned Change

    a. Change management has been studied by man

    models have emerged:

    1) Kurt Lewin's process model consists of

    a) Unfreezing is the diagnosis stage.

    preparing employees for the

    b) Change is the intervention in

    c) Refreezing makes the

    not reassert the

    2 hat change is ongoing

    rocess from being

    agent coordinates steps b)


    i i c~ removing the CAE and setting his/her compensation

    Approving the internal audit charter

    ing and approving the internal audit activity's work plan

    , uring that the internal audit activity is allocated sufficient resources

    esolving disputes between the internal audit activity and management

    6) Communicating with the CAE, who attends all audit committee meetings

    7) Reviewing the internal audit activity's work product (e.g., interim and final engagement communications)

    8) Ensuring that engagement results are given due consideration

    9) Overseeing appropriate corrective action for deficiencies noted by the internal audit activity

    10) Making appropriate inquiries of management and the CAE to determine whether audit scope or budgetary limitations impede the ability of the internal audit activity to meet its responsibilities.

    the audit committee is to promote the independence of

    uditors by protecting them from management's influence.

    unctions of the audit committee regarding the internal audit

    a

    3

    2

    b)

    e organization except in his/her

    1.2 STAKEHOLDER RELATIONSHIPS

    1. Stakeholder Relationships

    For internal auditors to be effective, Sawyer's Guide for Internal Auditors, 6th edition, states that they must build and maintain strong constructive relationships with managers and other stakeholders within the organization.

    b. These relationships require conscious ongoing focus to ensure that risks are appropriately identified and evaluated to best meet the needs of the organization.

    c. Internal auditors have a responsibility to work together with and other

    stakeholders to facilitate work efforts and compliance with

    d. Key stakeholders include the board of directors, audit

    external auditors, and regulators.

    2. The Board and the Audit Committee

    a. For the internal audit activity to achieve organization

    executive (CAE) must have direct and unrestri

    the board.

    1) The IIA Glossary defines a boa

    a board of directors or other

    audit committee, to whom

    b. The audit committee is a subunit of the

    member of the board is ne

    1) Some statutes h

    membership of

    a


    re the major issues:

    1) General business understanding of ethical issues

    2) Compliance with laws (e.g., tax, securities, antitrust, environmental, privacy, and labor)

    3) External financial reporting

    4) Conflicts of interest

    5) Entertainment and gift expenses

    6) Relations with customers and suppliers (Should gifts or kickbacks be given or

    accepted?)

    7) Social responsibility

    anizations policies and standards established to ensure

    lor by its members.

    e principles of conduct expected to be followed by individuals.

    1.

    process, governance principles, and ethical culture.

    o apply knowledge to a set of facts.

    1.3 ETHICAL CLIMATE

    Stop and review You have completed the

    questions 4 through 6 on page 41.

    uiding and directing

    ~

    opinion is theirs.

    tudy multiple-choice

    a. According to Sawyer's Guide for Internal Auditors, 6th edition, internal auditors are responsible for performing their mission, maintaining their objectivity, and ensuring the internal audit activity's independence. They also maintain

    good working relationships with management.

    b. Good relationships are developed by communicating

    constructively, and using participative auditing

    1) Participative auditing is a collaboration

    management during the auditing p

    and build a shared interest in the eng

    accept changes if they have p

    used to implement changes

    2) However, internal auditors

    the audit because the respons

    c. The following are other functions of the audit committee regarding the external auditor:

    1) Selecting the external auditing firm and negotiating its fee

    2) Overseeing and reviewing the work of the external auditor

    3) Resolving disputes between the external auditor and management

    4) Reviewing the external auditor's internal control and audit reports

    4. Relationships with Management


    hics is the established general value system the

    apply to its members' activities by

    organizational purposes and beliefs and

    niform ethical guidelines for members.

    guidance extends to decision making.

    Specific rules cannot cover all situations. Thus, organizations benefit from

    ing a code of ethics that effectively communicates acceptable values to all

    sted internal and external parties. For example, a code may do the following:

    Require compliance with the law

    2) Prohibit conflicts of interest

    3) Provide a method of policing and disciplining members for violations through

    a) Formal review panels and

    b) Group pressure (informal).

    Set high standards against which individuals can measure their own

    performance.

    5) Communicate to those outside the organization the value system from which its

    members must not be asked to deviate

    5.

    . he1;areinfluenced by the following:

    r ,ling right, punishment for doing wrong)

    ..._alassoclations, informal groups) .

    et ponsibilities to superiors and the organization)

    I respect were aware of it?

    or for myself, other employees,

    a. The following questions aid

    Would my be

    2) What are the

    customers,

    b. Ethics are indivi

    e to another. For

    stent with customary

    3. Factors That May Lead to Unethical Behavior

    a. In any normal population, some people behave unethically. If these people hold leadership positions, they may have a bad influence on subordinates.

    1) Organizational Factors

    a) Pressure to improve short-run performance is an incentive for wrongdoing.

    b) Emphasis on strict chain-of-command authority may excuse unethical

    behavior when following orders.

    c) Informal work-group loyalties may result in tolerance

    behavior.

    d) Committee decision processes reduce indiv .

    2) External Factors

    a) Competitive pressures may result in u

    of survival.

    b) The advantage obtained by a

    imitation of that behavior.

    c) Definitions of ethical

    example, bribes to

    business practices in s

    4. Criteria for Evaluating Ethical Behavior


    2) Governance practices reflect the organization's culture and largely depend on it for effectiveness. The culture

    a) Sets values, objectives, and strategies;

    b) Defines roles and behaviors;

    c) Measures performance;

    d) Specifies accountability; and

    e) Determines the degree of sensitivity to social responsibility.

    Compliance Creditors

    .satisfaction

    ~end

    Benefits Billing

    Reporting

    Reminders

    s meets four responsibilities:

    Compliance with legal and regulatory rules

    Satisfaction of generally accepted norms and social expectations

    Providing benefits to society and specific stakeholders

    b

    Ing fully and truthfully to ensure accountability

    Governance Process

    Responsibilities

    b. The internal a

    corporate

    organi .

    . The ipt,enlalaudit adivitYfTl -

    , : c f t h e orqanizations e th i .

    c. A typical code for auditors or accountants in an organization requires the following:

    1) Independence from conflicts of economic or professional interest

    a) They are responsible for presenting information fairly to stakeholders

    rather than protecting management.

    b) They are responsible for presenting appropriate information to all

    managers. They should not favor certain managers or conceal

    unfavorable information.

    c) They are responsible for maintaining an ethical conduct of

    professional activities.

    i) They should do what they can to ens

    with the spirit as well as the letter of

    ii) They should conduct themselves

    legal standards.

    iii) They should report to a

    fraudulent or other illegal

    2) Integrity and a refusal to comp

    3) Objectivity in presenting info

    6. Role of the Internal Audit Activity


    s er of benefits between an employee and those with

    qanization deals.

    use of organizational information for private gain.

    meted the outline for this subunit

    Study

    multiplechoice

    42

    c. Other internal

    complaints,

    ethics cli

    4) The minimum internal audit activity role is assessor of a) the ethical climate and

    b) the effectiveness of processes to achieve legal and ethical compliance.

    Internal auditors should evaluate the effectiveness of the following features of

    an enhanced, highly effective ethical culture:

    a) A formal code of conduct and related stateme

    procedures covering fraud and corruption)

    b) Frequent demonstrations of ethical attitudes

    leaders

    c) Explicit strategies to enhance the ethical

    d) Easily accessible means of confid

    e) Regular declarations by emp

    requirements for ethical

    f) Clear delegation of res

    2) investigation, and

    h) Positive personnel


    i) Regular s

    state of

    j

    Regular

    k) Regula

    3) Because of their skills and position in the organization, auditors should actively

    support the ethical culture. Auditor roles may include

    a) Chief ethics officer,

    b) Member of an ethics council, or

    c) Assessor of the ethical climate.

    Stop

    ques


    a. Governance, risk management, and control processes are adequate if management has planned and designed them to provide reasonable assurance of achieving the organization's objectives efficiently and economically.

    1) Efficient performance accomplishes objectives in an accurate, timely, and economical fashion. Economical performance accomplishes objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.

    2) Reasonable assurance is provided if the most cost-effective measures are

    taken in the design and implementation stages to reduce risks and restrict

    expected deviations to a tolerable level.

    2

    senior management and the board about best

    management, control, and compliance.

    ed in The IIA Glossary as adherence to policies, plans,

    , regulations, contracts, or other requirements.

    The internal audit activity must evaluate the risks involved in governance,

    rations, and information systems that relate to compliance with laws,

    ulations, policies, procedures, and contracts. The internal audit

    activity also must evaluate the controls regarding compliance.

    b

    e~ , the board, and other parties

    -od that established objectives and

    plans, organizes, and directs the

    provide reasonable assurance that

    ved.

    , manage, and control

    Ieassurance regarding

    ) defines

    1. Nature of Work

    a. According to The IIA's Definition of Internal Auditing, the int

    an organization accomplish its objectives by bringing,

    approach to evaluate and improve the effectiveness

    governance processes.

    1) These processes are closely related. The II

    them as follows:

    a) Governance - The combination

    by the board to inform, di

    organization toward

    b) Risk management -

    potential events or .

    the achievement of the

    c Control

    A ny

    to man

    goals

    perfo

    obj

    i

    Performance Standard 2100

    Nature of Work

    The internal audit activity must evaluate and contribute to the improvement of governance, risk

    management, and control processes using a systematic and disciplined approach.

    1.4 EDUCATION IN BEST PRACTICES


    . ati s may use the work of external auditors to provide assurance

    activities within the scope of internal auditing. In these cases, the

    es the steps necessary to understand the work performed by the

    nal auditors, including:

    The nature, extent, and timing of work planned by external auditors, to be satisfied that the external auditors' planned work, in conjunction with the internal auditors' planned work, satisfies the requirements of Standard 2100.

    b) The external auditor's assessment of risk and materiality.

    c) The external auditors' techniques, methods, and terminology to enable the CAE to (1) coordinate internal and external auditing work; (2) evaluate, for purposes of reliance, the external auditors' work; and (3) communicate effectively with external auditors.

    d) Access to the external auditors' programs and working papers, to be satisfied that the external auditors' work can be relied upon for internal audit purposes. Internal auditors are responsible for respecting the confidentiality of those programs and working papers (para. 2).

    external auditors, including coordination with the

    s the responsibility of the board. Coordination of internal

    ~~i ork is the responsibility of the chief audit executive (CAE).

    the support of the board to coordinate audit work effectively

    a

    1

    e activities with other internal and

    ure proper coverage and minimize

    The chief audit executive should shar

    external providers of assurance an

    duplication of efforts.

    1.5 COORDINATION

    3. Basic Types of Internal Audit Engagements

    a. The essential strategic function of the internal audit activity is to provide assurance

    services and consulting services. Thus, the Definition of Internal Auditing describes

    internal auditing as an independent, objective assurance and consulting activity.

    b. Separate groups of Implementation Standards have been issued for assurance

    services and consulting services. These services are defined in The IIA Glossary as

    follows:

    1) Assurance services - An objective examination of

    providing an independent assessment on governance, ri

    control processes for the organization. Exampl

    performance, compliance, system security, and

    2) Consulting services - Advisory and related eli

    and scope of which are agreed with the client

    improve an organization's governance, risk

    processes without the internal auditor as

    Examples include counsel, advice, f

    Stop and review You have completed the outline

    questions

    through 12 on page 43.


    e for regular evaluations of the coordination between

    I auditors. Such evaluations may also include assessments

    over ciency and effectiveness of internal and external audit

    activities, ing aggregate audit cost. The CAE communicates the results of these evaluations to senior management and the board, including relevant comments about the performance of external auditors (para. 7).

    1

    v

    minimized

    e audit

    timely completion

    3) The external auditor may rely on the work of the internal audit activity in performing their work. In this case, the CAE needs to provide sufficient information to enable external auditors to understand the internal auditors' techniques, methods, and terminology to facilitate reliance by external auditors on work performed. Access to the internal auditors' programs and working papers is provided to external auditors in order for external auditors to be satisfied as to the acceptability for external audit purposes of relying on the internal auditors' work (para. 3).

    NOTE: Professional standards place sole responsibility for th

    external auditors. Only the external auditors have the

    permit the provision of assurance to external parties.

    the external auditors use the work of other independe

    cannot be shared with the internal auditors.

    Planned audit activities of internal and

    ensure that audit coverage is coordin

    where possible. Sufficient meetings

    process to ensure coordination

    of audit activities, and to d

    recommendations from

    planned work be adjusted (

    5) The internal audit activity's final

    those communications

    available to external .

    in determinin

    internal audito

    and manag

    included i

    input to

    audit


    Stop and review You have completed the outline for this subunit. Study multiple-choice

    questions 13 through on page 44.

    acquisitions

    and trading

    dities

    vernments may have their own regulatory bodies.

    rganizations, entire departments or functions are established to

    with the regulations issued by these governmental bodies.

    q

    e, broker-dealers in securities establish compliance departments to

    . that trades are executed according to the requirements of securities

    . Moreover, manufacturers have departments to monitor wage-and-hour

    pliance, workplace safety issues, and discharge of toxic wastes.

    the responsibilities of the internal audit activity is the evaluation of the

    anizations compliance with applicable laws and regulations.

    1) The internal audit activity coordinates its work with that of inspectors and other

    personnel from the appropriate governmental bodies and with personnel from

    internal assurance functions.

    subject to governmental regulation in

    2.

    Coordinating with Regulatory Oversight

    a. Businesses and not-f

    many countries.

    1) Below is a sam

    EXAMPLE

    From CIA Exam

    Which of the following is not a true statement about the relationship between internal auditors and external auditors?

    A. External auditors must assess the competence and objectivity of internal auditors.

    B. There may be periodic meetings between internal and external auditors to discuss matters of

    mutual interest.

    C. There may be an exchange of engagement communications and manage

    D. Internal auditors may provide engagement work programs and

    auditors.

    (A) is correct. The external auditor assesses the objectivity and com

    auditors only if (s)he intends to rely on their work.

    (B) is incorrect. The relationship involves a sufficient number of

    (C) is incorrect. The relationship involves reasonable mu

    communications and management letters.

    (D) is incorrect. The relationship involves reaso

    programs and working papers.


    uditors evaluate the whole management process of planning, organizing, and

    fl g to determine whether reasonable assurance exists that objectives will be

    ved.

    c. All business systems, processes, operations, functions, and activities within the organization are subject to the internal auditors' evaluations. Internal auditing provides reasonable assurance that management's

    1) Risk management activities are effective;

    2) Internal control is effective and efficient; and

    3) Governance process is effective by establishing and preserving values, setting goals, monitoring activities and performance, and defining the measures of accountability.

    s of internal auditors involves organizing and leading a team in

    d business process improvement.

    ap is a simple flowchart or narrative description used to depict a

    It aids in assessing the effectiveness and efficiency of processes and

    ys an important strategic role in the governance

    ole includes providing leadership, assessing the

    urement systems, making appropriate

    Ing the achievement of corporate objectives.

    b.

    Internal auditors

    and contributing to the

    auditors provide

    and operating effectiveness of the

    may provide consulting services

    s. In some cases, internal auditors

    oard self-assessments of governance practices

    2.

    Strategic Role of the Internal Audit

    Acti

    a

    j

    The internal audit activity must assess and make appropriate recom

    governance process in its accomplishment of the following objectives:

    Promoting appropriate ethics and values within the organizatio

    Ensuring effective organizational performance management a

    Communicating risk and control information to appropria

    Coordinating the activities of and communicating i

    internal auditors, and management.

    Performance Standard 211

    Governance

    1.

    Governance

    a. Internal auditors evaluate and improve governance processes as part of their

    assurance function. This subunit addresses the overall role of internal auditing in

    governance.

    It also outlines more specific governance activities, such as the assessment of the internal audit activity's own performance.

    1.6 OTHER TOPICS


    Interpretation of Standard 2040

    The form and content of policies and procedures are dependent upon the size and structure of

    the internal audit activity and the complexity of its work.

    Practice Advisory 2040-1,

    Policies and Procedures

    policies and

    developed by the CAE do not necessarily need to be contained in formal

    rative and technical manuals.

    A small internal audit activity may be managed informally through daily, close

    supervision and memoranda.

    2) In a large internal audit activity, more formal and comprehensive policies and

    procedures are essential to guide the execution of the internal audit plan.

    b. The importance of the relationship of the particular internal audit activity to the extent

    of its formal policies and procedures is made clear in this Interpretation:

    policies and procedures to guide the internal audit activity.

    7

    Study multiple-choice

    5. Performance Measurement Systems a

    a. An important element of co

    objectives. Internal auditors can u

    b. Internal auditors can add value to an

    performance measurem and

    c. Internal auditors ma

    results of these en

    system is adequ

    Stop and review You have

    questions 16 and 17 on pa

    4. Internal Audit Performance Measurements

    Key performance measurements for the internal audit activity provide criteria against which it is judged.

    b. The following guidance is provided by The IIA Practice Guide, Measuring Internal Audit Effectiveness and Efficiency:

    1) Establishing performance measures is critical in determining whether an audit

    activity is meeting its objectives, consistent with the highest quality practices

    and standards.

    2) The first step is to identify key performance measures for

    stakeholders believe add value and improve

    3) Once key effectiveness and efficiency measure

    identified, a monitoring process and a method

    should be established (e.g., format, timing,

    reporting should be based on stakeholder n

    4) It is important that the internal audit acti

    stakeholders on audit effectiveness


    C

    Catch

    .Lying

    Records

    The IIA Position Paper groups the internal audit activity's roles into three categories:

    a) Core internal audit roles in regard to ERM

    b) Legitimate internal audit roles with safeguards

    c) Roles the internal audit activity should not undertake

    helpful memory aid is

    can undertake a broad range of ERM activities. However, internal

    auld not undertake any activities that could threaten their independence

    e to an organization by providing the board with objective

    2.

    lement of corporate

    nd operating the risk

    1. Overview

    a. The IIA Position Paper:

    The Role

    Management

    states that risk man

    governance. Management is respon

    management framework on If of th

    b. Enterprise-wide risk mana

    structured, consi

    relation to ERMsho

    the effectiveness

    c. When internal

    certain safe

    therefore,

    indep

    Performance Standard 2120

    Risk Management

    The internal audit activity must evaluate the effectiveness and

    management processes.

    At one time, audit professionals thought of risk only in the context of an audit (e.g., the probability of not discovering a material financial statement misstatement). Today, after extensive research and many scholarly publications, risk is recognized as something that must be examined and mitigated in every aspect of an organization's operations. Thus, CIA candidates should understand the distin nsibilities of (1) the internal audit activity and (2) senior management and the board for enterpri

    1.8 ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT

    Stop and review You have completed the outline for this subunit. Study multiple-choice questions 18 through 20 beginning on page 45.


    0) is incorrect. Internal auditors may recommend controls without losing independence.

    veness of management s risk processes.

    the risks identified.

    ity that threatens independence.

    ssessments and reports on the organizations risk management

    .mal audit role but also a high audit priority.

    management s responsibility for the risk management process is a

    internal audit activitys independence. It requires a full discussion and board

    -1, para. 5).

    (C) is incorrect. Internal auditors assist both management and the board examining,

    evaluating, reporting, and recommending improvements of the adequacy and effectiveness of risk

    management processes.

    A.

    B.

    C.

    D.

    n internal auditor who had participated in

    ess? .

    Whichof the following th

    the initial establishme

    in pursuit of

    uences the entitys

    3. Core Internal Audit Activity Roles in ERM

    a. Giving assurance on the risk management process

    b. Giving assurance that risks are correctly evaluated

    c. Evaluating risk management processes

    d. Evaluating the reporting of key risks

    e. Reviewing the management of key risks

    4. Legitimate Internal Audit Activity Roles Given Safeguards

    a. Facilitating identification and evaluation of risks

    b. Coaching management in responding to risks

    c. Coordinating ERM activities

    d. Consolidating the reporting on risks

    e. Maintaining and developing the ERM framework

    f. Championing establishment of ERM

    g. Developing an ERM strategy for board approval

    5. Roles the Internal Audit Activity Should Not Undertake

    a. Setting the risk appetite

    1) Risk appetite is the amount of

    value. It reflects the risk ma

    culture and operating style.

    b. Imposing risk management processes

    c. Management assurance on ri

    d. Making decisions on

    e. Implementing risk res

    f

    Accountability for


    1) Risk management is a key responsibility of senior management and the board.

    a) Management ensures that sound risk management processes (RMPs)

    are in place and functioning.

    b) Boards have an oversight function. They determine that RMPs are in

    place, adequate, and effective.

    c) The internal audit activity may be directed to examine, evaluate, report,

    or recommend improvements.

    i) It also has a consulting role in identifying, evaluating, and implementing risk management methods and controls.

    nsibil

    ~

    The _.:

    ion of responsibility is described in Practice Advisory

    2120-1, Assessing the Adequacy of Risk Management Processes.

    Establishing a risk-based audit model and participating in the organization's risk

    management processes are ways for the internal audit activity to add value.

    ~.JI

    r-Organizational Risk Management

    . , :

    , , . ( fo r; .th e

    ~t~urrenceof fraud and

    . ~

    .

    ? ~Fgi~nizatiQns: .;).< {

    .:.i;

    Interpretation of Standard 2120

    Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:

    Organizational objectives support and align with the organization's mission;

    Significant risks are identified and assessed;

    Appropriate risk responses are selected that align risks with the

    appetite; and

    Relevant risk information is captured and communicated in a

    organization, enabling staff, management, and the board

    responsibilities.

    The internal audit activity may gather the information to support

    engagements. The results of these engagements, when vi

    understanding of the organizations risk management

    Risk management processes are monitored th

    evaluations, or both.

    6. Role in Risk Management

    a. The following Interpretation clarifies the internal audit activity's role:


    . internal

    ard-

    Stop and review. You have completed the outline for this subunit. Study multiple-choice questions 21 through 23 beginning on page 46.

    nature, timing, and extent of certain tests must be determined before the

    trol processes can be evaluated.

    (B) is incorrect. Internal auditors have no authority to ensure correction of material weaknesses.

    (C) is correct. Risk management, control, and governance processes are adequate if management has planned and designed them to provide reasonable assurance of achieving the organization's objectives efficiently and economically. Efficient performance accomplishes objectives in an accurate, timely, and economical fashion. Economical performance accomplishes objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.

    (D) is incorrect. The scope of internal auditing is much broader than concern for the fairness of financial statements.

    sk management, control, and governance processes ensure that

    nl Jgement,control, and governance processes provide

    , anizations objectives are achieved efficiently and

    B.

    C

    Which of the following

    adequacy of risk manag

    To help rotorrn

    object

    6 To form an opinion 0

    sufficient, a .

    a

    anizations

    small entity may

    5) RMPs may be formal or informal, qua

    business units or centralized.

    culture, management style,

    use an informal risk comm

    2) If the organization has no formal RMPs, the CAE has formal discussions with

    management and the board about their obligations for understanding,

    managing, and monitoring risks.

    3) The CAE must understand management's and the board's expectations of the internal audit activity in risk management. The understanding is codified in the charters of the internal audit activity and the board.

    4) Senior management and the board determine the internal audit activity's role in risk management based on factors such as (a) organizational culture, (b) abilities of the internal audit activity staff, and (c) local conditions and customs.

    a) That role may range from no role, to auditi the

    audit plan, to active, continuous support

    to managing and coordinating the proces

    i) But assuming management respo

    audit activity independence m

    approved.


    b

    3 Human Resources

    a. The skill set and

    help the organizatio

    ssura nce

    C

    associates to fill

    et. Generally, the

    r to develop the

    t

    and the board for

    1. Overview

    a. The chief audit executive (CAE) is responsible for management of internal audit

    activity resources in a manner that ensures fulfillment of its responsibilities. Like any

    well-managed department, the internal audit activity should operate effectively and

    efficiently. This can be accomplished through proper planning, which includes

    budgeting and human resources management.

    b. Management oversees the day-to-day operations of the internal

    including the following administrative activities:

    1) Budgeting and management accounting

    2) Human resource administration, including pe

    compensation

    3) Internal communications and information fl

    4) Administration of the internal audit activity'

    2. Budgeting

    a. The CAE is responsible for creating

    CAE, audit managers, and the i

    budget annually. The budget is

    their review and approval.

    que nd forms should be prepared in advance to evaluate,

    othejj ~'theapplicant's (a) technical qualifications, (b) educational

    background, (c) personal appearance, (d) ability to communicate, (e) maturity,

    (f) persuasiveness, (g) self-confidence, (h) intelligence, (i) motivation, and

    (j) potential to contribute to the organization.

    j~~l~fs

    eed a diverse set of skills to perform their jobs effectively. These

    skills are not always apparent in a standard resume. Developing effective

    interviewing techniques will ensure that the internal audit function acquires the proper

    skills, capabilities, and technical knowledge needed to accomplish its goals.

    C l

    Effective interviewing techniques involve structured interviews and behavioral

    interviewing.

    1) Structured interviews are designed to eliminate individual bias. These interviews

    use a set of job-related questions with standardized answers, which then are

    scored by a committee of three to six members. According to Management (Kreitner & Cassidy, 12th edition), interviewers can use four general types of questions:

    a) Situational - What would you do if you saw two people arguing loudly in

    the work area?

    b) Job knowledge - Do you know how to do an Internet search?

    1.9 INTERNAL AUDIT ADMINISTRATIVE ACTIVITIES


    ssurance and Improvement Program

    provides

    in the continuous examination of their processes

    . of stakeholders.

    processes designed to provide reasonable assurance to

    internal audit activity

    n accordance with its charter, the Definition of Internal Auditing,

    e of Ethics, and the Standards

    Operates effectively and efficiently

    5

    perceived as adding value and improving operations

    These processes include appropriate supervision, periodic internal and external

    assessments, and ongoing monitoring of quality assurance.

    The QAIP embraces all facets of the internal audit activity as reflected in the pronouncements of The IIA and best practices of the profession.

    a) Its processes are performed or supervised by the CAE.

    b) A large or complex entity has a formal, independent QAIP administered

    and monitored by an audit executive.

    a.

    1.

    ssurance and improvement program

    1.10 QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

    Stop and review You have completed the

    outl

    questions 24 through 27 beginning on page 47

    ility,

    1) Governance,

    2) Risk management, and

    3) Control.

    b. Periodic reports also are made on internal audit s

    and performance.

    c. Reporting to senior management and the boa

    Unit 2, Subunit 3.

    The chief audit executive must

    that covers all aspects of the i

    4. Reporting

    a. Reporting to senior management and the board provides assu

    c) Job sample simulation - Can you show us how to compose and send an e-mail message?

    d) Worker requirements - Are you able to spend 25 percent of your time on the road?

    2) Behavioral interviews determine how candidates handled past situations. Past

    performance is generally indicative of future performance.


    ~:

    organizations governance processes.

    question sizes the element not required in the assessment of a QAIP.

    (A) is correct. Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board (PA 2050-1). It is not within the scope of the process for monitoring and assessing the quality program.

    (B) is incorrect. Conformance with the Definition of Internal Auditing, Standards and Code of Ethics, including timely corrective actions to remedy any significant instances of nonconformance, is an element of the assessment of a quality program.

    (C) is incorrect. Adequacy of the internal audit activity's charter, objectives, policies, and procedures is an element of the assessment of a quality program.

    (D) is incorrect. Contribution to the organization's governance, risk management, and control processes is an element of the assessment of a quality program.

    e work of external auditors.

    dards and Code of Ethics.

    nprovernent program should includeevaluation of all of


    Attribute Standard 1310

    Requirements of the Quality Assurance and Improvement Program

    The quality assurance and improvement program must include both internal and external

    assessments.


    b. Practice Advisory 1310-1, Requirements of the Quality Assurance and Improvement Program, provides detailed guidance:

    1) A QAIP is an ongoing and periodic assessment of all wo

    activity. These rigorous assessments include

    a) Continuous supervision-and testing of perf

    b) Periodic validation of conformance with

    c) Measurement and analysis of

    perform

    accomplishment and customer

    2

    Indicated improvements are impl

    Assessments evaluate and

    audit activity

    and produce.

    a) Conformance with man

    b) Adequacy of the internal a

    procedures;

    c) The contri mana~emenj~f0ntr6L and gove.rnanee;

    d) Complia: .. atio nmgovernment or Industrystandards;

    e) Continuer and n of best practices; and

    f) Whether the internal audit activity adds value and improves operations.

    4) OAIP efta up invojvi appropriate and timely modification of

    ures, and technology.

    5) . communicated to stakeholders. The CAE

    and the board on QAIP efforts at least annually.


    ~

    .. ~. ongoing or periodic internal assessment, conclusions about

    ~ o rrnance are reached, and appropriate action is begun to ensure

    iiifrflprOVements are made.

    Those conducting internal assessments generally report directly to the CAE, who should establish a structure for reporting results that maintains credibility and objectivity.

    6) At least annually, the CAE reports results, action plans, and implementation information to senior management and the board.

    should not communicate assurances about the outcome of

    I assessment, although the report may give recommendations

    e practices.

    r~e .er, the periodic internal assessment may be the self-assessment

    of

    a selfassessment with independent validation.

    b)

    c)

    d)

    . :q . , , ;

    bl~f~rs (in interviews and surveys)

    )

    2. Internal Assessments

    a. Ongoing and periodic internal assessments are addre

    1311-1, Internal Assessment:

    1) The processes and tools used in ongoing intern

    a) Engagement supervision;

    b) Checklists and procedures;

    c) Feedback;

    d) Peer reviews of working pa

    e) Budgets, timekeeping,

    recoveries; and

    f) Analyses of other pe

    2) The IIA's Quality Assessment Man

    assessments. These volve

    Internal assessments must include:

    Ongoing monitoring of the performance of the internal audit activity; and

    Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

    Attribute Standard 1311

    Internal Assessments


    Objectivity is impartiality, intellectual honesty, and freedom from conflicts

    of interest.

    An external reviewer should be a certified audit professional well versed in the Standards and best practices with at least 3 years of management experience in internal auditing or related consulting.

    a) Leaders of independent review teams and those who validate a self-assessment must have additional competence and experience.

    i) Qualifications include prior external assessment work, quality assessment training, or service as a senior internal auditor.

    5) The reviewer(s) should have relevant technical and industry experience, and other specialists may be needed.

    6) Senior management and the board are involved in selecting (a) the approach and (b) the external quality assessment provider.

    rganizatiQ~@ .

    to in ,::lldence include conflicts of former employees or

    idin h~}financial statement audit, 2) significant

    3)assistance to the internal audit activity.

    er part o f the organization or in a related organization

    . an affiliate) is not independent.

    i lll

    mong three unrelated organizations but not between two)

    the independence requirement.

    cerns about independence, one or more independent

    duals may provide separate validation.

    is honesty and candor limited by confidentiality, with no subordination

    vice and the public trust to personal gain.

    a

    or interest in,

    have no rea

    relations

    sment should have no obligation to,

    r its personnel. External assessors

    erest due to current or past

    c) The scopemu

    Individuals

    nal audit activity.

    ~, identification, and

    s ssments

    ~.~~.

    ,independent

    f-assessment

    . ternal

    3. External Assessments

    a. External assessments provide an independent and

    audit activity's compliance with the Standards and

    b. Further specifics are provided in Practice Advi

    1) An external assessment may be a full

    external reviewer or review

    with independent valldat

    a

    b)

    Attribute Standard 1312

    External Assessments

    External assessments must be conducted at least once every five years by a qualified, independent

    assessor or assessment team from outside the organization. The chief audit executive must discuss

    with the board:

    The form and frequency of external assessments; and

    The qualifications and independence of the external reviewer or assessmen

    potential conflict of interest.


    from the interpretation of Standard 1320 addresses the frequency of

    on the QAIP:

    demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually

    nicate the results of the quality assurance and improvement

    prIJ.~Jjlll ;..Jndhe board.

    The

    prog

    must be kept informed about the extent to which

    the degree of professionalism required by The IIA.

    ccountability and transparency

    responsibilities is impaired

    i) The degree of pa

    b) Expression of an opinion

    due professional care.

    c) The cornrnuruc Tlr,n

    practices (2)

    action pia.

    10) The results inc

    accomplish

    (e.g., senio

    a

    4

    Reporting

    Res

    a. Se

    t

    7) The scope of the review extends to conformance with mandatory guidance of The IIA, the internal audit activity's charter, laws, etc. It also extends to

    a) The expectations of management and the board,

    b) Integration of the internal audit activity with the governance process,

    c) The internal audit activity's tools and techniques,

    d) Competence (mix of the staff's knowledge, experience, and disciplines), and

    e) Whether the internal audit activity adds value and

    8) Preliminary results are discussed with the CAE. Final

    communicated to the CAE, and a formal commu

    management and the board.

    9) The communication includes an opinion on

    guidance of The IIA. Conformance means

    activity satisfy such guidance.

    a


    ce

    Stop and review. You have completed the outline for this subunit. Study multiple-choice questions 28 through 30 on page 49.

    .~ndependent external assessment of the internal audit activity must be

    t once every 5 years.

    (C) is incorrect. The CAE must develop and maintain a QAIP that covers all aspects of the

    internal audit activity.

    (D) is incorrect. Assessments also may be made by others who are (1) independent, (2) qualified,

    and (3) from outside the organization.

    izes t

    \ >

    Standard~

    i

    audit executive may state that the internal audit activity conforms with the

    for the Professional Practice of Internal Auditing only if the results of the

    provement program support this statement (Attr. Std. 1321).

    .ccountable for implementing a quality program.

    al audit activity are made by external auditors.

    gftion permitting internai auditors to report that their activities

    ;: ogram.

    e internal audit activity is conducted annually.

    Internal auditors may rep

    statement only if

    A. It is supported

    B.

    They may use this

    I

    audit activity and not to. Nonconformance of

    specific engageme

    CSor the Standards

    audit executive must

    the board.

    6. Importance of Reporting Nonconformance

    a. The internal audit activity is a crucial part of a cornpl

    processes. Senior management and the board

    assessment discovers significant nonconfo

    Attribute Standard 1321

    Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"

    The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.

    5. Importance of Conforming with the Standards

    a. Compliance with the Standards requires an effective QAIP.


    Answer (A) is correct.

    REQUIRED: The true statement about resistance to organizational change.

    DISCUSSION: Resistance to change may be caused by fear of the personal adjustments that may be required. Employees may have a genuine concern about the usefulness of the change, perceive a lack of concern for workers' feelings, fear the outcome, worry about downgrading of job status, and resent deviations from past procedures for implementing change (especially if new procedures are less participative than the old). Social adjustments also may be required that violate the behavioral norms of informal groups or disrupt the social status quo within groups. Economic adjustments may involve potential economic loss or insecurity based on perceived threats to jobs. In general, any perceived deterioration in the work situation that is seen as a threat to economic, social, and/or psychological needs will produce resistance. The various adjustments required are most likely to be resisted when imposed unilaterally by higher authority. However, employees who share in finding solutions to the problems requiring change are less likely to resist because they will have some responsibility for the change.

    Lack of skills, threats to job status or

    re inhibit changes in the culture of the

    (B) is incorrect. Lack of skills, threats to job status or security, and fear of failure are not symptoms of dissatisfaction with the structure of the organization. Answer (C) is incorrect. Lack of skills, threats to job status or security, and fear of failure do not indicate an inability to perform.

    Answer (C) is correct.

    REQUIRED: The factor management is least likely to be

    able to change.

    DISCUSSION: The environment of an organization consists

    of external forces outside its direct control that may affect its

    performance. These forces include competitors, suppliers,

    customers, regulators, climate, culture, pol technological

    change, and many other factors. The members

    are a factor that managers are clearly

    Answer (A) is incorrect.

    factor that managers are

    incorrect. The organiz

    are clearly able to change.

    organization's technology

    able to change.

    D.

    C.

    B.

    A. Want to change the culture of their

    organization.

    B. Are dissatisfied with the structure of their

    organization.

    C. Are unable to perform their jobs.

    D. Resist organizational change.

    2. Lack of skills, threats to job status or security, and

    fear of failure all have been identified as reasons that

    employees often

    A. The organization's members.

    B. The organization's structure.

    C. The organization's environment.

    D. The organization's technology.

    QUESTIONS

    Change Management

    1. An organization's management perceives the

    need to make significant changes. Which of the

    following factors is management least likely to be

    able to change?


    Answer (D) is correct.

    REQUIRED: The most effective composition of an audit committee.

    DISCUSSION: The audit committee of the board of directors should be composed entirely of outside directors. Outside directors are members of the board who are independent of internal management. Because the primary purpose of the audit committee is to promote the independence of the internal and external auditors from management, an audit committee composed of inside directors would be ineffective.

    Answer (A) is incorrect. The audit committee is not required to be rotated periodically. Answer (B) is incorrect. Regulators ordinarily do not serve as directors. Answer (C) is incorrect. Officers are not outside directors.

    Answer (A) is correct.

    REQUIRED: The most important limitation on the effectiveness of audit committees.

    DISCUSSION: The audit committee is a subcommittee made up of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to ensure that the directors are exercising due care. However, if independence is impaired by personal and professional friendships, the effectiveness of the audit committee is limited.

    Answer (B) is incorrect. The

    members receive is usually

    independent and therefore

    Answer (C) is incorrect.

    concerned with external audi

    internal audit activity.

    members do not need

    understand engage

    regu

    C. Mem from a

    specifically inclu

    banking, labor, re tory agencies,

    shareholders, and officers.

    D. Only external members of the board of

    directors or its equivalent.

    B.

    An audit committee

    enhance the inAo onrior

    external auditing

    functions from

    this criterion, a

    of

    D

    A. Assigning the internal audit activity responsibility for interaction with government agencies.

    B. Using the chief audit executive as a major

    resource in selecting the external a

    Following up on recommendations

    the chief audit executive.

    5

    The audit committee strengthens the control

    processes of an organization by

    Audit committees devote most of their efforts to

    external audit concerns and do not pay much

    attention to the internal audit activity and the

    overall control environment.

    D

    Audit committee members do not normally have degrees in the accounting or auditing fields.

    A. Audit committees may be composed of independent directors. However, those directors may have close personal and professional friendships with management.

    B. Audit committee members are compensated by the organization and thus favor an owner's view.

    1.2 Stakeholder Relationships

    4. Audit committees have been identified as a major

    factor in promoting the independence of both internal

    and external auditors. Which of the following is the

    most important limitation on the effectiveness of audit

    committees?


    Answer (A) is correct.

    REQUIRED: The content of a code of ethics of a professional organization.

    DISCUSSION: An organization's code of ethical conduct is the established general value system the organization wishes to apply to its members' activities by communicating organizational purposes and beliefs and establishing uniform ethical guidelines for members, which include guidance on behavior for members in making decisions. A code establishes high standards against which individuals can measure their own performance and communicates to those outside the organization the value system from which the organization's members must not be asked to deviate.

    Answer (B) is incorrect. The organizational details of the profession's governing body are stated in the by-laws of the professional organization. Answer (C) is incorrect. Certain actions may be legal but contrary to an organization's code of ethics. For example, an internal auditor may not perform a service for which (s)he does not possess the necessary knowledge, skills, and experience. Answer (D) is incorrect. The Standards establish a basis for the measurement of internal audit performance.

    of ethical conduct is

    organization wishes to

    municates organizational

    es uniform ethical guidelines

    inclu nee on behavior for members in

    A code, . blishes high standards against

    m~j3sti(etheir own performance. It also

    outside the organization the value system

    be must not be asked to deviate.

    rrect. Governments typically have no such

    r (C) is incorrect. Codes of conduct provide

    qualitative, not quantitative, standards. Answer (D) is incorrect.

    Other purposes of a code of conduct are much more significant.

    .. i f

    Answer (A) is correct.

    REQUIRED: The primary purpose of establishing a code of ethics.

    DISCUSSION: The primary purpose of a code of ethical behavior for a professional organization is to promote an ethical culture among professionals who serve others.

    Answer (B) is incorrect. National standards-setting bodies, not codes of ethics, provide guidance for effective accounting practice. Answer (C) is incorrect. A code of ethics does not

    provide the framework within which policies are

    developed. Answer (D) is incorrect. rpose is not

    for interviewing new accountants.

    D.

    C.

    8.

    A.

    9. The code of ethics of a profes

    sets forth

    A. Are typically required by governments.

    B. Express standards of individual behavior for

    members of the organization.

    C. Provide a quantifiable basis for personnel

    evaluations.

    D. Have tremendous public relations potential.

    8. The best reason for establishing a code of

    conduct within an organization is that such codes

    A. To outline criteria for professional behavior to

    maintain standards of integrity and objectivity.

    B. To establish standards to follow for effective

    accounting practice.

    C. To provide a framework within which

    accounting policies could be effectively

    developed and executed.

    D. To outline criteria that can be used in conducting interviews of potential new accountants.

    7. An accounting association established a code of

    ethics for all members. What is one of the

    association's primary purposes of establishing the

    code of ethics?

    1.3 Ethical Climate


    Answer (A) is correct.

    REQUIRED The most accurate term for the means of

    providing oversight of processes administered by management.

    DISCUSSION Governance is the combination of

    processes and structures implemented by the board to inform,

    direct, manage, and monitor the activities of the organization

    toward the achievement of its objectives (The IIA Glossary).

    Answer (B) is incorrect. Control is any action taken by

    management, the board, and other parties to manage risk and

    increase the likelihood that established objectives and goals will

    be achieved. Management plans, organizes, and directs the

    performance of sufficient actions to provide reasonable

    assurance that objectives and goals will be achieved (The IIA

    Glossary). Answer (C) is incorrect. Risk management is a

    process to identify, assess, manage, and control potential events

    or situations to provide reasonable assurance regarding the

    achievement of the organization's objectives (The IIA Glossary).

    Answer (D) is incorrect. Monitoring consists of actions taken by

    management and others to assess the quality of internal control

    performance over time. It is not currently defined in the

    Standards and The IIA Glossary.

    C.

    D.

    taken by

    to manage risk and

    objectives will be

    , and directs the

    to provide reasonable

    IV .SiW.1I1 be achieved. Thus, control by

    of proper planning, organizing, and

    Ascertaining needs, identifying

    action, setting standards for measuring

    comparing outcomes with predetermined

    standards is a basic management function. Answer (C) is

    incorrect. Authorizing and monitoring performance and

    comparing actual performance with planned performance is a

    management function. Answer (D) is incorrect.

    Determining efficiency and economy of operations, including

    whether objectives have been met, is a basic management

    function.

    A. Planning, organizing, and directing of

    organizational activities.

    B. Ascertaining needs, identifying alternative

    courses of action, setting standards for

    measuring performance, and comparing

    outcomes with predetermined standards.

    C. Authorizing and monitoring performance and

    comparing actual performance with planned

    performance.

    D. Determining efficiency and economy of

    operations, including whether objectives have

    been met.

    11. Control by management is the result of

    Answer (B) is correct.

    REQUIRED The purpose of the evaluation of the

    effectiveness of risk management processes.

    DISCUSSION Risk management, control, and governance

    processes are effective if management directs processes to

    provide reasonable assurance of achieving the organization's

    objectives. In addition to accomplishing the objectives and

    planned activities, management directs by authorizing activities

    and transactions, monitoring resulting performance, and verifying

    that the organization's processes are operating as designed.

    A. Management has planned and designed so as

    to provide reasonable assurance of achieving

    objectives.

    B. Management directs processes so as to

    provide reasonable assurance of achieving

    objectives.

    C. The organization's objectives will be achieved

    efficiently and economically.

    D. The organization's objectives will be achieved

    in an accurate and timely manner and with

    minimal use of resources.

    10. The purpose of the internal audit activity's

    evaluation of the effectiveness of existing risk

    management processes is to determine that

    1.4 Education in Best Practices


    Answer (A) is correct.

    REQUIRED The person responsible for coordinating

    internal and external audit efforts.

    DISCUSSION Coordination of internal and external audit

    work is the responsibility of the CAE. The CAE obtains the

    support of the board to coordinate audit work effectively

    (PA 2050-1 para. 1).

    Answer (B) is incorrect. The external auditor is an interested

    party but not one that has direct responsibility for coordinating

    internal and external auditing efforts. Answer (C) is incorrect.

    The board has oversight responsibility, but the CAE is

    responsible for the actual coordination of internal and external

    auditing work. Answer (D) is incorrect. Management is an

    interested party but not one that has direct responsibility for

    coordinating internal and external auditing efforts.


    stances in which internal auditors

    of external auditors.

    organizations may use the work of external

    ssurance related to activities within the

    diting (PA 2050-1 para. 2). Coordination of

    internal and external audit work is the responsibility of the CAE

    (PA 2050-1 para. 1).

    Answer (A) is incorrect. Duplication of effort may result if the

    external audit is performed after the internal auditing

    engagement. Answer (B) is incorrect. Internal auditing

    encompasses both financial and operational objectives and

    activities. Thus, internal auditing coverage could also be

    provided by external audit work that included primarily financial

    objectives and activities. Answer (D) is incorrect. External

    auditing work is conducted in accordance with auditing standards

    generally accepted in the host country.

    Answer (B) is correct.

    REQUIRED The responsible party for providing information

    about the benefits of coordination of internal audit activities with

    those of other providers.

    DISCUSSION The chief audit executive should share

    information and coordinate activities with other internal and

    external providers of assurance and consulting services to

    ensure proper coverage and minimize duplication of efforts

    (Perf. Std. 2050). While oversight of the of external auditors

    is the responsibility of the board, rnal and

    external audit work is the responsibility (PA 2050-1

    para. 1).

    Answer (A) is incorrect

    that the internal audit

    achievable from coo

    consulting activities. Iways

    form part of any activi

    auditor, to the board.

    is not responsible

    internal audit as

    C. The board.

    D. Management.

    14. To improve their efficiency, internal auditors may

    rely upon the work of external auditors if it is

    A. Performed after the internal auditing work.

    B. Primarily concerned with operational

    and activities.

    C. Coordinated with internal auditi

    D. Conducted in accordance with

    Ethics.

    A. The external auditor.

    B. The chief audit executive.

    C. The chief executive officer.

    D. Each assurance and consulting function.

    13. Who has primary responsibility for providing

    information to the board on the professional and

    organizational benefits of coordinating internal audit

    activities with those of other providers of similar

    services?

    1.5 Coordination


    Answer (D) is correct.

    REQUIRED: The item most essential for guiding the internal

    audit staff.

    DISCUSSION: The chief audit executive must establish

    policies and procedures to guide the internal audit activity

    (Perf. Std. 2040).

    TILl: s,n~.frnassurance engagement, The internal audit activity

    must evaluate the design, implementation, and effectiveness of

    the organization's ethics-related objectives, programs, and

    activities (Imp. Std. 2110.A1).

    Answer (A) is incorrect. Identifying significant exposures to

    risk most directly relates to risk management rather than to

    governance. Answer (B) is incorrect. Evaluating the

    effectiveness of the risk-management system most directly

    relates to risk management rather than to governance.

    Answer (C) is incorrect. Promoting continuous improvement of

    controls relates to controls rather than to governance.

    Answer (D) is correct.

    REQUIRED:

    contributes to

    DISCUSSI

    Answer (A) is correct.

    REQUIRED: The basic principle of governance.

    DISCUSSION: The internal audit activity must assess and

    make appropriate recommendations for improving the

    governance process (Perf. Std. 2110).

    Answer (B) is incorrect. The internal audit activity is an

    assessor of the governance process. It is not accountable for

    that process. Answer (C) is incorrect. External parties and

    internal auditors may provide assurance about the governance

    process. Answer (D) is incorrect. The internal audit activity must

    assess and make appropriate recommendations for improving

    the governance process in its promotion of appropriate ethics

    and values within the organization.

    A.

    B. Position descriptions.

    C. Performance appraisals.

    D. Policies and procedures.

    A. Identifying significant exposures to risk.

    B. Evaluating the effectiveness of the risk

    management system.

    C. Promoting continuous improvement of

    controls.

    D. Evaluating the design of ethics-related

    activities.

    17. The internal audit activity has a role in an

    organization's governance process. The internal

    audit activity most directly contributes to this process

    by

    A. Assessment of the governance process by an

    independent internal audit activity.

    B. Holding the board, senior management, and

    the internal audit activity accountable for its

    effectiveness.

    C. Exclusive use of external auditors to provide

    assurance about the governance process.

    D. Separation of the governance process from

    promoting an ethical culture in the

    organization.

    1.6 Other Topics

    16. A basic principle of governance is


    Answer (B) is correct.

    REQUIRED The purpose of the evaluation of the

    effectiveness of risk management processes.

    DISCUSSION Risk management, control, and governance

    processes are effective if management directs processes to

    provide reasonable assurance of achieving the organization's

    objectives. In addition to accomplishing the objectives and

    planned activities, management directs by authorizing activities

    and transactions, monitoring resulting performance, and verifying

    that the organization's processes are operating as designed.

    Answer (B) is correct.

    REQUIRED The false statement about policies and

    procedures to guide the internal audit activity.

    DISCUSSION Formal administrative and technical audit

    manuals may not be needed by all internal audit entities. A small

    internal audit activity may be managed informally. Its audit staff

    may be directed and controlled through daily, close supervision

    and written memoranda. In a large internal audit activity, more

    formal and comprehensive policies and procedures are essential

    to guide the internal audit staff in the execution of the internal

    audit plan (PA 2040-1, para. 1).

    Answer (A) is incorrect. The

    procedures depend on the size

    Answer 0 is incorrect. Fo

    manuals may not be n

    Answer (D) is incorrect.

    managed informally throu

    D. The organization's objectives will be achieved

    in an accurate and timely manner and with

    minimal use of resources.

    C.

    B

    A. Ensure compliance with its performance

    standards.

    B. Give consideration to its structure and the

    complexity of the work performed.

    C. Result in consistent job performance.

    D. Prescribe the format and distribution of

    engagement communications and the

    classification of observations.

    20. Written policies and procedures relative to

    managing the internal audit activity should

    A. The form and content of written policies and

    procedures depend on the size of the internal

    audit activity.

    B. All internal audit activities must have a detailed

    policies and procedures manual.

    C. Formal administrative and technical manuals

    may not be needed by all internal audit

    activities.

    D. A small internal audit activity may be managed

    informally through close supervision and

    memoranda.

    19. Policies and procedures must be established to

    guide the internal audit activity. Which of the

    following statements is false with respect to this

    requirement?


    Answer (B) is correct.

    REQUIRED: The most important reason for the chief audit

    executive to ensure that the internal audit department has

    adequate and sufficient resources.

    DISCUSSION: The CAE must ensure that internal audit

    resources are appropriate, sufficient, and effectively deployed to

    achieve the approved plan (Perf. Std. 2030).

    Answer (A) is incorrect. The decision to outsource the

    internal audit function is not primarily based on existing

    resources. Answer (C) is incorrect. The amount of resources is

    not a significant factor in establishing credibility. Answer (D) is

    incorrect. Succession planning is not related to the amount of

    audit resources.

    is incorrect. Internal auditors have no authority

    management processes. They must seek

    ent and the board as to their role in the

    incorrect. Internal auditors are not

    risk analysis of the possible consequences

    a risk management process. However, such a

    request might be made by management. Answer (C) is

    incorrect. In the absence of a specific legal requirement, internal

    auditors are not required to report to outside parties.


    al a an

    e cess.

    ari izaiion

    does not

    ief audit

    and the board

    monitor risks within

    mselves that there

    ization, even if informal,

    sibility into the key risks.

    and monitored (PA 2120-1,

    Answer (D) is correct.

    REQUIRED: The

    organization has no

    DISCUSSIO

    have formal ris

    Answer (C) is correct.

    REQUIRED: The cause of losses giving rise to physical

    safeguards that should be reviewed by the auditor.

    DISCUSSION: The internal audit activity must evaluate risk

    exposures relating to governance, operations, and information

    systems regarding the safeguarding of assets

    (Imp. Std. 2120.A1). For example, internal auditors evaluate risk

    exposure arising from theft, fire, improper or illegal activities, and

    exposure to the elements.

    Answer (A) is incorrect. Misapplication of accounting

    principles relates to the reliability of i and not physical

    safeguards. Answer (B) is incorrect. that are not

    cost justified relate to efficiency, not of operations.

    Answer (D) is incorrect. Un to

    efficiency of operations.

    .

    B

    A. Establish risk management processes based

    on industry norms.

    B. Formulate hypothetical results of possible

    consequences resulting from risks not being

    managed.

    C. Inform regulators that the organization is guilty

    of an infraction.

    D. Formally discuss with the directors their

    obligations for risk management processes.

    23.

    If an organization has no formal risk

    management processes, the chief audit executive

    should

    A. Misapplication of accounting principles.

    B. Procedures that are not cost justified.

    C. Exposure to the elements.

    D. Underusage of physical facilities.

    22. Internal auditors should review the means of

    physically safeguarding assets from losses arising

    from


    Answer (A) is correct.

    REQUIRED The basic principle of governance.

    DISCUSSION The internal audit activity must assess and

    make appropriate recommendations for improving the

    governance process (Perf. Std. 2110).

    Answer (B) is incorrect. The internal audit activity is an

    assessor of the governance process. It is not accountable for

    that process. Answer (C) is incorrect. External parties and

    internal auditors may provide assurance about the governance

    process. Answer (D) is incorrect. The internal audit activity must

    assess and make appropriate recommendations for improving

    the governance process in its promotion of appropriate ethics

    and values within the organization.

    es, and directs

    . reasonable

    achieved.

    ives and goals and

    , changes in internal and

    I~ establishes and maintains

    an ethical climate that fosters

    incorrect. Internal auditors are responsible for

    effectiveness of controls, including

    lity and integrity of financial and

    Answer (C) is incorrect. Senior

    to oversee the establishment,

    assessment of the system of risk

    management control processes. Answer (D) is incorrect.

    The board has oversight responsibilities but ordinarily does not

    become involved in the details of operations.

    Answer (C) is correct.

    REQUIRED The key factor in the success of an internal

    audit activity's human resources program.

    DISCUSSION Internal auditors should be qualified and

    competent. Because the selection of a superior staff is

    dependent on the ability to evaluate applicants, selection criteria

    must be well-developed. Appropriate questions and forms

    should be prepared in advance to evaluate, among other things,

    the applicant's technical qualifications, educational background,

    personal appearance, ability to communicate, maturity,

    persuasiveness, self-confidence, intelligence, motivation, and

    potential to contribute to the organization

    Answer (A) is incorrect. The human

    should be formal. Answer i

    human resources is more

    Answer (D) is incorrect. The

    more significant than special

    C.

    B.

    A

    27. A basic principle of

    A. Establishing and maintaining an organizational

    culture.

    B. Reviewing the reliability and integrity of

    financial and operational information.

    C. Ensuring that external and internal auditors

    oversee the administration of the system of risk

    management and control processes.

    D. Implementing and monitoring controls

    designed by the board of directors.

    26. Directors, management, external auditors, and

    internal auditors all play important roles in creating

    proper control processes. Senior management is

    primarily responsible for

    A. An informal program for developing and

    counseling staff.

    B. A compensation plan based on years of

    experience.

    C. A well-developed set of selection criteria.

    D. A program for recognizing the special interests

    of individual staff members.

    25. The key factor in the success of an internal audit

    activity's human resources program is


    Use the additional questions in Gleim CIA Test Prep Online to create Practice Exams


    Answer (D) is correct.

    REQUIRED: The subject of the opinion expressed in a

    communication after an external assessment of a quality

    program.

    DISCUSSION: External assessments of an internal audit

    activity contain an expressed opinion as to the entire spectrum of

    assurance and consulting work performed (or that should have

    been performed under its charter), including (but not limited to)

    conformance with the Definition of Internal Auditing, the Code of

    Ethics, and the Standards. An external assessment also

    includes, as appropriate, recommendations for improvement

    (PA 1312-1, para. 2). On completion of the review, a formal

    communication should be given to senior management and the

    board (PA 1312-1, para. 3).

    Answer (A) is incorrect. An opinion is expressed on all

    assurance and consulting work performed (or that should have

    been performed under its charter). Answer (B) is incorrect. The

    scope of an external assessment extends to more than the

    effectiveness of the internal auditing coverage. Answer (C) is

    incorrect. An external assessment addresses the internal audit

    activity, not the adequacy of the organization's controls.

    Answer (A) is correct.

    REQUIRED:

    the quality of pi

    engagements.

    D st include ongoing

    audit activity and

    ssessment or by other

    ufficient knowledge of

    1311). The processes and

    include, among other

    of working papers by staff not

    dits (PA 1311-1, para. 1).

    Project assignment documentation

    rmation for assessment purposes than

    (C) is incorrect. Status reports do not

    ning. Answer (D) is incorrect. The

    engagement work schedule does not relate to

    documentation for individual engagements.

    Answer (A) is correct.

    REQUIRED: The element not part of a quality assurance

    program.

    DISCUSSION: Appraising each internal auditor's work at

    least annually is properly a function of the human resources

    program of the internal audit activity.


    C.

    D

    30. An external assessment of an i

    activity contains an expressed

    applies

    A. Written engagement work programs.

    B. Project assignment documentation.

    C. Weekly status reports.

    D. The long-range engagement work schedule.

    29. As a part of a quality program, internal

    assessment teams most likely will examine which of

    the following to evaluate the quality of engagement

    planning and documentation for individual

    engagements?

    A. Annual appraisals of individual internal

    auditors' performance.

    B. Periodic internal assessment.

    C. Supervision.

    D. Periodic external assessments.

    28. The chief audit executive should develop and

    maintain a quality assurance and improvement

    program that covers all aspects of the internal audit

    activity and continuously monitors its effectiveness.

    All of the following are included in a quality program

    except

    1.10 Quality Assurance and Improvement Program (QAIP)
