7/21/2019 CIA Part 1 Chapter 1
C. Establish Risk-Based IA Plan
procedures for the planning, organizing, directing, and monitoring of internal audit
2. Review of the internal audit function within the risk management framework
3. Direct administrative activities (e.g., budgeting, human resources) of the internal audit department
4. Interview candidates for internal audit positions
5. Report on the effectiveness of corporate risk management processes to senior management and the board
6. Report on the effectiveness of the internal control and risk management frameworks
7. Maintain effective Quality Assurance Improvement Program
regulatory oversight bodies and other internal assurance functions
system, achievement of corporate objective
disposition of
Function from
IA exam and is
portion of the syllabus
This study unit is the first of four covering Section
The IIA's CIA Exam Syllabus. This section makes
tested at the proficiency level unless otherwise in
is highlighted below. The complete syllabus is in Appe
25 pages of outline)
STUDY UNIT ONE
STRATEGIC AND OPERATIONAL
ROLES OF INTERNAL AUDIT
lai and procedural changes often are resisted by the individuals and
ffected. This response may be caused by simple surprise, inertia, or fear of
But it also may arise from the following:
1) Misunderstandings or lack of needed skills
2) Conflicts with, or lack of trust of, management
3) Emotional reactions when change is forced
4) Bad timing
5) Insensitivity to employees' needs
6) Perceived threats to employees' status or job security
7) Dissolution of tightly knit work groups
8) Interference with achievement of other objectives
is a change in an organization's systems or structures.
attitudes and mindset, for example, when a total quality
adopted.
ange in a product's physical attributes and usefulness to
12) Ope
13) C
, ving creative ideas and taking
trategy
The internal audit activity can add value to an organization by
change. According to The IIA competency framework,
following interpersonal skills to interact with others
do the following:
1) Champion the change, enlist others in its purs
that includes milestones and a timeline.
2) Model the change expected of others.
3) Accurately assess the potential b
4) Provide resources, remove ba
change.
Maintain work efficiency and
Promptly switch strategies if the cu ones
working.
Provide direction and ng the change process.
Support new id
Respond quickly
appropriate
Support the
a.
1. Overview
a. Change management is important to all organizations. An appropriate balance
between change and stability is necessary for an organization to thrive.
1) Organizational change is conducted through change agents, who may include
managers, employees, and consultants hired for the purpose.
2. Interpersonal Skills
1.1 CHANGE MANAGEMENT
.ge must be planned and deliberate.
ange must actually improve the organization. Changes forced
regulatory requirements or changes that merely attempt to follow
management trends and fads are not included.
The change must be implemented using the findings of the
behavioral sciences, such as organizational behavior and group
psychology.
The following are the objectives of OD:
i) Deepen the sense of organizational purpose and align individuals with it
ii) Promote interpersonal trust, communication, cooperation, and support
iii) Encourage a problem-solving approach
iv) Develop a satisfying work experience
v) Supplement formal authority with authority based on expertise
vi) Increase personal responsibility
vii) Encourage willingness to change
Stop and review. You have completed the outline for this subunit. Study multiple-choice questions 1 through 3 on page 40.
b. Methods of coping with employee resistance include the following:
1) Prevention through education and communication
2) Participation in designing and implementing a change
3) Facilitation and support through training and counseling
4) Negotiation by providing a benefit in exchange for cooperation
5) Manipulation of information or events
6) Co-optation through allowing some participation but without meaningful input
7) Coercion
5. Models for Planned Change
a. Change management has been studied by man
models have emerged:
1) Kurt Lewin's process model consists of
a) Unfreezing is the diagnosis stage.
preparing employees for the
b) Change is the intervention in
c) Refreezing makes the
not reassert the
2 hat change is ongoing
rocess from being
agent coordinates steps b)
i i c~ removing the CAE and setting his/her compensation
Approving the internal audit charter
ing and approving the internal audit activity's work plan
, uring that the internal audit activity is allocated sufficient resources
esolving disputes between the internal audit activity and management
6) Communicating with the CAE, who attends all audit committee meetings
7) Reviewing the internal audit activity's work product (e.g., interim and final
engagement communications)
8) Ensuring that engagement results are given due consideration
9) Overseeing appropriate corrective action for deficiencies noted by the internal
audit activity
10) Making appropriate inquiries of management and the CAE to determine whether
audit scope or budgetary limitations impede the ability of the internal audit
activity to meet its responsibilities.
the audit committee is to promote the independence of
uditors by protecting them from management's influence.
unctions of the audit committee regarding the internal audit
e organization except in his/her
1.2 STAKEHOLDER RELATIONSHIPS
1. Stakeholder Relationships
a. For internal auditors to be effective, Sawyer's Guide for Internal Auditors, 6th edition,
states that they must build and maintain strong constructive relationships with
managers and other stakeholders within the organization.
b. These relationships require conscious ongoing focus to ensure that risks are
appropriately identified and evaluated to best meet the needs of the organization.
c. Internal auditors have a responsibility to work together with and other
stakeholders to facilitate work efforts and compliance with
d. Key stakeholders include the board of directors, audit
external auditors, and regulators.
2. The Board and the Audit Committee
a. For the internal audit activity to achieve organization
executive (CAE) must have direct and unrestri
the board.
1) The IIA Glossary defines a boa
a board of directors or other
audit committee, to whom
b. The audit committee is a subunit of the
member of the board is ne
1) Some statutes h
membership of
re the major issues:
1) . : i l ral business understanding of ethical issues
2) Compliance with laws (e.g., tax, securities, antitrust, environmental, privacy, and
labor)
3) External financial reporting
4) Conflicts of interest
5) Entertainment and gift expenses
6) Relations with customers and suppliers (Should gifts or kickbacks be given or
accepted?)
7) Social responsibility
anization's policies and standards established to ensure
lor by its members.
e principles of conduct expected to be followed by individuals.
1.
process, governance principles, and ethical culture.
o apply knowledge to a set of facts.
1.3 ETHICAL CLIMATE
Stop and review You have completed the
questions 4 through 6 on page 41.
uiding and directing
opinion is theirs.
tudy multiple-choice
a. According to Sawyer's Guide for Internal Auditors, 6th edition, internal auditors are
responsible for performing their mission, maintaining their objectivity, and ensuring
the internal audit activity's independence. They also maintain
good working relationships with management.
b. Good relationships are developed by communicating
constructively, and using participative auditing
1) Participative auditing is a collaboration
management during the auditing p
and build a shared interest in the eng
accept changes if they have p
used to implement changes
2) However, internal auditors
the audit because the respons
c. The following are other functions of the audit committee regarding the external auditor:
1) Selecting the external auditing firm and negotiating its fee
2) Overseeing and reviewing the work of the external auditor
3) Resolving disputes between the external auditor and management
4) Reviewing the external auditor's internal control and audit reports
4. Relationships with Management
hics is the established general value system the
apply to its members' activities by
organizational purposes and beliefs and
niform ethical guidelines for members.
guidance extends to decision making.
Specific rules cannot cover all situations. Thus, organizations benefit from
ing a code of ethics that effectively communicates acceptable values to all
sted internal and external parties. For example, a code may do the following:
1) Require compliance with the law
2) Prohibit conflicts of interest
3) Provide a method of policing and disciplining members for violations through
a) Formal review panels and
b) Group pressure (informal).
4) Set high standards against which individuals can measure their own
performance.
5) Communicate to those outside the organization the value system from which its
members must not be asked to deviate
5.
They are influenced by the following:
r ,ling right, punishment for doing wrong)
al associations, informal groups)
et ponsibilities to superiors and the organization)
I respect were aware of it?
or for myself, other employees,
a. The following questions aid
Would my be
2) What are the
customers,
b. Ethics are indivi
e to another. For
stent with customary
3. Factors That May Lead to Unethical Behavior
a. In any normal population, some people behave unethically. If these people hold
leadership positions, they may have a bad influence on subordinates.
1) Organizational Factors
a) Pressure to improve short-run performance is an incentive for wrongdoing.
b) Emphasis on strict chain-of-command authority may excuse unethical
behavior when following orders.
c) Informal work-group loyalties may result in tolerance
behavior.
d) Committee decision processes reduce indiv .
2) External Factors
a) Competitive pressures may result in u
of survival.
b) The advantage obtained by a
imitation of that behavior.
c) Definitions of ethical
example, bribes to
business practices in s
4. Criteria for Evaluating Ethical Behavior
2) Governance practices reflect the organizations culture and largely depend on it
for effectiveness. The culture
a) Sets values, objectives, and strategies;
b) Defines roles and behaviors;
c) Measures performance;
d) Specifies accountability; and
e) Determines the degree of sensitivity to social responsibility.
[Figure labels: Compliance, Creditors, satisfaction, Benefits, Billing, Reporting, Reminders]
s meets four responsibilities:
Compliance with legal and regulatory rules
Satisfaction of generally accepted norms and social expectations
Providing benefits to society and specific stakeholders
Reporting fully and truthfully to ensure accountability
Governance Process Responsibilities
b. The internal a
corporate
organi .
. The ipt,enlalaudit adivitYfTl -
, : c f t h e orqanizations e th i .
c. A typical code for auditors or accountants in an organization requires the following:
1) Independence from conflicts of economic or professional interest
a) They are responsible for presenting information fairly to stakeholders
rather than protecting management.
b) They are responsible for presenting appropriate information to all
managers. They should not favor certain managers or conceal
unfavorable information.
c) They are responsible for maintaining an ethical conduct of
professional activities.
i) They should do what they can to ens
with the spirit as well as the letter of
ii) They should conduct themselves
legal standards.
iii) They should report to a
fraudulent or other illegal
2) Integrity and a refusal to comp
3) Objectivity in presenting info
6. Role of the Internal Audit Activity
s er of benefits between an employee and those with
qanization deals.
use of organizational information for private gain.
meted the outline for this subunit. Study multiple-choice
42
c. Other internal
complaints,
ethics cli
4) The minimum internal audit activity role is assessor of a) the ethical climate and
b) the effectiveness of processes to achieve legal and ethical compliance.
Internal auditors should evaluate the effectiveness of the following features of
an enhanced, highly effective ethical culture:
a) A formal code of conduct and related stateme
procedures covering fraud and corruption)
b) Frequent demonstrations of ethical attitudes
leaders
c) Explicit strategies to enhance the ethical
d) Easily accessible means of confid
e) Regular declarations by emp
requirements for ethical
f) Clear delegation of res
2) investigation, and
h) Positive personnel
i) Regular s
state of
j) Regular
k) Regula
3) Because of their skills and position in the organization, auditors should actively
support the ethical culture. Auditor roles may include
a) Chief ethics officer,
b) Member of an ethics council, or
c) Assessor of the ethical climate.
Stop
ques
a. Governance, risk management, and control processes are adequate if management
has planned and designed them to provide reasonable assurance of achieving the
organization's objectives efficiently and economically.
1) Efficient performance accomplishes objectives in an accurate, timely, and
economical fashion. Economical performance accomplishes objectives with
minimal use of resources (i.e., cost) proportionate to the risk exposure.
2) Reasonable assurance is provided if the most cost-effective measures are
taken in the design and implementation stages to reduce risks and restrict
expected deviations to a tolerable level.
2
senior management and the board about best
management, control, and compliance.
ed in The IIA Glossary as adherence to policies, plans,
, regulations, contracts, or other requirements.
The internal audit activity must evaluate the risks involved in governance,
rations, and information systems that relate to compliance with laws,
ulations, policies, procedures, and contracts. The internal audit
activity also must evaluate the controls regarding compliance.
b
e~ , the board, and other parties
-od that established objectives and
plans, organizes, and directs the
provide reasonable assurance that
ved.
, manage, and control
Ieassurance regarding
) defines
1. Nature of Work
a. According to The IIA's Definition of Internal Auditing, the int
an organization accomplish its objectives by bringing,
approach to evaluate and improve the effectiveness
governance processes.
1) These processes are closely related. The II
them as follows:
a) Governance - The combination
by the board to inform, di
organization toward
b) Risk management -
potential events or .
the achievement of the
c) Control - Any
to man
goals
perfo
obj
i
Performance Standard 2100
Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk
management, and control processes using a systematic and disciplined approach.
1.4 EDUCATION IN BEST PRACTICES
. ati s may use the work of external auditors to provide assurance
activities within the scope of internal auditing. In these cases, the
es the steps necessary to understand the work performed by the
nal auditors, including:
a) The nature, extent, and timing of work planned by external auditors, to be
satisfied that the external auditors' planned work, in conjunction with the
internal auditors' planned work, satisfies the requirements of
Standard 2100.
b) The external auditor's assessment of risk and materiality.
c) The external auditors' techniques, methods, and terminology to enable the
CAE to (1) coordinate internal and external auditing work; (2) evaluate, for
purposes of reliance, the external auditors' work; and (3) communicate
effectively with external auditors.
d) Access to the external auditors' programs and working papers, to be
satisfied that the external auditors' work can be relied upon for internal
audit purposes. Internal auditors are responsible for respecting the
confidentiality of those programs and working papers (para. 2).
external auditors, including coordination with the
s the responsibility of the board. Coordination of internal
work is the responsibility of the chief audit executive (CAE).
the support of the board to coordinate audit work effectively
The chief audit executive should shar
e activities with other internal and
external providers of assurance an
ure proper coverage and minimize
duplication of efforts.
1.5 COORDINATION
3. Basic Types of Internal Audit Engagements
a. The essential strategic function of the internal audit activity is to provide assurance
services and consulting services. Thus, the Definition of Internal Auditing describes
internal auditing as an independent, objective assurance and consulting activity.
b. Separate groups of Implementation Standards have been issued for assurance
services and consulting services. These services are defined in The IIA Glossary as
follows:
1) Assurance services - An objective examination of
providing an independent assessment on governance, ri
control processes for the organization. Exampl
performance, compliance, system security, and
2) Consulting services - Advisory and related eli
and scope of which are agreed with the client
improve an organization's governance, risk
processes without the internal auditor as
Examples include counsel, advice, f
Stop and review. You have completed the outline
questions through 12 on page 43.
e for regular evaluations of the coordination between
I auditors. Such evaluations may also include assessments
over ciency and effectiveness of internal and external audit
activities, ing aggregate audit cost. The CAE communicates the results of
these evaluations to senior management and the board, including relevant
comments about the performance of external auditors (para. 7).
minimized
e audit
timely completion
3) The external auditor may rely on the work of the internal audit activity in
performing their work. In this case, the CAE needs to provide sufficient
information to enable external auditors to understand the internal auditors'
techniques, methods, and terminology to facilitate reliance by external auditors
on work performed. Access to the internal auditors' programs and working
papers is provided to external auditors in order for external auditors to be
satisfied as to the acceptability for external audit purposes of relying on the
internal auditors' work (para. 3).
NOTE: Professional standards place sole responsibility for th
external auditors. Only the external auditors have the
permit the provision of assurance to external parties.
the external auditors use the work of other independe
cannot be shared with the internal auditors.
Planned audit activities of internal and
ensure that audit coverage is coordin
where possible. Sufficient meetings
process to ensure coordination
of audit activities, and to d
recommendations from
planned work be adjusted (
5) The internal audit activity's final
those communications
available to external .
in determinin
internal audito
and manag
included i
input to
audit
Stop and review. You have completed the outline for this subunit. Study multiple-choice
questions 13 through on page 44.
acquisitions
and trading
dities
vernments may have their own regulatory bodies.
rganizations, entire departments or functions are established to
with the regulations issued by these governmental bodies.
e, broker-dealers in securities establish compliance departments to
. that trades are executed according to the requirements of securities
. Moreover, manufacturers have departments to monitor wage-and-hour
pliance, workplace safety issues, and discharge of toxic wastes.
the responsibilities of the internal audit activity is the evaluation of the
anization's compliance with applicable laws and regulations.
1) The internal audit activity coordinates its work with that of inspectors and other
personnel from the appropriate governmental bodies and with personnel from
internal assurance functions.
2. Coordinating with Regulatory Oversight
a. Businesses and not-f
subject to governmental regulation in
many countries.
1) Below is a sam
EXAMPLE
From CIA Exam
Which of the following is not a true statement about the relationship between internal auditors and
external auditors?
A. External auditors must assess the competence and objectivity of internal auditors.
B. There may be periodic meetings between internal and external auditors to discuss matters of
mutual interest.
C. There may be an exchange of engagement communications and manage
D. Internal auditors may provide engagement work programs and
auditors.
(A) is correct. The external auditor assesses the objectivity and com
auditors only if (s)he intends to rely on their work.
(B) is incorrect. The relationship involves a sufficient number of
(C) is incorrect. The relationship involves reasonable mu
communications and management letters.
(D) is incorrect. The relationship involves reaso
programs and working papers.
uditors evaluate the whole management process of planning, organizing, and
fl g to determine whether reasonable assurance exists that objectives will be
ved.
c. All business systems, processes, operations, functions, and activities within the
organization are subject to the internal auditors' evaluations. Internal auditing
provides reasonable assurance that management's
1) Risk management activities are effective;
2) Internal control is effective and efficient; and
3) Governance process is effective by establishing and preserving values, setting
goals, monitoring activities and performance, and defining the measures of
accountability.
s of internal auditors involves organizing and leading a team in
d business process improvement.
ap is a simple flowchart or narrative description used to depict a
It aids in assessing the effectiveness and efficiency of processes and
ys an important strategic role in the governance
ole includes providing leadership, assessing the
urement systems, making appropriate
Ing the achievement of corporate objectives.
b.
Internal auditors
and contributing to the
auditors provide
and operating effectiveness of the
may provide consulting services
s. In some cases, internal auditors
oard self-assessments of governance practices
2. Strategic Role of the Internal Audit Activity
The internal audit activity must assess and make appropriate recom
governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organizatio
Ensuring effective organizational performance management a
Communicating risk and control information to appropria
Coordinating the activities of and communicating i
internal auditors, and management.
Performance Standard 211
Governance
1. Governance
a. Internal auditors evaluate and improve governance processes as part of their
assurance function. This subunit addresses the overall role of internal auditing in
governance. It also outlines more specific governance activities, such as the
assessment of the internal audit activity's own performance.
1.6 OTHER TOPICS
Interpretation of Standard 2040
The form and content of policies and procedures are dependent upon the size and structure of
the internal audit activity and the complexity of its work.
Practice Advisory 2040-1, Policies and Procedures
policies and
developed by the CAE do not necessarily need to be contained in formal
rative and technical manuals.
A small internal audit activity may be managed informally through daily, close
supervision and memoranda.
2) In a large internal audit activity, more formal and comprehensive policies and
procedures are essential to guide the execution of the internal audit plan.
b. The importance of the relationship of the particular internal audit activity to the extent
of its formal policies and procedures is made clear in this Interpretation:
policies and procedures to guide the internal audit activity.
7
Study multiple-choice
5. Performance Measurement Systems a
a. An important element of co
objectives. Internal auditors can u
b. Internal auditors can add value to an
performance measurem and
c. Internal auditors ma
results of these en
system is adequ
Stop and review You have
questions 16 and 17 on pa
4. Internal Audit Performance Measurements
a. Key performance measurements for the internal audit activity provide criteria against
which it is judged.
b. The following guidance is provided by The IIA Practice Guide, Measuring Internal
Audit Effectiveness and Efficiency:
1) Establishing performance measures is critical in determining whether an audit
activity is meeting its objectives, consistent with the highest quality practices
and standards.
2) The first step is to identify key performance measures for
stakeholders believe add value and improve
3) Once key effectiveness and efficiency measure
identified, a monitoring process and a method
should be established (e.g., format, timing,
reporting should be based on stakeholder n
4) It is important that the internal audit acti
stakeholders on audit effectiveness
Catch Lying Records
The IIA Position Paper groups the internal audit activity's roles into three
categories:
a) Core internal audit roles in regard to ERM
b) Legitimate internal audit roles with safeguards
c) Roles the internal audit activity should not undertake
helpful memory aid is
can undertake a broad range of ERM activities. However, internal
auld not undertake any activities that could threaten their independence
e to an organization by providing the board with objective
2.
lement of corporate
nd operating the risk
1. Overview
a. The IIA Position Paper:
The Role
Management
states that risk man
governance. Management is respon
management framework on If of th
b. Enterprise-wide risk mana
structured, consi
relation to ERMsho
the effectiveness
c. When internal
certain safe
therefore,
indep
Performance Standard 2120
Risk Management
The internal audit activity must evaluate the effectiveness and
management processes.
At one time, audit professionals thought of risk only in the context of an audit (e.g., the probability of not
discovering a material financial statement misstatement). Today, after extensive research and many
scholarly publications, risk is recognized as something that must be examined and mitigated in every aspect
of an organization's operations. Thus, CIA candidates should understand the distin nsibilities of
(1) the internal audit activity and (2) senior management and the board for enterpri
1.8 ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT
Stop and review. You have completed the outline for this subunit. Study multiple-choice
questions 18 through 20 beginning on page 45.
(D) is incorrect. Internal auditors may recommend controls without losing independence.
veness of management's risk processes.
the risks identified.
ity that threatens independence.
ssessments and reports on the organization's risk management
mal audit role but also a high audit priority.
management's responsibility for the risk management process is a
internal audit activity's independence. It requires a full discussion and board
-1, para. 5).
(C) is incorrect. Internal auditors assist both management and the board examining,
evaluating, reporting, and recommending improvements of the adequacy and effectiveness of risk
management processes.
A.
B.
C.
D.
n internal auditor who had participated in
ess? .
Which of the following th
the initial establishme
in pursuit of
uences the entity's
3. Core Internal Audit Activity Roles in ERM
a. Giving assurance on the risk management process
b. Giving assurance that risks are correctly evaluated
c. Evaluating risk management processes
d. Evaluating the reporting of key risks
e. Reviewing the management of key risks
4. Legitimate Internal Audit Activity Roles Given Safeguards
a. Facilitating identification and evaluation of risks
b. Coaching management in responding to risks
c. Coordinating ERM activities
d. Consolidating the reporting on risks
e. Maintaining and developing the ERM framework
f. Championing establishment of ERM
g. Developing an ERM strategy for board approval
5. Roles the Internal Audit Activity Should Not Unde
a. Setting the risk appetite
1) Risk appetite is the amount of
value. It reflects the risk ma
culture and operating style.
b. Imposing risk management processes
c. Management assurance on ri
d. Making decisions on
e. Implementing risk res
f. Accountability for
1) Risk management is a key responsibility of senior management and the board.
a) Management ensures that sound risk management processes (RMPs)
are in place and functioning.
b) Boards have an oversight function. They determine that RMPs are in
place, adequate, and effective.
c) The internal audit activity may be directed to examine, evaluate, report,
or recommend improvements.
i) It also has a consulting role in identifying, evaluating, and
implementing risk management methods and controls.
nsibil
The
ion of responsibility is described in Practice Advisory 2120-1, Assessing the Adequacy of Risk Management Processes.
blishing a risk-based audit model and participating in the organization's risk
anagement processes are ways for the internal audit activity to add value.
r-Organizational Risk Management
for the
occurrence of fraud and
organizations
Interpretation of Standard 2120
Determining whether risk management processes are effective is a judgment resulting from the
internal auditor's assessment that:
Organizational objectives support and align with the organization's mission;
Significant risks are identified and assessed;
Appropriate risk responses are selected that align risks with the
appetite; and
Relevant risk information is captured and communicated in a
organization, enabling staff, management, and the board
responsibilities.
The internal audit activity may gather the information to support
engagements. The results of these engagements, when vi
understanding of the organization's risk management
Risk management processes are monitored th
evaluations, or both.
6. Role in Risk Management
a. The following Interpretation clarifies the internal audit activity's role:
. internal
ard-
Stop and review You havecompleted the outline for this subunit. Study multiple choice
questions 21
through
23
beginning on
page 46.
nature, timing, and extent of certain tests must be determined before tile
trol processes can be evaluated.
(B) is incorrect. Internal auditors have no authority to ensure correction of material weaknesses.
(C) is correct. Risk management, control, and governance processes are adequate if
management has planned and designed them to provide reasonable assurance of achieving the
organization's objectives efficiently and economically. Efficient performance accomplishes
objectives in an accurate, timely, and economical fashion. Economical performance accomplishes
objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.
(D) is incorrect. The scope of internal auditing is much broader than concern for the fairness of
financial statements.
sk management, control, and governance processes ensure that
nl Jgement,control, and governance processes provide
, anizations objectives are achieved efficiently and
B.
C
Which of the following
adequacy of risk manag
To help rotorrn
object
6 To form an opinion 0
sufficient, a .
a
anizations
small entity may
5) RMPs may be formal or informal, qua
business units or centralized.
culture, management style,
use an informal risk comm
2) If the organization has no formal RMPs, the CAE has formal discussions with
management and the board about their obligations for understanding,
managing, and monitoring risks.
3) The CAE must understand management's and the board's expectations of the
internal audit activity in risk management. The understanding is codified in the
charters of the internal audit activity and the board.
4) Senior management and the board determine the internal audit activity's role in
risk management based on factors such as (a) organizational culture, (b)
abilities of the internal audit activity staff, and (c) local conditions and customs.
a) That role may range from no role, to auditi the
audit plan, to active, continuous support
to managing and coordinating the proces
i) But assuming management respo
audit activity independence m
approved.
b
3 Human Resources
a. The skill set and
help the organizatio
ssura nce
C
associates to fill
et. Generally, the
r to develop the
t
and the board for
1. Overview
a. The chief audit executive (CAE) is responsible for management of internal audit
activity resources in a manner that ensures fulfillment of its responsibilities. Like any
well-managed department, the internal audit activity should operate effectively and
efficiently. This can be accomplished through proper planning, which includes
budgeting and human resources management.
b. Management oversees the day-to-day operations of the internal
including the following administrative activities:
1) Budgeting and management accounting
2) Human resource administration, including pe
compensation
3) Internal communications and information fl
4) Administration of the internal audit activity'
2. Budgeting
a. The CAE is responsible for creating
CAE, audit managers, and the i
budget annually. The budget is
their review and approval.
que nd forms should be prepared in advance to evaluate,
othejj ~'the applicant's (a) technical qualifications, (b) educational
background, (c) personal appearance, (d) ability to communicate, (e) maturity,
(f) persuasiveness, (g) self-confidence, (h) intelligence, (i) motivation, and
(j) potential to contribute to the organization.
j~~l~fs
eed a diverse set of skills to perform their jobs effectively. These
skills are not always apparent in a standard resume. Developing effective
interviewing techniques will ensure that the internal audit function acquires the proper
skills, capabilities, and technical knowledge needed to accomplish its goals.
C l
Effective interviewing techniques involve structured interviews and behavioral
interviewing.
1) Structured interviews are designed to eliminate individual bias. These interviews
use a set of job-related questions with standardized answers, which then are
scored by a committee of three to six members. According to
Management (Kreitner & Cassidy, 12th edition), interviewers can use four general types of
questions:
a) Situational - What would you do if you saw two people arguing loudly in
the work area?
b) Job knowledge - Do you know how to do an Internet search?
1.9 INTERNAL AUDIT ADMINISTRATIVE ACTIVITIES
ssurance and Improvement Program
provides
in the continuous examination of their processes
. of stakeholders.
processes designed to provide reasonable assurance to
internal audit activity
n accordance with its charter, the Definition of Internal Auditing,
e of Ethics, and the
Standards
Operates effectively and efficiently
5
perceived as adding value and improving operations
These processes include appropriate supervision, periodic internal and external
assessments, and ongoing monitoring of quality assurance.
The QAIP embraces all facets of the internal audit activity as reflected in the
pronouncements of The IIA and
best practices
of the profession.
a) Its processes are performed or supervised by the CAE.
b) A large or complex entity has a formal, independent QAIP administered
and monitored by an audit executive.
a.
1.
ssurance and improvement program
1.10 QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
Stop and review You have completed the
outl
questions 24 through 27 beginning on page 47
ility,
1) Governance,
2) Risk management, and
3) Control.
b. Periodic reports also are made on internal audit s
and performance.
c. Reporting to senior management and the boa
Unit 2, Subunit 3.
The chief audit executive must
that covers all aspects of the i
4.
Reporting
a. Reporting to senior management and the board provides assu
c) Job sample simulation - Can you show us how to compose and send an
e-mail message?
d) Worker requirements - Are you able to spend 25 percent of your time on
the road?
2) Behavioral interviews determine how candidates handled past situations. Past
performance is generally indicative of future performance.
organizations governance processes.
question sizes the element not required in the assessment of a QAIP.
(A) is correct. Oversight of the work of external auditors, including coordination with the internal
audit activity, is the responsibility of the board (PA 2050-1). It is not within the scope of the
process for monitoring and assessing the quality program.
(B) is incorrect. Conformance with the Definition of Internal Auditing, Standards, and Code of
Ethics, including timely corrective actions to remedy any significant instances of nonconformance,
is an element of the assessment of a quality program.
(C) is incorrect. Adequacy of the internal audit activity's charter, objectives, policies, and
procedures is an element of the assessment of a quality program.
(D) is incorrect. Contribution to the organization's governance, risk management, and control
processes is an element of the assessment of a quality program.
e work of external auditors.
dards and Code of Ethics.
improvement program should include evaluation of all of
Attribute Standard 1310
Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external
assessments.
b. Practice Advisory 1310-1, Requirements of the Quality Assurance and Improvement
Program, provides detailed guidance:
1) A QAIP is an ongoing and periodic assessment of all wo
activity. These rigorous assessments include
a) Continuous supervision and testing of perf
b) Periodic validation of conformance with
c) Measurement and analysis of
perform
accomplishment and customer
2
Indicated improvements are impl
Assessments evaluate and
audit activity
and produce.
a) Conformance with man
b) Adequacy of the internal a
procedures;
c) The contri mana~emenj~f0ntr6L and gove.rnanee;
d) Complia: .. atio nmgovernment or Industrystandards;
e) Continuer and n of best practices; and
f) Whether the internal audit activity adds value and improves operations.
4) QAIP efta up invojvi appropriate and timely modification of
ures, and technology.
5) . communicated to stakeholders. The CAE
and the board on QAIP efforts at least annually.
.. ~. ongoing or periodic internal assessment, conclusions about
~ o rrnance are reached, and appropriate action is begun to ensure
iiifrflprOVements are made.
Those conducting internal assessments generally report directly to the CAE, who
should establish a structure for reporting results that maintains credibility and
objectivity.
6) At least annually, the CAE reports results, action plans, and implementation
information to senior management and the board.
should not communicate assurances about the outcome of
I assessment, although the report may give recommendations
e practices.
r~e .er, the periodic internal assessment may be the self-assessment
of
a self-assessment with independent validation.
b)
c)
d)
bl~f~rs (in interviews and surveys)
)
2. Internal Assessments
a. Ongoing and periodic internal assessments are addre
1311-1, Internal Assessment:
1) The processes and tools used in ongoing intern
a) Engagement supervision;
b) Checklists and procedures;
c) Feedback;
d) Peer reviews of working pa
e) Budgets, timekeeping,
recoveries; and
f) Analyses of other pe
2) The IIA's Quality Assessment Man
assessments. These volve
Internal assessments must include:
Ongoing monitoring of the performance of the internal audit activity; and
Periodic self-assessments or assessments by other persons within the organization with
sufficient knowledge of internal audit practices.
Attribute Standard 1311
Internal Assessments
Objectivity is impartiality, intellectual honesty, and freedom from conflicts
of interest.
An external reviewer should be a certified audit professional well versed in the
Standards and best practices with at least 3 years of management experience
in internal auditing or related consulting.
a) Leaders of independent review teams and those who validate a
self-assessment must have additional competence and experience.
i) Qualifications include prior external assessment work, quality
assessment training, or service as a senior internal auditor.
5) The reviewer(s) should have relevant technical and industry experience, and
other specialists may be needed.
6) Senior management and the board are involved in selecting (a) the approach
and (b) the external quality assessment provider.
rganizatiQ~@ .
to independence include conflicts of former employees or
iding the financial statement audit, (2) significant
(3) assistance to the internal audit activity.
er part o f the organization or in a related organization
. an affiliate) is not independent.
i lll
mong three unrelated organizations but not between two)
the independence requirement.
cerns about independence, one or more independent
duals may provide separate validation.
is honesty and candor limited by confidentiality, with no subordination
vice and the public trust to personal gain.
a
or interest in,
have no rea
relations
sment should have no obligation to,
r its personnel. External assessors
erest due to current or past
c) The scopemu
Individuals
nal audit activity.
~, identification, and
s ssments
~.~~.
,independent
f-assessment
. ternal
3. External Assessments
a. External assessments provide an independent and
audit activity's compliance with the Standards and
b. Further specifics are provided in Practice Advi
1) An external assessment may be a full
external reviewer or review
with independent valldat
a
b)
Attribute Standard 1312
External Assessments
External assessments must be conducted at least once every five years by a qualified, independent
assessor or assessment team from outside the organization. The chief audit executive must discuss
with the board:
The form and frequency of external assessments; and
The qualifications and independence of the external reviewer or assessmen
potential conflict of interest.
from the interpretation of Standard 1320 addresses the frequency of
on the QAIP:
demonstrate conformance with the Definition of Internal Auditing, the
Code of Ethics, and the Standards, the results of external and periodic
internal assessments are communicated upon completion of such
assessments and the results of ongoing monitoring are communicated at
least annually
nicate the results of the quality assurance and improvement
prIJ.~Jjlll ;..Jndhe board.
The
prog
must be kept informed about the extent to which
the degree of professionalism required by The IIA.
ccountability and transparency
responsibilities is impaired
i) The degree of pa
b) Expression of an opinion
due professional care.
c) The communication
practices (2)
action pia.
10) The results inc
accomplish
(e.g., senio
a
4
Reporting
Res
a. Se
t
7) The scope of the review extends to conformance with mandatory guidance of
The IIA, the internal audit activity's charter, laws, etc. It also extends to
a) The expectations of management and the board,
b) Integration of the internal audit activity with the governance process,
c) The internal audit activity's tools and techniques,
d) Competence (mix of the staff's knowledge, experience, and disciplines),
and
e) Whether the internal audit activity adds value and
8) Preliminary results are discussed with the CAE. Final
communicated to the CAE, and a formal commu
management and the board.
9) The communication includes an opinion on
guidance of The IIA. Conformance means
activity satisfy such guidance.
a
ce
Stop and review. You have completed the outline for this subunit. Study multiple-choice
questions 28 through 30 on page 49.
.~ndependent external assessment of the internal audit activity must be
t once every 5 years.
(C) is incorrect. The CAE must develop and maintain a QAIP that covers all aspects of the
internal audit activity.
(D) is incorrect. Assessments also may be made by others who are (1) independent, (2) qualified,
and (3) from outside the organization.
izes t
\ >
Standard~
i
The chief audit executive may state that the internal audit activity conforms with the
International Standards for the Professional Practice of Internal Auditing only if the results of the
quality assurance and improvement program support this statement (Attr. Std. 1321).
.ccountable for implementing a quality program.
al audit activity are made by external auditors.
gftion permitting internai auditors to report that their activities
;: ogram.
e internal audit activity is conducted annually.
Internal auditors may rep
statement only if
A. It is supported
B.
They may use this
I
audit activity and not to. Nonconformance of
specific engageme
CSor the Standards
audit executive must
the board.
6. Importance of Reporting Nonconformance
a. The internal audit activity is a crucial part of a cornpl
processes. Senior management and the board
assessment discovers significant nonconfo
Attribute Standard 1321
Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"
The chief audit executive may state that the internal audit activity conforms with the International
Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance
and improvement program support this statement.
5. Importance of Conforming with the Standards
a. Compliance with the Standards requires an effective QAIP.
Answer (A) is correct.
REQUIRED: The true statement about resistance to
organizational change.
DISCUSSION: Resistance to change may be caused by
fear of the personal adjustments that may be required.
Employees may have a genuine concern about the usefulness of
the change, perceive a lack of concern for workers' feelings, fear
the outcome, worry about downgrading of job status, and resent
deviations from past procedures for implementing change
(especially if new procedures are less participative than the old).
Social adjustments also may be required that violate the
behavioral norms of informal groups or disrupt the social status
quo within groups. Economic adjustments may involve potential
economic loss or insecurity based on perceived threats to jobs.
In general, any perceived deterioration in the work situation that
is seen as a threat to economic, social, and/or psychological
needs will produce resistance. The various adjustments required
are most likely to be resisted when imposed unilaterally by higher
authority. However, employees who share in finding solutions to
the problems requiring change are less likely to resist because
they will have some responsibility for the change.
Lack of skills, threats to job status or
re inhibit changes in the culture of the
(B) is incorrect. Lack of skills, threats to
job status or security, and fear of failure are not symptoms of
dissatisfaction with the structure of the organization. Answer (C)
is incorrect. Lack of skills, threats to job status or security, and
fear of failure do not indicate an inability to perform.
Answer (C) is correct.
REQUIRED: The factor management is least likely to be
able to change.
DISCUSSION: The environment of an organization consists
of external forces outside its direct control that may affect its
performance. These forces include competitors, suppliers,
customers, regulators, climate, culture, pol technological
change, and many other factors. The members
are a factor that managers are clearly
Answer (A) is incorrect.
factor that managers are
incorrect. The organiz
are clearly able to change.
organization's technology
able to change.
D.
C.
B.
A. Want to change the culture of their
organization.
B. Are dissatisfied with the structure of their
organization.
C. Are unable to perform their jobs.
D. Resist organizational change.
2. Lack of skills, threats to job status or security, and
fear of failure all have been identified as reasons that
employees often
A. The organization's members.
B. The organization's structure.
C. The organization's environment.
D. The organization's technology.
QUESTIONS
Change Management
1. An organization's management perceives the
need to make significant changes. Which of the
following factors is management least likely to be
able to change?
Answer (D) is correct.
REQUIRED: The most effective composition of an audit
committee.
DISCUSSION: The audit committee of the board of directors
should be composed entirely of outside directors. Outside
directors are members of the board who are independent of
internal management. Because the primary purpose of the audit
committee is to promote the independence of the internal and
external auditors from management, an audit committee
composed of inside directors would be ineffective.
Answer (A) is incorrect. The audit committee is not required
to be rotated periodically. Answer (B) is incorrect. Regulators
ordinarily do not serve as directors. Answer (C) is incorrect.
Officers are not outside directors.
Answer (A) is correct.
REQUIRED: The most important limitation on the
effectiveness of audit committees.
DISCUSSION: The audit committee is a subcommittee
made up of outside directors who are independent of
management. Its purpose is to help keep external and internal
auditors independent of management and to ensure that the
directors are exercising due care. However, if independence is
impaired by personal and professional friendships, the
effectiveness of the audit committee is limited.
Answer (B) is incorrect. The
members receive is usually
independent and therefore
Answer (C) is incorrect.
concerned with external audi
internal audit activity.
members do not need
understand engage
regu
C. Mem from a
specifically inclu
banking, labor, re tory agencies,
shareholders, and officers.
D. Only external members of the board of
directors or its equivalent.
B.
An audit committee
enhance the inAo onrior
external auditing
functions from
this criterion, a
of
D
A. Assigning the internal audit activity
responsibility for interaction with government
agencies.
B. Using the chief audit executive as a major
resource in selecting the external a
Following up on recommendations
the chief audit executive.
5
The audit committee strengthens the control
processes of an organization by
Audit committees devote most of their efforts to
external audit concerns and do not pay much
attention to the internal audit activity and the
overall control environment.
D
Audit committee members do not normally
have degrees in the accounting or auditing
fields.
A. Audit committees may be composed of
independent directors. However, those
directors may have close personal and
professional friendships with management.
B. Audit committee members are compensated
by the organization and thus favor an owner's
view.
1.2 Stakeholder Relationships
4. Audit committees have been identified as a major
factor in promoting the independence of both internal
and external auditors. Which of the following is the
most important limitation on the effectiveness of audit
committees?
Answer (A) is correct.
REQUIRED: The content of a code of ethics of a
professional organization.
DISCUSSION: An organization's code of ethical conduct is
the established general value system the organization wishes to
apply to its members' activities by communicating organizational
purposes and beliefs and establishing uniform ethical guidelines
for members, which include guidance on behavior for members in
making decisions. A code establishes high standards against
which individuals can measure their own performance and
communicates to those outside the organization the value system
from which the organization's members must not be asked to
deviate.
Answer (B) is incorrect. The organizational details of the
profession's governing body are stated in the by-laws of the
professional organization. Answer (C) is incorrect. Certain
actions may be legal but contrary to an organization's code of
ethics. For example, an internal auditor may not perform a
service for which (s)he does not possess the necessary
knowledge, skills, and experience. Answer (D) is incorrect. The
Standards establish a basis for the measurement of internal audit
performance.
of ethical conduct is
organization wishes to
municates organizational
es uniform ethical guidelines
inclu nee on behavior for members in
A code, . blishes high standards against
m~j3sti(etheir own performance. It also
outside the organization the value system
be must not be asked to deviate.
rrect. Governments typically have no such
r (C) is incorrect. Codes of conduct provide
qualitative, not quantitative, standards. Answer (D) is incorrect.
Other purposes of a code of conduct are much more significant.
Answer (A) is correct.
REQUIRED: The primary purpose of establishing a code of
ethics.
DISCUSSION: The primary purpose of a code of ethical
behavior for a professional organization is to promote an ethical
culture among professionals who serve others.
Answer (B) is incorrect. National standards-setting bodies,
not codes of ethics, provide guidance for effective accounting
practice. Answer (C) is incorrect. A code of ethics does not
provide the framework within which policies are
developed. Answer (D) is incorrect. rpose is not
for interviewing new accountants.
D.
C.
8.
A.
9. The code of ethics of a profes
sets forth
A. Are typically required by governments.
B. Express standards of individual behavior for
members of the organization.
C. Provide a quantifiable basis for personnel
evaluations.
D. Have tremendous public relations potential.
8. The best reason for establishing a code of
conduct within an organization is that such codes
A. To outline criteria for professional behavior to
maintain standards of integrity and objectivity.
B. To establish standards to follow for effective
accounting practice.
C. To provide a framework within which
accounting policies could be effectively
developed and executed.
D. To outline criteria that can be used in
conducting interviews of potential new
accountants.
7. An accounting association established a code of
ethics for all members. What is one of the
association's primary purposes of establishing the
code of ethics?
1.3 Ethical Climate
Answer (A) is correct.
REQUIRED: The most accurate term for the means of
providing oversight of processes administered by management.
DISCUSSION: Governance is the combination of
processes and structures implemented by the board to inform,
direct, manage, and monitor the activities of the organization
toward the achievement of its objectives (The IIA Glossary).
Answer (B) is incorrect. Control is any action taken by
management, the board, and other parties to manage risk and
increase the likelihood that established objectives and goals will
be achieved. Management plans, organizes, and directs the
performance of sufficient actions to provide reasonable
assurance that objectives and goals will be achieved (The IIA
Glossary). Answer (C) is incorrect. Risk management is a
process to identify, assess, manage, and control potential events
or situations to provide reasonable assurance regarding the
achievement of the organization's objectives (The IIA Glossary).
Answer (D) is incorrect. Monitoring consists of actions taken by
management and others to assess the quality of internal control
performance over time. It is not currently defined in the
Standards and The IIA Glossary.
C.
D.
taken by
to manage risk and
objectives will be
, and directs the
to provide reasonable
IV .SiW.1I1 be achieved. Thus, control by
of proper planning, organizing, and
Ascertaining needs, identifying
action, setting standards for measuring
comparing outcomes with predetermined
standards is a basic management function. Answer (C) is
incorrect. Authorizing and monitoring performance and
comparing actual performance with planned performance is a
anagement function. Answer (D) is incorrect.
ining efficiency and economy of operations, including
ether objectives have been met, is a basic management
nction.
A. Planning, organizing, and directing of
organizational activities.
B. Ascertaining needs, identifying alternative
courses of action, setting standards for
measuring performance, and comparing
outcomes with predetermined standards.
C. Authorizing and monitoring performance and
comparing actual performance with planned
performance.
D. Determining efficiency and economy
operations, including whether
been met.
11. Control by management is the result of
Answer (B) is correct.
REQUIRED: The purpose of the evaluation of the
effectiveness of risk management processes.
DISCUSSION: Risk management, control, and governance
processes are effective if management directs processes to
provide reasonable assurance of achieving the organization's
objectives. In addition to accomplishing the objectives and
planned activities, management directs by authorizing activities
and transactions, monitoring resulting performance, and verifying
that the organization's processes are s designed.
A. Management has planned and designed so as
to provide reasonable assurance of achieving
objectives.
B. Management directs processes so as to
provide reasonable assurance of achieving
objectives.
C. The organization's objectives will be achieved
efficiently and economically.
D. The organization's objectives will be achieved
in an accurate and timely manner and with
minimal use of resources.
10. The purpose of the internal audit activity's
evaluation of the effectiveness of existing risk
management processes is to determine that
1.4 Education in Best Practices
Answer (A) is correct.
REQUIRED: The person responsible for coordinating
internal and external audit efforts.
DISCUSSION: Coordination of internal and external audit
work is the responsibility of the CAE. The CAE obtains the
support of the board to coordinate audit work effectively
(PA 2050-1, para. 1).
Answer (B) is incorrect. The external auditor is an interested
party but not one that has direct responsibility for coordinating
internal and external auditing efforts. Answer (C) is incorrect.
The board has oversight responsibility, but the CAE is
responsible for the actual coordination of internal and external
auditing work. Answer (D) is incorrect. Management is an
interested party but not one that has direct responsibility for
coordinating internal and external auditing efforts.
i t
stances in which internal auditors
of external auditors.
o anizations may use the work of external
ssurance related to activities within the
diting (PA 2050-1, para. 2). Coordination of
internal and external audit work is the responsibility of the CAE
(PA 2050-1, para. 1).
Answer (A) is incorrect. Duplication of effort may result if the
external audit is performed after the internal auditing
engagement. Answer (B) is incorrect. Internal auditing
encompasses both financial and operational objectives and
activities. Thus, internal auditing coverage could also be
provided by external audit work that included primarily financial
objectives and activities. Answer (D) is incorrect. External
auditing work is conducted in accordance with auditing standards
generally accepted in the host country.
Answer (B) is correct.
REQUIRED: The responsible party for providing information
about the benefits of coordination of internal audit activities with
those of other providers.
DISCUSSION: The chief audit executive should share
information and coordinate activities with other internal and
external providers of assurance and consulting services to
ensure proper coverage and minimize duplication of efforts
(Perf. Std. 2050). While oversight of the work of external auditors
is the responsibility of the board, coordination of internal and
external audit work is the responsibility of the CAE (PA 2050-1,
para. 1).
Answer (A) is incorrect
thatthe internal audit
achievable from coo
consulting activities. Iways
form part of any activi
auditor, to the board.
is not responsible
internal audit as
C. The board.
D. Management.
14. To improve their efficiency, internal auditors may
rely upon the work of external auditors if it is
A. Performed after the internal auditing work.
B. Primarily concerned with operational
and activities.
C. Coordinated with internal auditi
D. Conducted in accordance with
Ethics.
A. The external auditor.
B. The chief audit executive.
C. The chief executive officer.
D. Each assurance and consulting function.
13. Who has primary responsibility for providing
information to the board on the professional and
organizational benefits of coordinating internal audit
activities with those of other providers of similar
services?
1.5 Coordination
Answer (D) is correct.
REQUIRED: The item most essential for guiding the internal
audit staff.
DISCUSSION: The chief audit executive must establish
policies and procedures to guide the internal audit activity
(Perf. Std. 2040).
Thus, in an assurance engagement, "The internal audit activity
must evaluate the design, implementation, and effectiveness of
the organization's ethics-related objectives, programs, and
activities" (Imp. Std. 2110.A1).
Answer (A) is incorrect. Identifying significant exposures to
risk most directly relates to risk management rather than to
governance. Answer (B) is incorrect. Evaluating the
effectiveness of the risk-management system most directly
relates to risk management rather than to governance.
Answer (C) is incorrect. Promoting continuous improvement of
controls relates to controls rather than to governance.
Answer (D) is correct.
REQUIRED:
contributes to
DISCUSSI
Answer (A) is correct.
REQUIRED: The basic principle of governance.
DISCUSSION: The internal audit activity must assess and
make appropriate recommendations for improving the
governance process (Perf. Std. 2110).
Answer (B) is incorrect. The internal audit activity is an
assessor of the governance process. It is not accountable for
that process. Answer (C) is incorrect. External parties and
internal auditors may provide assurance about the governance
process. Answer (D) is incorrect. The internal audit activity must
assess and make appropriate recommendations for improving
the governance process in its promotion of appropriate ethics
and values within the organization.
A.
B. Position descriptions.
C. Performance appraisals.
D. Policies and procedures.
A. Identifying significant exposures to risk.
B. Evaluating the effectiveness of the risk
management system.
C. Promoting continuous improvement of
controls.
D. Evaluating the design of ethics-related
activities.
17. The internal audit activity has a role in an
organization's governance process. The internal
audit activity most directly contributes to this process
by
A. Assessment of the governance process by an
independent internal audit activity.
B. Holding the board, senior management, and
the internal audit activity accountable for its
effectiveness.
C. Exclusive use of external auditors to provide
assurance about the governance process.
D. Separation of the governance process from
promoting an ethical culture in the
organization.
1.6 Other Topics
16. A basic principle of governance is
Answer (B) is correct.
REQUIRED: The purpose of the evaluation of the
effectiveness of risk management processes.
DISCUSSION: Risk management, control, and governance
processes are effective if management directs processes to
provide reasonable assurance of achieving the organization's
objectives. In addition to accomplishing the objectives and
planned activities, management directs by authorizing activities
and transactions, monitoring resulting performance, and verifying
that the organization's processes are operating as designed.
Answer (B) is correct.
REQUIRED: The false statement about policies and
procedures to guide the internal audit activity.
DISCUSSION: Formal administrative and technical audit
manuals may not be needed by all internal audit entities. A small
internal audit activity may be managed informally. Its audit staff
may be directed and controlled through daily, close supervision
and written memoranda. In a large internal audit activity, more
formal and comprehensive policies and procedures are essential
to guide the internal audit staff in the execution of the internal
audit plan (PA 2040-1, para. 1).
Answer (A) is incorrect. The
procedures depend on the size
Answer (C) is incorrect. Fo
manuals may not be n
Answer (D) is incorrect.
managed informally throu
D. The organization's objectives will be achieved
in an accurate and timely manner and with
minimal use of resources.
C.
B
A. Ensure compliance with its performance
standards.
B. Give consideration to its structure and the
complexity of the work performed.
C. Result in consistent job performance.
D. Prescribe the format and distribution of
engagement communications and the
classification of observations.
20. Written policies and procedures relative to
managing the internal audit activity should
A. The form and content of written policies and
procedures depend on the size of the internal
audit activity.
B. All internal audit activities must have a detailed
policies and procedures manual.
C. Formal administrative and technical manuals
may not be needed by all internal audit
activities.
D. A small internal audit activity may be managed
informally through close supervision and
memoranda.
19. Policies and procedures must be established to
guide the internal audit activity. Which of the
following statements is false with respect to this
requirement?
Answer (B) is correct.
REQUIRED: The most important reason for the chief audit
executive to ensure that the internal audit department has
adequate and sufficient resources.
DISCUSSION: The CAE must ensure that internal audit
resources are appropriate, sufficient, and effectively deployed to
achieve the approved plan (Perf. Std. 2030).
Answer (A) is incorrect. The decision to outsource the
internal audit function is not primarily based on existing
resources. Answer (C) is incorrect. The amount of resources is
not a significant factor in establishing credibility. Answer (D) is
incorrect. Succession planning is not related to the amount of
audit resources.
is incorrect. Internal auditors have no authority
management processes. They must seek
ent and the board as to their role in the
incorrect. Internal auditors are not
risk analysis of the possible consequences
a risk management process. However, such a
request might be made by management. Answer (C) is
incorrect. In the absence of a specific legal requirement, internal
auditors are not required to report to outside parties.
al a an
e cess.
ari izaiion
does not
ief audit
and the board
monitor risks within
mselves that there
ization, even if informal,
sibility into the key risks.
and monitored (PA 2120-1,
Answer (D) is correct.
REQUIRED: The
organization has no
DISCUSSIO
have formal ris
Answer (C) is correct.
REQUIRED: The cause of losses giving rise to physical
safeguards that should be reviewed by the auditor.
DISCUSSION: The internal audit activity must evaluate risk
exposures relating to governance, operations, and information
systems regarding the safeguarding of assets
(Imp. Std. 2120.A1). For example, internal auditors evaluate risk
exposure arising from theft, fire, improper or illegal activities, and
exposure to the elements.
Answer (A) is incorrect. Misapplication of accounting
principles relates to the reliability of i and not physical
safeguards. Answer (B) is incorrect. that are not
cost justified relate to efficiency, not of operations.
Answer (D) is incorrect. Un to
efficiency of operations.
B
A. Establish risk management processes based
on industry norms.
B. Formulate hypothetical results of possible
consequences resulting from risks not being
managed.
C. Inform regulators that the organization is guilty
of an infraction.
D. Formally discuss with the directors their
obligations for risk management processes.
23. If an organization has no formal risk
management processes, the chief audit executive
should
A. Misapplication of accounting principles.
B. Procedures that are not cost justified.
C. Exposure to the elements.
D. Underusage of physical facilities.
22. Internal auditors should review the means of
physically safeguarding assets from losses arising
from
Answer (A) is correct.
REQUIRED: The basic principle of governance.
DISCUSSION: The internal audit activity must assess and
make appropriate recommendations for improving the
governance process (Perf. Std. 2110).
Answer (B) is incorrect. The internal audit activity is an
assessor of the governance process. It is not accountable for
that process. Answer (C) is incorrect. External parties and
internal auditors may provide assurance about the governance
process. Answer (D) is incorrect. The internal audit activity must
assess and make appropriate recommendations for improving
the governance process in its promotion of appropriate ethics
and values within the organization.
es, and directs
. reasonable
achieved.
ives and goals and
, changes in internal and
I~ establishes and maintains
an ethical climate that fosters
Internal auditors are responsible for
effectiveness of controls, including
lity and integrity of financial and
Answer (C) is incorrect. Senior
to oversee the establishment,
assessment of the system of risk
management control processes. Answer (D) is incorrect.
The board has oversight responsibilities but ordinarily does not
become involved in the details of operations.
Answer (C) is correct.
REQUIRED: The key factor in the success of an internal
audit activity's human resources program.
DISCUSSION: Internal auditors should be qualified and
competent. Because the selection of a superior staff is
dependent on the ability to evaluate applicants, selection criteria
must be well-developed. Appropriate questions and forms
should be prepared in advance to evaluate, among other things,
the applicant's technical qualifications, educational background,
personal appearance, ability to communicate, maturity,
persuasiveness, self-confidence, intelligence, motivation, and
potential to contribute to the organization
Answer (A) is incorrect. The human
should be formal. Answer i
human resources is more
Answer (D) is incorrect. The
more significant than special
C.
B.
A
27. A basic principle of
A. Establishing and maintaining an organizational
culture.
B. Reviewing the reliability and integrity of
financial and operational information.
C. Ensuring that external and internal auditors
oversee the administration of the system of risk
management and control processes.
D. Implementing and monitoring controls
designed by the board of directors.
26. Directors, management, external auditors, and
internal auditors all play important roles in creating
proper control processes. Senior management is
primarily responsible for
A. An informal program for developing and
counseling staff.
B. A compensation plan based on years of
experience.
C. A well-developed set of selection criteria.
D. A program for recognizing the special interests
of individual staff members.
25. The key factor in the success of an internal audit
activity's human resources program is
Use the additional questions in Gleim CIA Test Prep Online to create Practice Exams
Answer (D) is correct.
REQUIRED: The subject of the opinion expressed in a
communication after an external assessment of a quality
program.
DISCUSSION: External assessments of an internal audit
activity contain an expressed opinion as to the entire spectrum of
assurance and consulting work performed (or that should have
been performed under its charter), including (but not limited to)
conformance with the Definition of Internal Auditing, the Code of
Ethics, and the Standards. An external assessment also
includes, as appropriate, recommendations for improvement
(PA 1312-1, para. 2). On completion of the review, a formal
communication should be given to senior management and the
board (PA 1312-1, para. 3).
Answer (A) is incorrect. An opinion is expressed on all
assurance and consulting work performed (or that should have
been performed under its charter). Answer (B) is incorrect. The
scope of an external assessment extends to more than the
effectiveness of the internal auditing coverage. Answer (C) is
incorrect. An external assessment addresses the internal audit
activity, not the adequacy of the organization's controls.
Answer (A) is correct.
REQUIRED:
the quality of pi
engagements.
D st include ongoing
audit activity and
ssessment or by other
ufficient knowledge of
1311). The processes and
include, among other
of working papers by staff not
dits (PA 1311-1, para. 1).
Project assignment documentation
rmation for assessment purposes than
(C) is incorrect. Status reports do not
ning. Answer (D) is incorrect. The
gement work schedule does not relate to
ocumentation for individual engagements.
Answer (A) is correct.
REQUIRED: The element not part of a quality assurance
program.
DISCUSSION: Appraising each internal auditor's work at
least annually is properly a function of the human resources
program of the internal audit activity.
C.
D
30. An external assessment of an i
activity contains an expressed
applies
A. Written engagement work programs.
B. Project assignment documentation.
C. Weekly status reports.
D. The long-range engagement work schedule.
29. As a part of a quality program, internal
assessment teams most likely will examine which of
the following to evaluate the quality of engagement
planning and documentation for individual
engagements?
A. Annual appraisals of individual internal
auditors' performance.
B. Periodic internal assessment.
C. Supervision.
D. Periodic external assessments.
28. The chief audit executive should develop and
maintain a quality assurance and improvement
program that covers all aspects of the internal audit
activity and continuously monitors its effectiveness.
All of the following are included in a quality program
except
1.10 Quality Assurance and Improvement Program (QAIP)