The IIA defines internal auditing as an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes. Underlying this working
domain for internal auditors is the understanding that controls help the organization manage risk
and promote effective governance.
Auditors are charged with an involved role in the organization's risk management and governance
processes.
Topic 2: Define Purpose, Authority, and Responsibility of the Internal Audit Activity (Level P)
The internal audit manual and the annual audit plan help in determining the resource requirements.
Internal auditors are expected to be able to recognize good business practices, to understand
human relations, and to be skilled in oral and written communications.
Provided courtesy of Lyndon S.Remias
June 2017
Part 1: Internal Audit Basics Remias Cheat Sheet
Topic 4: Develop and/or Produce Necessary Knowledge, Skills and Competencies Collectively Required
by the Internal Audit Activity (Level P)
According to Practice Advisory 1210.A1-1, "Obtaining External Service Providers to Support or
Complement the Internal Audit Activity," when assessing competency, the best way of checking on
the reputation of an outside service provider is to do which of the following? Answer: Call past clients
to find out how satisfied they were with the service provider's work.
The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge,
skills, or other competencies needed to perform all or part of the engagement. The internal audit
activity may use external service providers or internal resources that are qualified.
Topic 7: Promote Quality Assurance and Improvement of the Internal Audit Activity (Level P)
QAIP key: supervision is done throughout the entire audit process to ensure DCS is met (D = Definition
of Internal Audit, C = Compliance with the Code of Ethics, S = Compliance with the Standards).
Benefits of a QAIP:
- Helps with continuous improvement of the IAA
- Provides assurance that the IAA is in compliance with DCS (Definition of Internal Audit, Code of Ethics,
and Standards)
- Evaluates the effectiveness and efficiency of the IAA
- Evaluates whether the IAA is adding value
An internal audit activity has many stakeholders with an interest in its successful performance.
Internal quality assurance reviews of an internal audit activity are primarily meant to benefit which
of the following stakeholders? Answer: CAE
The chief audit executive (CAE) must discuss with the board the need for more frequent external
assessments. More frequent reviews may be appropriate, particularly when there have been
significant changes in the internal audit function or the organization itself.
Exam Alert: After the completion of a QAIP the results should be provided to the Board and
Management.
See the Holy Grail for more on QAIP (last page of Cheat Sheet).
Enterprise risk management involves the identification of events with negative impacts on
organizational objectives.
Preventive controls are actions taken prior to the occurrence of transactions with the intent of
stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of
unacceptable suppliers.
A small business uses segregation of duties for processing checks and cash received at its office. No
financial transaction is handled by one person from start to finish. This is an example of a Preventive
Control.
Organizations should not have unrealistic expectations about internal control. Internal control can
help with all of the objectives listed but cannot ensure any of them.
Which of the following internal controls would have most likely prevented this fraud from
occurring? Answer: Segregating the receiving function from the authorization of parts purchases
Exam Alert: Preventive vs. Detective. Preventive controls are proactive controls that deter
undesirable events from occurring. Specific control activities for segregation of duties should be
documented in the accounting policies and procedures manual. Detective controls are reactive and
detect undesirable events that have occurred. Directive controls are proactive controls that cause or
encourage a desirable event to occur. Mitigating or compensating controls compensate for the lack
of an expected control.
Exam Alert: If you see a question with the term Preventive Control, think Separation of Duties.
Exam Alert: If you see a question with the term Detective Control, think Reconciliation, Monitoring,
and other types of back-end reports that help management detect that something is wrong.
Transaction Control - A control that operates at the individual transaction level. It can be preventive
(approval) or detective (error messages).
Process Control - A control that operates at the transaction level or a higher level (reconciliation). It
can be detective or preventive.
A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.
Answer (B) is correct. The Committee of Sponsoring Organizations of the Treadway Commission
published Enterprise Risk Management Integrated Framework. This document describes a model
that incorporates the earlier COSO internal control framework while extending it to the broader
area of enterprise risk management.
The risk assessment map looks at each type of fraud and determines how likely the fraud is to occur
and how significant it would be if it did occur. Any fraud that has a high probability and high
significance of material effect must be addressed with processes and procedures that prevent this
type of fraud.
Unless complex risk quantification is merited (e.g., derivatives), it's best to keep the quantification
and prioritization of risks simple.
In conducting a cultural diversity audit internal audit should:
Risk sharing reduces risk likelihood or impact by transferring or otherwise sharing a portion of the risk.
The most widely used form of risk transfer is insurance. Risk acceptance is taking no action to affect
likelihood or impact.
Exam Alert: The function of the chief risk officer (CRO) is most effective when the CRO works with
management in their areas of responsibility.
Management is responsible for controls.
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
Types of Risk:
a. Strategic risks include political risk, regulatory risk, reputation risk, leadership risk, and
market brand risk.
b. Operational risks include an organization's systems, technology, and people.
c. Financial risks include risks from volatility in foreign currencies, interest rates, and
commodities. They also include credit risk, liquidity risk, and market risk.
d. Hazard risks include natural disasters, impairment of physical assets, and terrorism.
It is important to emphasize that the uncertainties could have a potential upside or downside so that
the scope of ERM encompasses the more traditional view of potential hazards as well as
opportunities.
Risk is pervasive throughout an organization as it can arise from any business function or process at
any time without warning. Because of this widespread exposure, no single functional department
management, other than the board of directors, can oversee the enterprise-wide risk management
program.
Exam Alert: Understand how to respond to risk (risk response):
1. Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks.
Regarding the risks associated with issuing checks, which of the following risk management
techniques does this represent?
A. Controlling.
B. Accepting.
C. Transferring.
D. Avoiding.
Answer (D) is correct. Risk responses may include avoidance, acceptance, sharing, and reduction.
By eliminating checks, the organization avoids all risk associated with them.
2. When a customer fails to pay his/her invoice within 2 months, a notification is sent to inform the
credit manager of the situation. This is an example of which kind of event identification method?
A. Internal analysis.
B. Threshold triggers.
C. Process flow analysis.
D. Loss event data methodologies.
Answer (B) is correct. A predetermined risk response may be made when a certain event occurs,
such as when cash is below a given level or a customer has not paid an invoice within a certain
period of time.
See the Holy Grail (last page) to see how COSO fits in the overall Risk Assessment process.
Required Reading: IPPF Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000
(issued December 2010). This document can be downloaded from the IIA website.
acceptable limit, the auditor must assess the level of risk pertaining to each component of audit
risk.
Risk management (IIA Glossary): a process to identify, assess, manage, and control potential events or
situations, to provide reasonable assurance regarding the achievement of the organization's objectives.
A Risk Management Framework helps a business meet objectives (financial, operational, and
compliance).
Organizations measure risk in terms of impact and likelihood.
Know the difference between risk appetite (the amount of risk, on a broad level, an organization is
willing to accept in pursuit of stakeholder value) vs. risk tolerance (the specific maximum risk that an
organization is willing to take regarding each relevant risk, can be more quantifiable and measurable).
Risk appetite is represented by a range. When risk levels fall outside that range, performance is
suboptimal.
The chief audit executive (CAE) should incorporate information from a variety of sources into the risk
assessment process, including discussions with the board, management, and external auditors; review
of regulations; and analysis of financial/operating data.
Risk assessment is a systematic process of assessing and integrating professional judgments about
probable adverse conditions and/or events, providing a means of organizing an internal audit
schedule.
As a result of an audit or preliminary survey, the chief audit executive (CAE) may revise the level of
assessed risk of an auditable entity at any time, making appropriate adjustments to the work schedule.
Risk assessment does not necessarily involve the assignment of dollar values and is not intended to
identify the audit area with the greatest dollar savings.
Acceptable risk is the level of residual risk that has been determined to be a reasonable level of
potential loss or disruption for a specific computer system (see Holy Grail which is on the last page for
a visual view of a risk assessment process).
Answer (C) is correct. Risk management is a process to identify, assess, manage, and control potential
events or situations to provide reasonable assurance regarding the achievement of the organization's
objectives (The IIA Glossary). Accordingly, the internal audit activity evaluates and contributes to the
improvement of risk management, governance, and control processes using a systematic and
disciplined approach.
(4) Most fraud perpetrators would attempt to conceal their theft by charging it against an
expense account.
Topic 3: Conduct Interviews and Walk-Throughs as Part of a Preliminary Survey of the Engagement
Area (Level P)
When you need people to open up and provide opinions and analysis, as in this situation, an
open-ended question such as, "Tell me about your work environment" has the best chance of
succeeding. Closed-ended questions that can be answered by yes, no, or a fact are less likely to
get people to open up. Questionnaires also provide less opportunity to open up, especially if
staff feel threatened and therefore unwilling to put an opinion in writing unless they are
absolutely certain of anonymity. (In a difficult situation like this one, a variety of approaches
may be necessary.)
Topic 4: Use Observation to Gather Data (Level P)
Understand the pros and cons of gathering data by using observation. Know the least benefit of
observation and know people can act differently when observed.
Topic 5: Conduct Engagement Risk Assessment to Assure Identification of Key Risks and Controls
(Level P)
Assessment of the risk levels of current and future events, their effect on achievement of the
organization's objectives, and their underlying causes is the best risk assessment technique as it
takes a comprehensive approach to risk management; it not only considers the event and the
impact but also the causes.
Risk assessment for audit planning provides a systematic process for assessing and integrating
professional judgment about probable adverse conditions.
Student Input: Sampling was on there. One on discovery; the other few were more so based on statistical
sampling. They'd give you the 5% error and upper deviation limit of 3.7%, sample of 80 items with no
errors found... then ask for a "proper conclusion". It was worded something like "I am 95% confident that
the population error rate, although unknown, is below 3.7%".
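The sampling question described in the student input above, worked through as an added example that is not part of the cheat sheet. In attribute sampling the achieved upper deviation limit (UDL) at a given confidence is the population deviation rate p at which observing k or fewer deviations in n items has probability exactly 1 minus the confidence; any higher true rate would make the observed sample implausible. With k = 0 this closes to 1 - 0.05^(1/n) at 95% confidence, and n = 80 gives about 3.7%, which is the figure in the question. The general solver below goes beyond the zero-deviation case by bisecting the binomial distribution for any k; the function names, the bisection approach and the 5% tolerable rate used in the usage line are this example's own assumptions.

```python
from math import comb


def binom_cdf(n: int, k: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): probability of seeing at most k deviations."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n: int, k: int, confidence: float = 0.95) -> float:
    """Achieved upper deviation limit for an attribute sample of n items with k deviations.

    Returns the population deviation rate p at which observing k or fewer deviations
    has probability (1 - confidence). Solved by bisection, which works because
    P(X <= k) is strictly decreasing in p.
    """
    if not 0 <= k <= n or not 0 < confidence < 1:
        raise ValueError("need 0 <= k <= n and 0 < confidence < 1")
    target = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(200):  # far more iterations than float precision needs
        mid = (lo + hi) / 2
        if binom_cdf(n, k, mid) > target:
            lo = mid  # sample still plausible at this rate: the limit is higher
        else:
            hi = mid
    return hi


def udl_zero_deviations(n: int, confidence: float = 0.95) -> float:
    """Closed form for k = 0: solve (1 - p)^n = 1 - confidence for p."""
    return 1 - (1 - confidence) ** (1 / n)


def sampling_conclusion(n: int, k: int, tolerable_rate: float, confidence: float = 0.95) -> str:
    """Phrase the conclusion the way the exam question expects, and say whether
    the achieved limit supports reliance on the control at the tolerable rate."""
    udl = upper_deviation_limit(n, k, confidence)
    verdict = "supports" if udl <= tolerable_rate else "does not support"
    return (f"With {k} deviation(s) in {n} items, I am {confidence:.0%} confident that the "
            f"population deviation rate, although unknown, is below {udl:.1%}; "
            f"this {verdict} reliance on the control at a {tolerable_rate:.0%} tolerable rate.")


if __name__ == "__main__":
    # Constructed input matching the student's description: 80 items, no deviations, 95% confidence.
    print(sampling_conclusion(80, 0, 0.05))
```

Running the block reproduces the "below 3.7%" conclusion for 80 items with no deviations; changing k to 1 raises the limit, which is why a single deviation in a small sample can be enough to lose reliance on a control.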
Flowcharts allow internal auditors to document their understanding of a process, evaluate
efficiency, determine areas of primary concern, and identify key risks and controls. Flowcharts can
be used to support an auditor's overall assessment of risk and control in an engagement. All
stakeholders should provide input in the flowchart.
An internal auditor develops a vertical flowchart of a process. The value to the auditor is: Answer: to
depict inputs, activities, workflows, and interactions with other processes and outputs.
The only symbol that will be asked about is the diamond (decision).
Mean = Average, Median = Middle Point after arranging, Mode = Most Often
Student Input: I didn't see anything on regression analysis, I saw a question on trend analysis and a
couple on benchmarking (external and with trend analysis)
Other Topics on Part 1
IT/Business Continuity
Note: Most of the exam questions for this section are not actually IT questions but risk (events and
vulnerabilities) and control questions. The key is to dumb down the question and focus on the risk and
control. Testing is based on overall concepts of security and not in depth IT. IT is covered more heavily
in Part 3.
IT Security
Guidance relating to IT:
- COSO ERM (COSO Enterprise Risk Management)
Risks
Malware is short for "malicious software." Malware is any kind of unwanted software that is installed
without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software
that are often grouped together and referred to as malware.
1. Which of the following types of malicious software (malware) uses social engineering tactics
to deceive e-mail receivers?
A. Trojan horses
B. Worms
C. Viruses
D. Root kits
To mitigate the risks controls should be implemented. Know some key terms as they relate to
internal controls:
- General Controls = The whole organization (body)
- Application Controls = a specific application (knee)
- Preventive Controls = Separation of duties
- Detective Controls = Reconciliation (back end reviewing, monitoring)
- Effective = Test
To mitigate IT risk organizations should have IT controls in place. However, the cost of the
controls should be commensurate with the level of risk mitigation.
Hardware Controls
1. Redundant character check
2. Equipment check
3. Duplicate process check
4. Echo check
5. Fault-tolerant components (allow a system to continue to work even when a fault exists, e.g. a
nuclear power plant or a subway)
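Two of the hardware controls listed above, the redundant character (parity) check and the echo check, simulated as an added example that is not part of the cheat sheet. The framing, the function names, the constructed payload and the injected bit faults are this example's own; what it shows is that a parity bit detects any single flipped bit in a frame but misses an even number of flips, while an echo check (the receiver sends the data back and the sender compares) catches that second case as well.

```python
def frame_with_parity(data: bytes) -> list[int]:
    """Sender side: append an even-parity bit to each byte (the redundant character).
    Each frame is 9 bits: 8 data bits followed by the parity bit in bit 0."""
    return [(b << 1) | (bin(b).count("1") % 2) for b in data]


def parity_errors(frames: list[int]) -> list[int]:
    """Receiver side (detective control): indexes of frames whose parity no longer matches."""
    bad = []
    for i, f in enumerate(frames):
        data, parity = f >> 1, f & 1
        if bin(data).count("1") % 2 != parity:
            bad.append(i)
    return bad


def corrupt(frames: list[int], index: int, bits: tuple) -> list[int]:
    """Constructed line fault: flip the given bit positions in one frame
    (bit 0 is the parity bit, bits 1..8 are data bits)."""
    out = list(frames)
    for bit in bits:
        out[index] ^= 1 << bit
    return out


def strip_parity(frames: list[int]) -> bytes:
    """What the receiver passes on after the parity check: the data bits only."""
    return bytes(f >> 1 for f in frames)


def echo_check(sent: bytes, echoed: bytes) -> list[int]:
    """Echo check at the sender: offsets where the echoed data differs from what was sent.
    A length mismatch is treated as a failure of every position."""
    if len(sent) != len(echoed):
        return list(range(max(len(sent), len(echoed))))
    return [i for i, (a, b) in enumerate(zip(sent, echoed)) if a != b]


def demo() -> dict:
    """Run both controls against a clean transmission, a single-bit fault and a double-bit fault."""
    message = b"PAY 100"  # constructed sample payload
    frames = frame_with_parity(message)
    one_bit = corrupt(frames, 2, (3,))      # one data bit flipped in frame 2
    two_bits = corrupt(frames, 2, (3, 6))   # two data bits flipped in the same frame
    return {
        "clean": parity_errors(frames),                       # []
        "single_flip_detected": parity_errors(one_bit),       # [2]
        "double_flip_missed": parity_errors(two_bits),        # [] : parity is unchanged
        "echo_catches_double_flip": echo_check(message, strip_parity(two_bits)),  # [2]
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two-flip case is the reason a parity check is classed only as a detective control with limited coverage: it tells you an error happened in most cases, never which bit, and it is blind to even-count faults, so a stronger check (echo, or a cyclic redundancy check as in Q5 below) is used where that matters.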
Q4. To reduce security exposure when transmitting proprietary data over communication lines, a
company should use
A. asynchronous modems.
B. authentication techniques.
C. cryptographic devices.
D. call-back procedures
Q5. The best means of managing the confidentiality of satellite transmissions would be:
A. monitoring software.
B. access control.
C. encryption.
D. cyclic redundancy checks
Application Development
Exam Alert: Understand the definition of Change and Patch Management Controls. Change
management includes application code revisions, system upgrades, and infrastructure changes such
as changes to servers, routers, cabling, or firewalls.
Change control manages changes in information system resources and procedures. It includes a
formal change request procedure; assessments of change requests on technical and business
grounds; scheduling changes; testing, installing, and monitoring changes; and reporting the status of
recorded changes. The analysts were reusing erroneous code that should have been but was not
corrected.
Changes should be scrutinized, reviewed, approved and bundled.
8. Which of the following is the policy on change and patch management that most high-performing IT
organizations follow?
A. Have IT staff perform those patches that department heads feel are important.
B. Manually install every patch as soon as it is available.
C. Wait to install routine patches until enough are ready for simultaneous testing and installation.
D. Have patches automatically install as soon as they are released by the vendor.
CIA Exam Alert: There was a question on the systems development life cycle analysis (feasibility)
stage - something along the lines of: in which stage do we make a decision if it makes sense
financially to develop internally or buy software?
Many programmers are using Rapid Application Development (RAD) techniques to speed up the
SDLC. One approach that will be tested on the exam is object-oriented approach. An object-
oriented approach is intended to produce reusable code. Because code segments can be reused
in other programs, the time and cost of writing software should be reduced.
What would you expect to find in a user developed system vs. an IT developed system?
(documentation question)
What would be the primary benefit of using EFT for international money transfers?
Auditor's role in assessing systems development
Auditor's role in reviewing systems that are outsourced
Understand Logical Control
Which of the following is an objective of logical security controls for information systems?
Remias Holy Grail
[Diagram: Remias risk assessment process; only the figure's labels survived extraction]
1. Planning Phase
- Objectives: Compliance, Operational, Financial, Strategic
- Risk (Events, Vulnerabilities): Impact vs. Likelihood matrix with quadrants H,L / H,H / L,L / L,H;
Inherent and Residual risk
- Controls, Risk-Based (COSO), C R I M E: Control Activities, Risk Assessment, Control Environment,
Monitoring
- Audit Program Guide (APG): Audit Step; Objective and Scope of engagement; To validate: Adequate,
Effective