• The IIA defines internal auditing as “an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.” Implicit in this working
domain for internal auditors is the understanding that controls help the organization manage risk
and promote effective governance.
• Auditors are charged with an involved role in the organization’s risk management and governance
processes.
Topic 2: Define Purpose, Authority, and Responsibility of the Internal Audit Activity (Level P)
• The internal audit manual and the annual audit plan help in determining the resource requirements.
• Internal auditors are expected to be able to recognize good business practices, to understand
human relations, and to be skilled in oral and written communications.
Provided courtesy of Lyndon S. Remias
January 2018
Part 1: Internal Audit Basics – Remias Cheat Sheet
Topic 2: Maintain Independence and Objectivity (Level P)
• Exam Alert: Tested heavily. Internal audit organizations must maintain independence (reporting
structure) and objectivity (frame of mind). CAEs have to establish and promote what internal
auditing can do for the organization while at the same time ensuring that boundaries are clear and
expectations for internal auditing are realistic.
• According to the Interpretation of Standard 1100, “To achieve the degree of independence necessary
to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has
direct and unrestricted access to senior management and the board. This can be achieved through a
dual-reporting relationship… Objectivity requires that internal auditors do not subordinate their
judgment on audit matters to others.”
• Internal auditors may accept gifts of promotional items from audit clients if they are not of material
value.
• When an internal auditor participates directly in the functioning of other areas in the organization,
he or she may compromise the ability to assess those areas objectively in future audits.
Topic 4: Develop and/or Produce Necessary Knowledge, Skills and Competencies Collectively Required
by the Internal Audit Activity (Level P)
• Per "Obtaining External Service Providers to Support or Complement the Internal Audit Activity," when
assessing competency, the best way of checking on the reputation of an outside service provider is
which of the following? Answer: Call past clients to find out how satisfied they were with the service
provider's work.
• The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge,
skills, or other competencies needed to perform all or part of the engagement. The internal audit
activity may use external service providers or internal resources that are qualified.
Topic 7: Promote Quality Assurance and Improvement of the Internal Audit Activity (Level P)
• QAIP – Key point: supervision is done throughout the entire audit process to ensure DCS is met
(D – Definition of Internal Audit, C – Compliance with the Code of Ethics, S – Compliance with the Standards).
• Benefits of a QAIP:
- Helps with continuous improvement of the IAA
- Provides assurance that the IAA is in compliance with DCS (Definition of Internal Audit, Code of Ethics,
and Standards)
- Evaluates the effectiveness and efficiency of the IAA
- Evaluates whether the IAA is adding value
• An internal audit activity has many stakeholders with an interest in its successful performance.
Internal quality assurance reviews of an internal audit activity are primarily meant to benefit which
of the following stakeholders? Answer: CAE
• The chief audit executive (CAE) must discuss with the board the need for more frequent external
assessments. More frequent reviews may be appropriate, particularly when there have been
significant changes in the internal audit function or the organization itself.
• Exam Alert: After the completion of a QAIP the results should be provided to the Board and
Management.
• See the “Holy Grail” for more on QAIP (last page of Cheat Sheet).
• Enterprise risk management involves the identification of events with negative impacts on
organizational objectives.
• Preventive controls are actions taken prior to the occurrence of transactions with the intent of
stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of
unacceptable suppliers.
Chapter B: Internal Control Framework Characteristics and Use
Chapter Introduction
Topic 1: Demonstrate an Understanding of COSO’s Internal Control-Integrated Framework (Level P)
Student Input: At least ten questions on COSO Framework but nothing on the other frameworks (except
for one generic question about the difference between COSO and Turnbull) centering around core
concepts and most important.
• The COSO framework includes five components: control environment (most important), risk
assessment, control activities, information and communication, and monitoring (CRIME).
• COSO = CRIME
- Control Activities
- Risk Assessment
- Information & Communication
- Monitoring
- Control Environment (most important component as it sets the “tone at the top”)
The updated principles-based framework, which supersedes the original 1992 framework, now explicitly
describes its principles rather than simply implying them, thus making it easier for companies to apply
the principles. The revised COSO framework’s 17 principles of effective internal control are as follows:
Component / Internal Control Principles
Control environment:
1. Demonstrate commitment to integrity and ethical values
2. Ensure that board exercises oversight responsibility
3. Establish structures, reporting lines, authorities and responsibilities
4. Demonstrate commitment to a competent workforce
5. Hold people accountable
Risk assessment:
1. Specify appropriate objectives
2. Identify and analyze risks
3. Evaluate fraud risks
4. Identify and analyze changes that could significantly affect internal controls
Control activities:
1. Select and develop control activities that mitigate risks
2. Select and develop technology controls
3. Deploy control activities through policies and procedures
Information and communication:
1. Use relevant, quality information to support the internal control function
2. Communicate internal control information internally
3. Communicate internal control information externally
Monitoring:
1. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
2. Communicate internal control deficiencies
Which of the following control models is fully incorporated into the broader integrated framework
of enterprise risk management (ERM)?
A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.
Answer (B) is correct. The Committee of Sponsoring Organizations of the Treadway Commission
published Enterprise Risk Management – Integrated Framework. This document describes a model
that incorporates the earlier COSO internal control framework while extending it to the broader
area of enterprise risk management.
• The risk assessment map looks at each type of fraud and determines how likely the fraud is to occur
and how significant it would be if it did occur. Any fraud that has a high probability and high
significance of material effect must be addressed with processes and procedures that prevent this
type of fraud.
• Unless complex risk quantification is merited (e.g., derivatives), it's best to keep the quantification
and prioritization of risks simple.
• In conducting a cultural diversity audit, internal audit should:
1. Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks.
Regarding the risks associated with issuing checks, which of the following risk management
techniques does this represent?
A. Controlling.
B. Accepting.
C. Transferring.
D. Avoiding.
Answer (D) is correct. Risk responses may include avoidance, acceptance, sharing, and reduction.
By eliminating checks, the organization avoids all risk associated with them.
2. When a customer fails to pay his/her invoice within 2 months, a notification is sent to inform the
credit manager of the situation. This is an example of which kind of event identification method?
A. Internal analysis.
B. Threshold triggers.
C. Process flow analysis.
D. Loss event data methodologies.
Answer (B) is correct. A predetermined risk response may be made when a certain event occurs,
such as when cash is below a given level or a customer has not paid an invoice within a certain
period of time.
• See the Holy Grail (last page) to see how COSO fits in the overall Risk Assessment process.
• ISO 31000:2009 “Risk Management – Principles and Guidelines” is an international standard
framework for risk management that is simple and concise. ISO 31000 is a framework for the
systematic development of enterprise risk management that can be used successfully by any size or
type of organization because the organization can adapt the framework to the proper scope and
environmental context. As the organization’s risk management activities become more mature the
framework can likewise be augmented.
• Exam Alert: There are two widely practiced approaches to risk management: top down
(start with objectives, then risks, then controls over the process) and bottom up (start with the process,
then controls, risks, and objectives).
• Exam Alert: Understand the bottom-up approach. It is a philosophy that an organization needs to identify
risk at the following levels: Process Level – Project/Department Level – Vertical/Functional Level – Business
Unit Level – Organization Level. The bottom-up approach could completely consume all resources and take
all your time, but it would represent the most precise picture of the risk and could be completely
quantified. However, it is not widely used.
• ISO 31000 is based on the Plan, Do, Check, and Act method.
Required Reading – IPPF Practice Guide “Assessing the Adequacy of Risk Management Using ISO 31000”
(Issued December 2010). This document can be downloaded from the IIA website.
Audit Risk is the risk that an auditor “expresses an inappropriate opinion” on the financial
statements.
The others are components of audit risk but it is the overall “audit risk” that leads to the
expression of an inappropriate opinion.
Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial
statements. By itself it may or may not lead to “expressing an inappropriate opinion” on the
financial statements based on inherent and control risk factors.
Audit risk may be considered as the product of the various risks which may be encountered in
the performance of the audit. In order to keep the overall audit risk of engagements below
acceptable limit, the auditor must assess the level of risk pertaining to each component of audit
risk.
• Risk management is a process to identify, assess, manage, and control potential events or situations, to provide
reasonable assurance regarding the achievement of the organization’s objectives.
• A Risk Management Framework helps a business meet objectives (financial, operational, and
compliance).
• Organizations measure risk in terms of impact and likelihood.
• Know the difference between risk appetite (the amount of risk, on a broad level, an organization is
willing to accept in pursuit of stakeholder value) vs. risk tolerance (the specific maximum risk that an
organization is willing to take regarding each relevant risk, can be more quantifiable and measurable).
• Risk appetite is represented by a range. When risk levels fall outside that range, performance is suboptimal.
• The chief audit executive (CAE) should incorporate information from a variety of sources into the risk
assessment process, including discussions with the board, management, and external auditors; review
of regulations; and analysis of financial/operating data.
• Risk assessment is a systematic process of assessing and integrating professional judgments about
probable adverse conditions and/or events, providing a means of organizing an internal audit
schedule.
• As a result of an audit or preliminary survey, the chief audit executive (CAE) may revise the level of
assessed risk of an auditable entity at any time, making appropriate adjustments to the work schedule.
• Risk assessment does not necessarily involve the assignment of dollar values and is not intended to
identify the audit area with the greatest dollar savings.
• Acceptable risk is the level of residual risk that has been determined to be a reasonable level of
potential loss or disruption for a specific computer system (see Holy Grail which is on the last page for
a visual view of a risk assessment process).
Answer (C) is correct. Risk management is “a process to identify, assess, manage, and control potential
events or situations to provide reasonable assurance regarding the achievement of the organization’s
objectives” (The IIA Glossary). Accordingly, the internal audit activity evaluates and contributes to the
improvement of risk management, governance, and control processes using a systematic and
disciplined approach.
daily receipts of a business (or from any cash transaction involving a third interested party) and
officially reporting a lower total. The formal legal term is defalcation.
- Misappropriation of assets (stealing)
• If an auditor discovers fraud, he or she must report it to management and the board; the auditor is not
responsible for reporting to outside third parties.
Student input: “I honestly don't remember much about fraud except for a couple questions
related to what should an auditor do if they suspect it.”
Topic 3: List Fraud Red Flags (Level A)
• (4) Most fraud perpetrators would attempt to conceal their theft by charging it against an
expense account.
Topic 3: Conduct Interviews and Walk-Throughs as Part of a Preliminary Survey of the Engagement
Area (Level P)
• When you need people to open up and provide opinions and analysis, as in this situation, an
open-ended question such as, "Tell me about your work environment" has the best chance of
succeeding. Closed-ended questions that can be answered by yes, no, or a fact are less likely to
get people to open up. Questionnaires also provide less opportunity to open up, especially if
staff feel threatened and therefore unwilling to put an opinion in writing unless they are
absolutely certain of anonymity. (In a difficult situation like this one, a variety of approaches
may be necessary.)
Topic 5: Conduct Engagement Risk Assessment to Assure Identification of Key Risks and Controls
(Level P)
• Assessment of the risk levels of current and future events, their effect on achievement of the
organization's objectives, and their underlying causes is the best risk assessment technique as it
takes a comprehensive approach to risk management; it not only considers the event and the
impact but also the causes.
• Risk assessment for audit planning provides a systematic process for assessing and integrating
professional judgment about probable adverse conditions.
Student Input: "Sampling was on there. 1 on discovery, the other few were more so based on statistical
sampling, they'd give you the 5% error and upper deviation limit of 3.7% sample of 80 items with no
errors found, then ask for a 'proper conclusion'. It was worded something like 'I am 95% confident that
the population error rate, although unknown, is below 3.7%'."
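The figures in the student note above can be reproduced from the attribute-sampling model. The following is an added worked example, not part of the cheat sheet: it computes the upper deviation limit for a sample of n items with k deviations at a given confidence level (95% here, i.e. 5% sampling risk, which is how the "5% error" is read) and produces the proper conclusion. The 5% tolerable deviation rate and the function names are constructed assumptions.

```python
"""Attribute sampling: upper deviation limit and the resulting conclusion.
Added worked example (not from the cheat sheet). Reproduces the student
note: a sample of 80 items with no deviations supports, at 95% confidence,
the conclusion that the population deviation rate is below 3.7%."""
from math import comb


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the probability of finding at most
    k deviations in a sample of n when the true population rate is p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n: int, k: int, confidence: float = 0.95) -> float:
    """Smallest population deviation rate p at which observing k or fewer
    deviations in n items has probability no more than (1 - confidence).
    Any true rate above it would make the observed sample unlikely, so the
    auditor is `confidence` sure the true rate is below it."""
    alpha = 1.0 - confidence
    if k == 0:
        # Closed form for zero deviations: (1 - p)^n = alpha
        return 1.0 - alpha ** (1.0 / n)
    # For k > 0 solve binomial_cdf(k, n, p) = alpha by bisection; the tail
    # probability decreases monotonically as p grows.
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 60 halvings give precision far below 0.01%
        mid = (lo + hi) / 2
        if binomial_cdf(k, n, mid) > alpha:
            lo = mid  # sample still too likely at this rate; p must be higher
        else:
            hi = mid
    return hi


def proper_conclusion(n: int, k: int, tolerable_rate: float,
                      confidence: float = 0.95) -> dict:
    """Compare the achieved upper deviation limit with the tolerable rate.
    If the limit does not exceed the tolerable rate the control can be
    relied upon at the planned level; otherwise planned reliance must be
    reduced (or the sample extended)."""
    udl = upper_deviation_limit(n, k, confidence)
    return {
        "upper_deviation_limit": udl,
        "rely_on_control": udl <= tolerable_rate,
        "statement": (f"I am {confidence:.0%} confident that the population "
                      f"deviation rate, although unknown, is below {udl:.1%}."),
    }


if __name__ == "__main__":
    # Constructed inputs matching the student note: n = 80, no deviations,
    # 95% confidence (5% sampling risk), assumed tolerable rate of 5%.
    print(proper_conclusion(80, 0, 0.05))
    # One deviation in the same sample pushes the limit above 5%.
    print(proper_conclusion(80, 1, 0.05))
```

The same function generalizes beyond the zero-deviation case in the note: with one deviation in 80 items the upper limit rises to about 5.8%, which exceeds a 5% tolerable rate and so no longer supports the planned reliance.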
Chapter C: Data Analysis and Interpretation
Chapter Introduction
Topic 1: Use Computerized Audit Tools and Techniques (Level P)
• Automated working papers provide an efficient medium to document, review, store, and access
information supporting assurance and consulting work performed.
• Mean = Average, Median = Middle Point after arranging, Mode = Most Often
Student Input: I didn't see anything on regression analysis, I saw a question on trend analysis and a
couple on benchmarking (external and with trend analysis)
Other Topics on Part 1
IT/Business Continuity
Note: Most of the exam questions for this section are not actually IT questions but risk (events and
vulnerabilities) and control questions. The key is to dumb down the question and focus on the risk and
control. Testing is based on overall concepts of security and not in depth IT. IT is covered more heavily
in Part 3 but you should still be familiar with IT Risk and Controls.
IT Security
• Guidance relating to IT
• Risks
Malware is short for "malicious software." Malware is any kind of unwanted software that is installed
without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software
that are often grouped together and referred to as malware.
1. Which of the following types of malicious software (malware) uses social engineering tactics
to deceive e-mail receivers?
A. Trojan horses
B. Worms
C. Viruses
D. Root kits
• To mitigate the risks controls should be implemented. Know some key terms as they relate to
internal controls:
- General Controls = The whole organization (body)
- Application Controls = a specific application (knee)
- Preventive Controls = Separation of duties
- Detective Controls = Reconciliation (back end reviewing, monitoring)
- Effective = Test
• To mitigate IT risk organizations should have IT controls in place. However, the cost of the
controls should be commensurate with the level of risk mitigation.
• Hardware Controls
1. Redundant character check
2. Equipment check
3. Duplicate process check
4. Echo check
5. Fault-tolerant components (allow a system to continue to work even when a fault exists, e.g.,
nuclear power plant, subway)
CIA Exam Alert: Be able to identify examples of IT Application Controls—Input Controls
• Control data as it enters system
• Garbage-in, garbage-out (GIGO)
• Manual input controls, e.g., authorizations
• Electronic aids for manual inputs
o Screen formats, entry fields, drop-down menus
o Keystroke verification
o Labeling conventions and completeness checks
• Edit Checks – such as check digits
• Processing Controls
• Output Controls
• What would you expect to find in a user developed system vs. an IT developed system?
(documentation question)
• What would be primary benefit of using EFT for international money transfers?
• Auditor's role in assessing systems development
• Auditor's role in reviewing systems that are outsourced
• Understand Logical Control
Which of the following is an objective of logical security controls for information systems?
Remias Holy Grail
[Diagram of the planning phase, recovered as text: Objectives -> Risk -> Controls -> Risk-Based Audit Program Guide]
1. Planning Phase
- Objectives: Compliance, Operational, Financial, Strategic
- Risk (Events, Vulnerabilities): measured by Impact and Likelihood; Inherent vs. Residual risk.
Risk response matrix (Impact, Likelihood): H,L (Share); H,H (Avoid); L,L (Accept); L,H (Reduce)
- Controls (COSO – C R I M E): Control Activities, Risk Assessment, Information & Communication,
Monitoring, Control Environment. Controls are “validated” as Adequate and Effective.
- Risk-Based Audit Program Guide (APG): audit step, objective and scope of engagement
COSO ERM integrates Objectives, Risks, and Controls
Mandatory Guidance:
Recommended Guidance:
• Implementation Guidance.
• Supplemental Guidance.
IPPF Framework 2017
Mission of Internal Audit
The Mission of Internal Audit articulates what internal audit aspires to accomplish within an
organization. Its place in the New IPPF is deliberate, demonstrating how practitioners should leverage
the entire framework to facilitate their ability to achieve the Mission.
Mission: To enhance and protect organizational value by providing risk-based and objective assurance,
advice, and insight.
MANDATORY (CPDCS)
I. Core Principles for the Professional Practice of Internal Auditing
The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit
function to be considered effective, all Principles should be present and operating effectively. How an
internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles
may be quite different from organization to organization, but failure to achieve any of the Principles
would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s
mission (see Mission of Internal Audit).
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.
II. The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal
auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.
The Code of Ethics states the principles and expectations governing the behavior of individuals and
organizations in the conduct of internal auditing. It describes the minimum requirements for conduct,
and behavioral expectations rather than specific activities.
The purpose of The Institute's Code of Ethics is to promote an ethical culture in the profession of
internal auditing.
A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on
the trust placed in its objective assurance about governance, risk management, and control.
The Institute's Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components:
1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to
interpreting the Principles into practical applications and are intended to guide the ethical conduct of
internal auditors.
"Internal auditors" refers to Institute members, recipients of or candidates for IIA professional
certifications, and those who perform internal audit services within the Definition of Internal Auditing.
This Code of Ethics applies to both entities and individuals that perform internal audit services.
For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code
of Ethics will be evaluated and administered according to The Institute's Bylaws and Administrative
Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent
it from being unacceptable or discreditable, and therefore, the member, certification holder, or
candidate can be liable for disciplinary action.
Internal auditors are expected to apply and uphold the following principles:
1. Integrity - The integrity of internal auditors establishes trust and thus provides the basis for reliance
on their judgment.
2. Objectivity - Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being examined. Internal
auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by
their own interests or by others in forming judgments.
3. Confidentiality - Internal auditors respect the value and ownership of information they receive and do
not disclose information without appropriate authority unless there is a legal or professional obligation
to do so.
4. Competency - Internal auditors apply the knowledge, skills, and experience needed in the
performance of internal audit services.
Rules of Conduct
1. Integrity
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the
profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
2. Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationships that may be in conflict
with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
activities under review.
3. Confidentiality
Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law
or detrimental to the legitimate and ethical objectives of the organization.
4. Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and
experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the
Professional Practice of Internal Auditing (Standards).
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.
IV. International Standards for the Professional Practice of Internal Auditing (Standards)
• Standards are principle-focused and provide a framework for performing and promoting internal
auditing. The Standards are mandatory requirements consisting of:
• Statements of basic requirements for the professional practice of internal auditing and for
evaluating the effectiveness of its performance. The requirements are internationally applicable
at organizational and individual levels.
• Note: See the separate PDF File of the IPPF 2017 Standards.
RECOMMENDED GUIDANCE
Recommended guidance is endorsed by The IIA through a formal approval process. It describes practices
for effective implementation of The IIA's Core Principles, Definition of Internal Auditing, Code of Ethics,
and Standards. The recommended elements of the IPPF are:
2. Supplemental Guidance:
• Practice Guides, which provide detailed processes and procedures for internal audit
practitioners.
• Global Technology Audit Guides (GTAG)
• Guide to the Assessment of IT Risk
Note: While Position Papers are no longer an official part of the New IPPF, these documents are still
relevant and valid for practitioners and other interested parties.