Part 1 1 – 1 V3.0 THE IIA’S CIA LEARNING SYSTEM TM Overview Internal Audit Reviews the...

Part 1 1 – 1V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

OverviewInternal Audit

Reviews the effectiveness and efficiency of operations; compliance with laws, regulations, policies, and procedures; achievement of operational/ organizational objectives; reliability of information; and safeguarding of assets

Compliance Audit

Financial Audit

Regulatory Audit

Government Audit

Strictly tests adherence to laws, regulations, standards, and policies and procedures

Provides an attestation solely on the financial reports and statements generated by an organization

Reviews compliance with specific regulations

Focuses on compliance with programs, performance audits, budget reviews, and management audits

Part 1, Overview

Part 1 1 – 2V3.0


www.LearnCia.com

1. Define purpose, authority, and responsibility of the internal audit activity

2. Maintain independence and objectivity

3. Determine availability of required knowledge, skills, and competencies

4. Develop and/or procure necessary knowledge, skills, and competencies collectively required by internal audit activity

Section Topics5. Exercise due

professional care

6. Promote continuing professional development

7. Promote quality assurance and improvement of the internal audit activity

8. Abide by and promote compliance with The IIA’s Code of Ethics

Part 1, Section 1

Rosemary Root

Part 1 1 – 3V3.0


www.LearnCia.com

Internal Auditing, Defined

“An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Part 1, Section 1, Introduction

Part 1 1 – 4V3.0


www.LearnCia.com

International Professional Practices Framework (IPPF)

Practice Advisories

Practice Guides

Position Papers

Not mandatory (but endorsed and recommended by The IIA)


Code of Ethics

International Standards for the Professional Practice of Internal Auditing (Standards)

Definition of Internal Auditing

Mandatory

Part 1 1 – 5V3.0


www.LearnCia.com

A. basic auditing principles.

B. evaluation criteria for audit performance.

C. considerations on how to plan and perform the engagement.

D. a framework for a broad range of value-added internal audit activities.

Answer: C. Approach and methodology (but not detailed processes and procedures) are covered in the Practice

Advisories.

Discussion Question

During an internal audit, the Standards establish all of the following EXCEPT


Part 1 1 – 6V3.0


www.LearnCia.com

• Apply to all internal audit services and internal auditors, individually (organizations; parties performing internal audit activities)

• Provide guidance for the quality of the internal audit programs

Categories of Standards

• Apply to all internal audit services and internal auditors

• Describe the nature of internal audit activities

• Provide quality criteria for performance evaluation

• Expand Attribute and Performance Standards

• Apply to specific engagements

Attribute Performance Implementation


Part 1 1 – 7V3.0


www.LearnCia.com

A. Attribute Standards.

B. Performance Standards.

C. Implementation Standards.

D. Practice Guides and Position Papers.

Answer: A. Attribute Standards describe the characteristics of organizations and parties performing internal audit activities.

Discussion QuestionDefining characteristics such as independence and objectivity or due professional care are covered in


Part 1 1 – 8V3.0


www.LearnCia.com

Types of Internal Audit Activity

“An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization”

“Advisory and related client service activities, the nature and scope of which are agreed to by the client and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility”

Assurance Services Consulting Services


Part 1 1 – 9V3.0


www.LearnCia.com

A. Compliance with applicable Standards

B. Conformance to applicable Standards

C. Assessment or advisory role

D. Internal or external expertise

Answer: C

Discussion Question

Which of the following characteristics differentiates the internal auditor’s activity during assurance and consulting engagements?


Part 1 1 – 10V3.0


www.LearnCia.com

Practice Advisories

Strongly endorsed and recommended guidance on best practices for performance of the Standards

Practice Guides

Detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches


Position Papers

IIA Guidance and Materials

Statements to assist a wide range of interested parties

Part 1 1 – 11V3.0


www.LearnCia.com

Internal Audit Activity, Defined

“A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations”

Helps accomplish organizational objectives through a systematic, disciplined approach

Evaluates and improves the effectiveness of risk management, control, and governance processes

Requires top-level support (e.g., the board and senior management) communicated throughout the organization

Part 1, Section 1, Topic 1

Part 1 1 – 12V3.0


www.LearnCia.com

A. overseeing the service contract with a consultant.

B. waiving a regulatory agency’s recommendation on a risk management or control issue.

C. developing the audit charter and securing approval by the board.

D. reporting to senior management and the boardon internal audit activities.

Answer: B. This is a management decision, not an internal audit decision.

Discussion QuestionAll of the following are reasonable responsibilities for the chief audit executive EXCEPT


Part 1 1 – 13V3.0


www.LearnCia.com

Internal Audit Charter, Defined

“A formal document that defines the internal audit activity’s purpose, authority, and responsibility”

Establishes the internal audit activity’s position within the organization

Authorizes access to records, personnel, and physical properties relevant to the performance of engagements

Defines the scope of internal audit activities


Part 1 1 – 14V3.0


www.LearnCia.com

Mission and scope of the internal auditing department

Accountability of the CAE to management and an audit committee

Independence of the internal auditing function

Responsibilities of the CAE and internal auditing staff

Range of authority of the CAE and internal auditing staff

Applicable standards of audit practice

Typical Audit Charter Elements


Part 1 1 – 15V3.0


www.LearnCia.com

Types of Engagements

Assurance

Consulting

“Blended”

Formal—Engagements planned and subject to written agreement

Informal—Various routine activities

Special—Participation in a merger, acquisition, or conversion

Emergency—Participation in disaster recovery or special business events


Part 1 1 – 16V3.0


www.LearnCia.com

A. Authorization and access

B. Levels of staff proficiency

C. Inquiry and observation processes employed

D. Activity objectives for external service providers

Answer: A

Discussion Question

Which of the following items is appropriate to include in an internal audit activity charter?


Part 1 1 – 17V3.0


www.LearnCia.com

Basic documents to support the purpose, authority, and responsibility of the internal audit department and internal audit activities

Internal audit charter

Function and responsibility (F and R) statement

Statement of policy (corporate audit policy or policy statement missions)

Audit manual (policies and procedures)

Staff job descriptions

Key Documents


Part 1 1 – 18V3.0


www.LearnCia.com

Marketing the Audit Function

Brochures Promote the audit function and explain the features and benefits

Newsletters Highlight important aspects of internal audit activities

Publications Provide softer human interest stories

Audit department open house

Facilitate introductions and/or dialogue

Advisory board of operating managers chaired by CAE

Facilitate an exchange of information on related topics

Client training Educate client personnel and/or internal auditing new hires

Engagement documents and meetings

Structure an internal audit activity as a problem-solving partnership


Part 1 1 – 19V3.0


www.LearnCia.com

Identify whether the statement is related to the purpose, authority, or responsibility of the internal audit activity.

Answers:

Discussion Question

1. Ensure that staff possesses sufficient expertise to fulfill the engagement charter.

2. Maintain access with the appropriate governing authority.

3. Add value and improve operations.

Responsibility

Authority

Purpose


Part 1 1 – 20V3.0


www.LearnCia.com

Internal Audit Activity Purpose, Authority, and Responsibility

• Attribute Standard 1000• Attribute Standard 1130• Performance Standard 2400• Performance Standard 2420


Part 1 1 – 21V3.0


www.LearnCia.com

Independence and Objectivity, Defined

“… the freedom from conditions that threaten objectivity or the appearance of objectivity ...”

Independence

“… the freedom from conditions that threaten objectivity or the appearance of objectivity ...”

Independence “An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made”

Objectivity

“The freedom from conditions that threaten objectivity or the appearance of objectivity”

Independence


Part 1 1 – 22V3.0


www.LearnCia.com

Independence and Organizational Reporting

Board of Directors

Senior Management Audit Committee

CAE and Internal Audit Function

Administrative reporting

Functional reporting

Functional reporting


Part 1 1 – 23V3.0


www.LearnCia.com

Examples:

• Approve: – Internal audit activity’s charter.

– Internal audit risk assessment and related audit plan.

– All decisions regarding performance evaluation, appointment/removal of CAE.

– Annual compensation and salary adjustment of CAE.

• Receive communications from CAE. • Make appropriate inquiries of

management and CAE.

Examples:• Budgeting and management

accounting• Human resource administration• Internal communications and

information flows• Administration of the internal

audit activity’s internal policies and procedures

Functional Reporting Administrative Reporting

Provides independence and authority Facilitates day-to-day operations


Part 1 1 – 24V3.0


www.LearnCia.com

Have regular and direct communication with the board.

Report to an individual at the senior management level with sufficient authority to promote independence and to ensure broad audit coverage.

Report directly to the audit committee (or its equivalent).

Alignment to Ensure Organizational Independence


Part 1 1 – 25V3.0


www.LearnCia.com

A. Strategic synergies

B. Win-win conflict resolution

C. Periodic communication with the engagement client

D. Independent mental attitude

Answer: D. An internal auditor must have an unbiased and impartial mindset in regard to all engagements.

Discussion Question

Which action best exemplifies internal auditing objectivity?


Part 1 1 – 26V3.0


www.LearnCia.com

Policies to Promote Objectivity

Have no operational responsibility for the activity under review.

Have had no authority or responsibility during the past year or a reasonable time frame.

Abide by the Code of Ethics.

Not subordinate their judgment to that of others.

Not compromise the quality of their work or objectivity of their judgment.

Avoid potential conflicts of interest and bias.

Have an independent review of engagement results.

Internal auditors should:


Part 1 1 – 27V3.0


www.LearnCia.com

• Periodic query of internal auditing staff

• Periodic staff assignment rotation

• Refusal of material fees, gifts, or entertainment—consideration of what is “reasonable”

Additional Best Practices to Maintain Objectivity

CAE

Internal Auditor


Part 1 1 – 28V3.0


www.LearnCia.com

Identify which of the following items exemplify potential impairments. Respond “yes,” “no,” or “probable.”

Discussion Question

1. Accepting a breakfast invitation

2. An executive demanding the rescheduling of an audit

3. A designer passport travel ID case

4. Denial of facility access

Answers:

Yes

Probable

Yes

No

Potential impairments should be reported to the CAE.


Part 1 1 – 29V3.0


www.LearnCia.com

Reinforcing Activity 1-1Part 1, Section 1, Topic 2

Maintain Independence and Objectivity


Part 1 1 – 30V3.0


www.LearnCia.com

Engagement Staffing Options

In-house auditing Establishing a dedicated audit team with requisite resources

Total out-sourcing Out-sourcing 100% of the internal audit activity to an external provider, usually on an ongoing basis

Co-sourcing A combination of internal staffing and external out-sourcing; external providers provide supplementary specialist skills

Subcontracting

(staff augmentation)

Securing a specific individual to perform a specific engagement or part of an engagement

Secondment Borrowing an employee from another part of the organization to work in the audit activity for a specified period of time


Part 1 1 – 31V3.0


www.LearnCia.com

Requisite Knowledge, Skills, and Competencies

Knowledge

Skills

Competencies

Information

Proficiency

Performance

Examples

Knowledge required to perform technical audits

Language/communication skills

Interpersonal skills/audit tools and techniques


Part 1 1 – 32V3.0


www.LearnCia.com

Internal Audit Designated Competencies


Part 1 1 – 33V3.0


www.LearnCia.com

A. Audit committee

B. Chief audit executive (CAE)

C. Board

D. Human resources

Answer: B. The CAE is responsible for determining levels of education and experience for the organization’s IA positions.

Discussion Question

Who is ultimately responsible for ensuring that the internal audit activity is staffed appropriately?


Part 1 1 – 34V3.0


www.LearnCia.com

Identify the employment term described in the example.

Answers:

Discussion Question

1. Requiring CIA certification for an internal audit position

2. List of requisite knowledge, skills, and competencies

3. Evaluation and feedback at the end of an engagement

4. Progressive promotions of an internal auditor

Job description

Performance appraisal

Career path

Job specifications


Part 1 1 – 35V3.0


www.LearnCia.com

How to Evaluate Staff Proficiency

1Review the education and background of the IA activity’s staff.

2Review staff and management job descriptions.

3Obtain and review information pertaining to specialized skills required by the IA activity.

4 Conduct a staffing analysis.


Part 1 1 – 36V3.0


www.LearnCia.com

A. co-sourcing.

B. out-sourcing.

C. joint venture.

D. alliance.

Answer: A. In co-sourcing, an external providersupplements the internal audit function; in out-sourcing, an outside firm is paid to handle the responsibility.

Discussion QuestionThe CAE must hire an outside service provider to support the internal audit activity with statistical analysis responsibilities. This best describes


Part 1 1 – 37V3.0


www.LearnCia.com

Co-sourcing and Out-sourcing

Advantages Disadvantages

+ Frees internal resources+ Provides flexibility + Can improve efficiency and

effectiveness + Can reduce expenses + Can expand coverage + May improve quality and/or

timeliness+ Can provide additional skill

sets

– Can cost more – Results in a loss of in-house

capabilities and process control

– Can undermine morale– Requires a learning curve,

oversight, and coordination– Has potential for privacy and

confidentiality issues– Can undermine career

pathing


Part 1 1 – 38V3.0


www.LearnCia.com

Determine the competence.

Assess the relationship with the organization.

Ensure that independence and objectivity are maintained.

Review necessary information (e.g., work objectives, scope, access).

Document matters in an engagement letter or contract.

Reference compliance with The IIA’s Standards (as applicable).

CAE Responsibilities for Outside Service Providers


Part 1 1 – 39V3.0


www.LearnCia.com

What Is Fraud?Examples:• Acceptance of bribes or kickbacks• Diversion of a potentially profitable

transaction • Embezzlement• Intentional concealment/misrepresentation

of events, transactions, or data• Bogus claims submitted for services or

goods • Intentional failure to act• Unauthorized or illegal use of confidential

or proprietary information• Unauthorized or illegal manipulation of IT

networks or operating systems• Theft

“Any illegal act characterized by deceit, concealment or violation of trust”


Part 1 1 – 40V3.0


www.LearnCia.com

Information Technology Considerations

“Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.” (Standard 1210.A3)


Part 1 1 – 41V3.0


www.LearnCia.com

• Calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances.

• Requires internal auditors to act responsibly.

• Exercised when internal audits are performed in accordance with the Standards.

• Internal auditors must be independent, competent, and objective.

• Audit work must be planned and supervised.

• Audit reports must be objective, clear, concise, constructive, and timely.

• Internal auditors must follow up on reported audit findings.

Characteristics of Due Professional Care

What is due professional care?

What are the implications?


Part 1 1 – 42V3.0


www.LearnCia.com

A. Understanding the performance goals of the client

B. Recognizing the needs of management

C. Being alert to significant risks that affect objectives, goals, and strategies

Answer: C

Discussion Question

Which of the following statements exemplifies due professional care in an assurance engagement?


Part 1 1 – 43V3.0


www.LearnCia.com

A. More applicable standards

B. Increased client needs and expectations

C. Fewer potential benefits derived from the engagement

Answer: B. Many of the same considerations apply. However, the needs and expectationsof clients have increased significance.

Discussion QuestionHow does due professional care in a consulting engagement differ from that in an assurance engagement?


Part 1 1 – 44V3.0


www.LearnCia.com


Exercise Due Professional Care


Part 1 1 – 45V3.0


www.LearnCia.com

What Is Continuing Professional Development?

Description General Examples The IIA Offerings

The means to maintain, improve, and broaden the knowledge, skills, and competence required in a profession

• Occupational assignments

• Mentoring

• Networking

• Training

• Research projects

• Collective wisdom

• Formal education

• Conferences

• Membership/activity in professional societies

• Certification and recertification

• Seminars

• Conferences

• Web-based training

• Vision University


Part 1 1 – 46V3.0


www.LearnCia.com

Certification

Description Achieved By The IIA Certifications

The systematic measurement of characteristics that results in recognition of meeting suggested knowledge and other minimum requirements

• Graduation from accredited or approved training

• Completion of a specified amount or type of work experience

• Acceptable exam performance

• Certified Internal Auditor® (CIA)

• Certification in Control Self-Assessment (CCSA)

• Certified Government Auditing Professional (CGAP)

• Certified Financial Services Auditor (CFSA)


Part 1 1 – 47V3.0


www.LearnCia.com

• Helps provide reasonable assurance to stakeholders that the internal audit activity:

– Performs in accordance with its charter and is consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

– Operates in an effective and efficient manner.

– Is perceived as adding value and improving operations.

• Includes appropriate supervision, periodic internal assessments, ongoing monitoring of quality assurance, and periodic external assessments.

Quality Assurance and Improvement Program (QA&IP)


Part 1 1 – 48V3.0


www.LearnCia.com

• Ongoing internal evaluations of the internal audit activity coupled with periodic self-assessments and/or reviews

• Conducted by persons within the organization’s internal audit activity

• Supervised by the direction of the CAE

• Evaluation of the internal audit activity compliance with the Standards, the use of best practices, and internal audit activity efficiency and effectiveness

• Conducted by a qualified independent reviewer or review team from outside the organization

QA&IP Internal and External Assessments

Periodic internal assessment Periodic external assessment


Part 1 1 – 49V3.0


www.LearnCia.com

Identify whether the statement describes internal or external periodic quality assessments or both.

Discussion Question

1. Usually incorporated into routine policies and practices

2. Provides an opinion about conformance to the Standards

3. CAE involvement precludes total objectivity

4. Conducted at least once every five years

Answers:

Internal

Internal or external

Internal

External


Part 1 1 – 50V3.0


www.LearnCia.com

• Routine and continuous supervision and testing of performance of audit/ consulting work

• Ongoing measurements and analyses of performance metrics

• Periodic validations of compliance with applicable laws, regulations, standards

• Periodic validations of compliance with Standards and Code of Ethics

Scope of Internal Assessments• Evaluation of adequacy of internal

audit activity’s charter, goals, objectives, policies, procedures

• Assessment of contribution to organization’s governance, risk management, and control processes

• Evaluation of effectiveness of continuous improvement activities and adoption of best practices

• Whether auditing activity adds value and improves organization’s operations


Part 1 1 – 51V3.0


www.LearnCia.com

QA&IP Internal Performance Measures

International Professional Practices

Framework

Corporate and Internal Audit Strategies

Laws and Regulations

Innovation and Capabilities

Board/Audit Committee

Internal Audit Process

Management & Audit Clients


Part 1 1 – 52V3.0


www.LearnCia.com

Which of the following are acceptable teams to performexternal quality assessment reviews? (Select all that apply.)I. A team that is totally independent of the organization yet

knowledgeable in standards of audit performanceII. Internal auditors from a subsidiary organizationIII. A self-assessment with independent validation by an

independent reviewerIV. A peer review team made of members from at least three

different organizations

Answer: I, III, and IV. External reviewers must be independent of the organization whose internal audit activity is the subject of the assessment. “Independent of the organization” means not a part of or under the control of the organization to which the internal auditing activity belongs.

Discussion Question


Part 1 1 – 53V3.0


www.LearnCia.com

• Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards and with the internal audit activity’s charter, plans, policies, procedures, practices, and applicable legislative and regulatory requirements

• Expectations of the internal audit activity expressed by the board, senior management, and operational managers

• Integration of the internal audit activity into the organization’s governance process, including the attendant relationships between and among the key groups involved in that process

Scope of External Assessments• Tools and techniques

employed by the internal audit activity

• Mix of knowledge, experience, and disciplines within the staff, including staff focus on process improvement

• Determination as to whether or not the audit activity adds value and improves the organization’s operations


Part 1 1 – 54V3.0


www.LearnCia.com

The CAE should share results, necessary action plans, and their successful implementation with stakeholders such as:

• Senior management.

• The board.

• External auditors.

• Preliminary results should be discussed with the CAE during and at the conclusion of the process.

• Final results should be communicated in a formal report to:

– The CAE or other official who authorized the review.

– Appropriate members of senior management and the board.

Reporting the Results of QA&IP

Internal assessments External assessments


Part 1 1 – 55V3.0


www.LearnCia.com

Statement may be used only if validated by assessments of the QA&IP.

Assessments should include recommendations for compliance improvement.

Compliance may be expressed in one of three ways.• “In compliance with the Standards”• “In conformity to the Standards”• “In accordance with the Standards”

Compliance is conformity and “adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.”

Compliance/Conformity to the Standards


Part 1 1 – 56V3.0


www.LearnCia.com


Promote Quality Assurance andImprovement of the Internal Audit Activity


Part 1 1 – 57V3.0


www.LearnCia.com

The IIA’s Code of Ethics, Defined

Integrity

Objectivity

Confidentiality

Competency

“Principles relevant to the profession and practice of internal auditing and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession ofinternal auditing.”

Principles:


Part 1 1 – 58V3.0


www.LearnCia.com


Abide By and Promote ComplianceWith The IIA’s Code of Ethics


Part 1 1 – 59V3.0


www.LearnCia.com

Questions?

End of Section 1

Part 1, Section 1

Part 1 1 – 1 V3.0 THE IIA’S CIA LEARNING SYSTEM TM Overview Internal Audit Reviews the...

Documents

Transcript of Part 1 1 – 1 V3.0 THE IIA’S CIA LEARNING SYSTEM TM Overview Internal Audit Reviews the...