
Part 1: Internal Audit Basics Remias Cheat Sheet

Section I: Mandatory Guidance (DCS)


Introduction
Chapter A: Definition of Internal Auditing
Topic 1: Define and Break Down the Definition of Internal Auditing (Level P)

The IIA defines internal auditing as an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes. Implicit in delineating this
working domain for internal auditors is the understanding that controls help the organization manage
risk and promote effective governance.
Auditors are charged with an involved role in the organization's risk management and governance
processes.

Topic 2: Define Purpose, Authority, and Responsibility of the Internal Audit Activity (Level P)
The internal audit manual and the annual audit plan help in determining the resource requirements.
Internal auditors are expected to be able to recognize good business practices, to understand
human relations, and to be skilled in oral and written communications.

Chapter B: Code of Ethics


Topic 1: Abide By and Promote Compliance With the IIA's Code of Ethics (Level P)
Four components of the Code of Ethics, IOCC: I (Integrity), O (Objectivity), C (Competence), C
(Confidentiality).
The Competency Rule of Conduct of the Code of Ethics requires auditors to continually strive for
improvement in their proficiency and in the effectiveness of their audits.
Auditors must exhibit loyalty to the organization, but they must not be a party to any illegal activity.
Thus, auditors must comply with legal subpoenas. Answer: In response to a subpoena, an auditor
appeared in a court of law and disclosed confidential, audit-related information that could
potentially damage the auditor's organization.
A formalized corporate code of ethics presents objective criteria by which actions can be evaluated,
and would thus serve as the criteria against which activities are evaluated.

Chapter C: International Standards


Topic 1: Comply With the IIA's Attribute Standards (Level P)
Note: It is important and will pay dividends to read the Standards. If I did not provide you a hard
copy, a PDF version can be found here on the IIA website:
https://na.theiia.org/standards-guidance/Public%20Documents/IPPF%202013%20English.pdf
(Note: After 7/1/2017 the new standards will be tested.)
There is no need to memorize Standard numbers, but be very familiar with each of the Standards.
- 1000 Purpose, Authority, and Responsibility
Audit Charter (several questions) defines: PAR (Purpose, Authority, Responsibility)
- Also position in company, access to records and scope of services
- Describes nature of assurance and consulting activities
- Charter must be approved by senior management and then the board

Provided courtesy of Lyndon S.Remias
June 2017

Topic 2: Maintain Independence and Objectivity (Level P)


Exam Alert: Tested heavily. Internal audit organizations must maintain independence (reporting
structure) and objectivity (frame of mind). CAEs have to establish and promote what internal
auditing can do for the organization while at the same time ensuring that boundaries are clear and
expectations for internal auditing are realistic.
According to the Interpretation of Standard 1100, "To achieve the degree of independence necessary
to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has
direct and unrestricted access to senior management and the board. This can be achieved through a
dual-reporting relationship." Objectivity requires that internal auditors do not subordinate their
judgment on audit matters to others.
Internal auditors may accept gifts of promotional items from audit clients if they are not of material
value.
When an internal auditor participates directly in the functioning of other areas in the organization,
he or she may compromise the ability to assess those areas objectively in future audits.

Topic 3: Determine Availability of Required Knowledge, Skills, and Competencies (Level P)


Internal auditor proficiency in information technology (IT) that supports business processes is best
exemplified by: Answer: ensuring appropriate manual and automated controls are identified,
documented, evaluated, and tested.
Internal auditors do not have to be experts, but they must have the knowledge, skills, and
competencies required of an internal auditor.

Topic 4: Develop and/or Produce Necessary Knowledge, Skills and Competencies Collectively Required
by the Internal Audit Activity (Level P)
According to Practice Advisory 1210.A1-1, "Obtaining External Service Providers to Support or
Complement the Internal Audit Activity," when assessing competency, what is the best way of checking
on the reputation of an outside service provider? Answer: Call past clients to find out how satisfied
they were with the service provider's work.
The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge,
skills, or other competencies needed to perform all or part of the engagement. The internal audit
activity may use external service providers or internal resources that are qualified.

Topic 5: Exercise Due Professional Care (Level P)


An auditor finds a situation where there is some suspicion, but no evidence, of potential
misstatement. The Standard of due professional care would be violated if the auditor Answer: did
not test for possible misstatement because the audit program had already been approved by audit
management.
Due professional care requires the internal auditor to conduct examinations and verifications to a
reasonable extent. Internal auditors cannot give absolute assurance that noncompliance or
irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance
needs to be considered.

Topic 6: Promote Continuing Professional Development (Level P)


Professional certification communicates professionalism and proficiency to employers and others.
The CAE should develop, with each internal auditor, a schedule of training opportunities based upon
the goals of the auditor and the objectives of the internal audit activity.

Topic 7: Promote Quality Assurance and Improvement of the Internal Audit Activity (Level P)
QAIP key: supervision is done throughout the entire audit process to ensure DCS is met (D -
Definition of Internal Audit, C - Compliance with the Code of Ethics, S - Compliance with the Standards).
Benefits of a QAIP:
- Helps with continuous improvement of the IAA
- Provides assurance that the IAA is in compliance with DCS (Definition of Internal Audit, Code of
Ethics, and Standards)
- Evaluates effectiveness and efficiency of the IAA
- Evaluates whether the IAA is adding value
An internal audit activity has many stakeholders with an interest in its successful performance.
Internal quality assurance reviews of an internal audit activity are primarily meant to benefit which
of the following stakeholders? Answer: CAE
The chief audit executive (CAE) must discuss with the board the need for more frequent external
assessments. More frequent reviews may be appropriate, particularly when there have been
significant changes in the internal audit function or the organization itself.
Exam Alert: After the completion of a QAIP the results should be provided to the Board and
Management.
See the Holy Grail for more on QAIP (last page of Cheat Sheet).

Section II: Internal Control and Risk


Section Introduction

Enterprise risk management involves the identification of events with negative impacts on
organizational objectives.
Preventive controls are actions taken prior to the occurrence of transactions with the intent of
stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of
unacceptable suppliers.

Chapter A: Types of Controls and Management Control Techniques


Topic 1: Define Types of Controls (Level A)

A small business uses segregation of duties for processing checks and cash received at its office. No
financial transaction is handled by one person from start to finish. This is an example of a Preventive
Control.
Organizations should not have unrealistic expectations about internal control. Internal control can
help with all of the objectives listed but cannot ensure any of them.
Which of the following internal controls would have most likely prevented this fraud from
occurring? Answer: Segregating the receiving function from the authorization of parts purchases
Exam Alert: Preventive vs. Detective. Preventive controls are proactive controls that deter
undesirable events from occurring. Specific control activities for segregation of duties should be
documented in the accounting policies and procedures manual. Detective controls are reactive and
detect undesirable events that have occurred. Directive controls are proactive controls that cause or
encourage a desirable event to occur. Mitigating or compensating controls compensate for the lack
of an expected control.
Exam Alert: If you see a question with the term Preventive Control, think Separation of Duties.
Exam Alert: If you see a question with the term Detective Control, think Reconciliation, Monitoring,
and other types of back-end reports that help management detect that something is wrong.
Transaction Control - Control that operates at individual transaction level. They can be a Preventive
Control (approval) or Detective (error messages).
Process Control - Control that operates at transaction level or higher level (reconciliation). Can be a
detective or preventive control.

Topic 2: Describe Types of Management Control Techniques (Level A)


A good system of internal controls is likely to expose an irregularity if it is perpetrated by one
employee, without the aid of others. Management can often override controls, singularly or in
groups. A group has a better chance of successfully perpetrating an irregularity than does an
individual employee.

Chapter B: Internal Control Framework Characteristics and Use


Chapter Introduction
Topic 1: Demonstrate an Understanding of COSO's Internal Control-Integrated Framework (Level P)
Student Input: At least ten questions on the COSO Framework but nothing on the other frameworks (except
for one generic question about the difference between COSO and Turnbull), centering around core
concepts and the most important ones.
The COSO framework includes five components: control environment (most important), risk
assessment, control activities, information and communication, and monitoring (CRIME).
COSO = CRIME
- Control Activities
- Risk Assessment
- Information & Communication
- Monitoring
- Control Environment (most important component, as it sets the tone at the top)

Example of Awareness Type CIA Exam Question


Which of the following control models is fully incorporated into the broader integrated framework
of enterprise risk management (ERM)?

A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.

Answer (B) is correct. The Committee of Sponsoring Organizations of the Treadway Commission
published Enterprise Risk Management - Integrated Framework. This document describes a model
that incorporates the earlier COSO internal control framework while extending it to the broader
area of enterprise risk management.
The risk assessment map looks at each type of fraud and determines how likely the fraud is to occur
and how significant it would be if it did occur. Any fraud that has a high probability and high
significance of material effect must be addressed with processes and procedures that prevent this
type of fraud.
Unless complex risk quantification is merited (e.g., derivatives), it's best to keep the quantification
and prioritization of risks simple.
In conducting a cultural diversity audit, internal audit should:
I. Review the organization's Web site.
II. Verify compliance with country and regional laws and regulations.
III. Assess overt and subtle business practices for different cultures.
IV. Evaluate the political environment of the nations in which the organization conducts business.
Managing risk includes a variety of activities that attempt to identify, assess, manage, and control risk
across the entire spectrum of an organization, ranging from single events or projects to narrowly
defined types of risk (e.g., market risk) to threats and opportunities facing the entire enterprise.
Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical
to warrant continuous oversight and monitoring.
A risk framework provides a master list that enables all risks identified in the organization to be
tracked and categorized. An important step in ERM is to assess risks identified, and the ranking
provides a standardized view of risks.
Practice Advisory 2120-1 states that risk management is a key responsibility of senior management
and the board, not the CAE. To achieve its business objectives, management ensures that sound risk
management processes are in place and functioning.
ERM takes a broader (as opposed to a focused) portfolio approach than traditional risk management
and deals with risks and opportunities affecting the creation or preservation of organizational value.

Risk sharing reduces risk likelihood or impact by transferring or otherwise sharing a portion of the risk.
The most widely used form of risk transfer is insurance. Risk acceptance is taking no action to affect
likelihood or impact.
Exam Alert: The function of the chief risk officer (CRO) is most effective when the CRO works with
management in their areas of responsibility.
Management is responsible for controls.
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
Types of Risk:
a. Strategic risks include political risk, regulatory risk, reputation risk, leadership risk, and
market brand risk.
b. Operational risks include an organization's systems, technology, and people.
c. Financial risks include risks from volatility in foreign currencies, interest rates, and
commodities. They also include credit risk, liquidity risk, and market risk.
d. Hazard risks include natural disasters, impairment of physical assets, and terrorism.
It is important to emphasize that the uncertainties could have a potential upside or downside so that
the scope of ERM encompasses the more traditional view of potential hazards as well as
opportunities.
Risk is pervasive throughout an organization, as it can arise from any business function or process at
any time without warning. Because of this widespread exposure, no single functional department's
management, other than the board of directors, can oversee the enterprise-wide risk management
program.
Exam Alert: Understand how to respond to risk (risk response):

1. Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks.
Regarding the risks associated with issuing checks, which of the following risk management
techniques does this represent?

A. Controlling.
B. Accepting.
C. Transferring.
D. Avoiding.

Answer (D) is correct. Risk responses may include avoidance, acceptance, sharing, and reduction.
By eliminating checks, the organization avoids all risk associated with them.

2. When a customer fails to pay his/her invoice within 2 months, a notification is sent to inform the
credit manager of the situation. This is an example of which kind of event identification method?
A. Internal analysis.
B. Threshold triggers.
C. Process flow analysis.
D. Loss event data methodologies.

Answer (B) is correct. A predetermined risk response may be made when a certain event occurs,
such as when cash is below a given level or a customer has not paid an invoice within a certain
period of time.
See the Holy Grail (last page) to see how COSO fits in the overall Risk Assessment process.

Topic 2: Demonstrate an Understanding of Alternative Control Frameworks (Level A)


ISO 31000:2009, Risk Management - Principles and Guidelines, is an international standard
framework for risk management that is simple and concise. ISO 31000 is a framework for the
systematic development of enterprise risk management that can be used successfully by any size or
type of organization, because the organization can adapt the framework to the proper scope and
environmental context. As the organization's risk management activities become more mature, the
framework can likewise be augmented.
Exam Alert: There are two approaches to risk management which are widely practiced: top down
(start with objectives, risk and then controls over the process) and bottom up (start with the process,
then controls, risk, and objectives).
Exam Alert: Understand the bottom-up approach. It is a philosophy that an organization needs to identify
risk at the following levels: Process Level - Project/Department Level - Vertical/Functional Level -
Business Unit Level - Organization Level. A bottom-up approach could completely consume all resources
and take all your time, but it would represent the most precise picture of the risk and could be
completely quantified. However, it is not widely used.
ISO 31000 is based on the Plan, Do, Check, and Act method.

Required Reading: IPPF Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000
(issued December 2010). This document can be downloaded from the IIA website.

Exam Alert: Three Lines of Defense for Managing Risk:


COBIT is the framework that helps an organization meet its IT business objectives.


Other terms to be familiar with:
- Maturity Model - A maturity model is a measurement of the ability of an organization for
continuous improvement in a particular discipline. The higher the maturity, the higher the
chances that incidents or errors will lead to improvements either in the quality or in the use
of the resources of the discipline as implemented by the organization.
- Turnbull - Internal Control: Guidance for Directors on the Combined Code, also known as the
"Turnbull Report", was a report drawn up with the London Stock Exchange for listed companies.
The committee which wrote the report was chaired by Nigel Turnbull of The Rank Group plc. The
report informed directors of their obligations under the Combined Code with regard to keeping
good "internal controls" in their companies, or having good audits and checks to ensure the
quality of financial reporting and catch any fraud before it becomes a problem.
Note: Do not waste your time memorizing any of the other frameworks. What you do need to
understand is that the purpose of a framework is to help an organization meet its
business objectives. It does not matter which framework it is.

Chapter C: Risk Vocabulary and Concepts


Chapter Introduction
Topic 1: Define Risk Terminology (Level A)
Risk is the possibility of an event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood.
Residual risk is that risk left over after all controls and risk management techniques have been
applied.
Understand the definition of the various risk terms. Put them on flashcards.
Exam Alert: Formula on the Exam: Audit Risk = Inherent Risk x Control Risk x Detection Risk
Audit risk may be considered as the product of the various risks which may be encountered in
the performance of the audit. In order to keep the overall audit risk of engagements below an
acceptable limit, the auditor must assess the level of risk pertaining to each component of audit
risk.

Topic 2: Describe Risk Elements (Level A)


Risks are ranked by a combination of probability and impact.
Focus on the areas in the high/high region of the risk map, which may also be referred to as a heat map.

Topic 3: Demonstrate an Understanding of Risk Management (Level A)


Enterprise Risk Management (ERM) takes a broader portfolio approach than traditional risk
management and deals with risks and opportunities affecting the creation or preservation of
organizational value.

Exam Alert: Risk Management is tested heavily on the exam.

Risk management: a process to identify, assess, manage, and control potential events or situations, to
provide reasonable assurance regarding the achievement of the organization's objectives.
A Risk Management Framework helps a business meet its objectives (financial, operational, and
compliance).
Organizations measure risk in terms of impact and likelihood.
Know the difference between risk appetite (the amount of risk, on a broad level, an organization is
willing to accept in pursuit of stakeholder value) vs. risk tolerance (the specific maximum risk that an
organization is willing to take regarding each relevant risk, can be more quantifiable and measurable).

Risk appetite is represented by a range. When risk levels fall outside that range, performance is
suboptimal.
The chief audit executive (CAE) should incorporate information from a variety of sources into the risk
assessment process, including discussions with the board, management, and external auditors; review
of regulations; and analysis of financial/operating data.
Risk assessment is a systematic process of assessing and integrating professional judgments about
probable adverse conditions and/or events, providing a means of organizing an internal audit
schedule.
As a result of an audit or preliminary survey, the chief audit executive (CAE) may revise the level of
assessed risk of an auditable entity at any time, making appropriate adjustments to the work schedule.

Risk assessment does not necessarily involve the assignment of dollar values and is not intended to
identify the audit area with the greatest dollar savings.
Acceptable risk is the level of residual risk that has been determined to be a reasonable level of
potential loss or disruption for a specific computer system (see Holy Grail which is on the last page for
a visual view of a risk assessment process).

Example of Awareness Type CIA Exam Question


Which of the following is the most accurate term for a process to identify, assess, manage, and
control potential events or situations to provide reasonable assurance regarding the achievement of
the organization's objectives?

A. The internal audit activity.
B. Control process.
C. Risk management.
D. Consulting service.

Answer (C) is correct. Risk management is a process to identify, assess, manage, and control potential
events or situations to provide reasonable assurance regarding the achievement of the organization's
objectives (The IIA Glossary). Accordingly, the internal audit activity evaluates and contributes to the
improvement of risk management, governance, and control processes using a systematic and
disciplined approach.

Chapter D: Fraud Risk Awareness


Chapter Introduction
Topic 1: Define and Introduce Fraud (Level A)
Fraud Triangle
To minimize fraud risk, an organization must have internal controls.
Topic 2: Describe Types of Fraud (Level A)
Understand the business cycle and the types of fraud that can occur in that cycle.
- Skimming - A form of white-collar crime; skimming is slang for taking cash "off the top" of the
daily receipts of a business (or from any cash transaction involving a third interested party) and
officially reporting a lower total. The formal legal term is defalcation.
- Misappropriation of assets (stealing)
If an auditor discovers fraud, he or she must report it to management and the board; the auditor is
not responsible for reporting to an outside third party.
Student input: I honestly don't remember much about fraud except for a couple of questions
related to what an auditor should do if they suspect it.
Topic 3: List Fraud Red Flags (Level A)

Most fraud perpetrators would attempt to conceal their theft by charging it against an
expense account.

Section III: Conducting Internal Audit Engagements - Audit Tools and Techniques


Section Introduction
Considering the strategic plan in the development of the internal audit plan will ensure that the
audit objectives support the overall business objectives stated in the strategic plan.
The audit schedule should be reduced only as a last resort once all other viable alternatives have
been explored, including the request for additional resources.

Chapter A: Data Gathering and Process Mapping


Chapter Introduction
Topic 1: Review Previous Audit Reports and Other Relevant Documentation as Part of a Preliminary
Survey of the Engagement Area (Level P)
Internal auditors consider management's assessment of risks relevant to the activity under
review, obtain or update background information about the activities to be reviewed, and, if
appropriate, conduct surveys to become familiar with the activities, risks, and controls to
identify areas for engagement emphasis and to invite comments and suggestions from
engagement clients.
If a department's operating standards are vague and thus subject to interpretation, an auditor
should seek agreement with the departmental manager as to the criteria needed to measure
operating performance.
Internal auditors have immediate access to working papers and reports, which can supply
evidence of compliance testing to the regulatory examiners.

Topic 2: Develop Checklists/Internal Control Questionnaires as Part of a Preliminary Survey of the
Engagement Area
Checklists increase the uniformity of data acquisition. Checklists are developed during the
planning phase, typically at the end of the preliminary survey.

Topic 3: Conduct Interviews and Walk-Throughs as Part of a Preliminary Survey of the Engagement
Area (Level P)
When you need people to open up and provide opinions and analysis, as in this situation, an
open-ended question such as, "Tell me about your work environment" has the best chance of
succeeding. Closed-ended questions that can be answered by yes, no, or a fact are less likely to
get people to open up. Questionnaires also provide less opportunity to open up, especially if
staff feel threatened and therefore unwilling to put an opinion in writing unless they are
absolutely certain of anonymity. (In a difficult situation like this one, a variety of approaches
may be necessary.)

Topic 4: Use Observation to Gather Data (Level P)
Understand the pros and cons of gathering data by using observation. Know the least benefit of
observation and know people can act differently when observed.

Topic 5: Conduct Engagement Risk Assessment to Assure Identification of Key Risks and Controls
(Level P)
Assessment of the risk levels of current and future events, their effect on achievement of the
organization's objectives, and their underlying causes is the best risk assessment technique as it
takes a comprehensive approach to risk management; it not only considers the event and the
impact but also the causes.
Risk assessment for audit planning provides a systematic process for assessing and integrating
professional judgment about probable adverse conditions.

Topic 6: Conduct Sampling (Level P)


Sampling is important in auditing because a complete census, i.e., measuring an entire
population, is usually too costly, too time-consuming, impossible (as in the case of destructive
testing), and error-prone. In addition to auditing, sampling is used extensively in quality control,
market research, and analytical studies of business operations.
The objective of discovery sampling is to provide a specified level of assurance that a sample will
show at least one example of an attribute if the rate of occurrence of that attribute within the
population is at or above a specified limit. The audit decision is made once the first error is
observed.
Discovery sampling is best utilized to determine whether a fraud might be existing. For
example: Take a discovery sample of employee claims that were submitted through dentist
offices and confirm the type of service performed by the dentist through direct correspondence
with the employee who had the service performed.
Which sampling plan requires no additional sampling once the first error is found?
- Stratified sampling
- Stop-or-go sampling
- Discovery sampling
- Attributes sampling

Student Input: Sampling was on there. 1 on discovery; the other few were more so based on statistical
sampling. They'd give you the 5% error and an upper deviation limit of 3.7% on a sample of 80 items with
no errors found, then ask for a "proper conclusion". It was worded something like "I am 95% confident
that the population error rate, although unknown, is below 3.7%".
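
The binomial arithmetic behind both the discovery-sampling rule in Topic 6 and the student's attribute-sampling question, as an added example that is not part of the cheat sheet or any IIA material; the 80-item, zero-error, 95% case reproduces the 3.7% upper deviation limit, and the functions (names are my own) generalize to any sample size and deviation count.

```python
"""Sampling arithmetic behind discovery and attribute sampling (added example).

Both calculations rest on one binomial fact: if the true rate of an attribute
(an error, an unsupported dental claim, ...) in the population is p, a random
sample of n items shows k or fewer occurrences with probability

    sum_{i=0}^{k} C(n, i) * p**i * (1 - p)**(n - i)

which for k = 0 collapses to (1 - p)**n.  Requires Python 3.8+ for math.comb.
"""
import math


def binomial_cdf(n: int, k: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def discovery_sample_size(critical_rate: float, confidence: float) -> int:
    """Smallest sample size that shows at least one occurrence with probability
    >= confidence whenever the population rate is >= critical_rate.

    Solves 1 - (1 - critical_rate)**n >= confidence for the smallest integer n.
    Once that first occurrence is found the audit decision is made and no
    further sampling is needed (the discovery-sampling rule in the cheat sheet).
    """
    if not (0 < critical_rate < 1 and 0 < confidence < 1):
        raise ValueError("critical_rate and confidence must lie strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def upper_deviation_limit(sample_size: int, deviations_found: int, confidence: float) -> float:
    """Largest population deviation rate still consistent with the sample at the
    given confidence: the p at which P(X <= deviations_found | n, p) = 1 - confidence.

    For zero deviations this is 1 - (1 - confidence)**(1/n); for k > 0 there is
    no closed form, so bisect on the binomial CDF, which decreases in p.
    """
    if not 0 <= deviations_found <= sample_size:
        raise ValueError("deviations_found must be between 0 and sample_size")
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(100):  # 100 halvings is far finer than float resolution
        mid = (lo + hi) / 2
        if binomial_cdf(sample_size, deviations_found, mid) > alpha:
            lo = mid  # sample still plausible at this rate: the limit is higher
        else:
            hi = mid
    return hi


def control_reliance_conclusion(sample_size: int, deviations_found: int,
                                confidence: float, tolerable_rate: float):
    """Phrase the attribute-sampling conclusion the way the exam expects and
    report whether the control can be relied upon (upper limit <= tolerable rate)."""
    udl = upper_deviation_limit(sample_size, deviations_found, confidence)
    rely = udl <= tolerable_rate
    sentence = (f"I am {confidence:.0%} confident that the population deviation rate, "
                f"although unknown, is below {udl:.1%}.")
    return rely, sentence


if __name__ == "__main__":
    # Constructed exam case: 80 items, no errors, 95% confidence, 5% tolerable rate.
    ok, text = control_reliance_conclusion(80, 0, 0.95, 0.05)
    print(text, "-> rely on the control" if ok else "-> do not rely on the control")
    # Discovery sampling: how many claims to examine to be 95% sure of seeing at
    # least one unsupported claim if 5% or more of the population is unsupported?
    print("discovery sample size:", discovery_sample_size(0.05, 0.95))
```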

Topic 7: Conduct Process Mapping Including Flowcharting


Flowcharts provide a visual view of how a process works, whereas a narrative provides a written view
of how a process works.

Flowcharts allow internal auditors to document their understanding of a process, evaluate
efficiency, determine areas of primary concern, and identify key risks and controls. Flowcharts can
be used to support an auditor's overall assessment of risk and control in an engagement. All
stakeholders should provide input in the flowchart.
An internal auditor develops a vertical flowchart of a process. The value to the auditor is to: Answer:
depict inputs, activities, workflows, and interactions with other processes and outputs.
The only symbol that will be asked about is the diamond (decision).

Chapter B: Evaluating Relevance, Sufficiency, and Competence of Evidence


Chapter Introduction
Determining whether inventory stocks are sufficient to meet projected sales is an appropriate
statement of an audit engagement objective.

Topic 1: Identify Potential Sources of Evidence (Level P)


Primary legal evidence, also called best evidence, is generally confined to written documents and is
considered superior to oral testimony.

Topic 2: Evaluate Relevance, Sufficiency, and Competence of Evidence (Level P)


Exam Alert: Know what the best form of evidence is: SRRU (sufficient, relevant, reliable, useful).
Persuasive evidence enables an internal auditor to formulate well-founded conclusions and to
provide advice confidently. To be persuasive, evidence must be sufficient, relevant, reliable, and
useful, as stated in Standard 2130, "Identifying Information." Relevant means the evidence must be
pertinent to the audit objective and logically support the internal auditor's conclusion or advice.
Reliable implies the evidence must come from a credible source. This considers whether or not the
internal auditor directly obtained the evidence. Sufficient means there should be enough evidence
and different but related pieces of evidence should corroborate each other. Useful information
helps the organization meet its goals.
Competence, or reliability, of audit information depends in part upon the type of evidence. For
example, a confirmation from a customer is the most reliable evidence that a receivable exists.
The strongest evidence is direct evidence, such as the auditor's first-hand report on observing a
successful trial of the system.

Chapter C: Data Analysis and Interpretation


Chapter Introduction
Topic 1: Use Computerized Audit Tools and Techniques (Level P)
Automated working papers provide an efficient medium to document, review, store, and access
information supporting assurance and consulting work performed.

Topic 2: Conduct Spreadsheet Analysis (Level P)


Student Input: Spreadsheet Analysis - One question where data is provided and you determine if
the data is graphed correctly in Graph A, Graph B, both, or neither.
13
Provided courtesy of Lyndon S.Remias
June 2017
Part 1: Internal Audit Basics Remias Cheat Sheet

Topic 3: Use Statistical Analysis/Process Control Techniques (Level A)


Internal auditors are responsible for reviewing operations and programs to ascertain the extent to
which results are consistent with established goals and objectives to determine whether operations
and programs are being implemented or performed as intended.

Mean = Average, Median = Middle Point after arranging, Mode = Most Often

Discovery Sampling = Find just one error

Topic 4: Use Analytical Review Techniques (Level P)


Internal auditors may apply various techniques when analyzing and evaluating audit information. All
of the examples listed here are appropriate analytic techniques. In particular, trend analysis traces
data over time to identify a tendency or direction.
Exam Alert: Regression analysis is a statistical process for estimating the relationships among
variables. It includes many techniques for modeling and analyzing several variables, when the focus
is on the relationship between a dependent variable and one or more independent variables (or
'predictors').
Exam Alert: Trend Analysis is the practice of collecting information and attempting to spot a pattern,
or trend, in the information.
Exam Alert: A cause-and-effect diagram (also called a fishbone) uses a visual to map out a list of
factors that are thought to affect a problem or a desired outcome (see diagram on p 1-253).

Topic 5: Conduct Benchmarking (Level P)


Benchmarking involves looking at best practices in other companies.
Know the different types of benchmarking, especially external benchmarking.

Student Input: I didn't see anything on regression analysis; I saw a question on trend analysis and a
couple on benchmarking (external and with trend analysis).

Chapter D: Documentation/Work Papers


Chapter Introduction
Topic 1: Develop Documentation/Work Papers (Level P)
The working papers should document all facets of the audit up to the time the new auditor steps in,
and the audit program provides a complete description of the audit's objectives as well as all
evidence gathered to date.

Topic 2: Review Documentation/Work Papers (Level P)


Supervision is one method of ongoing review, which is part of the internal assessment aspect of
quality assurance (QAIP).

Chapter E: Data Reporting


Chapter Introduction
Topic 1: Report Test Results to Auditor-in-Charge (Level P)
Involving the staff in the development of the change from the beginning will reduce their resistance
to change.
Vouching (Going back to a document) vs. Tracing (going forward)

Topic 2: Develop Conclusions regarding Controls (Level P)


Understand the components of a Finding:
- Criteria
- Condition
- Cause
- Effect (Impact)
- Recommendation / Action Plan
As long as the auditor assesses the effects of the incomplete data and disclaims the reliability of the
data clearly in the report, the analysis may prove useful without being misleading.
The board is ultimately responsible for the company's corporate governance, not the internal
auditors.
A chief audit executive should establish a follow-up process to monitor the adequacy, effectiveness,
and timeliness of actions taken by management on reported engagement observations and
recommendations, including those made by the external auditors and others.

Other Topics on Part 1
IT/Business Continuity

Note: Most of the exam questions for this section are not actually IT questions but risk (events and
vulnerabilities) and control questions. The key is to dumb down the question and focus on the risk and
control. Testing is based on overall concepts of security and not on in-depth IT. IT is covered more heavily
in Part 3.

IT Security

Guidance relating to IT

- GTAG (Global Audit Technology Guide) created by IIA
- COBIT Internationally accepted framework created by ISACA. It is a framework that assists
enterprises in achieving their objectives for the governance and management of enterprise
information and technology assets (IT). Simply put, it helps enterprises create optimal value
from IT by maintaining a balance between realizing benefits and optimizing risk levels and
resource use.
- Val IT is a governance framework that can be used to create business value from IT
investments. It consists of a set of guiding principles and a number of processes and best
practices that are further defined as a set of key management practices to support and help
executive management and boards at an enterprise level. Note: Val IT extends and
complements COBIT, which provides a comprehensive control framework for IT governance.
- COSO ERM (COSO Enterprise Risk Management)

Risks

Malware is short for "malicious software." Malware is any kind of unwanted software that is installed
without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software
that are often grouped together and referred to as malware.

1. Which of the following types of malicious software (malware) uses social engineering tactics
to deceive e-mail receivers?

A. Trojan horses
B. Worms
C. Viruses
D. Root kits

To mitigate the risks, controls should be implemented. Know some key terms as they relate to
internal controls:
- General Controls = The whole organization (body)
- Application Controls = a specific application (knee)

16
Provided courtesy of Lyndon S.Remias
June 2017
Part 1: Internal Audit Basics Remias Cheat Sheet
- Preventive Controls = Separation of duties
- Detective Controls = Reconciliation (back end reviewing, monitoring)
- Effective = Test

To mitigate IT risk, organizations should have IT controls in place. However, the cost of the
controls should be commensurate with the level of risk mitigation.

Physical Security Controls


1. Key card with security computer database
2. Role-based subdivisions within a building
3. Biometrics
4. Data centers: not on exterior wall; slab-to-slab construction

Hardware Controls
1. Redundant character check
2. Equipment check
3. Duplicate process check
4. Echo check
5. Fault-tolerant components (allow a system to continue to work even when a fault exists, e.g.,
nuclear power plant, subway)

System and Data Backup Recovery Controls


1. Backing up data: grandfather-father-son
2. Off-site storage: site that is physically distant from primary operations
3. Cloud backup: network of distributed databases/servers
4. Electronic vaulting: electronic transmission of changes to data to off-site facility
5. Backup data controls: methodology for labeling/storing physical items

Controls for Transmitting Data


1. To reduce security exposure when transmitting proprietary data over communication lines, a
company should ENCRYPT the data. The device to ENCRYPT is a CRYPTOGRAPHIC DEVICE (the
word CRYPT will be in the answer)
2. Encryption vs. Encoding - Here's what encryption does. It scrambles the data in a way that turns
it into gibberish before it's sent out over the Internet. The receiving party has the key to
unscrambling it and restoring it to valid information. Is encrypting the same as encoding? Not
quite. Encoding is transforming data in order to transmit it or to meet some necessary standard
for usage; with encoding, usability, not confidentiality, is the goal.
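The contrast above, as an added Python example that is not from the cheat sheet: Base64 encoding is undone by any receiver with no secret at all, while the keyed transformation is only undone with the right key. The keystream cipher is a constructed toy built from HMAC-SHA256 to make the point visible; it is not a production cipher.

```python
"""Encoding vs. encryption, a constructed demonstration (not from the cheat sheet)."""
import base64
import hashlib
import hmac
import os

NONCE_LEN = 16


def encode_for_transport(data: bytes) -> str:
    """Encoding (Base64): fits binary into a text channel. No secret involved."""
    return base64.b64encode(data).decode("ascii")


def decode_without_key(encoded: str) -> bytes:
    """Anyone who sees encoded data can undo it, so encoding gives no confidentiality."""
    return base64.b64decode(encoded)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.

    Built only to show the keyed/keyless contrast; use a vetted AEAD (e.g. AES-GCM
    from the `cryptography` package) for real data.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Encryption: output is gibberish without `key`. Returns nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reverses encrypt() only when the same key is supplied; a wrong key yields noise."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    msg = b"ACCOUNT 1234 BALANCE 9,800.00"  # constructed sample record
    print(decode_without_key(encode_for_transport(msg)) == msg)  # True: no key needed
    key = os.urandom(32)
    blob = encrypt(key, msg)
    print(decrypt(key, blob) == msg)             # True: right key
    print(decrypt(os.urandom(32), blob) == msg)  # False: wrong key
```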

Example of Awareness Type CIA Exam Questions

Q4. To reduce security exposure when transmitting proprietary data over communication lines, a
company should use
A. asynchronous modems.
B. authentication techniques.
C. cryptographic devices.
D. call-back procedures.


Q5. The best means of managing the confidentiality of satellite transmissions would be:
A. monitoring software.
B. access control.
C. encryption.
D. cyclic redundancy checks.

Application Development

Exam Alert: Understand the definition of Change and Patch Management Controls. Change
management includes application code revisions, system upgrades, and infrastructure changes such
as changes to servers, routers, cabling, or firewalls.
Change control manages changes in information system resources and procedures. It includes a
formal change request procedure; assessments of change requests on technical and business
grounds; scheduling changes; testing, installing, and monitoring changes; and reporting the status of
recorded changes. The analysts were reusing erroneous code that should have been but was not
corrected.
Changes should be scrutinized, reviewed, approved, and bundled.

Example of Awareness Type CIA Exam Questions

8. Which of the following is the policy on change and patch management that most high-performing IT
organizations follow?

A. Have IT staff perform those patches that department heads feel are important.
B. Manually install every patch as soon as it is available.
C. Wait to install routine patches until enough are ready for simultaneous testing and installation.
D. Have patches automatically install as soon as they are released by the vendor.

Understand the basic steps of a System Development Life Cycle (SDLC)


1. Systems Planning
2. Systems Analysis, Systems Design/Systems Selection
3. Programming and Customization/Configuration
4. Testing
- Alpha (comes first): testing by developers
- Beta (comes second): testing by users
5. Conversion and Implementation
6. Systems Operation and Refinement

CIA Exam Alert: There was a question on the systems development life cycle analysis (feasibility)
stage - something along the lines of: in which stage do we make a decision if it makes sense
financially to develop internally or buy software?

Many programmers are using Rapid Application Development (RAD) techniques to speed up the
SDLC. One approach that will be tested on the exam is the object-oriented approach. An object-
oriented approach is intended to produce reusable code. Because code segments can be reused
in other programs, the time and cost of writing software should be reduced.

CIA Exam Alert: Be able to identify examples of IT Application Controls

Input Controls
- Control data as it enters the system
- Garbage-in, garbage-out (GIGO)
- Manual input controls, e.g., authorizations
- Electronic aids for manual inputs
o Screen formats, entry fields, drop-down menus
o Keystroke verification
o Labeling conventions and completeness checks
- Edit checks such as check digits
Processing Controls
Output Controls
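An added Python example, not from the cheat sheet, of the input edit checks listed above applied to a constructed invoice record: a Luhn mod-10 check digit on the vendor number, plus completeness, format, reasonableness and permitted-value checks (the field names and rules are assumptions for illustration).

```python
"""Input controls as edit checks, a constructed example (not from the cheat sheet)."""
import re

# Assumed record layout for the illustration.
REQUIRED_FIELDS = ("vendor_id", "invoice_no", "amount", "currency")
PERMITTED_CURRENCIES = ("USD", "EUR", "GBP")   # what a drop-down menu would offer


def luhn_valid(number: str) -> bool:
    """Check digit: True when the rightmost digit makes the Luhn (mod-10) sum divisible by 10."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_check(record: dict) -> list:
    """Return the list of edit-check failures; an empty list means the record is accepted."""
    errors = []
    for field in REQUIRED_FIELDS:           # completeness check
        if not str(record.get(field, "")).strip():
            errors.append(f"missing {field}")
    vendor = str(record.get("vendor_id", ""))
    if vendor and not luhn_valid(vendor):   # check-digit edit catches mis-keyed IDs
        errors.append("vendor_id fails check digit")
    if not re.fullmatch(r"INV-\d{6}", str(record.get("invoice_no", ""))):   # format check
        errors.append("invoice_no format must be INV-nnnnnn")
    try:                                    # reasonableness check
        if float(record.get("amount", 0)) <= 0:
            errors.append("amount must be positive")
    except ValueError:
        errors.append("amount not numeric")
    if str(record.get("currency", "")) not in PERMITTED_CURRENCIES:   # validity check
        errors.append("currency not in permitted list")
    return errors


if __name__ == "__main__":
    # Constructed sample records; 79927398713 is a well-known Luhn-valid number.
    good = {"vendor_id": "79927398713", "invoice_no": "INV-000123", "amount": "250.00", "currency": "USD"}
    bad = {"vendor_id": "79927398714", "invoice_no": "000123", "amount": "-5", "currency": ""}
    print(edit_check(good))   # []
    print(edit_check(bad))    # five failures, one per violated edit check
```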

Other IT type questions on the CIA Exam:

- What would you expect to find in a user-developed system vs. an IT-developed system?
(documentation question)
- What would be the primary benefit of using EFT for international money transfers?
- Auditor's role in assessing systems development
- Auditor's role in reviewing systems that are outsourced
- Understand logical controls

Which of the following is an objective of logical security controls for information systems?

A. To ensure complete and accurate recording of data.
B. To ensure complete and accurate processing of data.
C. To restrict access to specific data and resources.
D. To provide an audit trail of the results of processing.

Answer (A) is incorrect because it is not an objective of logical security control.
Answer (B) is incorrect because it is not an objective of logical security control.
Answer (C) is correct. The primary objective of security controls for information systems is to restrict
access to data and resources (both hardware and software) to only authorized individuals. In addition,
authorization tables for operating system access address logical controls.
Answer (D) is incorrect because it is not an objective of logical security control.

Remias Holy Grail
[Diagram: one-page map of the audit process; the flattened layout is reconstructed as lists below.]

1. Planning Phase
- Objectives: Compliance, Operational, Financial, Strategic
- Risk (Events, Vulnerabilities): Impact vs. Likelihood matrix (H,L / H,H / L,L / L,H); Inherent, Residual
- Controls (COSO): Control Activities, Risk Assessment, Info. and Comm., Control Environment, Monitoring; Adequate, Effective
- Risk-Based Audit Program Guide (APG): C R I M E; Audit Step; Objective and Scope of engagement; To determine / To validate

2. Fieldwork Phase
- Audit Results
- Assurance on controls, Gather Evidence (SRRU)
- Identify audit findings (non-compliance, effectiveness): Condition, Criteria, Cause, Effect, Recommendation

3. Reporting Phase
- Prepare and Distribute Report
- Exit conference to discuss DRAFT
- Issue FINAL (Board, Mgmnt, other stakeholders)

4. Audit Follow-Up
- Monitor implementation of recommendations
- Perform follow-up procedures

Quality Assurance
- QAIP Internal Assessments: Supervision throughout; Self-Assessment w/independent validation; Report results to mgmnt/board annually
- QAIP External Assessment: Peer Review (every 5 years); Assurance audit is compliance to DCS
- Continuous improvement; Compliance with DCS; Effective and Efficient; Adding Value