
Part 3 – Remias Cheat Sheet

Summary of Key points to remember for the exam

Note: This is additional information to augment what is covered in the Red IIA workbook.
These are high-level points and should be useful in helping you to comprehend the topics
covered. Be sure to create your own “cheat sheets”.

Section 1 - Governance/Business Ethics

Chapter A: Corporate/Organizational Governance Principles

Exam Alert: Corporate Governance is tested heavily on the exam.

• An organization should set the tone at the top for honesty and integrity and reinforce that every
manager, director, and employee needs to maintain these values.
• A corporation’s governance mechanism is established by a firm’s bylaws, which are a set of
internal rules or policies. Bylaws describe the powers of the corporation and the duties and
responsibilities of the board of directors and officers, and how to treat stockholders.
• For a corporation to be legitimate, its governance principles must correspond to the will of the
general public. Therefore, a corporation must be managed on the principles of corporate
governance defining the roles of shareholders, directors, and officers/managers in corporate
decision making and accountability.
- Example 1 of Corporate Governance problem: Separation of ownership from control. This is
the major issue embedded in the structure of modern corporations that has contributed to
the corporate governance problem. Stockholders are owners, and the board of directors,
officers, and managers control the corporation on a day-to-day basis. This means no one
shareholder or a group of shareholders own enough shares to exercise control; so
shareholders perceive themselves to be investors rather than owners.
- Example 2 of Corporate Governance problem: Self-interest. Agency problems develop when
the interests of the shareholders are not aligned with the interests of the manager, and the
manager (who is simply a hired agent with the responsibility of representing the owner’s
(principal’s) best interest) begins to pursue self-interest instead.
• The internal audit activity is responsible for assessing and making recommendations for improving
governance processes in the accomplishment of various organizational objectives. However, it is
the role of management to ensure the timely implementation of the audit recommendations. The
internal audit activity is responsible for the development of a timely procedure to monitor the
disposition of the audit recommendations. The internal audit activity works with senior
management and the audit committee to ensure that audit recommendations receive
appropriate attention.
• CIA Learning System Quick Quiz: The board is the focal point for all governance activities and
establishes the "tone at the top." The board is also responsible for implementing best governance
practices and providing oversight of organizational activities.
• Tone → Board, Values → Management

Part 3 Cheat Sheet All Sections – Updated October 2017
Developed and Provided courtesy of Lyndon S. Remias

• The board of directors is responsible for establishing and maintaining the organization's
governance processes and obtaining assurances concerning the effectiveness of the risk
management and control processes.
• Corporate values are not typically assessed during routine risk and control evaluations. Instead,
self-assessment methods and appropriate audit programs are generally used to measure the
comprehension and preservation of corporate values.
• Operating management is responsible for risk management, executive management is
responsible for oversight, and internal auditors serve in the capacity of oversight and advisory
roles.
• Abusive acts can be legal but unethical. Abuse occurs when the conduct of an activity or function
falls short of expectations for prudent behavior. Abuse is distinguished from noncompliance in
that abusive conditions may not directly violate laws or regulations. Abusive activities may be
within the letter of the laws and regulations but violate their spirit or the more general standards
of impartial behavior, and more specifically the ethical behavior. This means that abusive acts can
be legal but unethical.
For example: Marketing tactics can walk a fine line between persuasion and manipulation, and
this is another area where subjective ethics come into play heavily. Some marketing tactics can
take advantage of uneducated segments of the population, which can be perfectly legal while
being scorned throughout the marketplace. For example, before the Credit Card Act of 2009,
banks could lure teens into opening credit accounts with promises of financial freedom, regardless
of the teens' ability to repay the high-interest debts.

Chapter B - Environmental and Social Safeguards

• The International Finance Corporation’s Environmental, Health, and Safety (IFC’s EHS) Guidelines
specify operational practices in different areas, including environment, occupational and
community health and safety, and sustainable materials use. Sustainable materials policies reflect
the entire lifecycle of purchased materials, from procurement through disposal or
decommissioning (e.g., recycling, handling of hazardous waste). When an organization adopts the
guidelines, it pledges to implement whichever is stricter—the guidelines or the host country’s
laws and regulations.
• A framework is simply a set of guidelines to help organizations meet organizational objectives.
CIA Learning System Quick Quiz: A realistic outcome of a privacy framework evaluation is
assurance of compliance with specific laws and/or standards.


Chapter C – Corporate Social Responsibility

Exam Alert: CSR is tested HEAVILY on the exam.

What is CSR?

• Social responsibility is defined as a business's intention, beyond its legal and economic obligations,
to do the right things and act in ways that are good for society. A socially responsible organization
does what is right.
• Generally, CSR is understood to be the way firms integrate social, environmental, and economic
concerns into their values, culture, decision making, strategy and operations in a transparent and
accountable manner and thereby establish better practices within the firm, create wealth, and
improve society.
• Corporate social responsibility (CSR, also called corporate conscience, corporate citizenship or
responsible business) is a form of corporate self-regulation integrated into a business model. CSR
policy functions as a self-regulatory mechanism whereby a business monitors and ensures its
active compliance with the spirit of the law, ethical standards and national or international norms.
• It is a philosophy that must be championed from the top down. Thorough change management
is needed to ensure that these objectives are reinforced and brought into the culture and
incentive structures of the organization.
• Note: Know the difference between Corporate Social Responsibility (not required but good
practice) and Corporate Social Obligation (required by law).

• For companies to be sustainable in this day and age they must not only look to the bottom line
but the “Triple Bottom Line” of Economic Prosperity, Environmental Stewardship and Social
Responsibility.


What risks are addressed by CSR?

• Risks addressed by a CSR Policy are:


- Reputation
- Stock market
- Compliance
- Liability
- Operational
- Staffing
- Marketing
- Supply chain partner

• Exam Answer: Not having a CSR policy and program exposes the organization to significant risks
that the board is responsible for controlling. These risks could include but are not restricted to
penalties for noncompliance with laws and regulations. Non-sustainable actions could also
damage the organization’s reputation and its ability to attract investors, employees, and
customers. It can also make the organization liable for damages, possibly including liability for
the actions of suppliers.
• Mere adoption of a CSR framework is not sufficient; an organization’s processes must be
integrated into the framework. Results should be reported both within and outside the
organization to meet the needs of various stakeholders, including regulatory groups. Internal
audit may be involved in auditing the organization’s CSR programs, as long as internal auditing
was not involved in creating the programs.
• Internal Auditors should review the CSR Policy and Program to ensure it is operating effectively.


What are some examples of a CSR Program?

Molson Coors & responsible drinking

Tyson Foods & hunger relief

Haagen-Dazs & honeybee preservation


Honeybees are disappearing at an alarming rate — and that’s bad news for the global food chain. Haagen-
Dazs decided to create a microsite to raise awareness about the issue. The company is donating a portion
of proceeds from its Haagen-Dazs honeybee brand to research on the topic. (So eat our ice cream and
save the bees).

What are some categories covered by a CSR Program?

1. Environmental efforts: One primary focus of corporate social responsibility is the environment.
Businesses regardless of size have a large carbon footprint. Any steps they can take to reduce
those footprints are considered both good for the company and society as a whole.
2. Philanthropy: Businesses also practice social responsibility by donating to national and local
charities. Businesses have a lot of resources that can benefit charities and local community
programs.
3. Ethical labor practices: By treating employees fairly and ethically, companies can also
demonstrate their corporate social responsibility. This is especially true of businesses that operate
in international locations with labor laws that differ from those in the United States.
4. Volunteering: Attending volunteer events says a lot about a company's sincerity. By doing good
deeds without expecting anything in return, companies are able to express their concern for specific
issues and support for certain organizations.


Additional Guidance:
Quality Glossary Definition: ISO 26000
ISO 26000 is the international standard developed to help organizations effectively assess and
address those social responsibilities that are relevant and significant to their mission and vision;
operations and processes; customers, employees, communities, and other stakeholders; and
environmental impact.

The ISO 26000 standard provides guidance on:

• The seven key underlying principles of social responsibility: accountability, transparency, ethical
behavior, respect for stakeholder interests, respect for the rule of law, respect for international
norms of behavior, and respect for human rights
• Recognizing social responsibility and engaging stakeholders
• The seven core subjects and issues pertaining to social responsibility: organizational governance,
human rights, labor practices, the environment, fair operating practices, consumer issues, and
community involvement and development
• Ways to integrate socially responsible behavior into the organization

In addition to providing definitions and information to help organizations understand and address
social responsibility, the standard emphasizes the importance of results and improvements in
performance on social responsibility.

Examples of CSR Questions on the CIA Exam

1. Which of the following refers to the corporate behavior in response to market forces or legal
constraints?
a. Social obligation
Correct. Sethi (S. Prakash Sethi, “Dimensions of Corporate Social Performance: An Analytical
Framework,” California Management Review (Spring 1975): 58-64) proposes a three-stage schema
for classifying corporate behavior in responding to social or societal needs: social obligation, social
responsibility, and social responsiveness. Social obligation is corporate behavior in response to
market forces or legal constraints. Obligation (required by law) vs. Responsibility (right thing to do)
b. Social responsibility - Incorrect. See correct answer (a).
c. Social responsiveness - Incorrect. See correct answer (a).
d. Social attitude - Incorrect. See correct answer (a).

Social obligation occurs when a firm engages in social actions because of its obligation to meet its
economic and legal responsibilities. The organization does only what it is obligated to do and
nothing more. This idea reflects the classical view of social responsibility that says that
management's only social responsibility is to maximize profits.

In contrast to social obligation, however, both social responsiveness and social responsibility reflect
the socioeconomic view. According to this view a manager's social responsibilities go beyond making
profits to include protecting and improving society's welfare. This view is based on the belief that
corporations are not independent entities responsible only to stockholders, but have an obligation to
the larger society.

Social responsiveness occurs when a company engages in social actions in response to some popular
social need. Managers are guided by social norms and values and make practical, market-oriented
decisions about their actions. A socially responsible organization views things differently. It goes
beyond what it is obligated to do or chooses to do because of some popular social need and does
what it can to help improve society because it is the right thing to do.


2. Which type of social responsibility embraces those activities and practices that are expected or
prohibited by societal members even though they are not codified into law?
a. Ethical responsibilities
Correct. Because laws are important but not adequate, ethical responsibilities embrace
those activities and practices that are expected or prohibited by societal members even
though they are not codified into law. Ethical responsibilities embody the full scope of
norms, standards, and expectations that reflect a belief of what consumers, employees,
shareholders, and the community regard as fair, just, and in keeping with the respect for
or protection of stakeholders’ moral rights. Philanthropic responsibilities include donating
money and property to social programs (Archie B. Carroll, “The Four Faces of Corporate
Citizenship,” Business and Society Review 100-101 (1998): 1-7).
b. Legal responsibilities
Incorrect. See correct answer (a).
c. Philanthropic responsibilities
Incorrect. See correct answer (a).
d. Economic responsibilities
Incorrect. See correct answer (a).

3. A chief audit executive advises the board during a meeting to create a corporate social responsibility
(CSR) policy and begin planning a CSR program. The board resists the suggestion, saying that this is
not really their role and that the organization cannot fulfill its obligations to its shareholders and to
society and the environment at the same time. How could the CAE best respond?
a. Creation of a policy and program may be delayed now but should be considered in the
future.
b. Implementing a CSR policy should not require significant investment of time or money.
c. Not having a CSR policy could pose significant risks to the organization.
d. Having a CSR policy is a matter of compliance.

Not having a CSR policy and program exposes the organization to significant risks that the board is
responsible for controlling. These risks could include but are not restricted to penalties for noncompliance
with laws and regulations. Nonsustainable actions could also damage the organization’s reputation and
its ability to attract investors, employees, and customers. It can also make the organization liable for
damages, possibly including liability for the actions of suppliers.

Required Reading – IPPF Practice Guide “Evaluating Corporate Social Responsibility/Sustainable
Development” (Issued February 2010). This document can be downloaded from the IIA website.


Question: What does auditing by element mean? The term Auditing by Element is commonly referred
to in the Practice Guide of CSR Appendix A "Auditing by Element". With this audit approach, consider
how compliance with laws, regulations, and contractual obligations is managed for all elements.

So basically, auditing by element means auditing each of the various elements (components) of
the CSR program. Just substitute the word Component for Element: auditing by each respective CSR
Component.

Appendix A gives you examples of what to audit in each element (component).

For example, you can audit:

1. Governance - Do the board and management report reliable financial and nonfinancial
information to stakeholders?
2. Ethics - Is there a reporting system for stakeholders to report concerns or allegations of ethics
violations?
3. Environment - Are green or socially responsible procurement processes in place? How are they
monitored?
4. Transparency - Are CSR related policies available to the public (e.g., on the Web site)?
5. Health, Safety, and Security - Are health and safety management programs included in
procurement processes? How are they monitored?
6. Human Rights and Work Conditions - Does compensation consider fair pay, living wages, and job
opportunities?
7. Community Investment - Does the organization encourage volunteerism? What programs are in
place?

Even if a question regarding Auditing by Element comes up in another area outside of CSR it basically
means the same thing as auditing a component of an area.

Part 3 - An auditor is conducting a Corporate Social Responsibility (CSR) audit and will be Auditing by
Element. With this audit approach the auditor will consider how compliance with laws, regulations, and
contractual obligations is managed for which of the following areas:

I. Governance
II. Customers
III. Environment
IV. Community Investment

A. I and II
B. III and IV
C. I, III, and IV
D. I, II, III and IV


Section II – Risk Management

Chapter A: Risk Management Techniques

Exam Alert: Risk Management is tested heavily on the exam.

• A process to identify, assess, manage, and control potential events or situations, to provide
reasonable assurance regarding the achievement of the organization’s objectives.
• A Risk Management Framework helps a business meet objectives (financial, operational, and
compliance)
• Organizations measure risk in terms of impact and likelihood

• Know the difference between risk appetite (the amount of risk, on a broad level, an organization is
willing to accept in pursuit of stakeholder value) vs. risk tolerance (the specific maximum risk that an
organization is willing to take regarding each relevant risk, can be more quantifiable and measurable).

• Risk appetite is represented by a range. When risk levels fall outside that range, performance is
suboptimal.
• The chief audit executive (CAE) should incorporate information from a variety of sources into the risk
assessment process, including discussions with the board, management, and external auditors; review
of regulations; and analysis of financial/operating data.


• Risk assessment is a systematic process of assessing and integrating professional judgments about
probable adverse conditions and/or events, providing a means of organizing an internal audit
schedule.
• As a result of an audit or preliminary survey, the chief audit executive (CAE) may revise the level of
assessed risk of an auditable entity at any time, making appropriate adjustments to the work schedule.
• Risk assessment does not necessarily involve the assignment of dollar values and is not intended to
identify the audit area with the greatest dollar savings.
• Acceptable risk is the level of residual risk that has been determined to be a reasonable level of
potential loss or disruption for a specific computer system (see Holy Grail).

Example of “Awareness” Type CIA Exam Question

Which of the following is the most accurate term for a process to identify, assess, manage, and
control potential events or situations to provide reasonable assurance regarding the achievement of
the organization’s objectives?

A. The internal audit activity.
B. Control process.
C. Risk management.
D. Consulting service.

Answer (C) is correct. Risk management is “a process to identify, assess, manage, and control potential
events or situations to provide reasonable assurance regarding the achievement of the organization’s
objectives” (The IIA Glossary). Accordingly, the internal audit activity evaluates and contributes to the
improvement of risk management, governance, and control processes using a systematic and
disciplined approach.

Chapter B – Organizational Use of Frameworks


• COSO = CRIME
- Control Activities
- Risk Management
- Information & Communication
- Monitoring
- Control Environment (most important component as it sets the “tone at the Top”)

Example of “Awareness” Type CIA Exam Question

Which of the following control models is fully incorporated into the broader integrated framework
of enterprise risk management (ERM)?

A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.

Answer (B) is correct. The Committee of Sponsoring Organizations of the Treadway Commission
published Enterprise Risk Management – Integrated Framework. This document describes a model
that incorporates the earlier COSO internal control framework while extending it to the broader
area of enterprise risk management.

• The risk assessment map looks at each type of fraud and determines how likely the fraud is to occur
and how significant it would be if it did occur. Any fraud that has a high probability and high
significance of material effect must be addressed with processes and procedures that prevent this
type of fraud.
• Unless complex risk quantification is merited (e.g., derivatives), it's best to keep the quantification
and prioritization of risks simple.
• In conducting a cultural diversity audit internal audit should:
I. Review the organization’s Web site.
II. Verify compliance with country and regional laws and regulations.
III. Assess overt and subtle business practices for different cultures.
IV. Evaluate the political environment of the nations in which the organization conducts business.
• Managing risk includes a variety of activities that attempt to identify, assess, manage, and control risk
across the entire spectrum of an organization, ranging from single events or projects to narrowly
defined types of risk (e.g., market risk) to threats and opportunities facing the entire enterprise.
Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical
to warrant continuous oversight and monitoring.
• A risk framework provides a master list that enables all risks identified in the organization to be
tracked and categorized. An important step in ERM is to assess risks identified, and the ranking
provides a standardized view of risks.
• Practice Advisory 2120-1 states that risk management is a key responsibility of senior management
and the board, not the CAE. To achieve its business objectives, management ensures that sound risk
management processes are in place and functioning.
• ERM takes a broader (as opposed to a focused) portfolio approach than traditional risk management
and deals with risks and opportunities affecting the creation or preservation of organizational value.
• Risk sharing reduces risk likelihood or impact by transferring or otherwise sharing a portion of the risk.
The most widely used form of risk transfer is insurance. Risk acceptance is taking no action to affect
likelihood or impact.
• Exam Alert: The function of the chief risk officer (CRO) is most effective when the CRO works with
management in their areas of responsibility.
• Management is responsible for controls.
• Risk is the possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
• Types of Risk:
a. Strategic risks include political risk, regulatory risk, reputation risk, leadership risk, and
market brand risk.
b. Operational risks include an organization’s systems, technology, and people.
c. Financial risks includes risks from volatility in foreign currencies, interest rates, and
commodities. It also includes credit risk, liquidity risk, and market risk.
d. Hazard risks include natural disasters, impairment of physical assets, and terrorism.
• It is important to emphasize that the uncertainties could have a potential upside or downside so that
the scope of ERM encompasses the more traditional view of potential hazards as well as
opportunities.
• Risk is pervasive throughout an organization as it can arise from any business function or process at
any time without warning. Because of this widespread exposure, no single functional department
management, other than the board of directors, can oversee the enterprise-wide risk management
program.
• Exam Alert Understand how to respond to risk (risk response):

1. Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks.
Regarding the risks associated with issuing checks, which of the following risk management
techniques does this represent?

A. Controlling.
B. Accepting.
C. Transferring.
D. Avoiding.

Answer (D) is correct. Risk responses may include avoidance, acceptance, sharing, and reduction.
By eliminating checks, the organization avoids all risk associated with them.

2. When a customer fails to pay his/her invoice within 2 months, a notification is sent to inform the
credit manager of the situation. This is an example of which kind of event identification method?
A. Internal analysis.
B. Threshold triggers.
C. Process flow analysis.
D. Loss event data methodologies.

Answer (B) is correct. A predetermined risk response may be made when a certain event occurs,
such as when cash is below a given level or a customer has not paid an invoice within a certain
period of time.

• ISO 31000:2009 “Risk Management – Principles and Guidelines” is an international standard
framework for risk management that is simple and concise. ISO 31000 is a framework for the
systematic development of enterprise risk management that can be used successfully by any size or
type of organization because the organization can adapt the framework to the proper scope and
environmental context. As the organization’s risk management activities become more mature the
framework can likewise be augmented.
• Exam Alert: There are two approaches to risk management which are widely practiced: top down
(start with objectives, risk and then controls over the process) and bottom up (start with the process,
then controls, risk, and objectives).
• Exam Alert: Understand the bottom-up approach. It is a philosophy that an organization needs to identify
risk at the following levels: Process Level - Project/Department Level - Vertical/Functional Level - Business
Unit Level - Organization Level. A bottom-up approach could completely consume all resources and take
all your time, but it would represent the most precise picture of the risk and could be completely
quantified. However, it is not widely used.

• ISO 31000 is based on the Plan, Do, Check, and Act method:


Required Reading – IPPF Practice Guide “Assessing the Adequacy of Risk Management Using ISO 31000”
(Issued December 2010). This document can be downloaded from the IIA website.

Exam Alert: Three Lines of Defense for Managing Risk:


Section III – Organizational Structure / Business Processes and Risks

Chapter A: Organizational Structure


• Exam Alert: Understand the pros and cons of Centralized vs. Decentralized vs. Matrix
• A centralized configuration has several levels of authority, a long chain of command, and a narrow
span of control. All of these characteristics support management consistency and may discourage
innovation and employee involvement and empowerment.
• Centralized configuration: Increased uniformity in decisions is an advantage of centralization. In a
centralized structure, most communication is vertical, up and down a hierarchical chain of command.
This impedes communication and awareness across functional lines, which can be an obstacle for
ERM.
• Span of control is the term now used more commonly in business management, particularly human
resource management. Span of control refers to the number of subordinates a supervisor has.
• A matrix organizational structure allows authority to flow both vertically and horizontally. A matrix
can work regardless of whether the product life cycle is long or short.

• Exam Alert: In a matrix organization project managers may "borrow" specialists from line managers
thus employees may report to multiple managers. Thus a matrix organization can be confusing to
employees who report to multiple bosses.
• Which structure has dual reporting methodology?
A) Product
B) Territorial
C) Matrix
D) Functional

• Decentralized - In order to remain competitive and adaptable many organizations adopt a flatter
organizational structure.
• A "flat" organization structure is one with relatively few levels of hierarchy and characterized by wide
spans of management.
• For a flat structure to be successful, employees must be able to work unsupervised most of the time
because the manager, having many employees, has little time for each one.

Chapter B – Typical Activities in Various Business Cycles


• Exam Alert - Procurement Cycle will be on the exam. Know and understand the major steps and the
order in which they are performed: 1. Organization's requirements established 2. Sourcing 3.
Purchasing 4. Supplier relationship management
• Companies have different objectives for their procurement strategies, based on their own business
objectives. In some cases, the manufacturer may place a higher value on the quality of the
components than price or reliability of supply.
• Strategic marketing is driven by customer needs.
• A vertical marketing system consists of producers, wholesalers, and retailers managed as a
coordinated or programmed system. Example: grocery store chain operates an ice-making facility, a
soft drink bottling operation, an ice cream-making plant, and a bakery that supplies its individual
stores with everything from bagels to birthday cakes


• Conventional distribution systems consist of one or more independent producers, wholesalers, and
retailers, each of which is a separate profit-maximizing business. The profit objective of each
independent channel member may result in actions that are not profit-maximizing for the system as
a whole, and the conventional distribution system offers no means for controlling channel conflict.
• The vertical and lateral approaches are the most widely used supply chain management approaches
globally.
• The operating cycle shows the intended result of operations, from purchase of resources and/or
materials, through production, sales, and collection cycles. The cycle is also known as the cash-to-cash
cycle, since it shows how cash disbursed is converted back into cash received.

Chapter C – Business Process Analysis


• Exam Alert - Know the purpose of a flowchart. The best tool that operating personnel could provide
to internal auditors so that they can “see” the operations in order to identify inefficiencies, ineffective
steps, and control weaknesses is a Process flowchart
• Efficiency is related to the cost of a process relative to the value it creates. An efficient process
achieves results with minimal waste, expense, and/or cycle time (the time it takes from the beginning
to end to complete a process), and has a high ratio of output to input.
• The TOC philosophy holds that there is only one constraint in a system at any given time and that each
constraint limits the output of the entire system. It is important to concentrate on addressing specific
constraints rather than trying to fix the entire system, which may or may not have tangible results.
• The Six Sigma process for conducting continuous improvement is referred to by the initials DMAIC.
Once the organization has defined the nature of the problem, the next step is to measure existing
performance and begin recording data and facts that provide information about the underlying causes
of the problem.
• A flowchart, also called a process-flow analysis, is a graphical representation of an operation in terms
of the sequence of activities and decisions throughout a process.

Chapter D – Inventory Management Techniques and Concepts


• Materials requirements planning (MRP) is a planning and controlling technique for managing
dependent-demand manufacturing inventories.
• Exam Alert: EOQ calculates the optimal quantity to order; the reorder point (lead-time demand plus any
safety stock) tells you when the order should be placed.
• Demand increases 36%: does EOQ go up or down? Demand goes up, so EOQ goes up (direct relationship),
but less than proportionally: because EOQ = √(2DS/H), a 36% rise in demand multiplies EOQ by
√1.36 ≈ 1.166, about a 16.6% increase, not 36%.
• EOQ is a fixed-order-quantity model that depends on the assumptions that lead time is constant, demand
occurs at a relatively stable and known rate, ordering and storage costs are known, replenishment is
instantaneous, and there are no stockouts.


• The EOQ decision model calculates the optimum quantity of inventory to order by incorporating only
the ordering costs and carrying costs into the model. These costs behave opposite each other.
Purchase costs, quality costs, and stockout costs are not incorporated into the EOQ model.
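The EOQ points above in working form. This is an added example, not part of the original cheat sheet; the demand, ordering-cost and carrying-cost figures are constructed, and the function names are my own. It shows the square-root relationship behind the "demand up 36%" question, that ordering and carrying costs are equal at Q*, and the separate reorder-point calculation for when to order.

```python
import math


def eoq(annual_demand: float, order_cost: float, holding_cost: float) -> float:
    """Economic order quantity Q* = sqrt(2DS / H).

    annual_demand (D): units used per year
    order_cost (S):    cost of placing one order (shipping, handling, paperwork)
    holding_cost (H):  cost of carrying one unit in stock for a year (storage, insurance, tax, obsolescence)
    Purchase price, quality costs and stockout costs are deliberately absent; the model assumes them away.
    """
    if annual_demand <= 0 or order_cost <= 0 or holding_cost <= 0:
        raise ValueError("D, S and H must all be positive")
    return math.sqrt(2 * annual_demand * order_cost / holding_cost)


def annual_cost(order_qty: float, annual_demand: float, order_cost: float, holding_cost: float):
    """Return (ordering cost, carrying cost, total) for a given order size.

    Ordering cost = (D / Q) * S falls as Q grows; carrying cost = (Q / 2) * H rises with Q.
    At Q* the two are equal, which is why EOQ minimises their sum.
    """
    ordering = annual_demand / order_qty * order_cost
    carrying = order_qty / 2 * holding_cost
    return ordering, carrying, ordering + carrying


def reorder_point(daily_demand: float, lead_time_days: float, safety_stock: float = 0.0) -> float:
    """When to order: the stock level at which a new order must be placed so it arrives before stockout.

    The basic model assumes constant lead time and known demand, so safety stock defaults to zero.
    """
    return daily_demand * lead_time_days + safety_stock


def demand_change_factor(pct_change: float) -> float:
    """Factor by which Q* moves when demand changes by pct_change percent (square-root relationship)."""
    return math.sqrt(1 + pct_change / 100)


if __name__ == "__main__":
    # Constructed figures: 3,600 units a year, $50 per order, $4 per unit per year to carry.
    q = eoq(3600, 50, 4)
    print(f"EOQ = {q:.0f} units")                                   # 300
    print("costs at EOQ:", annual_cost(q, 3600, 50, 4))             # 600 ordering, 600 carrying, 1200 total
    print("costs at 600:", annual_cost(600, 3600, 50, 4))           # higher total than at EOQ
    print(f"demand +36% -> EOQ x{demand_change_factor(36):.3f}")    # x1.166, not x1.36
    print("reorder point:", reorder_point(3600 / 360, 5))           # 50 units with a 5-day lead time
```

Try an order size above and below 300 and the total rises either way, which is the whole point of the model.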
• Computer Integrated Manufacturing CIM involves a manufacturing system that completely integrates
all factory and office functions within an organization throughout the life cycle of a product or service.
CIM can help an organization reduce costs of spoilage and scrap, increase productivity, improve
quality, and increase its overall responsiveness to customers.
• Poor quality materials cause major problems in a JIT system because it retains no safety stock to use
for replacing defective materials. Substandard materials cause major production disruptions in JIT
systems and defeat its benefits, which include lowering cost and lead time while increasing product
quality.
• Inventory shipping and handling costs are classified as ordering costs, not as carrying costs. Property
tax, insurance, and depreciation and obsolescence are all classified as inventory carrying costs.

Chapter E – Electronic Funds Transfer (EFT) / Electronic Data Interchange (EDI) / E-commerce
• Successful EDI implementation begins with Mapping the work processes and flows that support the
organization's goals
• Transmission of EDI transactions to trading partners may sometimes fail.
• Internal auditors should look for network security controls, user identification systems, privacy and
confidentiality controls, a list of all e-commerce applications within the enterprise, maintenance
activities to ensure continued operation, failure detection and automated repair features, application
change management controls, and business continuity plans.
• Unauthorized access is a risk which is higher in an EFT environment.

Chapter F – Business Development Life Cycles


• Exam Alert: Phases of the cycle: Emergence (also called Introduction), Growth, Maturity, and Decline (EGMD)

During the growth stage of a product’s life cycle:
A. The quality of products is poor.
B. New product models and features are introduced.
C. There is little difference between competing products.
D. The quality of the products becomes more variable and products are less differentiated.

Answer (A) is incorrect because poor product quality is evident during the introduction stage of the
product life cycle.
Answer (B) is correct. In the growth stage, sales and profits increase rapidly, cost per customer decreases,
customers are early adopters, new competitors enter an expanding market, new product models and
features are introduced, and promotion spending declines or remains stable. The firm enters new market
segments and distribution channels and attempts to build brand loyalty and achieve the maximum share
of the market. Thus, prices are set to penetrate the market, distribution channels are extended, and the
mass market is targeted through advertising. The strategy is to advance by these means and by achieving
economies of productive scale.
Answer (C) is incorrect because competitors are most numerous and products become less differentiated
during the maturity stage of the product life cycle. In this stage, imitators have entered the market and
competitors have learned which technologies and features are successful.
Answer (D) is incorrect because the quality of the products becomes more variable and products are less
differentiated.

Chapter G – The ISO Framework


• The ISO certification standards represent a stamp of approval on the quality of products and services,
and many companies will buy only from ISO-certified suppliers.
• ISO 9000 series focuses on quality assurance
• ISO 14000 Standards address management of environmental impact and performance improvement
• Tested Heavily - ISO 31000 standard addresses risk management

Chapter H – Out-Sourcing Business Processes


• Organizations should not out-source functions deemed as core competencies.

Section IV – Communication

Chapter A: Communication


• The term for barriers in the sender-to-receiver and receiver-to-sender message processes is
communication noise. Communication noise can happen anywhere along the communications
spectrum. Both senders and receivers need to be careful about the intent of the message, the
medium, and the interpretation.
• Communication channel richness refers to the amount of information that can be transmitted during
a communication episode.
• Face-to-face discussion is the richest medium because it permits direct experience, multiple
information cues, immediate feedback, and personal focus. Impersonal written media, including
flyers, bulletins, and standard computer reports, are the lowest in richness. These channels are not
focused on a single receiver, use limited information cues, and do not permit feedback.
• Decoding is how the receiver of a message interprets that message. Interpretations can vary widely
given cultural backgrounds.
• Nonverbal communication is often imprecise. It is influenced heavily by culture and can sometimes
convey more information than verbal communication.
• Deductive reasoning (top down) reasons from a general principle (hypothesis) to a particular case.
Example: "Those who take a CIA Exam review course will pass the CIA Exam" (general principle); five of
the ten students who sat the exam took the review course; therefore those five will pass.
• Inductive reasoning (bottom up) reasons from detailed facts to a general principle. It is the method
most commonly used by scientists: draw a conclusion from evidence (facts). Example: Jane and Wayne
passed the CIA Exam. Jane and Wayne were in Lyndon’s CIA Exam review course. Therefore, those who
take Lyndon’s CIA Exam review course will pass the CIA Exam.
• In both organizations and cultures the distribution of organizational power can interfere with
communication. The person who perceives himself or herself as having little power or authority will
be less likely to initiate discussion, even of important topics.
• Information overload (I) and misrepresentation of feelings and emotions (II) are considered
drawbacks of electronic communication. Information overload, such as numerous electronic mail
messages, may lead to lost time and inefficiencies and is considered a drawback of electronic
communication. Reduced transmission time (III) is considered a positive result of electronic
communication, and electronic communication generally results in an adequate paper trail (such as
saved "sent mail").
• Listen with empathy and intensity. Listening with empathy to the speaker's ideas allows for objective,
not judgmental, listening. Empathy puts the listener in the speaker's shoes, so the listener
understands what the speaker wants to communicate rather than what the listener wants to
understand. A listener must concentrate intensely to avoid being distracted.
• Exam alert: Open (descriptive response) vs. Closed (One word response)
• Selective perception is the process of selecting some information and filtering out other information
as it is received based on an individual's needs, interests, values, opinions, and past experiences.

Chapter B: Stakeholder Relationships

• The audit charter and annual plan must be aligned with the organization’s strategic objectives and
risk appetite. If not, the annual plan, even if approved, will not meet the board’s and senior
management’s expectations. This will lead to conflict between internal audit activities and
board/senior management’s expectations and risk appetite.
• For internal audit to add value to an organization, it must go beyond assessing present controls
towards identifying root causes of problems and recommending solutions and changes. This will
require support from the board and senior management in the form of example, resources, and
direction. To add value, internal audit must have organizational knowledge and relationships. A new
CAE would be less likely to have sufficient organizational and industry knowledge.
• When handling related parties, the most difficult type of transaction is one involving a close family
member who is also a major shareholder. Transactions involving major shareholders (e.g., close family
and relations), either directly or indirectly, are potentially the most difficult type of transaction.
• The ultimate goal of shareholder and investor communications is honesty. Honesty from
management is the ultimate goal of shareholder and investor communications, although the
communication should provide consistency, clarity, candor, and effectiveness.
• A golden parachute is a contract in which a corporation agrees to make payments to key management
and senior officers in the event of a change in the control of the corporation. Shareholders do not
initiate golden parachutes; management does.

Section V – Management and Leadership

Chapter A: Strategic Management

• Industry Life Cycle Four Stages (I, G, M, D) – Introduction, Growth, Maturity and Decline
• During the maturity stage, competition is at its greatest, and costs are at their lowest; thus, prices
would be at their lowest.
• Different strategies are used to manage in each type of industry. Organizations must recognize when
an industry is shifting in some way.
• Franchising and horizontal mergers are commonly used to gain market share in a fragmented industry.
• Growth strategy - An organization may decide to enter a new business in the same or a different
industry when the benefits outweigh entry costs and other legal and administrative barriers.
• Quantitative research is based on numbers and mathematical calculations (aka quantitative data),
qualitative research is based on written or spoken narratives (or qualitative data).

• Regression Analysis - Indicates correlation(s) based on an assumption of cause-and-effect relationships
among variables. Often used to analyze cost behavior or forecast sales levels.
• Quality is the reliability of a product or service for its users. To ensure a reliable level of quality
throughout an organization, every individual, department, and subdivision of an organization must
conform to design specifications set by customer expectations.
• Exam Alert: Total Quality Management (TQM) Managing people and business process to ensure 100%
customer satisfaction. Look for the answer with Customer.

Chapter B: Organizational Behavior

• Wider span of control at the top means fewer managers. Conversely, a narrower span of control
means more managers.
• Span of control affects delegation, employee participation, and employee learning.
• Understand Environmental Factors Impacting the motivation of employees such as organizational
structure and culture, relationships with managers and supervisors, job design, reward system, and
performance appraisal.
• Group types (structural, functional, task, informal) - A task group is charged with completion of a task,
and the group will disband once the task is complete. Informal groups also may have a task to
complete, but they may not be formally appointed. Structural and functional groups usually are
embedded in the organization's structure and are ongoing.
• CIA Exam Alert: Groups - When some group members go along with what appears to be the group
consensus rather than giving their honest input, that is groupthink, which is undesirable.

Chapter C: Management Skills/Leadership Styles

• Note: This Chapter is not tested heavily on the exam.


• To successfully implement empowerment in an organization, leaders must balance their need for
personal control with providing freedom for others to act on their own authority.
• Teams need a clear purpose, performance objectives, and outcomes

Chapter D: Conflict Management

• Negotiation and Conflict Management skills help auditors build relationships and trust, understand
and handle adversarial communication, and effectively deliver reports and recommendations.
• Conflict should be viewed as a healthy way to facilitate growth in an organization.
• An avoidance strategy aims to resolve the conflict by ignoring it or imposing a solution. It is only
appropriate if the conflict is trivial or if quick action is needed to prevent the conflict from arising.

• Utilizing Principled Negotiation skills if an agreement is reachable, results should meet the needs of
both parties to the extent possible and should be fair, long lasting, and in the public good.
• Utilizing the Added-Value Negotiation skills this process usually takes less time because of the
multiple offers presented at the beginning of the process.

Chapter E: Project Management / Change Management

• Gantt chart (scheduling tool) - Divides a project into sequential activities with estimated start and
completion times, drawn as bars on a time scale. Internal audit scheduling is effectively accomplished
with a Gantt chart.
• Determining the most efficient path for reaching project goals can be done using:
1. Critical path method (CPM) – identifies the critical path, the longest chain of dependent tasks
through the network, which sets the shortest possible project duration.
2. Program Evaluation and Review Technique (PERT) – like CPM, but uses probabilistic (optimistic,
most likely, pessimistic) time estimates.
• CPM and PERT identify and prioritize the tasks that must be completed on time for the whole project to
be completed on time.
• Exam Alert: Know the difference between a Gantt chart and CPM: a Gantt chart shows when activities
occur; CPM shows which activities are critical.
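The Gantt-versus-CPM distinction, worked on a small task network. This is an added example and not from the cheat sheet; the five-task audit project and its durations are constructed, and the function names are my own. The forward pass gives the earliest start and finish of each task (the bars a Gantt chart would draw); the backward pass gives slack, and the zero-slack tasks are the critical path that sets the project duration.

```python
from collections import defaultdict

# Constructed sample audit project (not from the page): task -> (duration in days, predecessors)
TASKS = {
    "plan":      (2, []),
    "fieldwork": (5, ["plan"]),
    "testing":   (3, ["plan"]),
    "draft":     (2, ["fieldwork", "testing"]),
    "review":    (1, ["draft"]),
}


def topological_order(tasks):
    """Order tasks so every predecessor comes first; refuse a cyclic precedence graph."""
    indeg = {t: len(preds) for t, (_, preds) in tasks.items()}
    succ = defaultdict(list)
    for t, (_, preds) in tasks.items():
        for p in preds:
            if p not in tasks:
                raise ValueError(f"{t} depends on unknown task {p}")
            succ[p].append(t)
    ready = [t for t, d in indeg.items() if d == 0]
    order = []
    while ready:
        t = ready.pop(0)
        order.append(t)
        for s in succ[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                ready.append(s)
    if len(order) != len(tasks):
        raise ValueError("cycle in precedence graph")
    return order, succ


def critical_path(tasks):
    """Forward pass (earliest start/finish) then backward pass (latest start/finish).

    Project duration is the longest path through the network. Tasks with zero slack lie on it,
    so any delay to them delays the whole project.
    Returns (duration, critical tasks in order, Gantt rows (task, start, finish), slack per task).
    """
    order, succ = topological_order(tasks)
    es, ef = {}, {}
    for t in order:                                   # forward pass
        dur, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + dur
    duration = max(ef.values())
    ls, lf = {}, {}
    for t in reversed(order):                         # backward pass
        lf[t] = min((ls[s] for s in succ[t]), default=duration)
        ls[t] = lf[t] - tasks[t][0]
    slack = {t: ls[t] - es[t] for t in order}
    critical = [t for t in order if slack[t] == 0]
    gantt = [(t, es[t], ef[t]) for t in order]        # what a Gantt chart draws: a bar from ES to EF
    return duration, critical, gantt, slack


if __name__ == "__main__":
    duration, critical, gantt, slack = critical_path(TASKS)
    print("project duration:", duration, "days")
    print("critical path:", " -> ".join(critical))
    for t, start, finish in gantt:
        print(f"{t:<10} day {start:>2}-{finish:<2} slack {slack[t]}")
```

In this data "testing" has two days of slack: it can slip without moving the review date, whereas a one-day delay in "fieldwork" pushes the whole engagement out by a day.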


Section VI – IT/Business Continuity

Note: Most of the exam questions for this section are not actually IT questions but risk (events and
vulnerabilities) and control questions. The key is to dumb down the question and focus on the risk and
control. Testing is based on overall concepts of security and not in depth IT.

Chapter A: Security

• Guidance relating to IT
- GTAG (Global Technology Audit Guide) series, created by the IIA
- COBIT – Internationally accepted framework created by ISACA. It assists enterprises in achieving
their objectives for the governance and management of enterprise information and technology (IT).
Simply put, it helps enterprises create optimal value from IT by maintaining a balance between
realizing benefits and optimizing risk levels and resource use.
- COSO ERM

• Risks

Malware is short for "malicious software": any unwanted software installed without your adequate
consent. Viruses, worms, and Trojan horses are examples of malicious software that are often grouped
together and referred to as malware.

1. Which of the following types of malicious software (malware) uses social engineering tactics
to deceive e-mail receivers?

A. Trojan horses
B. Worms
C. Viruses
D. Root kits

Answer: A. A Trojan horse is disguised as something the recipient wants to open, so its delivery depends
on deceiving the user; worms and viruses spread by self-replication, and a rootkit's job is to hide an
intruder's presence on a host that has already been compromised.

• To mitigate the risks, controls should be implemented. Know some key terms as they relate to
internal controls:
- General Controls = the whole organization (the body)
- Application Controls = a specific application (the knee)
- Preventive Controls = e.g., separation of duties
- Detective Controls = e.g., reconciliation (back-end reviewing, monitoring)
- Effective = tested (a control is only known to be effective once its operation has been tested)
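The preventive/detective distinction on the separation-of-duties example above, in code. This is an added example, not part of the cheat sheet; the users, roles and "toxic" role pairs are constructed to look like a purchase-to-pay system, and the function names are my own. The preventive control refuses a role grant that would create a conflict; the detective control reviews what has already been granted and reports the conflicts an auditor would want to see.

```python
from itertools import combinations

# Constructed sample data (not from the page): who holds which roles in a purchase-to-pay system.
USER_ROLES = {
    "alice": {"create_vendor", "approve_payment"},
    "bob":   {"enter_invoice"},
    "carol": {"approve_payment", "bank_reconciliation"},
    "dave":  {"create_vendor", "enter_invoice", "approve_payment"},
}

# Role pairs that let one person run a scheme end to end (set up a fake vendor and pay it, or
# key an invoice and approve it). Holding both defeats separation of duties.
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
}


def can_assign(user, new_role, user_roles=USER_ROLES, toxic_pairs=TOXIC_PAIRS):
    """Preventive control: refuse a role grant that would create a conflict for this user."""
    return not any(frozenset({held, new_role}) in toxic_pairs
                   for held in user_roles.get(user, set()))


def sod_violations(user_roles=USER_ROLES, toxic_pairs=TOXIC_PAIRS):
    """Detective control: review existing assignments and list every (user, role_a, role_b) conflict."""
    hits = []
    for user, roles in sorted(user_roles.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in toxic_pairs:
                hits.append((user, a, b))
    return hits


if __name__ == "__main__":
    for user, a, b in sod_violations():
        print(f"SoD conflict: {user} holds both {a} and {b}")
    print("grant bob approve_payment?", can_assign("bob", "approve_payment"))   # False
    print("grant bob create_vendor?", can_assign("bob", "create_vendor"))       # True
```

Run the detective check against an export of the real role table on a schedule; the preventive check belongs in the provisioning workflow, and a conflict that the business insists on keeping needs a documented compensating control (for example, an independent review of the payments that user approved).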

• To mitigate IT risk organizations should have IT controls in place. However, the cost of the
controls should be commensurate with the level of risk mitigation.

• Physical Security Controls
1. Key card with security computer database
2. Role-based subdivisions within a building
3. Biometrics
4. Data centers: not on an exterior wall; slab-to-slab construction

• Hardware Controls
1. Redundant character check
2. Equipment check
3. Duplicate process check
4. Echo check
5. Fault-tolerant components (allows a system to continue to work even when a fault exists i.e.
nuclear power plant, subway)

• System and Data Backup Recovery Controls


1. Backing up data—grandfather-father-son
2. Off-site storage—site that is physically distant from primary operations
3. Cloud backup—network of distributed databases/ servers
4. Electronic vaulting—electronic transmission of changes to data to off-site facility
5. Backup data controls—methodology for labeling/ storing physical items

• Controls for Transmitting Data


1. To reduce security exposure when transmitting proprietary data over communication lines, a
company should ENCRYPT the data. The device to ENCRYPT is a CRYPTOGRAPHIC DEVICE (the
word CRYPT will be in the answer)
2. Encryption vs. Encoding - Here's what encryption does. It scrambles the data in a way that turns
it into gibberish before it's sent out over the Internet. The receiving party has the key to
unscrambling it and restoring it to valid information. Is encrypting the same as encoding? Not
quite. Encoding is transforming data in order to transmit it or to meet some necessary standard
for usage—with encoding, usability, not confidentiality, is the goal.

Example of “Awareness” Type CIA Exam Questions

Q4. To reduce security exposure when transmitting proprietary data over communication lines, a
company should use
A. asynchronous modems.
B. authentication techniques.
C. cryptographic devices.
D. call-back procedures

Q5. The best means of managing the confidentiality of satellite transmissions would be:
A. monitoring software.
B. access control.
C. encryption.
D. cyclic redundancy checks
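Encoding versus encryption (item 2 above), and why the cyclic redundancy check in Q5 is a distractor, demonstrated side by side. This is an added example, not from the cheat sheet; the message is a constructed record and the function names are my own. The cipher here is an illustrative construction (an HMAC-SHA256 keystream in counter mode with a separate HMAC tag) chosen so the block runs on the standard library; a production system would use a vetted authenticated cipher such as AES-GCM instead.

```python
import base64
import hashlib
import hmac
import secrets
import zlib


# ---- Encoding: reversible by anyone, no key. The goal is usability on a text channel, not secrecy.
def encode_for_transport(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def decode_from_transport(text: str) -> bytes:
    return base64.b64decode(text)


# ---- CRC: detects accidental corruption in transit. Anyone can recompute it, so it neither hides
# the data nor stops a deliberate change (an attacker simply fixes up the CRC after editing).
def crc_tag(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


# ---- Encryption: unreadable without the key, and authenticated here so tampering is detected.
# Illustrative construction only; use AES-GCM or ChaCha20-Poly1305 in real systems.
def _subkeys(key: bytes):
    # Key separation: never use the same key for the keystream and the MAC.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)                      # fresh per message; never reuse with one key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):           # constant-time compare, before any decryption
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    msg = b"PAY 12,000.00 TO ACCT 4417"                  # constructed proprietary record
    print("encoded  :", encode_for_transport(msg))       # anyone can base64-decode this
    print("crc32    :", hex(crc_tag(msg)))               # catches line noise, not an attacker
    key = secrets.token_bytes(32)
    blob = encrypt(key, msg)
    print("encrypted:", blob.hex())
    print("decrypted:", decrypt(key, blob))
```

The exam answer is the cryptographic device because only the encrypted form is useless to an eavesdropper; the encoded form is readable by anyone with a decoder, and the CRC only tells the receiver that what arrived is what was sent, which is an integrity property, not confidentiality.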


Chapter B: Application Development

• Exam Alert: Understand the definition of Change and Patch Management Controls – Change
management includes application code revisions, system upgrades, and infrastructure changes such
as changes to servers, routers, cabling, or firewalls.
• Change control manages changes in information system resources and procedures. It includes a
formal change request procedure; assessments of change requests on technical and business
grounds; scheduling changes; testing, installing, and monitoring changes; and reporting the status of
recorded changes. Example of a change-control failure from a past question: analysts were reusing
erroneous code that should have been, but was not, corrected.
• Changes should be scrutinized, reviewed, approved and bundled.

Example of “Awareness” Type CIA Exam Questions

8. Which of the following is the policy on change and patch management that most high-performing IT
organizations follow?

A. Have IT staff perform those patches that department heads feel are important.
B. Manually install every patch as soon as it is available.
C. Wait to install routine patches until enough are ready for simultaneous testing and installation.
D. Have patches automatically install as soon as they are released by the vendor.

Answer: C. This is the bundling point above: routine patches are grouped into a scheduled release that is
tested and installed together, rather than applied ad hoc (A, D) or one at a time (B).

• Understand the basic steps of a System Development Life Cycle (SDLC)
1. Systems Planning
2. Systems Analysis, systems design/systems selection
3. Programming and Customization/Configuration
4. Testing
- Alpha (comes first) – testing by developers
- Beta (comes second) – testing by users
5. Conversion and Implementation
6. Systems operation and refinement

• CIA Exam Alert: There was a question on the systems development life cycle analysis (feasibility)
stage - something along the lines of: in which stage do we make a decision if it makes sense
financially to develop internally or buy software?
• Many programmers are using Rapid Application Development (RAD) techniques to speed up the
SDLC. One approach that will be tested on the exam is object-oriented approach. An object-
oriented approach is intended to produce reusable code. Because code segments can be reused
in other programs, the time and cost of writing software should be reduced.

Example of “Awareness” Type CIA Exam Questions


Gleim Exam Question: Object technology is likely to become more important in companies’ strategic use
of information systems because of its potential to:
A. Permit quicker and more reliable development of systems.
B. Maintain programs written in procedural languages.
C. Minimize data integrity violations in hierarchical databases.
D. Streamline the traditional “waterfall” systems development methodology.

Answer: A. Reusing objects that have already been tested shortens development and avoids re-introducing
defects by rewriting the same logic.

• IT Application Controls—Input Controls
• Control data as it enters the system
• Garbage-in, garbage-out (GIGO)
• Manual input controls, e.g., authorizations
• Electronic aids for manual inputs
o Screen formats, entry fields, drop-down menus
o Keystroke verification
o Labeling conventions and completeness checks
• Edit checks – such as check digits
• Processing Controls
• Output Controls
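The input controls above, implemented as edit checks on a keyed record. This is an added example, not part of the cheat sheet; the record layout, field names and limits are constructed, and the check digit is the Luhn (mod 10) scheme, which is the common choice for account and card numbers. It shows what a check digit actually buys you: a mistyped digit or two adjacent digits swapped is rejected at entry instead of corrupting the master file.

```python
def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn (mod 10) test."""
    if not payload.isdigit():
        raise ValueError("payload must be digits only")
    total = 0
    # Work from the right: the digit next to the check-digit position is doubled, then every other one.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the digits before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


REQUIRED_FIELDS = ("account_no", "amount")


def validate_record(rec: dict) -> list:
    """Edit checks on one keyed record. Returns a list of error strings; an empty list means accept."""
    errors = []
    for field in REQUIRED_FIELDS:                             # completeness check
        if rec.get(field) in (None, ""):
            errors.append(f"missing {field}")
    acct = rec.get("account_no") or ""
    if acct and not luhn_valid(acct):                        # check digit catches keying slips
        errors.append("account_no fails check digit")
    amt = rec.get("amount")
    if amt is not None and not (isinstance(amt, (int, float)) and 0 < amt <= 1_000_000):
        errors.append("amount out of range")                 # range / reasonableness check
    return errors


if __name__ == "__main__":
    good = "7992739871" + luhn_check_digit("7992739871")     # constructed account number
    print(good, luhn_valid(good))                            # True
    print(validate_record({"account_no": good, "amount": 250.0}))          # []
    print(validate_record({"account_no": "79927398723", "amount": -5}))   # two errors
```

A check digit is a control against accidental error, not against fraud: anyone who knows the scheme can produce a valid number, so it complements, rather than replaces, authorization and a match against the master file.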

Chapter C – System Infrastructure

• A database is a collection of information that is organized so that it can easily be accessed,
managed, and updated.
• Data definition language (DDL) establishes the structure of database tables.

Example of “Awareness” Type CIA Exam Question

24. Users making database queries often need to combine several tables to get the information
they want. One approach to combining tables is known as
A. projecting.
B. joining.
C. pointing.
D. mail merge.

Answer: B. A join combines rows from two or more tables on matching key values; projecting selects
columns from a single table.

• Firewalls - Separates two networks and prevents passage of specific types of network traffic while
maintaining a connection between the networks. Generally, an Internet firewall is designed to
protect a system from unauthenticated logins from outside users, although it may provide several
other features as well.
• Intrusion testing – An intrusion (penetration) test is a localized, time-constrained and authorized
attempt to breach the information security architecture of a system using the same tools and
techniques real attackers use. Unlike hacking, intrusion testing (ethical hacking) has a constructive
intent: to improve the organization's information security posture.
- Localized: it requires a definition of scope.
- Time-constrained: it does not last forever, although it is said that attackers have infinite time
on their hands!
- Using attackers' techniques: it is neither a simulation nor a hypothetical attack scenario, but a
carefully executed, authorized attack using the same tools and techniques attackers have at hand.

• Exam Alert: What translates HTTP responses (HTML) into a page on the screen for viewing? The web
browser. Do not confuse it with the Internet Protocol (IP), which is the protocol by which data is
addressed and routed from one computer to another on the Internet.
• Five Functions of the IT Area:
1. Security and Quality
2. Application and Systems
3. Data
4. Technical Support
5. Operations
- Help Desk
- Change Control Librarian (holds the master versions of applications)
- End Users

• A VPN encrypts data in transit and authenticates the endpoints, allowing remote connections to the
protected resources of a corporation. Example: remote employees operating over the Internet but
wanting to access the corporate intranet.


Chapter D: Business Continuity

• Business Continuity Management - “process by which an organization prepares for future
incidents that could jeopardize the organization’s core mission and its long-term viability”
- Hot Site (Hot and Ready) - Fully equipped site ready for immediate use in emergencies
- Cold Site - Site with utilities but no equipment; requires days or weeks to activate
• Best evidence of plan adequacy is testing the plan (e.g., fire drill)

Other questions on the CIA Exam:

• What would you expect to find in a user developed system vs. an IT developed system?
(documentation question)
• What would be primary benefit of using EFT for international money transfers?
• Auditors role in assessing systems development
• Auditors role in reviewing systems that are outsourced
• Understand Logical Control

Which of the following is an objective of logical security controls for information systems?

A. To ensure complete and accurate recording of data.
B. To ensure complete and accurate processing of data.
C. To restrict access to specific data and resources.
D. To provide an audit trail of the results of processing.

Answer (A) is incorrect because it is not an objective of logical security control.
Answer (B) is incorrect because it is not an objective of logical security control.
Answer (C) is correct. The primary objective of security controls for information systems is to restrict
access to data and resources (both hardware and software) to only authorized individuals. In addition,
authorization tables for operating system access address logical controls.
Answer (D) is incorrect because it is not an objective of logical security control.

What is the safest mode of transmitting data?

A. Radio transmission
B. Infrared laser
C. Satellite transmission
D. Fiber optic cable

Answer: D. Fiber optic cable does not radiate a signal and is hard to tap without detection, whereas radio,
infrared and satellite transmissions travel through the air and can be intercepted by anyone in range.


Section VII – Financial Management

Chapter A: Financial Accounting and Finance (Tested at a basic high level)

Topic 1: Describe Basic Concepts and underlying Principles of Financial Accounting

Accounting Concepts

• Understand the common accounting terms (p.3-438)


• Goal of financial reporting: is to provide stakeholders with information to exercise due diligence
in decision making.
• To ensure that financial statements are truly useful, GAAP requires the information in financial
statements to be Relevant, Reliable, Comparable and Consistent
• Dual-entry (or double-entry) accounting is the international standard. In a dual-entry system,
each transaction is recorded in at least two places: a debit to one account and a credit to another
account.
• A common way of expressing the dual-entry method is with a T-account. Preparing periodic trial
balances can ensure that the accounts balance at that specific moment in time.
• Exam Alert: Know the impact of a Debit or a Credit on accounts.
Assets, Expenses and Dividends: Debits increase accounts and Credits decrease accounts
Liabilities, Revenues, Capital Stock, and Retained Earnings: Debits decrease accounts and Credits
increase accounts

Example Test Question


4. When purchasing an asset using debt, which of the following transactions occurs?
A. Debit assets (increase) and credit liabilities (increase).
B. Debit assets (decrease) and credit liabilities (increase).
C. Debit liabilities (decrease) and credit assets (increase).
D. Debit liabilities (increase) and credit assets (increase).

Answer: A. An asset account is debited, increasing it by the value of the additional assets. A liability
account is credited, increasing it by the amount of the loan.

• Expect a number of “if this occurs, then what” questions, for example: a sale takes place, but the sale is
not posted and inventory is not adjusted. How are inventory and accounts receivable affected?
• The temporary accounts get closed at the end of an accounting year. Temporary accounts include
all of the income statement accounts (revenues, expenses, gains, and losses), the sole proprietor's
drawing account, the income summary account, and any other account that is used for keeping a
tally of the current year amounts. Since the temporary accounts are closed at the end of each
fiscal year, they will begin the new fiscal year with zero balances.
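The debit/credit rules, the balanced journal entry, the trial balance and the year-end closing of temporary accounts described above, worked as a small Python ledger. This is an added example, not code from the cheat sheet or the IIA; the account names and amounts are constructed sample data, and the entry "buy equipment on loan" is the asset-purchased-with-debt transaction from the example test question.

```python
"""Minimal double-entry ledger (added example; not from the cheat sheet).

Account types follow the cheat sheet's rules: assets, expenses and dividends
carry a debit normal balance; liabilities, revenues, capital stock and retained
earnings carry a credit normal balance.  Names and amounts are constructed.
"""
from collections import defaultdict

DEBIT_NORMAL = {"asset", "expense", "dividend"}
CREDIT_NORMAL = {"liability", "revenue", "capital_stock", "retained_earnings"}
TEMPORARY = {"revenue", "expense", "dividend"}   # closed to retained earnings at year end


class Ledger:
    def __init__(self):
        self.types = {}                    # account name -> account type
        self.debits = defaultdict(float)   # running debit total per account
        self.credits = defaultdict(float)  # running credit total per account

    def open(self, name, acct_type):
        if acct_type not in DEBIT_NORMAL | CREDIT_NORMAL:
            raise ValueError(f"unknown account type {acct_type!r}")
        self.types[name] = acct_type

    def post(self, description, debits, credits):
        """Record one journal entry; debits and credits map account -> amount."""
        for acct in list(debits) + list(credits):
            if acct not in self.types:
                raise KeyError(f"{description}: account {acct!r} not opened")
        # Every entry must balance: total debits == total credits.
        if abs(sum(debits.values()) - sum(credits.values())) > 1e-9:
            raise ValueError(f"unbalanced entry: {description}")
        for acct, amt in debits.items():
            self.debits[acct] += amt
        for acct, amt in credits.items():
            self.credits[acct] += amt

    def balance(self, name):
        """Balance expressed in the account's normal-balance direction."""
        net = self.debits[name] - self.credits[name]
        return net if self.types[name] in DEBIT_NORMAL else -net

    def trial_balance(self):
        """(total debits, total credits); the two must agree at any moment."""
        return sum(self.debits.values()), sum(self.credits.values())

    def close_year(self, retained_earnings="Retained Earnings"):
        """Year-end closing: move each temporary account's balance into retained
        earnings so the temporary accounts start the new year at zero."""
        for name, acct_type in self.types.items():
            if acct_type not in TEMPORARY:
                continue
            bal = self.balance(name)
            if bal == 0:
                continue
            if acct_type == "revenue":   # credit balance: debit it away
                self.post(f"close {name}", {name: bal}, {retained_earnings: bal})
            else:                        # expense/dividend: debit balance, credit it away
                self.post(f"close {name}", {retained_earnings: bal}, {name: bal})


def demo():
    """Constructed sample year; returns the ledger and balances before/after closing."""
    lg = Ledger()
    for name, t in [("Cash", "asset"), ("Equipment", "asset"), ("Bank Loan", "liability"),
                    ("Sales", "revenue"), ("Rent Expense", "expense"),
                    ("Retained Earnings", "retained_earnings")]:
        lg.open(name, t)
    # Purchase an asset using debt: debit assets (increase), credit liabilities (increase).
    lg.post("buy equipment on loan", {"Equipment": 10_000}, {"Bank Loan": 10_000})
    lg.post("cash sale", {"Cash": 5_000}, {"Sales": 5_000})
    lg.post("pay rent", {"Rent Expense": 1_200}, {"Cash": 1_200})
    before = {n: lg.balance(n) for n in lg.types}
    lg.close_year()
    after = {n: lg.balance(n) for n in lg.types}
    return lg, before, after


if __name__ == "__main__":
    lg, before, after = demo()
    print("before closing:", before)
    print("after closing: ", after, "trial balance:", lg.trial_balance())
```

After closing, Sales and Rent Expense read zero and Retained Earnings carries the $3,800 net income, while the balance sheet accounts (Cash, Equipment, Bank Loan) are carried forward unchanged, which is the permanent/temporary distinction the bullets above describe.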

• The accounts that do not get closed (their balances are carried forward to the next accounting
year) are referred to as permanent accounts. The balance sheet accounts are permanent
accounts.
• Accrual versus cash basis accounting. Accrual relies on the principles of revenue recognition and
matching. Accrual basis accounting records transactions as they occur, recognizing revenue only
when earned and expenses only when incurred, regardless of when the cash is actually paid out
(GAAP). Under cash basis accounting, the organization recognizes revenue only when cash is received
and recognizes expenses only when cash is paid out (not GAAP); thus payables and receivables are
ignored.
• Accounting assumptions used in preparing the financial statements include economic entity,
going concern, monetary unit, and periodic reporting.
• Accounting principles used in preparing the financial statements include:
• Historical cost
• Revenue recognition – Revenue is recognized when it is earned, not when cash is received. Recording
advance payments from customers as liabilities (revenue not yet earned) is an application of this principle.

Example Test Question

25. The practice of recording advance payments from customers as liabilities is an
application of the
A. going concern assumption.
B. monetary unit assumption.
C. historic cost principle.
D. revenue recognition principle.

• Matching – Expenses should be recognized in the period in which the corresponding
revenues are recognized. Example: Depreciation and amortization are ways to apply the cost
of a long-lived asset over the periods in which the benefits are received. Period costs are
expensed immediately because they cannot be matched to specific revenues.
• Full disclosure
• Accounting cycle – Closing is the process of transferring from Ledger to Trial Balance
• Financial Statements
• Income Statement – Shows net profits from primary activities, a key creditworthiness
indicator
• Statement of Shareholders’ Equity (Retained Earnings)
• Balance Sheet: Assets – Liabilities = Equity
• Statement of Cash Flows – A statement of cash flows provides information about the cash
receipts and cash payments of an enterprise during a period. This activity could be related to
Operating, Investing and Financing activities
• Disclosures / footnotes – The notes or disclosures to the financial statements should be an
integral part of the statements. Required disclosures are:

• Contingent liabilities – Both material and uncertain
Example: A lessee agrees to reimburse a lessor for a shortfall in the residual value of an asset
under lease.
• Subsequent events
• Contractual obligations
• Accounting policies and valuation methods used
• Change in accounting policies
• Capital stock disclosures
• Off-balance sheet accounting
• Other disclosures
• Depreciation Methods
• Allocating the cost of tangible assets over the periods of expected use
• Straight Line = Depreciable Base / Useful Life

Topic 2

• Characteristics of an Operating Lease
• A lease agreement transfers substantially all the benefits and risk of ownership of the
asset to the lessee if at least one of the following criteria is met:
1) The lease provides for the transfer of ownership of the leased property.
2) The lease contains a bargain purchase option (BPO).
a) A bargain purchase option gives the lessee the right to purchase the leased property for a price
lower than its expected fair value at the date the BPO becomes exercisable.
3) The lease term is 75% or more of the estimated economic life of the leased property.
4) The present value of the minimum lease payments is at least 90% of the fair value of the leased
property.
a) Minimum lease payments equal minimum rental payments plus the amount of residual value
(or the minimum rental payments plus the amount of BPO).

• Defined benefit plan promises specific level of retirement benefits.

Topic 3

• Preferred stocks are designed to pay shareholders consistent dividends. They get their name from
the fact that they have preference over common stocks in the payment of dividends. This means
preferred stock dividends are always paid to shareholders before dividends on common stock.
Preferred dividends generally have yields that are competitive with corporate bonds.
• When an organization purchases an equity interest in other organizations in the form of capital
or preferred stock and has “Significant Influence” (20% to 50% ownership), it must value this
investment using the Equity method: proportional share of investee’s net income/loss, dividends

Topic 4

• The effects of under/over counting inventory on COGS and income.
• Formula for COGS: To compute cost of goods sold, start with the cost of beginning inventory of
finished goods, add the cost of goods manufactured, and then subtract the cost of ending
inventory of finished goods.

Suppose your chocolate milk factory started out with $2,000 worth of beginning inventory of
finished goods. Your cost of goods manufactured (inputs) was $18,000, and your ending
inventory of finished goods was $500. COGS = $2,000 + $18,000 – $500 = $19,500

• Residual income is a metric used to measure performance of a department. It measures the return
earned by the department which is in excess of the minimum required return. RI is often
compared to ROI. ROI is a % while RI is a dollar amount.

Quick Ratio

• You will only see one or two ratios on the exam. Thus, NO need to memorize all of the formulas.
• Quick Ratio = (Current Assets – Inventory) / Current Liabilities, i.e. (Cash + AR) / Current Liabilities
• Current Ratio = Current Assets (Cash, AR and Inventory) / Current Liabilities
• Inventory turnover is an efficiency ratio which calculates the number of times per period a
business sells and replaces its entire batch of inventories. It is the ratio of cost of goods sold by a
business during an accounting period to the average inventories of the business during the period.
• The inventory turnover ratio is calculated by dividing the cost of goods sold for a period
by the average inventory for that period.

• Exam Question: Inventory Turnover Ratio (Cost of Raw Materials = 60k, COGS = 120K, Remaining
Inventory Valued at 40k – what is the Inventory Turnover Ratio?)
• Residual income is a metric used to measure the performance of a department. It measures the return
earned by the department in excess of the minimum required return. Set a minimum return
rate; if RI is positive, investors will get their return and the excess can go to retained earnings.

Topic 5: Define and differentiate various types of Debt and Equity

• Government-backed securities (Most secure)
• Common Stock vs. Preferred Stock. Preferred stocks are designed to pay shareholders consistent
dividends. They get their name from the fact that they have preference over common stocks in
the payment of dividends. This means preferred stock dividends are always paid to shareholders
before dividends on common stock. Preferred dividends generally have yields that are
competitive with corporate bonds.
• Exam Alert: Stock splits - A stock split is a decision by the company's board of directors to increase
the number of shares that are outstanding by issuing more shares to current shareholders. For
example, in a 2-for-1 stock split, every shareholder holding one share is given an additional share.

Topic 6

• Bond, Common Stock vs. Preferred Stock
• Bonds are the principal form of long-term debt financing for corporations and governmental
entities.
1) A bond is a formal contractual obligation to pay an amount of money (called the par value,
maturity amount, or face amount) to the holder at a certain date, plus, in most cases, a series of
cash interest payments based on a specified percentage (called the stated rate or coupon rate)
of the face amount at specified intervals.
2) All of the terms of the agreement are stated in a document called an indenture.

Topic 7

• Understand Cash Receipt Controls whether taking revenue at a Point of Sale (POS), mail, or
electronically.

Topic 8: Describe Inventory and Business Valuation Models

• Know the difference between a perpetual inventory (keeps a continuous record of inventory
changes as they occur) vs. periodic inventory (which determines only the inventory on hand at the
end of a period by physical count).
• FIFO (can distort net income and gross profit), LIFO, and Weighted Average (called “moving average”
under a perpetual system; it is simple, and income cannot be manipulated).
• Cost / Retail Ratio and retail method for valuing inventory. The retail method converts ending
inventory stated at retail to cost.

Sample Question (effect of failing to account for normal inventory shrinkage under the retail method):

                  Effect on Cost-Retail Ratio    Effect on Estimated Ending Inventory at Retail
A.                No effect                      No effect
B.                No effect                      Overstatement
C.                Overstatement                  Overstatement
D.                Overstatement                  Understatement

Answer (B) is correct. The retail method of inventory estimation applies a cost-retail ratio to the ending
inventory at retail to determine ending inventory at cost. The ratio equals goods available at cost divided
by goods available at retail. Normal inventory shrinkage is deducted from the retail amount of goods
available because the goods are not available. However, abnormal amounts of theft, etc., are deducted in
arriving at both the cost and retail amounts. The reason for the difference in treatment is that normal but
not abnormal inventory losses are anticipated and included in selling price (retail value). Accordingly,
failure to account for normal inventory shrinkage has no effect on the calculation of the cost-retail ratio
but overstates ending inventory at retail.
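The retail method as described in the answer above, worked in Python: the cost-retail ratio is built from goods available at cost and at retail, an abnormal loss is removed from both columns before the ratio is computed, and normal shrinkage is deducted only from the retail column. Running it once with and once without the normal-shrinkage deduction reproduces answer B (ratio unchanged, ending inventory at retail overstated). This is an added example, not from the cheat sheet; every figure in it is constructed.

```python
"""Retail inventory method (added example; not from the cheat sheet).

Shows why omitting *normal* shrinkage leaves the cost-retail ratio unchanged
but overstates ending inventory at retail, while an *abnormal* loss is removed
from both the cost and retail columns before the ratio is computed.
All amounts are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class RetailInputs:
    beginning_cost: float
    beginning_retail: float
    purchases_cost: float
    purchases_retail: float
    sales_at_retail: float
    normal_shrinkage_retail: float = 0.0   # anticipated, already priced into selling prices
    abnormal_loss_cost: float = 0.0        # e.g. theft beyond normal levels
    abnormal_loss_retail: float = 0.0


def retail_method(x: RetailInputs, deduct_normal_shrinkage: bool = True):
    """Return (cost_retail_ratio, ending_inventory_at_retail, ending_inventory_at_cost)."""
    # Abnormal losses come out of both the cost and the retail side before the ratio.
    available_cost = x.beginning_cost + x.purchases_cost - x.abnormal_loss_cost
    available_retail = x.beginning_retail + x.purchases_retail - x.abnormal_loss_retail
    ratio = available_cost / available_retail
    # Normal shrinkage is deducted only from the retail column (the goods are not
    # available for sale), so it never touches the ratio.
    ending_retail = available_retail - x.sales_at_retail
    if deduct_normal_shrinkage:
        ending_retail -= x.normal_shrinkage_retail
    return ratio, ending_retail, round(ending_retail * ratio, 2)


SAMPLE = RetailInputs(  # constructed figures
    beginning_cost=20_000, beginning_retail=30_000,
    purchases_cost=60_000, purchases_retail=90_000,
    sales_at_retail=80_000, normal_shrinkage_retail=1_000,
    abnormal_loss_cost=2_000, abnormal_loss_retail=3_000,
)


def compare_shrinkage_treatment(x: RetailInputs = SAMPLE):
    """Effect of failing to account for normal shrinkage: ratio same, retail overstated."""
    correct = retail_method(x, deduct_normal_shrinkage=True)
    omitted = retail_method(x, deduct_normal_shrinkage=False)
    return {
        "ratio_unchanged": abs(correct[0] - omitted[0]) < 1e-12,
        "retail_overstated_by": omitted[1] - correct[1],
        "cost_overstated_by": round(omitted[2] - correct[2], 2),
    }


if __name__ == "__main__":
    print(retail_method(SAMPLE))
    print(compare_shrinkage_treatment())
```

With the sample figures the ratio is 78,000 / 117,000 (two thirds) either way; ending inventory at retail is $36,000 when shrinkage is deducted and $37,000 when it is not, so the cost figure is overstated by the shrinkage times the ratio.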

Topic 9 – Capital Budgeting

• Operating Budget - A summary of an organization’s plans that sets specific targets for sales,
production, distribution, and financing activities.
Exam question: “What budget do you complete first?” with the choices cash, sales, production, and
administrative expenses. CIA Exam Alert: Always do the Sales budget first. It drives the others.
• A capital budget identifies, evaluates, and selects projects that require large amounts of capital
investment and provide benefits far into the future. To make capital investment decisions,
managers must estimate the quantity and timing of cash flows, assess the risk of the investment,
and consider the impact of the project on the organization's profits.
• Capital budget Discounting Methods:
Net Present Value - Compares present value of a project’s cash inflows to present value of a
project’s cash outflows. Provides realistic assumptions.
Internal Rate of Return - The discount rate often used in capital budgeting that makes the net
present value of all cash flows from a particular project equal to zero. Generally speaking, the
higher a project's internal rate of return, the more desirable it is to undertake the project. As such,
IRR can be used to rank several prospective projects a firm is considering. Assuming all other
factors are equal among the various projects, the project with the highest IRR would probably be
considered the best and undertaken first.
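The two discounting methods above, worked in Python: NPV discounts each year's cash flow at the given rate, and IRR is found by bisection on the rate that drives NPV to zero, after which projects are ranked by IRR as the text describes. This is an added example, not from the cheat sheet or the IIA; the two projects and their cash flows are constructed, and the bisection assumes the conventional pattern of one initial outflow followed by inflows (NPV then falls as the rate rises), raising an error when NPV never changes sign.

```python
"""NPV and IRR for capital budgeting (added example; not from the cheat sheet).

Cash-flow lists are constructed: index 0 is the initial outlay (negative) and
index t is the net cash flow at the end of year t.  IRR is solved by bisection
on NPV(r) = 0, which is valid for the conventional pattern (one outflow, then
inflows) where NPV decreases monotonically in r.
"""


def npv(rate, cash_flows):
    """Present value of inflows minus present value of outflows at `rate`."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=1.0, tol=1e-10, max_iter=500):
    """Discount rate that makes NPV zero, via bisection; raises if no sign change."""
    f_lo = npv(lo, cash_flows)
    f_hi = npv(hi, cash_flows)
    # Widen the upper bracket until NPV turns negative (or give up at a huge rate).
    while f_hi > 0 and hi < 1e6:
        hi *= 2
        f_hi = npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign; IRR is undefined for these flows")
    for _ in range(max_iter):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                     # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def rank_by_irr(projects):
    """projects: {name: cash_flows}; returns names sorted highest IRR first."""
    return sorted(projects, key=lambda name: irr(projects[name]), reverse=True)


# Constructed sample projects, each a 1,000 outlay followed by inflows.
PROJECTS = {
    "A (level inflows)": [-1_000, 500, 500, 500],
    "B (single inflow)": [-1_000, 0, 0, 1_500],
}

if __name__ == "__main__":
    for name, flows in PROJECTS.items():
        print(f"{name}: NPV@10% = {npv(0.10, flows):.2f}, IRR = {irr(flows):.2%}")
    print("ranking by IRR:", rank_by_irr(PROJECTS))
```

At a 10% discount rate project A has the higher NPV (about 243 versus 127) and also the higher IRR (about 23.4% versus 14.5%), so both methods agree here; the ranking function follows the text's IRR rule.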

Topic 10 – Taxes (1 or 2 questions)

• Progressive tax (high-income taxpayers pay a larger fraction of income) vs. Regressive tax (low-income
taxpayers pay a larger fraction of income).
• Example of a regressive tax: a state sales tax.
• In the distribution of liquidation proceeds for a bankrupt firm, taxes payable is a priority claim.
Priority claims are paid in full before any liquidation proceeds are distributed to general claimants
or shareholders.

• Exam Alert: What is a 'Marginal Tax Rate' - A marginal tax rate is the amount of tax paid on an
additional dollar of income. The marginal tax rate for an individual will increase as income rises.
This method of taxation aims to fairly tax individuals based upon their earnings, with low-income
earners being taxed at a lower rate than higher income earners.
• Marginal Tax Rates and Example: For the 2016 tax year (taxes due in 2017), in the United States,
there are seven different marginal tax rates based on an individual's income. They are 10%, 15%,
25%, 28%, 33%, 35% and 39.6%. Individuals who make the lowest amount of income are placed
into the lowest marginal tax rate bracket, while higher earning individuals are placed into higher
marginal rate tax brackets. However, the marginal tax bracket in which an individual falls does not
determine how the entire income is taxed. Instead, income taxes are assessed on a progressive
level. Each bracket has a range of income values that are taxed at a particular rate. For example,
in 2016, for a single taxpayer, the marginal tax rates have the following income ranges:

10% Bracket: $0 to $9,275
15% Bracket: $9,275 to $37,650
25% Bracket: $37,650 to $91,150
28% Bracket: $91,150 to $190,150
33% Bracket: $190,150 to $413,350
35% Bracket: $413,350 to $415,050
39.6% Bracket: $415,050+

Thus if an individual taxpayer earned $150,000 in income, they would owe the following income taxes,
as shown below:

10% Bracket: ($9,275 - $0) x 10% = $927.50
15% Bracket: ($37,650 - $9,275) x 15% = $4,256.25
25% Bracket: ($91,150 - $37,650) x 25% = $13,375
28% Bracket: ($150,000 - $91,150) x 28% = $16,478
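The bracket walk-through above, generalised to any income in Python: each bracket taxes only the slice of income that falls inside it, the marginal rate is the rate of the highest bracket reached, and the effective rate (total tax divided by income) is always lower than the marginal rate. This is an added example, not from the cheat sheet; the bracket table is the 2016 single-filer table printed above, and the function is my own.

```python
"""Progressive (marginal-rate) tax computation (added example; not from the cheat sheet).

Uses the 2016 single-filer brackets listed in the text.  Each bracket taxes
only the slice of income inside it, so the marginal rate is the rate of the top
bracket reached, while the effective rate is total tax / income.
"""

# (lower bound, upper bound or None for the top bracket, rate): 2016 single filer, from the text
BRACKETS_2016_SINGLE = [
    (0, 9_275, 0.10),
    (9_275, 37_650, 0.15),
    (37_650, 91_150, 0.25),
    (91_150, 190_150, 0.28),
    (190_150, 413_350, 0.33),
    (413_350, 415_050, 0.35),
    (415_050, None, 0.396),
]


def progressive_tax(income, brackets=BRACKETS_2016_SINGLE):
    """Return (total_tax, breakdown); breakdown lists (rate, taxable_slice, tax) per bracket."""
    if income < 0:
        raise ValueError("income must be non-negative")
    breakdown = []
    for lower, upper, rate in brackets:
        if income <= lower:
            break                                  # no income reaches this bracket
        top = income if upper is None else min(income, upper)
        taxable = top - lower                      # only the slice inside this bracket
        breakdown.append((rate, taxable, round(taxable * rate, 2)))
    total = round(sum(tax for _, _, tax in breakdown), 2)
    return total, breakdown


def marginal_rate(income, brackets=BRACKETS_2016_SINGLE):
    """Rate applied to the next dollar earned."""
    _, breakdown = progressive_tax(income, brackets)
    return breakdown[-1][0] if breakdown else brackets[0][2]


def effective_rate(income, brackets=BRACKETS_2016_SINGLE):
    """Average rate actually paid on the whole income (always below the marginal rate)."""
    total, _ = progressive_tax(income, brackets)
    return total / income if income else 0.0


if __name__ == "__main__":
    total, parts = progressive_tax(150_000)
    for rate, slice_, tax in parts:
        print(f"{rate:>5.1%} on ${slice_:>10,.2f} = ${tax:>10,.2f}")
    print(f"total ${total:,.2f}; marginal {marginal_rate(150_000):.1%}; "
          f"effective {effective_rate(150_000):.2%}")
```

For the $150,000 example this reproduces the four bracket amounts printed above ($927.50, $4,256.25, $13,375 and $16,478), a total of $35,036.75, a marginal rate of 28% and an effective rate of roughly 23.4%.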

Chapter B – Managerial Accounting

Exam Alert: Contribution Margin per unit = Sales price – Variable cost per unit = $30 – $26 = $4

Breakeven Point (units) = Fixed Cost / Contribution Margin per unit = $180,000 / $4 = 45,000 units

Example: A company makes a product that sells for $30. During the coming year, fixed costs are expected
to be $180,000, and variable costs are estimated at $26 per unit. How many units must the company sell
in order to break even? Answer: 45,000 units, computed as above.

Topic 8 – Transfer Pricing

• A transfer price is the price charged by one segment of an organization for a product or service
supplied to another segment of the same organization. The three basic criteria that the transfer
pricing system in a decentralized company should satisfy are to (1) provide information allowing
central management to evaluate divisions with respect to total company profit and each division’s
contribution to profit, (2) stimulate each manager’s efficiency without losing each division’s
autonomy, and (3) motivate each divisional manager to achieve his/her own profit goal in a manner
contributing to the company’s success.

Sample Question: One department of an organization, Final Assembly, is purchasing subcomponents from
another department, Materials Fabrication. The price that Materials Fabrication will charge Final Assembly
is to be determined. Outside market prices for the subcomponents are available. Which of the following is
the most correct statement regarding a market-based transfer price?

Answer: Overall long-term competitiveness is enhanced with a market-based transfer price.

Correct. Market-based transfer prices provide market discipline. Inefficient internal suppliers will tend to
wither while efficient ones prosper, enhancing the overall long-term competitiveness of the firm.

Sample Question: A limitation of transfer prices based on actual cost is that they

A. Charge inefficiencies to the department that is transferring the goods.
B. Can lead to suboptimal decisions for the company as a whole.
C. Must be adjusted by some markup.
D. Lack clarity and administrative convenience.

Answer (B) is correct. The optimal transfer price of a selling division should be set at a point that will have
the most desirable economic effect on the firm as a whole while at the same time continuing to motivate
the management of every division to perform efficiently. Setting the transfer price based on actual costs
rather than standard costs would give the selling division little incentive to control costs.

Section VIII – Global Business Environment

• Exam Alert: What strategy should a company adopt first to enter into an international market? There
are many ways to enter the global marketplace, but first organizations need to look at requirements
(key success indicators) such as:
- Is global strategy a part of the organization’s overall competitive strategy?
- Is there general global market awareness?
- Is the timing right for expansion?
- Have factors that favor entry for the organization and industry been identified?
- Has the best way to penetrate foreign markets been identified?

• Exam Alert: Porter’s Framework - Porter's five forces analysis is a framework that attempts to
analyze the level of competition within an industry and business strategy development. It draws
upon industrial organization (IO) economics to derive five forces that determine the competitive
intensity and therefore attractiveness of an Industry. Attractiveness in this context refers to the
overall industry profitability. An "unattractive" industry is one in which the combination of these five
forces acts to drive down overall profitability. A very unattractive industry would be one approaching
"pure competition", in which available profits for all firms are driven to normal profit. This analysis is
associated with its principal innovator Michael E. Porter of Harvard University.

• Porter's five forces include – three forces from 'horizontal' competition: the threat of substitute
products or services, the threat of established rivals, and the threat of new entrants; and two forces
from 'vertical' competition: the bargaining power of suppliers and the bargaining power of
customers.
• Geocentric vs. Ethnocentric (GREP)

1. Which type of organization uses a very high degree of local decision-making, evaluation,
and control?

a. Polycentric

Correct. A polycentric attitude leads to a loose confederation of comparatively independent
subsidiaries, rather than to a highly integrated structure. It uses a high degree of local decision
making, evaluation, and control.

b. Geocentric

Incorrect. A geocentric attitude is necessary in today’s competitive global marketplace.
Geocentric companies are truly world-oriented and favor no specific country. Both local and
worldwide objectives are balanced in all aspects of operations.

c. Ethnocentric (Understand this term as it will come up on exam).

Incorrect. Ethnocentric companies place emphasis on their home countries. An ethnocentric
attitude assumes that the home country’s personnel and ways of doing things are best. Authority
and decision making are centered in headquarters.

d. Polychromic

Incorrect. The term “polychromic” has no meaning here.

1. An Ethnocentric company has all of the following attributes except:

A. It uses a high degree of local decision making, evaluation, and control. (False)

B. Places emphasis on its home country. (True)

C. Assumes that the home country’s personnel and ways of doing things are best. (True)

D. Authority and decision making are centered in headquarters. (True)

• Exam Alert: Inflation is defined as a sustained increase in the general level of prices for
goods and services in a country, and is measured as an annual percentage change. Under
conditions of inflation, the prices of things rise over time. Put differently, as inflation rises,
every dollar you own buys a smaller percentage of a good or service. Inflation occurs when prices
rise or, equivalently, when the value of money falls.

• The value of a dollar (or any unit of money) is expressed in terms of its purchasing power,
which is the amount of real, tangible goods or actual services that money can buy at a
moment in time. When inflation goes up, there is a decline in the purchasing power of
money. For example, if the inflation rate is 2% annually, then theoretically a $1 pack of gum
will cost $1.02 in a year. After inflation, your dollar does not go as far as it did in the past.
This is why a pack of gum cost just $0.05 in the 1940s – the price has risen, or from a different
perspective, the value of the dollar has declined. In recent years, most developed countries
have attempted to sustain an inflation rate of 2-3% by using monetary policy tools put to
use by central banks. This general form of monetary policy is known as inflation targeting.

Required Supplemental Reading for Part 3 (All are located in the Dropbox)

https://www.dropbox.com/sh/4m5mti6376rhisp/AAD6oh9-dzMA9KMKu8jhwYFTa?dl=0

• Practice Guide Assessing the Adequacy of Risk Management Using ISO 31000
• Practice Guide Evaluating Corporate Social Responsibility/Sustainable Development
• Practice Guide Business Continuity Management (BCM)
• GTAG Information Technology Risk and Controls

Student Input

Input from student Jane M:

Yes, much of your list was indeed on the exam:

• CSR – At least 4 questions covered CSR (risks CSR aims to address, stakeholders, elements of triple
bottom line)
• Risk management frameworks and objectives
• EOQ
• Characteristics of business and industry life cycles
• Forecasting methods
• Principled negotiation skills
• EDI – At least 2 questions specifically on EDI risks and controls
• Firewalls
• Protocol
• Databases
• Change management
• Contribution margin & break-even point

Additional topics that appeared several times throughout the exam:

• Examples of risk avoidance strategies
• Groups & group effectiveness
• Quality management
• Transfer pricing models

IT questions were framed just as you discussed: they were primarily presented in terms of risks and
related controls. Specific IT topics:

• Phases of the SDLC
• End-user computing
• Unlicensed software
• Object-oriented programming (pros and cons)
• IT governance vs. IT management


Financial accounting questions were also based more on underlying concepts/theory as opposed to
specific computations, as you expected. There was only 1 ratio computation to determine sales given
total asset turnover, debt to assets, and total liability.

Hope this helps! Thank you again! Jane

Input from Ana N:

Lyndon, I passed the part 3 exam and I am finally done with all exams for the certification. Just for your
info here are some of the questions/topics on the exam:

• Surprisingly there were about 3 questions on Corporate and Social Responsibility
• Ethics questions - 1-2
• Environment ISO standard - 1
• Definition of Internet Protocol
• COSO framework - 2-3 questions related to components of the framework
• COBIT - 2-3 questions related to components of the framework
• 3 questions on ISO 31000 - definition/purpose of standard, components
• 2 questions on Inventory, COGS, and Net Profit relationship
• Liquidity ratios question
• 2-3 questions on determining the strategy based on case description (i.e. select from polycentric,
global, local, ethnocentric, etc.) GREP
• Change controls - a few questions
• BC processes and components per process
• Application and software controls
• EDI controls
• Ecommerce controls
• Understanding of each stage of company maturity (EGMD)
• Understanding of departmentalization and how it can be done (by product, geography, etc.)
• Communication - surprisingly around 4-5 questions: understanding of various stakeholders,
decoding, proper communication channels
• There was only one question for which I used the calculator, and I did not have many questions
on finance which was surprising, nothing on LIFO, FIFO, weighted average but retail vs. cost
inventory costing instead.
• 1 question about styles for conflict management i.e. avoiding, collaborating
• Understanding of Bond components (i.e. maturity date, principal fair value)

This is a high level of what I can recall but if you have specific questions please let me know. Here is my
studying strategy:

• pre study quiz
• read through the red book before each class with you (for most of the classes but had to do some
catching up in the end)
• read through the slides twice (after each class and later after all of the quizzes) and completed a
quiz after each of the 8 sections
• read through the red book for the sections emphasized in your presentation

• read the flashcards (I didn’t do flashcards on my own) - this method doesn’t work for my learning
style and I found it the least beneficial
• post study quiz and CIA practice exam. Note: I don’t think the CIA practice exam is a good reflection
of how much you know because it’s comprised of questions already seen from the quizzes and
post study exam; therefore I took practice exams from Gleim (40Q), Fast Forward Academy (100
Q) and Wiley (100Q). Each of them allows you free access to just a certain amount of questions but
it’s a good additional practice. The free access is just for a limited amount of time.
• I read through the red book twice - before I started taking your classes and during the classes.

Note: I found your classes extremely valuable as they provided me the structure I needed to do readings
and quizzes in a planned and disciplined manner. Also the clarifications and practical application you
provided was very helpful to put the concepts into perspective.

Thank you again! Please let me know when you visit San Francisco. I would love to catch up over coffee
or lunch and thank you in person.

Best regards and happy holidays!!

From: Lyndon S. Remias
To: Newman, A
Subject: Re: I PASSED!!! THANK YOU!!!

Congratulations! I know you were very determined and worked very hard. I am very happy for you.

Thank you for "paying it forward". Your detailed insight will help future students.

A few questions on some of your input:

1. Definition of Internet protocol. Can you expand a little on that? I want to make sure I
understand what they were asking.
Sure. They were just asking for the definition of IP such as: The Internet Protocol (IP) is the
method or protocol by which data is sent from one computer to another on the Internet. I just
googled the definition but it was something similar to this.

2. BC? Business Continuity, understanding of what is being done in the planning, Business impact
analysis and other components of the overall BC process. The question was specifically around
when in the BC process do you determine which processes are critical enough to be included in
a business continuity plan. Understand in which stage of BC process and criticality being
determined per process.

3. Any questions from the Accounting Section related to the accounting cycle, debits / credits,
balance sheet, income statement or stockholders equity? It's a long section so I want to see
what if any I need to adjust?

Now that you mentioned it I recall a question around components under procurement, sales,
cash, production cycles. They listed a few items and you are supposed to select the cycle. There
were a few questions asking for the impact on net income and impact on COGS if final inventory
increased (decreased in the other question). Other than these questions and the ones I initially
mentioned I don’t recall anything else but if I think of it I’ll let you know.

4. What about from managerial accounting? The budget etc.?

Yes! There was a question on the operating budget – what it includes. Also there was another
question asking which budget contains CAPEX (capital expenditures) and Sales.

• Another question I just recalled is around Database and whether or not it is located in between the
application or the software, something along those lines, I don’t remember exactly. There was
another question on database controls and who has access to manipulate the data.
• There was a question on the systems development life cycle analysis (feasibility) stage -
something along the lines of: in which stage do we make a decision if it makes sense financially
to develop internally or buy software?

5. Besides retail / cost inventory anything you saw that I did not cover?
Yes, I think so; there were only a few questions I flagged because I was not familiar with the topic
but I could not go back to them as I finished the exam 1 min before the time was up. I can’t
remember now but will let you know once I think of it.

The question on bonds was around board approval of bond components when a bond is issued
i.e. which components are approved by the board i.e. maturity/duration, principal, coupon, etc.
it might be helpful if you briefly cover this piece in the classes.

6. What was the topic for the hardest question that you saw?
IT system infrastructure and application. My background is in finance and banking so this area is
not one of my strengths.

Also there was a question of which one of the 4 options provided represents a component of
business continuity. The response (I believe) was around having a backup facility for data
recovery while the other options were just regular controls.

7. The question where you had to use your calculator what was the topic?
They give you D/A ratio, debt, Asset turnover, and you need to calculate the Sales.

Also there was a question of what 0 correlation shows and another question of which method is
appropriate for a particular scenario and the choice is among scenario analysis, Delphi method,
Courtney method (I think this is made up) and a 4th option. I don’t recall what was the exact
question (I think it’s when entering an emerging market to figure out success levels of different
strategies).

Please let me know if you have other specific questions as they help me recall the exam questions. If I
think of anything else that I have not included I’ll let you know.
