Note: This is additional information to augment what is covered in the Red IIA workbook.
These are high-level points that should be useful in helping you to comprehend the topics
covered. Be sure to create your own “cheat sheets”.
• An organization should set the tone at the top for honesty and integrity and reinforce that every
manager, director, and employee needs to maintain these values.
• A corporation’s governance mechanism is established by a firm’s bylaws, which are a set of
internal rules or policies. Bylaws describe the powers of the corporation and the duties and
responsibilities of the board of directors and officers, and how to treat stockholders.
• For a corporation to be legitimate, its governance principles must correspond to the will of the
general public. Therefore, a corporation must be managed on the principles of corporate
governance defining the roles of shareholders, directors, and officers/managers in corporate
decision making and accountability.
- Example 1 of Corporate Governance problem: Separation of ownership from control. This is
the major issue embedded in the structure of modern corporations that has contributed to
the corporate governance problem. Stockholders are owners, and the board of directors,
officers, and managers control the corporation on a day-to-day basis. This means no one
shareholder or group of shareholders owns enough shares to exercise control; so
shareholders perceive themselves to be investors rather than owners.
- Example 2 of Corporate Governance problem: Self-interest. Agency problems develop when
the interests of the shareholders are not aligned with the interests of the manager, and the
manager (who is simply a hired agent with the responsibility of representing the owner’s
(principal’s) best interest) begins to pursue self-interest instead.
• The internal audit activity is responsible for assessing and making recommendations for improving
governance processes in the accomplishment of various organizational objectives. However, it is
the role of management to ensure the timely implementation of the audit recommendations. The
internal audit activity is responsible for the development of a timely procedure to monitor the
disposition of the audit recommendations. The internal audit activity works with senior
management and the audit committee to ensure that audit recommendations receive
appropriate attention.
• CIA Learning System Quick Quiz: The board is the focal point for all governance activities and
establishes the "tone at the top." The board is also responsible for implementing best governance
practices and providing oversight of organizational activities.
• Tone Board, Values Management
Part 3 Cheat Sheet All Sections – Updated October 2017
Developed and Provided courtesy of Lyndon S. Remias
Part 3 – Remias Cheat Sheet
Summary of Key points to remember for the exam
• The board of directors is responsible for establishing and maintaining the organization's
governance processes and obtaining assurances concerning the effectiveness of the risk
management and control processes.
• Corporate values are not typically assessed during routine risk and control evaluations. Instead,
self-assessment methods and appropriate audit programs are generally used to measure the
comprehension and preservation of corporate values.
• Operating management is responsible for risk management, executive management is
responsible for oversight, and internal auditors serve in the capacity of oversight and advisory
roles.
• Abusive acts can be legal but unethical. Abuse occurs when the conduct of an activity or function
falls short of expectations for prudent behavior. Abuse is distinguished from noncompliance in
that abusive conditions may not directly violate laws or regulations. Abusive activities may be
within the letter of the laws and regulations but violate their spirit or the more general standards
of impartial behavior, and more specifically ethical behavior. This is why abusive acts can
be legal but unethical.
For example: Marketing tactics can walk a fine line between persuasion and manipulation, and
this is another area where subjective ethics come into play heavily. Some marketing tactics can
take advantage of uneducated segments of the population, which can be perfectly legal while
being scorned throughout the marketplace. For example, before the Credit Card Act of 2009,
banks could lure teens into opening credit accounts with promises of financial freedom, regardless
of the teens' ability to repay the high-interest debts.
• The International Finance Corporation’s Environmental, Health, and Safety (IFC’s EHS) Guidelines
specify operational practices in different areas, including environment, occupational and
community health and safety, and sustainable materials use. Sustainable materials policies reflect
the entire lifecycle of purchased materials, from procurement through disposal or
decommissioning (e.g., recycling, handling of hazardous waste). When an organization adopts the
guidelines, it pledges to implement whichever is stricter—the guidelines or the host country’s
laws and regulations.
• A framework is simply a set of guidelines to help organizations meet organizational objectives.
CIA Learning System Quick Quiz: A realistic outcome of a privacy framework evaluation is
assurance of compliance with specific laws and/or standards.
What is CSR?
Social responsibility is defined as a business's intention, beyond its legal and economic obligations,
to do the right things and act in ways that are good for society. A socially responsible organization
does what is right.
Generally, CSR is understood to be the way firms integrate social, environmental, and economic
concerns into their values, culture, decision making, strategy and operations in a transparent and
accountable manner and thereby establish better practices within the firm, create wealth, and
improve society.
Corporate social responsibility (CSR, also called corporate conscience, corporate citizenship or
responsible business) is a form of corporate self-regulation integrated into a business model. CSR
policy functions as a self-regulatory mechanism whereby a business monitors and ensures its
active compliance with the spirit of the law, ethical standards and national or international norms.
It is a philosophy that must be championed from the top down. Thorough change management
is needed to ensure that these objectives are reinforced and brought into the culture and
incentive structures of the organization.
Note: Know the difference between Corporate Social Responsibility (not required but good
practice) and Corporate Social Obligation (required by law).
For companies to be sustainable in this day and age they must not only look to the bottom line
but the “Triple Bottom Line” of Economic Prosperity, Environmental Stewardship and Social
Responsibility.
Exam Answer: Not having a CSR policy and program exposes the organization to significant risks
that the board is responsible for controlling. These risks could include but are not restricted to
penalties for noncompliance with laws and regulations. Non-sustainable actions could also
damage the organization’s reputation and its ability to attract investors, employees, and
customers. It can also make the organization liable for damages, possibly including liability for
the actions of suppliers.
Mere adoption of a CSR framework is not sufficient; an organization’s processes must be
integrated into the framework. Results should be reported both within and outside the
organization to meet the needs of various stakeholders, including regulatory groups. Internal
audit may be involved in auditing the organization’s CSR programs, as long as internal auditing
was not involved in creating the programs.
Internal Auditors should review the CSR Policy and Program to ensure it is operating effectively.
1. Environmental efforts: One primary focus of corporate social responsibility is the environment.
Businesses regardless of size have a large carbon footprint. Any steps they can take to reduce
those footprints are considered both good for the company and society as a whole.
2. Philanthropy: Businesses also practice social responsibility by donating to national and local
charities. Businesses have a lot of resources that can benefit charities and local community
programs.
3. Ethical labor practices: By treating employees fairly and ethically, companies can also
demonstrate their corporate social responsibility. This is especially true of businesses that operate
in international locations with labor laws that differ from those in the United States.
4. Volunteering: Attending volunteer events says a lot about a company's sincerity. By doing good
deeds without expecting anything in return, companies are able to express their concern for specific
issues and support for certain organizations.
Additional Guidance:
Quality Glossary Definition: ISO 26000
ISO 26000 is the international standard developed to help organizations effectively assess and
address those social responsibilities that are relevant and significant to their mission and vision;
operations and processes; customers, employees, communities, and other stakeholders; and
environmental impact.
• The seven key underlying principles of social responsibility: accountability, transparency, ethical
behavior, respect for stakeholder interests, respect for the rule of law, respect for international
norms of behavior, and respect for human rights
• Recognizing social responsibility and engaging stakeholders
• The seven core subjects and issues pertaining to social responsibility: organizational governance,
human rights, labor practices, the environment, fair operating practices, consumer issues, and
community involvement and development
• Ways to integrate socially responsible behavior into the organization
In addition to providing definitions and information to help organizations understand and address
social responsibility, the standard emphasizes the importance of results and improvements in
performance on social responsibility.
1. Which of the following refers to the corporate behavior in response to market forces or legal
constraints?
a. Social obligation
Correct. Sethi (S. Prakash Sethi, “Dimensions of Corporate Social Performance: An Analytical
Framework,” California Management Review (Spring 1975): 58-64) proposes a three-stage schema
for classifying corporate behavior in responding to social or societal needs: social obligation, social
responsibility, and social responsiveness. Social obligation is corporate behavior in response to
market forces or legal constraints. Obligation (required by law) vs. Responsibility (right thing to do)
b. Social responsibility - Incorrect. See correct answer (a).
c. Social responsiveness - Incorrect. See correct answer (a).
d. Social attitude - Incorrect. See correct answer (a).
Social obligation occurs when a firm engages in social actions because of its obligation to meet its
economic and legal responsibilities. The organization does only what it is obligated to do and
nothing more. This idea reflects the classical view of social responsibility that says that
management's only social responsibility is to maximize profits.
In contrast to social obligation, however, both social responsiveness and social responsibility reflect
the socioeconomic view. According to this view a manager's social responsibilities go beyond making
profits to include protecting and improving society's welfare. This view is based on the belief that
corporations are not independent entities responsible only to stockholders, but have an obligation to
the larger society.
Social responsiveness occurs when a company engages in social actions in response to some popular
social need. Managers are guided by social norms and values and make practical, market-oriented
decisions about their actions. A socially responsible organization views things differently. It goes
beyond what it is obligated to do or chooses to do because of some popular social need and does
what it can to help improve society because it is the right thing to do.
2. Which type of social responsibility embraces those activities and practices that are expected or
prohibited by societal members even though they are not codified into law?
a. Ethical responsibilities
Correct. Because laws are important but not adequate, ethical responsibilities embrace
those activities and practices that are expected or prohibited by societal members even
though they are not codified into law. Ethical responsibilities embody the full scope of
norms, standards, and expectations that reflect a belief of what consumers, employees,
shareholders, and the community regard as fair, just, and in keeping with the respect for
or protection of stakeholders’ moral rights. Philanthropic responsibilities include donating
money and property to social programs (Archie B. Carroll, “The Four Faces of Corporate
Citizenship,” Business and Society Review 100-101 (1998): 1-7).
b. Legal responsibilities
Incorrect. See correct answer (a).
c. Philanthropic responsibilities
Incorrect. See correct answer (a).
d. Economic responsibilities
Incorrect. See correct answer (a).
3. A chief audit executive advises the board during a meeting to create a corporate social responsibility
(CSR) policy and begin planning a CSR program. The board resists the suggestion, saying that this is
not really their role and that the organization cannot fulfill its obligations to its shareholders and to
society and the environment at the same time. How could the CAE best respond?
a. Creation of a policy and program may be delayed now but should be considered in the
future.
b. Implementing a CSR policy should not require significant investment of time or money.
c. Not having a CSR policy could pose significant risks to the organization.
d. Having a CSR policy is a matter of compliance.
Not having a CSR policy and program exposes the organization to significant risks that the board is
responsible for controlling. These risks could include but are not restricted to penalties for noncompliance
with laws and regulations. Nonsustainable actions could also damage the organization’s reputation and
its ability to attract investors, employees, and customers. It can also make the organization liable for
damages, possibly including liability for the actions of suppliers.
Question: What does auditing by element mean? The term Auditing by Element is commonly referred
to in the Practice Guide of CSR Appendix A "Auditing by Element". With this audit approach consider
how compliance with laws, regulations, and contractual obligations is managed for all elements.
So basically if you audit by element that means auditing by all of the various elements (components) of
the CSR program. So just substitute Element for the word Component. Auditing by each respective CSR
Component.
1. Governance - Do the board and management report reliable financial and nonfinancial
information to stakeholders?
2. Ethics - Is there a reporting system for stakeholders to report concerns or allegations of ethics
violations?
3. Environment - Are green or socially responsible procurement processes in place? How are they
monitored?
4. Transparency - Are CSR related policies available to the public (e.g., on the Web site)?
5. Health, Safety, and Security - Are health and safety management programs included in
procurement processes? How are they monitored?
6. Human Rights and Work Conditions - Does compensation consider fair pay, living wages, and job
opportunities?
7. Community Investment - Does the organization encourage volunteerism? What programs are in
place?
Even if a question regarding Auditing by Element comes up in another area outside of CSR it basically
means the same thing as auditing a component of an area.
Part 3 - An auditor is conducting a Corporate Social Responsibility (CSR) audit and will be Auditing by
Element. With this audit approach the auditor will consider how compliance with laws, regulations, and
contractual obligations is managed for which of the following areas:
I. Governance
II. Customers
III. Environment
IV. Community Investment
A. I and II
B. III and IV
C. I, III, and IV
D. I, II, III and IV
• Risk management is a process to identify, assess, manage, and control potential events or situations, to provide
reasonable assurance regarding the achievement of the organization’s objectives.
• A Risk Management Framework helps a business meet objectives (financial, operational, and
compliance)
• Organizations measure risk in terms of impact and likelihood
• Know the difference between risk appetite (the amount of risk, on a broad level, an organization is
willing to accept in pursuit of stakeholder value) vs. risk tolerance (the specific maximum risk that an
organization is willing to take regarding each relevant risk, can be more quantifiable and measurable).
• Risk appetite is represented by a range. When risk levels fall outside that range, performance is
suboptimal.
• The chief audit executive (CAE) should incorporate information from a variety of sources into the risk
assessment process, including discussions with the board, management, and external auditors; review
of regulations; and analysis of financial/operating data.
• Risk assessment is a systematic process of assessing and integrating professional judgments about
probable adverse conditions and/or events, providing a means of organizing an internal audit
schedule.
• As a result of an audit or preliminary survey, the chief audit executive (CAE) may revise the level of
assessed risk of an auditable entity at any time, making appropriate adjustments to the work schedule.
• Risk assessment does not necessarily involve the assignment of dollar values and is not intended to
identify the audit area with the greatest dollar savings.
• Acceptable risk is the level of residual risk that has been determined to be a reasonable level of
potential loss or disruption for a specific computer system (see Holy Grail).
Answer (C) is correct. Risk management is “a process to identify, assess, manage, and control potential
events or situations to provide reasonable assurance regarding the achievement of the organization’s
objectives” (The IIA Glossary). Accordingly, the internal audit activity evaluates and contributes to the
improvement of risk management, governance, and control processes using a systematic and
disciplined approach.
A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.
Answer (B) is correct. The Committee of Sponsoring Organizations of the Treadway Commission
published Enterprise Risk Management – Integrated Framework. This document describes a model
that incorporates the earlier COSO internal control framework while extending it to the broader
area of enterprise risk management.
• The risk assessment map looks at each type of fraud and determines how likely the fraud is to occur
and how significant it would be if it did occur. Any fraud that has a high probability and high
significance of material effect must be addressed with processes and procedures that prevent this
type of fraud.
• Unless complex risk quantification is merited (e.g., derivatives), it's best to keep the quantification
and prioritization of risks simple.
• In conducting a cultural diversity audit internal audit should:
a. Strategic risks include political risk, regulatory risk, reputation risk, leadership risk, and
market brand risk.
b. Operational risks include an organization’s systems, technology, and people.
c. Financial risks include risks from volatility in foreign currencies, interest rates, and
commodities. They also include credit risk, liquidity risk, and market risk.
d. Hazard risks include natural disasters, impairment of physical assets, and terrorism.
• It is important to emphasize that the uncertainties could have a potential upside or downside so that
the scope of ERM encompasses the more traditional view of potential hazards as well as
opportunities.
• Risk is pervasive throughout an organization as it can arise from any business function or process at
any time without warning. Because of this widespread exposure, no single functional department
management, other than the board of directors, can oversee the enterprise-wide risk management
program.
• Exam Alert: Understand how to respond to risk (risk response):
1. Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks.
Regarding the risks associated with issuing checks, which of the following risk management
techniques does this represent?
A. Controlling.
B. Accepting.
C. Transferring.
D. Avoiding.
Answer (D) is correct. Risk responses may include avoidance, acceptance, sharing, and reduction.
By eliminating checks, the organization avoids all risk associated with them.
2. When a customer fails to pay his/her invoice within 2 months, a notification is sent to inform the
credit manager of the situation. This is an example of which kind of event identification method?
A. Internal analysis.
B. Threshold triggers.
C. Process flow analysis.
D. Loss event data methodologies.
Answer (B) is correct. A predetermined risk response may be made when a certain event occurs,
such as when cash is below a given level or a customer has not paid an invoice within a certain
period of time.
environmental context. As the organization’s risk management activities become more mature the
framework can likewise be augmented.
• Exam Alert: There are two approaches to risk management which are widely practiced: top down
(start with objectives, risk and then controls over the process) and bottom up (start with the process,
then controls, risk, and objectives).
• Exam Alert: Understand the bottom-up approach. It is a philosophy that an organization needs to identify
risk at the following levels: Process Level - Project/Department Level - Vertical/Functional Level - Business
Unit Level - Organization Level. A bottom-up approach could completely consume all resources and take
all your time, but it would represent the most precise picture of the risk and could be completely
quantified. However, it is not widely used.
• ISO 31000 is based on the Plan, Do, Check, and Act method:
Required Reading – IPPF Practice Guide “Assessing the Adequacy of Risk Management Using ISO 31000”
(Issued December 2010). This document can be downloaded from the IIA website.
• Exam Alert: Understand the pros and cons of Centralized vs. Decentralized vs. Matrix
• A centralized configuration has several levels of authority, a long chain of command, and a narrow
span of control. All of these characteristics support management consistency and may discourage
innovation and employee involvement and empowerment.
• Centralized configuration: Increased uniformity in decisions is an advantage of centralization. In a
centralized structure, most communication is vertical, up and down a hierarchical chain of command.
This impedes communication and awareness across functional lines, which can be an obstacle for
ERM.
• Span of control is the term now used more commonly in business management, particularly human
resource management. Span of control refers to the number of subordinates a supervisor has.
• A matrix organizational structure allows authority to flow both vertically and horizontally. A matrix
can work regardless of whether the product life cycle is long or short.
• Exam Alert: In a matrix organization, project managers may "borrow" specialists from line managers,
so employees may report to multiple managers. Thus a matrix organization can be confusing to
employees who report to multiple bosses.
• Which structure has dual reporting methodology?
A) Product
B) Territorial
C) Matrix
D) Functional
• Decentralized - In order to remain competitive and adaptable many organizations adopt a flatter
organizational structure.
• A "flat" organization structure is one with relatively few levels of hierarchy, characterized by wide
spans of management.
• For a flat structure to be successful, employees must be able to work unsupervised most of the time
because the manager, having many employees, has little time for each one.
• Conventional distribution systems consist of one or more independent producers, wholesalers, and
retailers, each of which is a separate profit-maximizing business. The profit objective of each
independent channel member may result in actions that are not profit-maximizing for the system as
a whole, and the conventional distribution system offers no means for controlling channel conflict.
• The vertical and lateral approaches are the most widely used supply chain management approaches
globally.
• The operating cycle shows the intended result of operations, from purchase of resources and/or
materials, through production, sales, and collection cycles. The cycle is also known as the cash-to-cash
cycle, since it shows how cash disbursed is converted back into cash received.
• The EOQ decision model calculates the optimum quantity of inventory to order by incorporating only
the ordering costs and carrying costs into the model. These costs behave opposite each other.
Purchase costs, quality costs, and stockout costs are not incorporated into the EOQ model.
• Computer-integrated manufacturing (CIM) involves a manufacturing system that completely integrates
all factory and office functions within an organization throughout the life cycle of a product or service.
CIM can help an organization reduce costs of spoilage and scrap, increase productivity, improve
quality, and increase its overall responsiveness to customers.
• Poor quality materials cause major problems in a JIT system because it retains no safety stock to use
for replacing defective materials. Substandard materials cause major production disruptions in JIT
systems and defeat its benefits, which include lowering cost and lead time while increasing product
quality.
• Inventory shipping and handling costs are classified as ordering costs, not as carrying costs. Property
tax, insurance, and depreciation and obsolescence are all classified as inventory carrying costs.
Chapter E – Electronic Funds Transfer (EFT) / Electronic Data Interchange (EDI) / E-commerce
• Successful EDI implementation begins with mapping the work processes and flows that support the
organization's goals.
• Transmission of EDI transactions to trading partners may sometimes fail.
• Internal auditors should look for network security controls, user identification systems, privacy and
confidentiality controls, a list of all e-commerce applications within the enterprise, maintenance
activities to ensure continued operation, failure detection and automated repair features, application
change management controls, and business continuity plans.
• Unauthorized access is a risk which is higher in an EFT environment.
Answer (A) is incorrect because poor product quality is evident during the introduction stage of the
product life cycle.
Answer (B) is correct. In the growth stage, sales and profits increase rapidly, cost per customer decreases,
customers are early adopters, new competitors enter an expanding market, new product models and
features are introduced, and promotion spending declines or remains stable. The firm enters new market
segments and distribution channels and attempts to build brand loyalty and achieve the maximum share
of the market. Thus, prices are set to penetrate the market, distribution channels are extended, and the
mass market is targeted through advertising. The strategy is to advance by these means and by achieving
economies of productive scale.
Answer (C) is incorrect because competitors are most numerous and products become less differentiated
during the maturity stage of the product life cycle. In this stage, imitators have entered the market and
competitors have learned which technologies and features are successful.
Answer (D) is incorrect because the quality of the products becomes more variable and products are less
differentiated.
Section IV – Communication
Chapter A: Communication
• The term for barriers in the sender-to-receiver and receiver-to-sender message processes is
communication noise. Communication noise can happen anywhere along the communications
spectrum. Both senders and receivers need to be careful about the intent of the message, the
medium, and the interpretation.
• Communication channel richness refers to the amount of information that can be transmitted during
a communication episode.
• Face-to-face discussion is the richest medium because it permits direct experience, multiple
information cues, immediate feedback, and personal focus. Impersonal written media, including
flyers, bulletins, and standard computer reports, are the lowest in richness. These channels are not
focused on a single receiver, use limited information cues, and do not permit feedback.
• Decoding is how the receiver of a message interprets that message. Interpretations can vary widely
given cultural backgrounds.
• Nonverbal communication is often imprecise. It is influenced heavily by culture and can sometimes
convey more information than verbal communication.
• Deductive reasoning (top down) is the process of reasoning from general principles (hypothesis) to
particular examples. Example: Those who take a CIA Exam Review Course will pass the CIA Exam. We noted
that of the 10 students who took the exam, the five who took the review course passed.
• Inductive reasoning (bottom up) is the process of reasoning from detailed facts to a general principle. It is
the most common method used by scientists: draw a conclusion from evidence (facts). Example: Jane and
Wayne passed the CIA Exam. Jane and Wayne were in Lyndon’s CIA Exam review course. Therefore, those who
take Lyndon’s CIA Exam review course will pass the CIA Exam.
• In both organizations and cultures the distribution of organizational power can interfere with
communication. The person who perceives himself or herself as having little power or authority will
be less likely to initiate discussion, even of important topics.
• Information overload (I) and misrepresentation of feelings and emotions (II) are considered
drawbacks of electronic communication. Information overload, such as numerous electronic mail
messages, may lead to lost time and inefficiencies and is considered a drawback of electronic
communication. Reduced transmission time (III) is considered a positive result of electronic
communication, and electronic communication generally results in an adequate paper trail (such as
saved "sent mail").
• Listen with empathy and intensity. Listening with empathy to the speaker's ideas allows for objective,
not judgmental, listening. Empathy puts the listener in the speaker's shoes, so the listener
understands what the speaker wants to communicate rather than what the listener wants to
understand. A listener must concentrate intensely to avoid being distracted.
• Exam alert: Open (descriptive response) vs. Closed (One word response)
• Selective perception is the process of selecting some information and filtering out other information
as it is received based on an individual's needs, interests, values, opinions, and past experiences.
• The audit charter and annual plan must be aligned with the organization’s strategic objectives and
risk appetite. If not, the annual plan, even if approved, will not meet the board’s and senior
management’s expectations. This will lead to conflict between internal audit activities and
board/senior management’s expectations and risk appetite.
• For internal audit to add value to an organization, it must go beyond assessing present controls
towards identifying root causes of problems and recommending solutions and changes. This will
require support from the board and senior management in the form of example, resources, and
direction. To add value, internal audit must have organizational knowledge and relationships. A new
CAE would be less likely to have sufficient organizational and industry knowledge.
• When handling related parties, the most difficult type of transaction is one involving a close family
member who is a major shareholder. Transactions involving major shareholders (e.g., close family
and relations), either directly or indirectly, are potentially the most difficult type of transactions.
• The ultimate goal of shareholder and investor communications is honesty. Honesty from
management is the ultimate goal of shareholder and investor communications, although the
communication should provide consistency, clarity, candor, and effectiveness.
• A golden parachute is a contract in which a corporation agrees to make payments to key management
and senior officers in the event of a change in the control of the corporation. Shareholders do not
initiate golden parachutes; management does.
• Industry Life Cycle Four Stages (I, G, M, D) – Introduction, Growth, Maturity and Decline
• During the maturity stage, competition is at its greatest, and costs are at their lowest; thus, prices
would be at their lowest.
• Different strategies are used to manage in each type of industry. Organizations must recognize when
an industry is shifting in some way.
• Franchising and horizontal mergers are commonly used to gain market share in a fragmented industry.
• Growth strategy - An organization may decide to enter a new business in the same or a different
industry when the benefits outweigh entry costs and other legal and administrative barriers.
• Quantitative research is based on numbers and mathematical calculations (aka quantitative data),
qualitative research is based on written or spoken narratives (or qualitative data).
• Wider span of control at the top means fewer managers. Conversely, a narrower span of control
means more managers.
• Span of control affects delegation, employee participation, and employee learning.
• Understand Environmental Factors Impacting the motivation of employees such as organizational
structure and culture, relationships with managers and supervisors, job design, reward system, and
performance appraisal.
• Group types (structural, functional, task, informal) - A task group is charged with completion of a task,
and the group will disband once the task is complete. Informal groups also may have a task to
complete, but they may not be formally appointed. Structural and functional groups usually are
embedded in the organization's structure and are ongoing.
• CIA Exam Alert: Groups - Groupthink, which is undesirable, occurs when some group members go along with
what appears to be the group consensus rather than giving their honest input.
• Negotiation and Conflict Management skills help auditors build relationships and trust, understand
and handle adversarial communication, and effectively deliver reports and recommendations.
• Conflict should be viewed as a healthy way to facilitate growth in an organization.
• An avoidance strategy aims to resolve the conflict by ignoring it or imposing a solution. It is only
appropriate if the conflict is trivial or if quick action is needed to prevent the conflict from arising.
• Utilizing Principled Negotiation skills if an agreement is reachable, results should meet the needs of
both parties to the extent possible and should be fair, long lasting, and in the public good.
• With Added-Value Negotiation skills, the process usually takes less time because multiple offers are
presented at the beginning of the process.
• Gantt Chart (scheduling tool) - Divides a project into sequential activities with estimated start and
completion times. Internal audit scheduling is effectively accomplished with the use of a Gantt chart.
• Determining the most efficient path for reaching project goals can be done utilizing:
1. Critical path method (CPM) – Helps determine quickest path
2. Program Evaluation Review Technique (PERT)
• CPM and PERT identify and prioritize the tasks that must be completed on time for the whole project to
be completed on time.
• Exam Alert: Know the difference between a Gantt Chart and CPM.
Note: Most of the exam questions for this section are not actually IT questions but risk (events and
vulnerabilities) and control questions. The key is to dumb down the question and focus on the risk and
control. Testing is based on overall concepts of security, not in-depth IT.
Chapter A: Security
• Guidance relating to IT
- COSO ERM
• Risks
Malware is short for "malicious software." Malware is any kind of unwanted software that is installed
without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software
that are often grouped together and referred to as malware.
1. Which of the following types of malicious software (malware) uses social engineering tactics
to deceive e-mail receivers?
A. Trojan horses
B. Worms
C. Viruses
D. Root kits
• To mitigate the risks, controls should be implemented. Know some key terms as they relate to
internal controls:
- General Controls = The whole organization (body)
- Application Controls = a specific application (knee)
- Preventive Controls = Separation of duties
- Detective Controls = Reconciliation (back end reviewing, monitoring)
- Effective = Test
• To mitigate IT risk organizations should have IT controls in place. However, the cost of the
controls should be commensurate with the level of risk mitigation.
• Hardware Controls
1. Redundant character check
2. Equipment check
3. Duplicate process check
4. Echo check
5. Fault-tolerant components (allow a system to continue to work even when a fault exists, e.g., in a
nuclear power plant or subway)
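Two of the hardware controls listed above, the redundant character (parity) check and the echo check, as an added example that is not part of the cheat sheet: the byte stream, the line-noise simulation and the function names are constructed for illustration. The block shows what each check catches and where the parity check is blind (an even number of flipped bits in one byte).

```python
# Added example (not from the cheat sheet): a redundant character (parity) check
# and an echo check applied to a constructed byte stream, so that the detection
# and its limits can be seen.

from typing import List, Tuple


def parity_bit(byte: int) -> int:
    """Even-parity bit for an 8-bit value: 1 if the count of 1-bits is odd, else 0."""
    return bin(byte & 0xFF).count("1") % 2


def add_parity(data: bytes) -> List[Tuple[int, int]]:
    """Redundant character check: attach a parity bit to every byte before transmission."""
    return [(b, parity_bit(b)) for b in data]


def check_parity(frames: List[Tuple[int, int]]) -> List[int]:
    """Return the indexes of frames whose parity bit no longer matches the data byte."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def echo_check(sent: bytes, echoed: bytes) -> List[int]:
    """Echo check: the receiver returns the data and the sender compares byte by byte."""
    if len(sent) != len(echoed):
        # Bytes lost or inserted in transit: flag every position.
        return list(range(max(len(sent), len(echoed))))
    return [i for i, (s, e) in enumerate(zip(sent, echoed)) if s != e]


def flip_bits(byte: int, bit_positions: List[int]) -> int:
    """Simulate line noise by flipping the given bit positions of one byte."""
    for pos in bit_positions:
        byte ^= 1 << pos
    return byte & 0xFF


def demo() -> dict:
    payload = b"PAY 100"  # constructed sample record
    frames = add_parity(payload)

    # Single-bit error in byte 4: the parity bit no longer matches, so it is caught.
    one_bit = list(frames)
    one_bit[4] = (flip_bits(one_bit[4][0], [0]), one_bit[4][1])

    # Two-bit error in the same byte: the 1-bit count keeps its parity, so the check is silent.
    two_bit = list(frames)
    two_bit[4] = (flip_bits(two_bit[4][0], [0, 1]), two_bit[4][1])

    # The echo check compares the whole byte, so it still sees the two-bit corruption.
    echoed = bytes(b for b, _ in two_bit)

    return {
        "clean": check_parity(frames),
        "one_bit_parity": check_parity(one_bit),
        "two_bit_parity": check_parity(two_bit),
        "two_bit_echo": echo_check(payload, echoed),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are complementary: parity is cheap and needs no return path, the echo check costs a round trip but catches any corruption the sender can compare against, which is why a control set rather than a single check is the usual answer.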
Q4. To reduce security exposure when transmitting proprietary data over communication lines, a
company should use
A. asynchronous modems.
B. authentication techniques.
C. cryptographic devices.
D. call-back procedures
Q5. The best means of managing the confidentiality of satellite transmissions would be:
A. monitoring software.
B. access control.
C. encryption.
D. cyclic redundancy checks
• Exam Alert: Understand the definition of Change and Patch Management Controls – Change
management includes application code revisions, system upgrades, and infrastructure changes such
as changes to servers, routers, cabling, or firewalls.
• Change control manages changes in information system resources and procedures. It includes a
formal change request procedure; assessments of change requests on technical and business
grounds; scheduling changes; testing, installing, and monitoring changes; and reporting the status of
recorded changes. The analysts were reusing erroneous code that should have been but was not
corrected.
• Changes should be scrutinized, reviewed, approved and bundled.
8. Which of the following is the policy on change and patch management that most high-performing IT
organizations follow?
A. Have IT staff perform those patches that department heads feel are important.
B. Manually install every patch as soon as it is available.
C. Wait to install routine patches until enough are ready for simultaneous testing and installation.
D. Have patches automatically install as soon as they are released by the vendor.
• CIA Exam Alert: There was a question on the systems development life cycle analysis (feasibility)
stage - something along the lines of: in which stage do we make a decision if it makes sense
financially to develop internally or buy software?
• Many programmers are using Rapid Application Development (RAD) techniques to speed up the
SDLC. One approach that will be tested on the exam is the object-oriented approach. An
object-oriented approach is intended to produce reusable code. Because code segments can be reused
in other programs, the time and cost of writing software should be reduced.
Gleim Exam Question: Object technology is likely to become more important in companies’ strategic use
of information systems because of its potential to:
A. Permit quicker and more reliable development of systems.
B. Maintain programs written in procedural languages.
C. Minimize data integrity violations in hierarchical databases.
D. Streamline the traditional “waterfall” systems development methodology.
24. Users making database queries often need to combine several tables to get the information
they want. One approach to combining tables is known as
A. projecting.
B. joining.
C. pointing.
D. mail merge.
• Firewalls - Separates two networks and prevents passage of specific types of network traffic while
maintaining a connection between the networks. Generally, an Internet firewall is designed to
protect a system from unauthenticated logins from outside users, although it may provide several
other features as well.
• Intrusion testing – An intrusion test is a localized, time-constrained and authorized attempt to
breach the information security architecture of a system using attackers? Intrusion testing or
ethical hacking, unlike hacking, has a constructive intent: to improve the IS posture of a financial
institution.
- Localized: It requires a definition of scope.
- Time-constrained: It does not last forever, although it is said that attackers have infinite time
on their hands!
- Using attackers? It is neither a simulation nor a hypothetical attack scenario, but a carefully
executed authorized attack using the same tools and techniques attackers have at hand.
• Exam Alert: What translates HTTP and puts on screen for viewing? The Internet Protocol (IP) is
the method or protocol by which data is sent from one computer to another on the Internet.
• Five Functions of the IT Area:
• A VPN encrypts data and provides authentication, thus allowing remote connections to the protected
files of a corporation. Example: Remote employees operating over the Internet but wanting to
access the corporate intranet.
• Business Continuity Management - “process by which an organization prepares for future
incidents that could jeopardize the organization’s core mission and its long-term viability”
- Hot Site (Hot and Ready) - Fully equipped site ready for immediate use in emergencies
- Cold Site - Site with utilities but no equipment; requires days or weeks to activate
• Best evidence of plan adequacy is testing the plan (e.g., fire drill)
• What would you expect to find in a user developed system vs. an IT developed system?
(documentation question)
• What would be primary benefit of using EFT for international money transfers?
• Auditors role in assessing systems development
• Auditors role in reviewing systems that are outsourced
• Understand Logical Control
Which of the following is an objective of logical security controls for information systems?
A. Radio transmission
B. Infrared laser
C. Satellite transmission
D. Fiber optic cable
Accounting Concepts
An asset account is debited, increasing it by the value of the additional assets. A liability account
is credited, increasing it by the amount of the loan.
• A number of questions are of the form “if this occurs, then what”, e.g., a sale takes place, but the sale
is not posted and inventory is not adjusted. How are inventory and accounts receivable affected?
• The temporary accounts get closed at the end of an accounting year. Temporary accounts include
all of the income statement accounts (revenues, expenses, gains, and losses), the sole proprietor's
drawing account, the income summary account, and any other account that is used for keeping a
tally of the current year amounts. Since the temporary accounts are closed at the end of each
fiscal year, they will begin the new fiscal year with zero balances.
• The accounts that do not get closed (their balances are carried forward to the next accounting
year) are referred to as permanent accounts. The balance sheet accounts are permanent
accounts.
• Accrual versus cash basis accounting. Accrual relies on the principles of revenue recognition and
matching. Accrual basis accounting records transactions as they occur, recognizing revenue only
when earned and expenses only when incurred, regardless of when the cash is actually paid out
(GAAP). Under cash basis accounting, the organization recognizes revenue only when cash is received
and recognizes expenses only when cash is paid out (not GAAP); thus payables and receivables are
ignored.
• Accounting assumptions used in preparing the financial statements include Economic entity,
Going concern, monetary unit, and Periodic reporting.
• Accounting principles used in preparing the financial statements include:
• Historical cost
Revenue recognition - The practice of recording advanced payments from customers as liabilities.
Topic 2
1) The lease provides for the transfer of ownership of the leased property.
2) The lease contains a bargain purchase option (BPO).
a) A bargain purchase option gives the lessee the right to purchase the leased property for a price
lower than its expected fair value at the date the BPO becomes exercisable.
3) The lease term is 75% or more of the estimated economic life of the leased property.
4) The present value of the minimum lease payments is at least 90% of the fair value of the leased
property.
a) Minimum lease payments equal minimum rental payments plus the amount of residual value
(or the minimum rental payments plus the amount of BPO).
Topic 3
• Preferred stocks are designed to pay shareholders consistent dividends. They get their name from
the fact that they have preference over common stocks in the payment of dividends. This means
preferred stock dividends are always paid to shareholders before dividends on common stock.
Preferred dividends generally have yields that are competitive with corporate bonds.
• When an organization purchases an equity interest in other organizations in the form of capital
or preferred stock and has “Significant Influence” (20% to 50% ownership), it must value this
investment using the Equity method: Proportional share of investee’s net income/loss, dividends
Topic 4
Suppose your chocolate milk factory started out with $2,000 worth of beginning inventory of
finished goods. Your cost of goods manufactured (inputs) was $18,000, and your ending
inventory of finished goods was $500. COGS = $2,000 + $18,000 – $500 = $19,500
• Residual income is a metric used to measure performance of a department. It measures the return
earned by the department which is in excess of the minimum required return. RI is often
compared to ROI. ROI is a % while RI is a dollar amount.
Quick Ratio
You will only see one or two ratios on the exam. Thus, there is NO need to memorize all of the formulas.
Quick Ratio = Current Assets excluding Inventory (Cash and AR) / Current Liabilities
Current Ratio = Current Assets (Cash, AR and Inventory) / Current Liabilities
Inventory turnover is an efficiency ratio which calculates the number of times per period a
business sells and replaces its entire batch of inventories. It is the ratio of cost of goods sold by a
business during an accounting period to the average inventories of the business during the period:
Inventory Turnover = Cost of Goods Sold for the period / Average Inventory for the period
Exam Question: Inventory Turnover Ratio (Cost of Raw Materials = 60k, COGS = 120K, Remaining
Inventory Valued at 40k - what is Inventory Turnover Ratio)
Residual income is a metric used to measure performance of a department. It measures the return
earned by the department which is in excess of the minimum required return. Set minimum return
rate, and if RI is positive, investors will get their return and excess can go to retained earnings.
Topic 6
Topic 7
• Understand Cash Receipt Controls whether taking revenue at a Point of Sale (POS), mail, or
electronically.
• Know the difference between a perpetual inventory (keeps a continuous record of inventory
changes as they occur) vs. periodic inventory (which determines only the inventory on hand at the
end of a period by physical count).
• FIFO (can distort net income and gross profit), LIFO, and Weighted Average (Called “moving” if
perpetual, Simple and Income cannot be manipulated)
• Cost / Retail Ratio and retail method for valuing inventory. The retail method converts ending
inventory stated at retail to cost.
   Cost-retail ratio   Ending inventory at retail
A. No effect           No effect
B. No effect           Overstatement
C. Overstatement       Overstatement
D. Overstatement       Understatement
B. The retail method of inventory estimation applies a cost-retail ratio to the ending inventory at retail to
determine ending inventory at cost. The ratio equals goods available at cost divided by goods available at
retail. Normal inventory shrinkage is deducted from the retail amount of goods available because the
goods are not available. However, abnormal amounts of theft, etc., are deducted in arriving at both the
cost and retail amounts. The reason for the difference in treatment is that normal but not abnormal
inventory losses are anticipated and included in selling price (retail value). Accordingly, failure to account
for normal inventory shrinkage has no effect on the calculation of the cost-retail ratio but overstates
ending inventory at retail.
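The retail method as described in the answer above, worked through as an added example that is not part of the cheat sheet: the figures (goods available at cost and retail, sales, normal shrinkage, abnormal loss) are constructed, and the function and field names are this example's own. It computes the cost-retail ratio and ending inventory both correctly and with normal shrinkage omitted, so the "no effect on the ratio, overstated ending inventory at retail" result of answer B can be checked.

```python
# Added example (not from the cheat sheet): the retail method of inventory
# estimation on constructed figures. Abnormal losses come off both cost and
# retail before the ratio; normal shrinkage comes off retail only.

from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class RetailResult:
    cost_retail_ratio: Fraction
    ending_inventory_retail: Fraction
    ending_inventory_cost: Fraction


def retail_method(goods_available_cost, goods_available_retail, sales_at_retail,
                  normal_shrinkage_retail=0, abnormal_loss_cost=0,
                  abnormal_loss_retail=0) -> RetailResult:
    """Estimate ending inventory at cost with the retail method.

    Abnormal losses (theft, casualty) are removed from both the cost and the retail
    amount of goods available before the ratio is computed. Normal shrinkage is
    anticipated and already priced into retail, so it is deducted only from the
    retail amount when arriving at ending inventory at retail.
    """
    cost = Fraction(goods_available_cost) - Fraction(abnormal_loss_cost)
    retail = Fraction(goods_available_retail) - Fraction(abnormal_loss_retail)
    ratio = cost / retail
    ending_retail = retail - Fraction(sales_at_retail) - Fraction(normal_shrinkage_retail)
    return RetailResult(ratio, ending_retail, ending_retail * ratio)


def shrinkage_omission_effect() -> dict:
    """Compare a correct computation with one that forgets normal shrinkage."""
    base = dict(goods_available_cost=60_000, goods_available_retail=100_000,
                sales_at_retail=70_000, abnormal_loss_cost=3_000,
                abnormal_loss_retail=5_000)  # constructed figures
    correct = retail_method(normal_shrinkage_retail=2_000, **base)
    omitted = retail_method(normal_shrinkage_retail=0, **base)
    return {
        "ratio_changed": correct.cost_retail_ratio != omitted.cost_retail_ratio,
        "retail_overstated_by": omitted.ending_inventory_retail - correct.ending_inventory_retail,
        "cost_overstated_by": omitted.ending_inventory_cost - correct.ending_inventory_cost,
    }


if __name__ == "__main__":
    print(retail_method(60_000, 100_000, 70_000, 2_000, 3_000, 5_000))
    print(shrinkage_omission_effect())
```

Fractions are used instead of floats so the ratio (3/5 on these figures) and the resulting overstatement are exact; with the constructed numbers the omission leaves the ratio untouched and overstates ending inventory at retail by the full 2,000 of shrinkage, and at cost by 2,000 times the ratio.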
• Operating Budget - A summary of an organization’s plans that sets specific targets for sales,
production, distribution, and financing activities.
Exam question: “What budget do you complete first?” with options cash, sales, production, and administrative
expenses. CIA Exam Alert: Always do the Sales budget first. It drives the others.
• A capital budget identifies, evaluates, and selects projects that require large amounts of capital
investment and provide benefits far into the future. To make capital investment decisions,
managers must estimate the quantity and timing of cash flows, assess the risk of the investment,
and consider the impact of the project on the organization's profits.
• Capital budget Discounting Methods:
Net Present Value - Compares present value of a project’s cash inflows to present value of a
project’s cash outflows. Provides realistic assumptions.
Internal Rate of Return - The discount rate often used in capital budgeting that makes the net
present value of all cash flows from a particular project equal to zero. Generally speaking, the
higher a project's internal rate of return, the more desirable it is to undertake the project. As such,
IRR can be used to rank several prospective projects a firm is considering. Assuming all other
factors are equal among the various projects, the project with the highest IRR would probably be
considered the best and undertaken first.
• Progressive (High-income taxpayers pay a larger fraction of income) vs. Regressive tax (Low-
income taxpayers pay a larger fraction of income)
• Example of a regressive tax is a State sales tax.
• In the distribution of liquidation proceeds for a bankrupt firm, taxes payable is a priority claim.
Priority claims are paid in full before any liquidation proceeds are distributed to general claimants
or shareholders.
• Exam Alert: What is a 'Marginal Tax Rate' - A marginal tax rate is the amount of tax paid on an
additional dollar of income. The marginal tax rate for an individual will increase as income rises.
This method of taxation aims to fairly tax individuals based upon their earnings, with low-income
earners being taxed at a lower rate than higher income earners.
• Marginal Tax Rates and Example: For the 2016 tax year (taxes due in 2017), in the United States,
there are seven different marginal tax rates based on an individual's income. They are 10%, 15%,
25%, 28%, 33%, 35% and 39.6%. Individuals who make the lowest amount of income are placed
into the lowest marginal tax rate bracket, while higher earning individuals are placed into higher
marginal rate tax brackets. However, the marginal tax bracket in which an individual falls does not
determine how the entire income is taxed. Instead, income taxes are assessed on a progressive
level. Each bracket has a range of income values that are taxed at a particular rate. For example,
in 2016, for a single taxpayer, the marginal tax rates have the following income ranges:
Thus if an individual taxpayer earned $150,000 in income, they would owe the following income taxes,
as shown below:
Exam Alert: Contribution Margin (4) = Sales (30) – Variable Cost (26)
Example: A company makes a product that sells for $30. During the coming year, fixed costs are expected
to be $180,000, and variable costs are estimated at $26 per unit. How many units must the company sell
in order to break even?
• A transfer price is the price charged by one segment of an organization for a product or service
supplied to another segment of the same organization. The three basic criteria that the transfer
pricing system in a decentralized company should satisfy are to (1) provide information allowing
central management to evaluate divisions with respect to total company profit and each division’s
contribution to profit, (2) stimulate each manager’s efficiency without losing each division’s
autonomy, and (3) motivate each divisional manager to achieve his/her own profit goal in a manner
contributing to the company’s success.
Correct. Market-based transfer prices provide market discipline. Inefficient internal suppliers will tend to
wither while efficient ones prosper, enhancing the overall long-term competitiveness of the firm.
Sample Question: A limitation of transfer prices based on actual cost is that they
The optimal transfer price of a selling division should be set at a point that will have the most desirable
economic effect on the firm as a whole while at the same time continuing to motivate the management
of every division to perform efficiently. Setting the transfer price based on actual costs rather than
standard costs would give the selling division little incentive to control costs.
• Exam Alert: What strategy should a company adopt first to enter into an international market? There
are many ways to enter the global marketplace, but first organizations need to look at requirements,
i.e., key success indicators such as:
- Is global strategy a part of the organization’s overall competitive strategy?
- Is there general global market awareness?
- Is the timing right for expansion?
- Have factors that favor entry for the organization and industry been identified?
- Has the best way to penetrate foreign markets been identified?
• Exam Alert: Porter’s Framework - Porter's five forces analysis is a framework that attempts to
analyze the level of competition within an industry and business strategy development. It draws
upon industrial organization (IO) economics to derive five forces that determine the competitive
intensity and therefore attractiveness of an Industry. Attractiveness in this context refers to the
overall industry profitability. An "unattractive" industry is one in which the combination of these five
forces acts to drive down overall profitability. A very unattractive industry would be one approaching
"pure competition", in which available profits for all firms are driven to normal profit. This analysis is
associated with its principal innovator Michael E. Porter of Harvard University.
• Porter's five forces include – three forces from 'horizontal' competition: the threat of substitute
products or services, the threat of established rivals, and the threat of new entrants; and two forces
from 'vertical' competition: the bargaining power of suppliers and the bargaining power of
customers.
• Geocentric vs. Ethnocentric (GREP)
1. Which type of organization uses a very high degree of local decision-making, evaluation,
and control?
a. Polycentric
b. Geocentric
d. Polychromic
A. It uses a high degree of local decision making, evaluation, and control. (False)
C. Assumes that the home country’s personnel and ways of doing things are best. (True)
• Exam Alert: Inflation is defined as a sustained increase in the general level of prices for
goods and services in a country, and is measured as an annual percentage change. Under
conditions of inflation, the prices of things rise over time. Put differently, as inflation rises,
every dollar you own buys a smaller percentage of a good or service. When prices rise, or,
equivalently, when the value of money falls, you have inflation.
• The value of a dollar (or any unit of money) is expressed in terms of its purchasing power,
which is the amount of real, tangible goods or actual services that money can buy at a
moment in time. When inflation goes up, there is a decline in the purchasing power of
money. For example, if the inflation rate is 2% annually, then theoretically a $1 pack of gum
will cost $1.02 in a year. After inflation, your dollar does not go as far as it did in the past.
This is why a pack of gum cost just $0.05 in the 1940’s – the price has risen, or from a different
perspective, the value of the dollar has declined. In recent years, most developed countries
have attempted to sustain an inflation rate of 2-3% by using monetary policy tools put to
use by central banks. This general form of monetary policy is known as inflation targeting.
Required Supplemental Reading for Part 3 (All are located in the Dropbox)
https://www.dropbox.com/sh/4m5mti6376rhisp/AAD6oh9-dzMA9KMKu8jhwYFTa?dl=0
• Practice Guide Assessing the Adequacy of Risk Management Using ISO 31000
• Practice Guide Evaluating Corporate Social Responsibility/Sustainable Development
• Practice Guide Business Continuity Management (BCM)
• GTAG Information Technology Risk and Controls
Student Input
CSR – At least 4 questions covered CSR (risks CSR aims to address, stakeholders, elements of triple
bottom line)
Risk management frameworks and objectives
EOQ
Characteristics of business and industry life cycles
Forecasting methods
Principled negotiation skills
EDI – At least 2 questions specifically on EDI risks and controls
Firewalls
Protocol
Databases
Change management
Contribution margin & break-even point
IT questions were framed just as you discussed: they were primarily presented in terms of risks and
related controls. Specific IT topics:
Financial accounting questions were also based more on underlying concepts/theory as opposed to
specific computations, as you expected. There was only 1 ratio computation to determine sales given
total asset turnover, debt to assets, and total liabilities.
Lyndon, I passed the part 3 exam and I am finally done with all exams for the certification. Just for your
info, here are some of the questions/topics on the exam:
This is high level of what I can recall but if you have specific questions please let me know. Here is my
studying strategy:
read the flashcards (I didn't do flashcards on my own). This method doesn't work for my learning
style and I found it the least beneficial
post study quiz and CIA practice exam. Note: I don't think the CIA practice exam is a good reflection
of how much you know because it's comprised of questions already seen from the quizzes and
post study exam; therefore I took practice exams from Gleim (40 Q), Fast Forward Academy (100
Q) and Wiley (100 Q). Each of them allows you free access to just a certain amount of questions, but
it's good additional practice. The free access is just for a limited amount of time.
I read through the red book twice- before I started taking your classes and during the classes.
Note: I found your classes extremely valuable as they provided me the structure I needed to do readings
and quizzes in a planned and disciplined manner. Also, the clarifications and practical application you
provided were very helpful to put the concepts into perspective.
Thank you again! Please let me know when you visit San Francisco. I would love to catch up over coffee
or lunch and thank you in person.
Congratulations! I know you were very determined and worked very hard. I am very happy for you.
Thank you for "paying it forward". Your detailed insight will help future students.
1. Definition of Internet protocol. Can you expand a little on that? I want to make sure I
understand what they were asking.
Sure. They were just asking for the definition of IP, such as: The Internet Protocol (IP) is the
method or protocol by which data is sent from one computer to another on the Internet. I just
googled the definition, but it was something similar to this.
2. BC? Business Continuity, understanding of what is being done in the planning, Business impact
analysis and other components of the overall BC process. The question was specifically around
when in the BC process you determine which processes are critical enough to be included in
a business continuity plan. Understand in which stage of the BC process criticality is
determined per process.
3. Any questions from the Accounting Section related to the accounting cycle, debits / credits,
balance sheet, income statement or stockholders' equity? It's a long section, so I want to see
what, if anything, I need to adjust.
Now that you mentioned it, I recall a question around components under procurement, sales,
cash, production cycles. They listed a few items and you are supposed to select the cycle. There
were a few questions asking for the impact on net income and the impact on COGS if final inventory
increased (decreased in the other question). Other than these questions and the ones I initially
mentioned, I don't recall anything else, but if I think of it I'll let you know.
• Another question I just recalled is around Database and whether or not it is located in between the
application or the software, something along those lines; I don't remember exactly. There was
another question on database controls and who has access to manipulate the data.
• There was a question on the systems development life cycle analysis (feasibility) stage -
something along the lines of: in which stage do we make a decision if it makes sense financially
to develop internally or buy software?
5. Besides retail / cost inventory, anything you saw that I did not cover?
Yes, I think so. There were only a few questions I flagged because I was not familiar with the topic,
but I could not go back to them as I finished the exam 1 min before the time was up. I can't
remember now but will let you know once I think of it.
The question on bonds was around board approval of bond components when a bond is issued,
i.e. which components are approved by the board (maturity/duration, principal, coupon, etc.).
It might be helpful if you briefly cover this piece in the classes.
6. What was the topic for the hardest question that you saw?
IT system infrastructure and application. My background is in finance and banking so this area is
not one of my strengths.
Also there was a question of which one of the 4 options provided represents a component of
business continuity. The response (I believe) was around having a backup facility for data
recovery while the other options were just regular controls.
7. The question where you had to use your calculator: what was the topic?
They give you the D/A ratio, debt, and asset turnover, and you need to calculate the Sales.
Also there was a question on what a correlation of 0 shows, and another question on which method is
appropriate for a particular scenario, where the choice is among scenario analysis, Delphi method,
Courtney method (I think this is made up) and a 4th option. I don't recall what the exact
question was (I think it's when entering an emerging market, to figure out success levels of different
strategies).
Please let me know if you have other specific questions as they help me recall the exam questions. If I
think of anything else that I have not included I’ll let you know.