Not participate in any activity or Work with honesty,

Engage only in those services for which we have Be prudent in the use and relationship that may impair or be diligence, and responsibility
the necessary knowledge, skills, and experience protection of information presumed to impair their unbiased
4. Competency acquired in the course of duties assessment OR professional judgment Make disclosures
Perform internal audit services in commitment to acquiring
expected by the law
accordance with Standards and maintaining an Not use information for any Disclose all material facts known to
appropriate level of personal gain or in any manner that, if not disclosed, may distort the Not knowingly be a party to any
Continually improve the proficiency and knowledge and skill that would be contrary to the law reporting of activities under review illegal activity, or engage in acts that
the effectiveness and quality of services are discreditable to the profession

3. Confidentiality 2. Objectivity Respect and contribute to the

1. To enhance and protect organizational
Refusal to use Commitment to providing legitimate and ethical
value by providing risk-based and
organizational information stakeholders with unbiased objectives of the organization
objective assurance, advice, and insight.
for private gain information
2. Facilitating the achievement (A) Mission of 1. Integrity
of this mission is the IPPF Internal Audit Refusal to compromise
professional values for
1. Core Principles: Basis for personal gain
internal audit effectiveness
5. principles
2. Definition of Internal Auditing: Concise
of role of the internal audit activity 1. Mandatory
Guidance 4. Components (2)
3. Code of Ethics SU 1 : FOUNDATIONS OF
(4 elements)
4. Standards: International Standards for the INTERNAL AUDITING 1. Principles that are
Professional Practice of Internal Auditing relevant to the profession &
(B) International practice of internal auditing
1) Attribute Standards (1000s) Professional Practices
Framework (IPPF) 2. Rules of Conduct that
2) Performance Standards (2000s) describe behavior norms
expected of internal auditors
3) Interpretations 2. Strongly
4) Implementation Standards Recommended
Guidance (D) CODES OF
ETHICAL The Code are applied to all
3. Applicability
CONDUCT organizations and persons
(a) Implementation (b) Supplemental who perform internal audit
Guidance (IG) Guidance Final approval of the charter
services, not just CIAs
(C) Internal Audit resides with the boar d.
Charter Violations of rules of ethics
should be reported to The
IIA’s board of directors
1. Purpose of the 3. Responsibility
internal audit activity 1. Reasons
To provide the organization 2. Aspects
with assurance and
consulting services that will 1. To promote an ethical 1. Existence of a code does
add value and improve the culture among professionals not ensure that its principles
Assurance Consulting organization’s operations who serve others are followed or trustworthy
services services
2. Communicating acceptable 2. It is impossible to require
2. Authority values to all members equality of competence by
Definition: Objective examination of evidence Definition: activities intended 3. Establishing objective standards all members of a profession
for the purpose of providing an independent to add value and improve an Internal audit activity should against which individuals can
assessment on governance (Opinion) organization’s governance be empowered to require measure their own performance
auditees to grant access to 3. The code should provide for
Nature and Scope: determined by Nature and Scope: Subject 4. Communicating the disciplinary action for violators
all records, personnel, and
the internal auditor to agreement organization’s values to outsiders
physical properties relevant
Participants: 3 parties (Process Participants: 2 parties to the performance of every
owner, internal auditor, & user) (Internal auditor, & Client) engagement

Summary of CIA Part 1 - Gleim 1 samehacc1@gmail.com

 Internal auditors must enhance their
Components: The CAE is responsible for ensuring that the Deming Cycle can be used to knowledge, skills, and other competencies Internal auditors must apply the care and skill expected of a
(a) internal assessments, internal audit activit y conducts: establish the QAIP (4 steps: through continuing professional reasonably prudent and competent internal audit or, through:
(b) external assessments, (a) Internal assessments (ongoing monitoring Plan-Do-Check-Act Cycle) development a. conformance with Code of Ethics, b. systematic and
(c) communication of QAIP results, and periodic self-assessments) disciplined approach included in IA policies & procedures, c.
(d) proper use of a conformance statement, and (b) External assessments (independent applic ation of the IPPF’s Mandatory Guidance
(e) disclosure of nonconformance. assessment every 5 years) CIAs demonstrate their continuing Considerations:
professional development by completing 1. Needs and expectations of clients.
(H) QUALITY continuing professional education (CPE).
The freedom from conditions that threaten the 2. Relative complexity and extent of work needed.
ASSURANCE AND CIAs must complete CPE annually (40
ability of the internal audit activity to carry out 3. Cost of the consulting in relation to benefits
IMPROVEMENT hours for Practicing & 20 hours for
internal audit responsibilities in an unbiased Definition PROGRAM (QAIP) nonpracticing) including at least 2 hours
manner. of ethics training).
(A) INDEPENDENCE (F) DUE PROFESSIONAL CARE
Functional reporting to the board (at
least annual meeting) (G) Continuing Practices will help the CAE to identify the
Achieve Independence through CAE must communicate the result s of Professional available resources:
Administrative reporting to Dual Reporting QAIP to senior management and the Development A. Hiring practices
senior management board.
B. Periodic skills assessments
The internal audit activity conforms with
Internal C. Staff performance apprais als
Unbiased mental attitude that allows internal auditors Standards ONLY if supported by the
Resources D. Continuing professional development
to perform engagements in such a manner that they results of QAIP.
believe in their work product and that no quality Definition
compromises are made. Top of Improvement and innovation

Is any “relationship that is, or

SU 2 : INDEPENDENCE, Framework Internal audit delivery
External
appears to be, not in the best OBJECTIVITY, PROFICIENCY, Resources
Personal Skills Critical thinking

interest of the organization Conflict of (To promote the Persuasion and collaboration
Interest
(B) OBJECTIVITY CARE, AND QUALITY top) Communication
Internal auditors must avoid any Organization may outsource Business acumen
conflict of interest all, or some of the functions Technical
Governance, risk and control
(C) IMPAIRMENT TO (E) INTERNAL of the internal audit activity. Expertise
Objectivity refers to im partial and unbiased INDEPENDENCE AND AUDIT However, oversight of and IPPF

mindset, which is facilitated by avoiding Aspects responsibility for the internal Internal audit management
OBJECTIVITY RESOURCES Foundation/Basis
conflicts of interest audit activity must not be of Framework Professional ethics
If independence or objectivity is impaired in outsourced
Many CAEs have an internal audit policy fact or appearance, the details of the
manual or handbook that may describe: impairment must be disclosed to Competency Framework
appropriate parties (10 core competencies)
(D) PROFICIENCY
a. Critical importance of objectivity Examples of Examples of
independence objectivity
b. Situations that could undermine objectivity
impairments impairments
c. Actions the internal auditor should take if Meaning
1. The CAE has broader functional 1. An internal auditor audits an area in
(s)he becomes aware of a current or potential
responsibility than internal audit which he or she recently worked
objectivity concern
2. The CAE does not have direct communication or 2. An internal auditor audits an area where a Internal auditors must possess
d. Reporting requirements, where each internal interaction with the board relative or close friend is employed the knowledge, skills, and
auditor periodically considers & discloses other competencies needed to
conflicts of interest 3. The budget for the internal audit activity is reduced to 3. An internal auditor assumes, without evidence, that an area
perform Their individual
the point that internal audit cannot fulfill its responsibilities being audited has effectively mitigated risks
responsibilities. Internal audit
When assigning internal auditors to specific as outlined in the charter
4. An internal auditor modifies the planned approach or result s activity is considered
engagements, CAE should avoid assigning team
based on the undue influence of another person proficient if it collectively
members who may have a conflict 4. Scope limitation (restriction placed on a. internal audit possesses or obtains the
charter, b. access to records, personnel, and physical 5. Accept fees, gifts, or entertainment from an employee, client, competencies needed to
CAE needs to be thoughtful in designing the internal audit properties, c. Approved engagement work schedule, or d.
performance evaluation and compensation customer, supplier, or business associate perform its responsibilities
Approved staffing plan and financial budget)

Summary of CIA Part 1 - Gleim 2 samehacc1@gmail.com


Processes + Structures implemented
by board to inform, direct, manage,
and monitor the activities of the
organization toward the achievement
of its objectives (influenced by
internal & external mechanisms)
(A) Definition
(B) Principles (15)
Governance + RM + Control
(GRC)
(C)
Components
Strategic Direction
1) Establis hing policies and procedures 1) Reaction: Organization denies responsibility Global Reporting Initiative
(GRI): reporting that provides ISO 26000: how
2) Setting objectives & strategies 5. CSR 2) Defense: Organization uses legal action or public specific guidance on to implement
Business relations efforts to avoid additional responsibilities measuring CSR performance and manage a
3) integrating CSR into business Activities CSR initiative
3) Accommodation: Organization assumes against predefined criteria
decision-making
additional responsibilities only when pressured
4) Monitoring, evaluating results
4) Proaction: Organization takes the 4. Strategies
5) Engaging stakeholders initiative in implementing a CSR program
3. Frameworks
6) Auditing (by element & by
stakeholder group.
1) Economic responsibility (foundation)
7) External and internal reporting 2. Responsibilities (4) of 2) Legal responsibility (Mandated)
Scholar Archie B. Carroll to be 3) Ethical responsibility (Expected)
[using a 5-level maturity scale (level 1 6. CSR Maturity called socially responsible 4) Philanthropic responsibility (Desired)
is “initial” and level 5 is “optimizing”) Model
(F) CSR
(c) corporate citizenship
1. Element (Corporate Social
7. Auditing CSR Responsibility) (b) sustainable development
2. Stakeholder group (2 Approaches)
Is a voluntary practice 1. Refers to (a) social responsibility
Each person should be an ethics
Chief advocate, whether officially or informally
Oversight Ethics
SU 3 : Governance Officer
Organizations may designate a chief ethics officer

Internal auditors may have the role of chief ethics

1. Business Model
2. Overall Objectives
3. Approach to risk appetite
4. limits of organizational conduct
officer, but this may conflict with the independence
1. Board’s responsibilities to
attribute of the internal audit activity
stakeholders
2. Risk management activities Ethical Culture
3. Internal and external
assurance activities
Advice given by internal audit depend on the
maturity of the governance
(E) Practices
(Organizational culture)
Less mature system: IA emphasizes
(D) Roles compliance with policies, & addresses
Reflected in the basic risks to the organization

Board: Responsible for oversight, identify stakeholders and their More mature system: IA emphasis on
expectations, Selection and removal of officers optimizing structure and practices

Management: establishes & maintains the organizational culture, a) Setting values, objectives, and
and Day-to-day governance functions, and determine who will be risk strategies; Ensure the 1) Complies with society’s legal
owners
b) Defining roles and behaviors; Affect organization 2) Satisfies the accepted business norms
Internal Audit: Assesses and makes recommendations to improve
governance processes 3) Provides overall benefit to society
c) Measuring performance;
Risk owners: Evaluating the adequacy of the design of RM activities 4) Reports fully and truthfully to stakeholders
and whether they are operating as designed & Establishing d) Specifying accountability; and
monitoring activities, and reports are accurate The Overall control environment and individual engagement risks and controls.
e) Complying with corporate social * Risk aggressive = im portance of control is Low = engagement risks and controls is High
Risk committee: a. Identifies key risks, b. Connects them to RM
processes, c. Delegates them to risk owners, d. Considers tolerance responsibilities. * Risk averse = im portance of control is High = engagement risks and controls is Low
levels delegated

Summary of CIA Part 1 - Gleim 3 samehacc1@gmail.com

 Risk is the possibilit y of an event occurring that will have an impact on the achievement
of objectives.
Risk management is “a process to identify, assess, manage, and control potential
events or situations to provide reasonable assurance regarding the achievement of (A) d) Technology
a) Laws and regulations
the organization’s objectives” Definitions
b) Capital projects e) Market risk
(C) COSO
FRAMEWORK c) Business processes f) Organizations
1. Identification of
(ERM) context

SU 4 : RISK
Culture, capabilities, and practices, integrated with
strategy-setting and performance, that organizations rely MANAGEMENT 2. Risk identification
on to manage risk in creating, preserving, and realizing 1. Definition
value.

At every level of internal & external risk

(B) Processes
factors, considering past events (trends)
2. Concepts and future possibilities.
5. Risk monitoring
1) Culture: attitudes about risk and reflect mission, vision, and core values
2) Capabilities: skills needed to carry out the mission & vis ion RA formal or informal using factors, and
(a) Tracks identified risks the results are used to prioritize risks
3) Practices: collective methods used to manage risk. (b) Evaluates current ris k
4) Integrating strategy setting Risk profile for specific strategy response plans
3. Risk assessment
and performance Qualitative
Portfolio view for entity-wide strategy (c) Monitors residual risks (RA) & Prioritization
5) Managing risk. (d) Identifies new risks Quantitativ e
Risk capacity maxim um risks the organization can assume Methods
Risk modeling
Inherent risk the ris k in the absence of actions or controls

6) Value: a) Created, b) Preserved, c) Realized, d) Eroded

4. Risk response

Controls Actions taken by

management to manage risk
3. Components
Risk that remains after risk
Residual
1. Governance and 4. Review & 5. Information, responses are executed
2. Strategy and 3. Performance risk
Culture revision communic ation, and
objective-setting,
reporting Sharing: reduce risk by
1. Board oversight transferring to another party
1. Analyze 1. Changes affect strategy
1. Identify Risks 1. Leverage the
2. Establishment of business context Strategies Reduction: reduce risk within
2. Severity of risk 2. Review performance Information systems
operating structures the organization (internally)
2. Define risk appetite results and consider risk
3. Prioritize risks 2. Communication
3. Define the channels Retention (acceptance): No action is
3. Evaluate alternative 3. Improvement of ERM
desired culture 4. risk responses taken to alter the severity of the risk
strategies 3. Report on risk, culture &
5. portfolio view of risk performance Avoidance: Action is
4. Commitment to 4. Establish business
taken to remove the risk
core values objectives

5. Attracts, develops, and

retains capable individuals

Summary of CIA Part 1 - Gleim 4 samehacc1@gmail.com

SU 4.2 : COSO Framework - ERM Components
Supporting Aspect Common Process
Information, communication, and
Governance and culture Strategy and objective-setting Performance Review and Revision
reporting
5 Principles 4 Principles 5 Principles 3 Principles
3 Principles
1. Board oversight 1. Leverage its Information systems 1. Analyze business context 1. Identify Risks 1. Changes affect strategy

i) Reviewing and challenging decisions Internal and external environments *Affect the reasonable expectation of achieving i) Internal environment include those due to
Elements of effective data management:
related to strategy, risk appetite, Business context may be: strategy rapid growth, innovation, and turnover of key
i) Data and information governance
and significant business decisions. i) Dynamic. *Identify New, emerging, and changing risks and personnel.
ii) Processes and controls
ii) Approving management compensation. ii) Complex. opportunities ii) changes in external environment include those
iii) Data management architecture
iii) Participating in stakeholder relations. iii) Unpredictable. *The risk inventory consists of all risks in the economy or regulations.

2. Reviews performance results and considers

2. Establish operating structures
i) The legal structure
ii) The management structure
3. Define the desired culture
Culture is shaped by internal and external
factors
4. Commitment to core values
When risk-aware culture and tone are
aligned, stakeholders have confidence that
the organization is abiding by its core values.
5. Attract, develop, and retain capable
individuals
Contingency plans for succession.
2. Communication channels
i) Organizations should adopt open
communication channels
ii) Communication methods include written Expressed qualitatively or
documents, electronic messages, public
events or forums, and informal or spoken
communications
3. Report on risk, culture & performance
Qualitative and quantitative risk
information that supports forward-looking
decisions.
2. Define risk appetite
quantitatively
3. Evaluate alternative strategies
SWOT, Competitor analysis, and
scenario analysis.
4. Establishes business objectives
(1) specific, (2) measurable, (3)
observable, and (4) obtainable.
Performance measures, targets, and
tolerances
2. Severity of risk
risk
*Impact & Likelihood with time horizon at Performance results that deviate from target
multiple levels. performance or tolerance may indicate (1)
*Qualitative and quantitative methods may be unidentified risks, (2) improperly assessed risks,
used to assess risk. (3) new risks, (4) opportunities to accept more
*Reassess severity whenever triggering events risk, or (5) the need to revise target performance
occur. or tolerance.
3. Prioritize risks 3. Improvement of ERM
Factors when prioritizing:
i) Agreed-upon criteria. (Complexity, Velocity,
Persistence, Adaptability, and Recovery)
continual or separate evaluations and peer
ii) Risk appetite
comparisons
iii) The importance of the affected business
objective(s)
iv) The organizational level(s) affected
4. Risk responses
Acceptance, Avoidance, Pursuit, Reduction, and
Sharing
5.Portfolio view of risk
Four risk views:
i) Risk view (minimal integration)
ii) Risk category view (limited integration)
iii) Risk profile view (partial integration) Risk and
performance.
iv) Portfolio view (full integration)

When the components, principles, and supporting controls are present and functioning, ERM is reasonably expected to manage risks effectively and to help create, preserve, and realize value.
1) Present means the components, principles, and controls exist in the design and implementation of ERM to achieve objectives.
2) Functioning means the components, principles, and controls continue to operate to achieve objectives.

Summary of CIA Part 1 - Gleim 5 samehacc1@gmail.com

4.3 ISO 31000 RISK MANAGEMENT FRAMEWORK

1. Principles-Based Approach (11 principles that are the

2. ISO 31000 Risk Management Framework (5 components)
foundation for an effective risk management process)
1) Creates and protects value
2) Is an integral part of organizational processes
3) Is part of decision making
4) Explicitly addresses uncertainty
5) Is systematic, structured and timely
6) Is based on the best available information
7) Is tailored to each organization
8) Considers human and cultural factors
9) Is transparent and inclusive
10) Is dynamic, repetitive and responsive to change
11) Promotes continuous improvement
3. The ISO 31000 risk management process (7 elements)
1. Mandate and commitment 1) Communication and consultation
2. Design the framework for managing risk. Foundation involves: 2) Establishing the context
a) Understanding the organization and its context 3) Risk identification
b) Establishing a risk management policy 4) Risk analysis (impact and likelihood)
c) Delegating accountability and authority 5) Risk evaluation (prioritizes the risks)
d) Integrating risk management into organizational processes 6) Risk treatment (decides risk response)
e) Allocating the necessary resources 7) Monitor and review (evaluates whether treatments are effective)
f) Internal & external communication and reporting methods
3. Implementing risk management
4. Monitoring and review of the framework
5. Continual improvement of the framework

5. Maturity Model (maturity curve) is the capability

4. ISO 31000 – Assurance Approaches (3 approaches) 6. Turnbull Risk Management Framework Emphasis is on:
maturity model (CMM) (5 maturity levels)
1) key principles (a) Initial. Few processes 1. Internal control
2) process element (b) Repeatable. basic processes are established 2. Assessment of its effectiveness
3) maturity model (maturity curve) (c) Defined. Standards are developed 3. Risk analysis
(d) Managed. Performance measures are defined
(e) Optimizing. Continuous improvement is enabled
Principle of this approach is that RM must add value.
RM plan should be linked with a performance measurement system
i) Performance standards
ii) How the standards can be satisfied
iii) Comparing actual performance with each standard
iv) Recording and reporting performance and improvements
v) Periodic independent verification of management’s assessment

Summary of CIA Part 1 - Gleim 6 samehacc1@gmail.com

 a. Preventive: deter the c. Corrective: correct the negative
occurrence of unwanted events effects of unwanted events
1. Primary
b. Detective: alert the proper d. Directive: cause or encourage the
Control: Any action taken by management or other parties to manage risk and
people after an unwanted event Controls occurrence of a desirable event
increase the likelihood that established objectives and goals will be achieved
a. Compensatory (mitigative): do not, by
Control processes: Policies, procedures , and activities that are part of a themselves, reduce risk to an acceptable level
control framework, designed and operated to ensure that risks are contained b. Complementary: their synergy is more effective
2. Secondary
within the level that an organization is willing to accept than either control by itself
Controls
Control environment: Attitude and actions of the board and management
a. Batch Processing: Transactions
regarding the importance of control within the organization
accumulated and submitted as a single batch
(A) Definitions 3. Two Basic b. Online, Real-Time Processing: database is
Processing Modes updated immediately upon entry of the transaction
1) Establis hing standards for the operation to be controlled,
(B) Control a. IT General Controls: pertain to all systems
2) Measuring performance against the standards,
Process components, processes, and data in IT environment
3) Examining and analyzing deviations, 4. IT b. Application Controls: pertain to the scope of
individual business processes or application systems
4) Taking corrective action, and
1) Financial totals: summarize monetary amounts
5) Reappraising the standards based on experience. in an information field in a group of records

2) Record counts: track the number of records processed by

Human judgment is faulty 5.Batch Input the system for comparis on to the total produced manually
Controls
Overridden by Management 3) Hash totals: control totals without a defined meaning
(C) Inherent
Can be circumvented by collusion
Limitations 1) Preformatting of data entry screens
Cost must not be greater than benefits SU 5.1 & 5.2:
6. Online Input 2) Field/format checks: test the characters in a field
CONTROLS Controls 3) Validity checks: compare the data entered in a
1. Transaction Trails
given field with a table of valid values for that field
2. Uniform Processing of Transactions
7. Processing 4) Limit (reasonableness) & range checks:
3. Segregation of Functions (E) Types based on known limits for given information
(D) Characteristics of controls
4. Potential for Errors and Fraud 5) Check digits: are an extra reference
Automated Processing Concurrency: manage situations number that follows an identification code
5. Potential for Increased where two or more users attempt
13. People-Based vs. to access or update a file 6) Sequence checks: processing efficiency
Management Supervision
a. People-based controls: System-Based Controls simultaneously is greatly increased when files are sorted on
6. Initiation or Subsequent Execution depend on humans’ intervention some designated field before operations
of Transactions by Computer 7) Zero balance checks: reject any
b. System-based controls: 8. Output ensure that
executed with no human intervention transaction or batch in which sum of all debits
7. Dependence of Controls in Other Areas 11. Time-Based controls processing and credits does not equal zero
on Controls over Computer Processing results are
Classification complete, accurate, and
a. Feedback controls: report properly distributed
12. Financial vs.
information about completed activities monitor data to ensure it
Operating Controls 9. Integrity remains consistent and correct
b. Concurrent controls: adjust ongoing processes controls
a. Financial controls: based on accounting principles
c. Feedforward controls: anticipate and
prevent problems (long-term perspective)
10. Management trail enable management to track transactions
b. Operating controls: based on management
principles (e.g. production and support activities) e.g. policies and procedures (or audit trail) from their source to their output

Summary of CIA Part 1 - Gleim 7 samehacc1@gmail.com

 Control 1. Operating
Soft controls should be distinguished from hard controls (I) Soft Principles objectives
(E) The eSAC
Controls (4) (ORCS) 2. Reporting
Control self-assessment (CSA) is an approach to auditing soft controls Model
3. Compliance
1) General top-down and risk- 1) Availability
Internal Control: Guidance for Directors on the Combined Code (J) Turnbull based approach used too in IT Business 4. Safeguarding of assets
Report (U.K.) 2) Capability
2) General IT risks are those assurance
objectives 3) Functionality
Internal control is a process, effected by an entity’s affect critical IT functionality in
board of directors, management, and other 1. Definition financially significant applications 4) Protectability Establishes best practices that
personnel, designed to provide reasonable contribute to the process of
3) General IT risks exist 5) Accountability
assurance regarding the achievement of objectives value creation, and maximizes
relating to operations, reporting, and compliance. 4) IT risks are mitigated by the the realization of business
achievement of IT control value from investment in IT.
(A) COSO objectives, not individual controls
a) Operations: achieving the mission & Objective
Framework 1) Value governance: relationship
safeguarding of assets. between IT and the organization
(U.S.) Guidance for assessing the scope (D) VAL IT
b) Reporting: Financial and nonfinancial of IT general controls using a top- 2) Investment management:
reporting (Internal or external) 2. Objectives down and risk-based approach manages the organization’s portfolio
c) Compliance: Policies and procedures, (ORC) Consists of 3 of IT-enabled business investments
laws, rules, and regulations. (F) Guides to the Domains 3) Portfolio management:
Assessment of IT Risks maximizes quality of business cases
1. Commitment to integrity
and Ethical values (GAIT) The complexity of the modern enterprise for IT-enabled business investments
requires governance and management
2. Board independence & oversight
to be treated as distinct activities. a) Principles, policies,
3. Organizational structures & authorities Control COBIT5 associates governance with the and frameworks
Environment board of directors, and associates the
(5 EBOCA) b) Processes
4. Commitment to Competence activities with executive management
c) Organizational
5. Accountability SU 5.3 structures
3. Components
(5 CRIME)
CONTROL FRAMEWORKS 5. Separating Governance d) Culture, ethics, and
1. Specify objectives from Management behavior

2. Identify & analyze Risks Risk e) Information

assessment (C) COBIT 5 f) Services, infrastructure,
3. Consider potential Fraud (4 S A F R) and applications
5 Principles 4. Enabling a Holistic
4. Identify & Assess changes Approach (7 enablers) g) People, skills, and
(B) CoCo Model competencies
1. Select and develop
(Canada)
Control Activities
Control
2. Control over Technology activities
1. Meeting Stakeholder 2. Covering the Enterprise 3. Applying a Single,
3. Policies & Procedures (3 CA T P) Integrated Framework
Needs End-to-End
Components COBIT 5 provides an
1. Obtain relevant quality info. IT governance must be
(4 PCCML) 1. Value Creation (Stakeholder Needs): i) Realization overall framework for
Information & integrated with enterprise
2. Internally communicates info. communication of benefits ii) Optimization (not minimization) of risk enterprise IT. Its principles
1) Purpose governance. it cannot be
(3 O I E) iii) Optimal use of resources can be applied regardless
3. Communicate with External viewed as a function
parties Commitment distinct from other of the particular hardware
2. Stakeholder drivers: Influence of Internal &
activities. IT must be and software in use.
External factors
3) Capability considered enterprise-
1. Separate and/or Ongoing evaluations 3. Enterprise goals: A response to stakeholder needs wide and end-to-end
4) Monitoring
Monitoring and Learning
2. Communicate control Deficiencies (2 SO D) 4. IT-related goals: To address the enterprise goals
5. Enablers: Anything that helps to achieve objectives

Summary of CIA Part 1 - Gleim 8 samehacc1@gmail.com

 Uses:
* Are graphical representations of the step-by-step progression
of information. The system depicted may be manual,
Procedures are methods employed to carry out
computerized, or both of them Definition activities in conformity with prescribed policies
* Is used during the preliminary survey to gain an
understanding of the client’s processes and controls. (H)
Procedures Same principles applicable to policies also are
applicable to procedures. In addition Procedures should:
Horizontal Flowcharts (system flowcharts): depict areas of 1) Be coordinated so that one employee’s work is
Principles automatically checked by another.
responsibility (departments or functions) arranged horizontally. So,
activities, controls, and document flows are shown in the same column. 2) Not be so detailed as to stifle the use of judgment.
3) Be as simple and as inexpensive as possible
(A) FLOWCHARTS 4) Not be overlapping, conflicting, or duplicative
5) Be periodically reviewed and improved as necessary
Vertical Flowcharts (program flowcharts): present successive steps in a
top-to-bottom format. Their principal use is in the depiction of the specific
actions carried out by a computer program.

A policy is any stated principle that requires, guides, or

Data Flow Diagrams: show how data flow to, from, and within an Definition restricts action
information system and the processes that manipulate the data. This can
be used to depict at lower-level details & higher-level processes.
SU 6 : CONTROLS:
(G) Policies
Process Mapping a simple form of flowcharting used to depict a client
APPLICATION 1. Stated in writing in systematically organiz ed handbooks,
process. manuals, or other publications and should be properly approved
Principles 2. Systematically communicated to all officials and appropriate
employees
3. Conformed with applicable laws and regulations
4. Designed to promote the conduct of authorized activities in an
Should reduce the risk of errors and prevent an individual (B) Internal effective, efficient, and economical manner
from perpetrating and concealing fraud 5. Periodically reviewed when circumstances change
Controls

Any transaction should be performed by separate
individuals through 3 functions:
(a) Authorization, (b) Recordkeeping, (c) Custody
(F) Sawyer’s The employment of all the means devised in an enterprise to promote, direct,
(C) Segregation of Definition of restrain, govern, and check upon its various activit ies for the purpose of seeing
that enterprise objectives are met. These means of control include, but are not
Duties Control
limited to, form of organization, policies, systems, procedures, instructions,
standards, committees, charts of accounts, forecasts, budgets, schedules, reports,
records, checklists, methods, devices, and internal audit ing.

1) Sales and recognition of receiv ables

2) Collections from receivables

(E) Imposed Control
3) Purchases and recognition of payables (D) Accounting and Self-Control
Cycles
4) Payment (disbursement)h to trade payables

5) Payment of salaries for employees Imposed control is the traditional, mechanical approach. It Self-control evaluates the entire process of management and
measures performance against standards and then takes the functions performed. Thus, it attempts to improve that
corrective action through the individual responsible for the process instead of simply correcting the specific performance of
function or area being evaluated the manager. Management by objectives is an example.

Summary of CIA Part 1 - Gleim 9 samehacc1@gmail.com

 Internal auditors, lawyers,
(1) Policies & procedures and other specialists
1. Internal auditor has already gathered facts and is seeking confirmation 2. Investigators
4. Interrogation of (2) Preserving evidence 3. Controls over
2. Internal auditor should NOT accuse the employee of committing a crime Employees, differs from investigation
interview with (3) Responding to the results Uses accounting and auditing
3. Most evidence should be obtained before Interrogation to obtain a confession
(4) Reporting knowledge and skills in
4. All evidence should subject to chain -of-custody procedures matters having civil or criminal
(5) Communications legal implications.
1. Forensic
Fraud: any illegal act characterized by deceit, concealment, or auditing
violation of trust. These acts are not dependent upon the threat of Procedures: Interviewing,
violence or physical force. Frauds are perpetrated by parties and (K) Fraud investigating, and testing.
organizations to obtain money, property, or services; to avoid payment INVESTIGATION
or loss of services; or to secure personal or business advantage 5. Fraud
Reporting Control is the principal means of managing fraud
Fraud risk: The possibility that fraud will occur and the and ensuring the components of the fraud
potential effects to the organization when it occurs. management program are present and functioning
(A) Definitions CAE is responsible for fraud reporting (oral
or written, interim, or final communications) COSO’s Fraud Risk Management is similar
Pressure or incentive: The need a person to COSO Internal Control Framework
tries to satisfy by committing the fraud Conclusion of the investigation includes:
(e.g., financial difficulties) (a) tim e frames, (b) observations, Preventing fraud: By setting the correct tone at
(c) conclusions, (d) resolution, and (J) Fraud the top and instilling a strong ethical culture.
Opportunity: The ability to commit the fraud (B) (e) corrective action to improve controls. Control
(Lack of controls / segregation of duties) Characteristics Detecting fraud: By employee feedback (whistle-blower
A draft of the proposed final communication hotline, exit interviews & employee surveys)
Rationalization: The ability to justify the fraud should be submitted to legal counsel
1) Company ethics policy
Monetary losses
2) Fraud awareness
Time
(C) Effects SU 7 : FRAUD RISKS AND 3) Fraud risk assessment
Productivity (I) Components Fraud
Reputation
CONTROLS Management Program 4) Ongoing reviews
Customer Relationships 5) Prevention and detection
(D) Types 6) Investigation
1. Asset misappropriation 8. Corruption
(G) Indicators (H) Types of
2. Skimming 9. Bribery of Fraud Fraudulent
3. Payment fraud a. Lapping Processes
10. Conflict of interest
1) Lack of employee rotation in sensit ive positions Receivables
4. Expense reimbursement 11. Diversion
fraud 2) Inappropriate combination of job duties
12. Wrongful use
5. Payroll fraud 3) Unclear lines of responsibility and accountability
13. Related-party fraud
6. Financial statement Meaning: A person (or persons)
14. Tax evasion 4) Unrealistic sales or production goals with access to customer payments
misrepresentation
5) Employee refuses to take vacations or refuses promotion and accounts receivable records
7. Information misrepresentation steals a customer’s payment. The
(E)Low-Level vs. 6) Establis hed controls not applied consistently shortage in that customer’s
Executive Frauds account then is covered by a
7) High reported profits when competitors are
Low-Level: intended to benefit individuals & consists of suffering from an economic downturn subsequent payment from another
theft of property or embezzlement of cash customer. b. Check Kiting
8) High turnover among supervisory positions in
Executive level: intended to benefit the organization & finance and accounting areas
consists of materially misstating financial statements Discover it when (a) a customer
9) Excessive or unjustifiable use of sole-source procurement complains about his or her Kiting exploits the delay
payment not being posted, (b) an between (a) depositing a check
a. Document symptom 10) Increase in sales far out of proportion to the
absence by the perpetrator allows (insufficient funds check) in one
(F) Symptoms increase in cost of goods sold
another employee to discover the bank account and (b) clearing
b. Lifestyle symptom of Fraud
11) Material contract requirements in the actual fraud, or (c) the perpetrator covers the check through the bank on
c. Behavioral symptom contract differ from those in the request for bids the amount stolen. which it was drawn

Summary of CIA Part 1 - Gleim 10 samehacc1@gmail.com