By opening and using The IIA’s CIA® Challenge Exam Study Guide
student materials (the “Materials”), the user (“User”) hereby agrees
as follows:
(ii) Provided that the required fee for use of the Materials by
User has been paid to The IIA or its agent, User has the right, by
this License, to use the Materials solely for his/her own educational
use.
Every effort has been made to ensure that all information is current
and correct. However, laws and regulations change, and these
materials are not intended to offer legal or professional services or
advice. This material is consistent with the revised Standards of the
International Professional Practices Framework (IPPF) introduced in
July 2015, effective in 2017.
Copyright
These materials are copyrighted; it is unlawful to copy all or any
portion. Sharing your materials with someone else will limit the
program’s usefulness. The IIA invests significant resources to create
quality professional opportunities for its members. Please do not
violate the copyright.
Acknowledgments
The IIA would like to thank the following dedicated subject matter
experts who shared their time, experience, and insights during
development and subsequent updates.
Subject matter experts
Farah George Araj, CPA, CIA, CFE, QIAL, Australia
Jayson Walter Kwasnik, CIA, CPA, CA, Canada
Scott Blankenship, CIA, CRMA, CPA, CFE, United States
Jessica Minshew, CIA, United States
Melissa Clawson, CIA, CRMA, United States
Joanne F. Prakapas, CIA, CRMA, CFE, CPA, CFF, United States
Christy Decker-Weber, CIA, CRMA, CPA, CFE, CHIAP
James M. Reinhard, CIA, United States
Elizabeth Sandwith, CFIIA, United Kingdom
Core Principles
Exhibit 1-3: Core Principles for the Professional Practice of Internal
Auditing
The Principles set out the basic elements that describe internal audit
effectiveness with respect to the aspirations expressed in the Mission
of Internal Audit. They serve as fundamental propositions that form
the basis for the Code of Ethics and the Standards. The placement of
the Core Principles within the IPPF is shown in Exhibit 1-3.
According to The IIA
Core Principles for the Professional Practice of Internal
Auditing
Demonstrates integrity.
Demonstrates competence and due professional care.
Is objective and free from undue influence (independent).
Aligns with the strategies, objectives, and risks of the
organization.
Is appropriately positioned and adequately resourced.
Demonstrates quality and continuous improvement.
Communicates effectively.
Provides risk-based assurance.
Is insightful, proactive, and future-focused.
Promotes organizational improvement.
Each Principle may apply to the individual auditor, the audit activity, or
both. Though internal audit activities may demonstrate achievement of
principles in various ways, each of the Principles must be present and
successfully operating for the audit activity to be considered effective.
Failure to achieve any one of the Principles suggests that the activity
is not as effective as it could be.
The Standards
Exhibit 1-5: Standards
Before writing or revising the internal audit charter, the CAE typically
reviews the IPPF to refresh his or her understanding of the Mission of
Internal Audit and the elements that must be included in the charter,
which are governed by Standard 1010.
Key Point
Once the charter is adopted, it is important for the CAE to monitor
the IIA’s Mandatory Guidance and discuss any changes that may be
warranted during the next charter review with senior management
and the board.
The “Authority” section specifies the internal audit activity’s full access
to the records, physical property, and personnel required to perform
engagements. In the Model Charter, this section also covers the
organization and reporting structure, as seen in Exhibit 1-8. Some
charters may use a separate section for the organization and
reporting structure, which may also delve into specific functional
responsibilities.
Exhibit 1-8: Authority
Assurance Services
Assurance services involve the internal auditor’s objective
assessment of evidence to provide an independent opinion or
conclusion regarding an entity, operation, function, process, system,
or other subject matter. Three parties are generally involved in
assurance services:
The person or group directly involved with the entity, operation,
function, process, system, or other subject matter—the client
The person or group making the assessment—the internal auditor
The person or group using the assessment—the user or
stakeholder
Consulting Services
Consulting services are advisory in nature and are generally
performed at the specific request of an engagement client. They
generally involve two parties:
The person or group offering the advice—the internal auditor
The person or group seeking and receiving the advice—the
engagement client
Blended Engagements
Assurance and consulting services are not mutually exclusive, so an
audit activity can have both assurance and consulting components. A
blended engagement may consolidate elements of assurance and
consulting activities. A blended engagement may take the form of a
due diligence engagement to provide assurance and consulting
services in support of management's evaluation of an acquisition
candidate, for example. In other instances, individual components of
an engagement may be specified as assurance or consulting. This
blending of the two types of services can add value and create
efficiencies.
However, if assurance and consulting services are blended, it must be
ensured that there are no conflicts of independence, objectivity, or
otherwise with regard to roles and responsibilities.
Key Point
It is especially important for the CAE to uphold the Code of Ethics,
thereby setting the tone for the value of ethics among the team.
We will now focus on each of the four main principles in the Code of
Ethics, starting with integrity.
Integrity
The Code of Ethics describes integrity as follows:
As the leader of the internal audit activity, the CAE should cultivate a
culture of integrity by acting with integrity and adhering to the Code of
Ethics. In order to assist in cultivating that culture, the CAE may:
Require internal auditors to agree in writing to follow the IIA’s Code
of Ethics and any additional ethics-related policies.
Emphasize the importance of integrity by providing training that
demonstrates integrity and other ethical principles.
Objectivity
The Code of Ethics describes objectivity as follows:
The CAE may create relevant policies and procedures, for example,
regarding gifts or requiring internal auditors to complete a form
disclosing potential conflicts of interest and impairments to objectivity.
Confidentiality
The Code of Ethics describes confidentiality as follows:
The CAE should also develop policies and procedures that include
regularly reviewing individual performance and should encourage
educational and training opportunities when possible.
This section covers the crucial requirements for the internal audit
activity to be independent and individual internal auditors to be
objective. Lacking either of these crucial traits can render the results
of engagements and the recommendations of internal audit unreliable
and inaccurate, to the detriment of the organization.
Organizational Independence
The assigned roles and responsibilities for internal audit vary from
organization to organization based on factors such as:
Organizational size.
Type of operations.
Capital structure.
Legal and regulatory environment.
Generally, the CAE, the board, and senior management discuss and
agree upon internal audit's responsibility, authority, and expectations
as well as the necessary organizational placement of internal audit
and CAE reporting relationships to enable internal audit to fulfill its
duties. The internal audit charter will reflect the decisions reached
during those discussions.
CAEs without direct access to the board can share Standard 1111
(as well as Standards 1100 and 1110), recommended governance
practices, and board/audit committee best practice studies to pursue
a stronger relationship and direct access. CAEs in this situation may
consider written communications to the board until a direct line of
communication is available.
Objectivity
Objectivity is defined in the IPPF glossary as:
It is the responsibility of the CAE to ensure that internal audit staff are
not placed in situations where they feel unable to make objective
professional judgments. The CAE should monitor potential conflicts of
interest and bias within the internal audit activity and make
assignments accordingly to avoid problems.
The CAE may use an internal audit policy manual or handbook that
describes expectations and requirements for an unbiased mindset. To
reinforce the importance of those policies, some CAEs will hold
routine workshops or training on fundamental concepts.
In situations where the CAE has roles outside of internal audit, the
board and/or senior management will implement safeguards to limit
the impairment. Examples include:
Periodically evaluating CAE responsibilities.
Developing alternate processes to obtain assurance related to the
additional areas of responsibility.
Being aware of the potential objectivity impairment when
considering internal audit risk assessments.
Impairments to Independence
According to The IIA
Attribute Standard 1130, “Impairment to Independence or
Objectivity”
If independence or objectivity is impaired in fact or appearance,
the details of the impairment must be disclosed to appropriate
parties. The nature of the disclosure will depend on the
impairment.
Major economic interest. This threat may arise when the auditor
has a major, direct economic stake in the performance of the client
or fears that significant negative findings could jeopardize the
entity’s future and hence the auditor’s own interest as an
employee. It may also arise due to performance incentives related
to the area under review or when the audit concerns the work or
department of an individual who may subsequently make decisions
that directly affect the auditor’s employment or salary.
Cultural, racial, and gender biases. This threat may occur when
auditors are biased against another culture, race, or gender.
Changes that may affect the industry or the internal audit profession
may be learned about via continuing professional development. The
CAE may help ensure the internal audit activity’s overall proficiency in
this regard.
Demonstrating Proficiency
According to The IIA
Attribute Standard 1210, “Proficiency”
Internal auditors must possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities.
The internal audit activity collectively must possess or obtain the
knowledge, skills, and other competencies needed to perform its
responsibilities.
To build and maintain the proficiency of the internal audit activity, the
CAE may develop a competency assessment tool or skills
assessment based on the Competency Framework or another
benchmark. When using a competency tool to identify proficiency
gaps in the internal audit activity, the CAE should consider risks
related to fraud and IT as well as technology-based audit techniques,
as required by Standards 1210.A2 and 1210.A3.
According to The IIA
Implementation Standard 1210.A2 (Assurance Engagements)
Internal auditors must have sufficient knowledge to evaluate the
risk of fraud and the manner in which it is managed by the
organization, but are not expected to have the expertise of a
person whose primary responsibility is detecting and investigating
fraud.
Once the CAE has identified gaps in the internal audit activity’s
collective proficiency, he or she may also use the Competency
Framework to develop plans for filling coverage gaps through hiring,
training, outsourcing, and other methods, as described by Standard
1210.A1.
According to The IIA
Implementation Standard 1210.A1 (Assurance Engagements)
The chief audit executive must obtain competent advice and
assistance if the internal auditors lack the knowledge, skills, or
other competencies needed to perform all or part of the
engagement.
Personal (soft) skills can affect how the recommendations that arise
from the applications of technical skills impact the recipients of
assurance and advisory services. Some examples of soft skills that
may be useful to the internal audit activity are:
Written communication.
Oral communication.
Analytical skills.
Critical thinking.
Persuasion and collaboration.
Key Point
Internal auditors are not expected to be infallible and are not
expected to give absolute assurance that noncompliance or
irregularities do not exist.
Implementation Standard 1220.A1, shown elsewhere, and
Implementation Standards 1220.A2, 1220.A3, and 1220.C1, shown
below, describe some of the elements that internal auditors must
consider in exercising due professional care.
Quality
What is quality?
Quality is the degree to which a product, service, or process meets
the customer’s expectations—the degree to which it is fit for
purpose.
Rather than being an absolute, quality is relative.
Quality does not just happen. It is the combination of the right
people, the right systems, and a commitment to excellence.
Quality is driven by the leaders of the organization, but it is
implemented by everyone at the organization.
A formal, structured approach is required to ensure quality.
Quality in internal audit is an obligation to meet customer
expectations and to meet professional responsibilities by
conforming to the IIA’s Standards and Code of Ethics.
Internal audit quality includes operating with proficiency and due
professional care, undertaking continuing professional
development, and conforming to a set of recognized standards.
A QAIP ensures that quality is built in to, rather than on to, internal
audit operations. After all, “demonstrates quality and continuous
improvement” is one of the Core Principles for the Professional
Practice of Internal Auditing.
QAIP
A QAIP is an ongoing and periodic assessment of all assurance and
consulting work performed by the internal audit activity. These
ongoing and periodic assessments are composed of:
Rigorous, comprehensive processes.
Continuous supervision and testing of internal audit assurance and
consulting work.
Periodic evaluations of conformance to the IPPF.
Ongoing measurements and analyses, assessments, and
implementation of improvements.
QAIP evaluation areas can be at the internal audit activity level and
the internal audit engagement level. The following things need to be
evaluated (some of which are at the internal audit activity level only):
Conformance to the IPPF
Adequacy of the internal audit activity’s charter, goals, objectives,
policies, and procedures
Completeness of coverage of the entire audit universe
Internal audit activity’s contribution to the organization’s
governance, risk management, and control (GRC) processes
Internal audit activity compliance with applicable laws, regulations,
and government or industry standards
Internal audit operational risks
Effectiveness of continuous improvement activities and adoption of
best practices
Whether the internal audit activity adds value, improves the
organization’s operations, and contributes to the attainment of
objectives
While CAEs may develop whatever framework works for their internal
audit activity, this framework builds quality into the activity by explicitly
addressing internal audit governance, professional practice, and
communication programs. Exhibit 1-17 expands upon these
programs.
Ongoing Monitoring
According to Standard 1311’s interpretation, ongoing monitoring is
an integral part of the day-to-day supervision, review, and
measurement of the internal audit activity. Ongoing monitoring is part
of routine policies, practices, processes, tools, and information
necessary for evaluating conformance to the IPPF. The focus of
ongoing monitoring is at the engagement level. It is achieved through
continuous activities conducted on an engagement-by-engagement
basis, including engagement supervision, standardized work
practices, workpaper procedures and sign-offs, report reviews,
assessments of areas of weakness, and any related action plans
developed to address those weaknesses.
Source: Quality Assessment Manual for the Internal Audit Activity. © 2017, IIA Foundation.
Consistent processes are needed for gathering, summarizing, and
analyzing measurement data. Responsibility for measuring and
validating data should be established as for any other audit
engagement. A continuous improvement framework for ongoing
monitoring like the one in Exhibit 1-18 helps the internal audit activity
get to this desired level of consistency and quality.
Periodic Self-Assessments
Periodic self-assessments as part of a QAIP are conducted to
evaluate conformance to the IPPF, according to the interpretation of
Standard 1311. These self-assessments are also the basis for
self-assessments with independent validation (SAIVs), as is discussed
later. The scope of a periodic self-assessment includes evaluating
the:
Quality and supervision of work performed.
Adequacy and appropriateness of internal audit policies and
procedures.
Ways in which the internal audit activity adds value.
Achievement of KPIs.
Degree to which stakeholder expectations are met.
Frequency may need to account for the size and maturity of the
internal audit activity, with smaller or less mature activities leaning
toward the minimum frequency of once every five years. The CAE
may discuss increasing the frequency given:
Changes in CAE or management leadership.
Significant changes in internal audit policies or procedures.
Mergers of two or more internal audit activities into a single unit.
Significant staff turnover.
Industry-specific or environmental issues.
While the team overall needs to have a full set of competencies, there
is no need to require each individual to have all required skills. For
example, only the team leader may need to be an experienced and
professional project team leader. Also, if team size permits,
specialists in risk management can provide assistance.
Here are some examples of KPIs for measuring internal audit activity
effectiveness and efficiency:
Level of contribution to the improvement of governance, risk
management, and control processes
Achievement of key goals and objectives
Evaluation of progress against audit activity plan
Improvement in staff productivity
Increase in efficiency of the audit process
Increase in number of action plans for process improvements
Adequacy of engagement planning and supervision
Effectiveness in meeting stakeholders’ needs
Results of quality assurance assessments and internal audit
activity’s quality improvement programs
Effectiveness in conducting the audit
Clarity of communications with the audit client (i.e., the “auditee”)
and the board
Source: Adapted from A Balanced Scorecard Framework for Internal Auditing Departments by
Mark L. Frigo.
Note that the CAE is responsible for communicating the results of the
entire QAIP program. Demonstrating conformance with Standard
1320 can take the form of relevant board meeting and senior
management meeting minutes.
Conclusions of Assessors
Internal and external QAIP assessment reports include an evaluation
of the internal audit activity’s overall degree of conformance with the
Standards and the Code of Ethics, but such reports can also include
an assessment for each standard or standard series.
Assessment Scales
As the interpretation of Standard 1320 states, the results include the
assessor’s or assessment team’s evaluation with respect to the
degree of conformance. While a QAIP report should include a rating
scale to assess the degree of conformance to the Standards, there is
no requirement to use a particular scale or model. Exhibit 1-25
compares two assessment scales from The IIA, the left one from the
Quality Assessment Manual for the Internal Audit Activity and the
right one from “The Path to Quality—Maturity Model for Implementing
a QA&IP.”
Does not conform. The internal audit activity is not aware of, or is
not making good-faith efforts to conform with, or is failing to
achieve the objectives of the Standards and/or the Code of Ethics.
Deficiencies in practice are judged to be so significant that they
seriously impair or preclude the activity from performing adequately
in all or in significant areas of its responsibilities.
The internal audit activity conforms with the Code of Ethics and
the Standards when it achieves the outcomes described therein.
Proper use applies to written or verbal communications.
The CAE uses the conformance statement only if he or she
understands the QAIP requirements and is familiar with the QAIP
results.
The CAE understands and periodically discusses the board's
expectations regarding use of the conformance statement.
Internal audit activities in existence for at least five years will also
have the results of external assessments.
If the internal audit activity has been in existence for less than
five years, use the conformance statement only if a periodic self-
assessment supports this conclusion.
Do not use the conformance statement if the internal audit
activity has been in existence for at least five years but has not
completed an external assessment.
Do not use the conformance statement if more than five years
have passed since the last external assessment.
The CAE can continue to use the conformance statement until the
next external assessment occurs. However, proper use of a
conformance statement requires stopping use if the current internal
assessment or the most recent external assessment does not
indicate general conformance with the Standards and the Code of
Ethics. The internal audit activity cannot resume using the
conformance statement until it has remediated the areas of
nonconformance and has conducted an external assessment that
does show conformance.
Key Point
Note that the Standards are principles-based. Standards 1321 and
1322 address overall, systemic conformance or nonconformance. In
assessing conformance with the Standards, there may be situations
where the internal audit activity achieves only partial conformance
with one or more standards. In such cases, the activity should
consider the overall conformance conclusion when determining its
ability to use the conformance statement.
Disclosure of Nonconformance
Source: Anderson et al., Internal Auditing: Assurance and Advisory Services, 4th edition.
Stakeholder Responsibilities for GRC
While the ultimate responsibility for governance is with the board,
senior management and other stakeholders also play important roles.
The board:
Takes the lead role in governance, including providing strategic
direction and guidance toward setting business objectives.
Provides governance oversight.
Establishes a governance committee.
Articulates requirements for reporting to the board.
Periodically reevaluates governance expectations.
Sets the risk appetite and risk tolerance levels.
Interacts directly with internal and external assurance providers.
The IIA’s Three Lines Model helps clarify the internal audit activity’s
role in GRC.
The IIA’s position paper “The IIA’s Three Lines Model: An Update of
the Three Lines of Defense,” helps clarify GRC roles and
responsibilities. Exhibit 1-28 shows the model.
Exhibit 1-28: Three Lines Model
Source: IIA Position Paper, “The IIA's Three Lines Model: An Update of the Three Lines of
Defense,” © 2020, The IIA.
Key Point
Note that the word “defense” was dropped from the Three Lines
Model to highlight that organizations don’t exist to manage risk; they
exist to achieve their objectives. Risk management therefore needs
to both be proactive in helping achieve those objectives and serve
as a defense.
4. Third line roles. The internal audit activity is the third line role
because it is a systematic, disciplined, competent, independent,
and objective assurance and advice role for GRC. It remains
primarily accountable to the board and reports to it on GRC,
achievement of objectives, continuous improvement, and
disclosures of impairments.
Governance
According to The IIA
Performance Standard 2110, “Governance”
The internal audit activity must assess and make appropriate
recommendations to improve the organization’s governance
processes for:
Making strategic and operational decisions.
Overseeing risk management and control.
Promoting appropriate ethics and values within the
organization.
Ensuring effective organizational performance management
and accountability.
Communicating risk and control information to appropriate
areas of the organization.
Coordinating the activities of, and communicating information
among, the board, external and internal auditors, other
assurance providers, and management.
The CAE may interview key governance roles and review board and
committee charters, meeting agendas, and minutes to:
Gain insight into the role the board plays in the organization’s
governance, especially regarding strategic and operational decision
making.
Understand organization-specific processes and assurance
activities currently in place.
Learn about the board’s and senior management’s understanding
and expectations of governance, the requirements of Standard
2110, the nature of governance processes, and the internal audit
activity’s role in governance.
Source: Adapted from Anderson and Dahle, Applying the International Professional Practices
Framework (IPPF), 4th edition.
Given a clear understanding of how the organization approaches
governance, the CAE can contemplate whether the current internal
audit plan addresses governance processes and their associated
risks, including whether the integration requirements of the
governance, risk management, and compliance functions are
adequate. This may lead to opportunities for the internal audit activity
to improve its plans and approaches for conformance with Standard
2110.
King Report
The King Report on Corporate Governance is the output of South
Africa’s King Committee on Corporate Governance. The latest
version is King IV (2016). The report is principles- and outcomes-based,
focusing on transparency and disclosures that require entities
to explain how the principles are applied.
The King Report addresses the role and function of internal auditing
as well as specific reporting requirements, for example, the need for
audit committees to approve all appointments and dismissals of the
CAE.
IT Governance
According to The IIA
Implementation Standard 2110.A2 (Assurance Engagements)
The internal audit activity must assess whether the information
technology governance of the organization supports the
organization’s strategies and objectives.
Key Point
Because IT is now embedded everywhere throughout most
organizations, it is important to understand that it will be part of
most areas being audited. All three parts of the IIA CIA exam could
have questions that take an IT perspective. IT-related questions in
Parts 1 and 2 of the exam will likely be conceptual rather than
testing on specific IT details.
IT Governance Framework
The IIA’s Global Technology Audit Guide (GTAG) 17, “Auditing IT
Governance” provides a general IT governance framework that
focuses on the areas shown in Exhibit 1-30.
Exhibit 1-30 columns: Framework Area; Description
A potential service the internal audit activity could offer in this area
would be to provide education on risk and control topics, especially if
targeting identified deficiencies.
Control Environment
The IPPF glossary defines the control environment as follows.
Key Point
The key point about this cube is that a system of internal controls
requires a number of interconnected elements to function
effectively.
Note that this is just one of several internal control frameworks, and
the internal audit activity needs to fully understand and support
whichever framework the organization has chosen to adopt.
Given this context, let’s explore each of the elements of the control
environment listed in the control environment definition.
A written code of ethics will likely include principles that the majority
of boards or organizational managers would agree are considered
desirable in conducting business. The board and senior management
will come to consensus on the set of principles that are considered
acceptable behavior at the organization. Note that due to the need for
consensus, corporate ethics will likely not match the personal ethics
of all persons. Components of a written code of ethics may include
principles related to honesty, integrity, transparency, fair dealing,
clear delegation, positive personnel practices, and so on.
Organizational Structure
The principle in COSO’s Internal Control—Integrated Framework
related to organizational structure and its point of focus are as
follows:
Management establishes, with board oversight, structures,
reporting lines, and appropriate authorities and responsibilities in
the pursuit of objectives.
Considers all structures of the entity.
Operates Independently
Examples of how the board operates independently include setting
expectations for and evaluating the conduct of the CEO in regard to
ethical values, integrity, and performance.
Competence of Personnel
The Internal Control—Integrated Framework principle related to
competence of personnel and its points of focus are as follows:
The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.
Enforces accountability through structures, authorities, and
responsibilities.
Establishes performance measures, incentives, and rewards.
Evaluates performance measures, incentives, and rewards for
ongoing relevance.
Considers excessive pressures.
Evaluates performance and rewards or disciplines individuals.
Enforces Accountabilities Through Structures, Authorities, and
Responsibilities
The board and management hold persons accountable for
accomplishing objectives and fulfilling internal control responsibilities
by exercising their authority as authorized by the organizational
structure, reporting lines, and defined responsibilities. An escalation
process to higher levels of authority exists to ensure that enforcement
occurs and is consistently applied.
Key Point
If the effectiveness of the control environment is not considered in
an audit engagement, there is a risk that the assessment of the
adequacy of controls will be incomplete or misleading.
Assessments of Culture
An organization’s management and board are responsible for risk
management related to culture and conduct. The internal audit activity
can aid management and the board with this task by providing
targeted assessments of culture. Assessments can review:
Root causes for both those areas with culture deficiencies and
those deemed to be operating with best practices (to benchmark
culture impact).
Roles and responsibilities of the governance structure.
Programs for communicating values, strategies, and objectives.
Code of conduct, ethics, and sexual harassment training program
effectiveness.
Incentives, hiring programs, disciplinary actions, escalation
protocols, or treatment of whistleblowers.
Existing information sources for culture insights, such as employee
survey data.
Audit programs can also be developed to test for each specific value
in the written code of conduct. For example, an audit program to
assess “We value and respect all individuals” may focus primarily on
HR policies and procedures and observations of related behavior. If
there is a second-line-of-defense compliance function for a particular
value (e.g., health and safety), the internal audit activity will still need
to evaluate the effectiveness of those programs.
Risk Concepts
The IPPF glossary defines risk as follows:
Note that an organization may adopt its own risk terminology, and it is
the internal auditor’s responsibility to learn such organization-specific
terms and their definitions.
Risk Appetite
The IPPF glossary defines risk appetite as “the level of risk that the
organization is willing to accept.” Some related terms defined by
Anderson et al. in Internal Auditing follow:
Source: Adapted from “Enterprise Risk Management: What’s New? What’s Next” seminar,
The Institute of Internal Auditors.
Key Point
ERM is likely to be effective in creating value when the
organization’s ERM capabilities are aligned with each other and are
fully integrated into operations. Managers should not just manage
their own risks within their own organizational “silos.” Integration is a
sign of ERM maturity that helps prioritize tradeoffs and improves
timeliness.
The organization’s mission, vision, and values need to drive the
strategy, business objectives, and performance objectives to result in
value. Enterprise risk management:
Validates that the strategy and objectives align with the mission,
vision, and values.
Projects the results and implications of the chosen strategy.
Enumerates and evaluates the risks to the strategy and
performance.
Key Point
Management owns ERM, not internal auditing, but the internal audit
activity is important in monitoring and recommending improvements
in the organization’s ERM practices.
A key need and opportunity for adding value for the internal audit
activity is to assess ERM practices and recommend improvements.
Internal auditors also may provide other services such as:
Educating the board and senior management on the importance or
methods of ERM.
Facilitating risk management training sessions.
Promoting risk language and use of the organization’s framework in
internal audit activity work.
Risk Culture
Effective risk management depends on the organization having a
culture that is open to the discussion of positive and negative risks.
For ERM to function properly, persons at all organizational levels
need to be able to raise or escalate risk issues without fear of
retaliation. This enables:
The ERM process to be transparent.
A high level of organizational risk awareness.
A culture that is not ready for ERM can undermine the hard work of
persons performing risk analysis and reporting even when policies
and procedures are in place to ensure that ERM occurs. For
example, if the results of a risk analysis are not discussed or
incorporated into decisions, then the process will be ineffective.
Source: Adapted from Anderson et al., © 2017. Internal Auditing: Assurance and Advisory
Services, 4th Edition.
Key Point
An important audit consideration is that risk analysis scales be used
consistently across the enterprise and that people using the scales
have a shared understanding of the meanings of each element.
Source: Anderson et al., Internal Auditing: Assurance and Consulting Services, 4th edition.
Each risk identified in the earlier parts of the process can be mapped
to a specific location on the heat map. (Note how each cell created in
the grid is assigned a number.) For example, if data privacy risks are
considered high in impact and probable in likelihood, privacy risks
would be placed in box 21 and be considered a critical risk. Risks in
higher-numbered boxes get more analysis in general, but all get
some form of response.
The next step in the analysis phase is to link each risk back to one or
more specific business objectives. This shows what areas of the
organization would be impacted. Risk categories, such as those shown
in Exhibit 1-35, will help with this exercise. For example, risks in the
strategic risks category will likely trace back to strategic objectives.
Performing this process could result in modifying a risk’s impact. It
also helps ensure completeness, because it could reveal more risks
that need to be mapped.
Risk Responses
For each risk analyzed, the organization determines a response that
will be cost-effective, meaning that the cost of the response is not
greater than the cost of the impact if the event were to occur.
Categories of risk responses include:
Appropriate risk responses are selected that align risks with the
organization’s risk appetite.
The CAE discusses risk appetite, risk tolerance, and risk culture
with senior management and the board and reviews related
policies and meeting minutes.
The internal audit activity provides recommendations and action
plans for improving risk responses.
The internal audit activity may independently perform gap
analyses to look for significant risks not being identified or
addressed.
The internal audit activity typically also does its own risk
assessments.
There are numerous ERM models. They generally vary in their focus
and complexity. Some are highly specialized frameworks applicable
to specific situations (e.g., IT security, insurance). Here we will look
at two major frameworks: COSO’s ERM framework and ISO 31000.
Assessments of ERM
Internal audit activity assessments of the organization’s ERM typically
occur either when the organization has no real ERM process or if the
CAE determines that management’s assessment of its ERM
effectiveness is not reliable. Otherwise, the internal audit activity can
typically rely on the organization’s own ERM assessment. ERM
assessments can provide:
Assurance on the risk management process itself (addressed
here).
Assurance on significant risks and management assertions of
control as part of a risk-based audit (addressed elsewhere).
Follow-up on risk treatment plan status or planned control
remediations (addressed here).
Adoption of more than one approach can yield the most informative
and useful results. The approach(es) selected should be tailored to
the organization’s needs.
Key Point
Regardless of the assessment approach(es) selected, always
include normal control-based assurance that determines whether:
Risks are being effectively identified and appropriately analyzed.
There is adequate and appropriate risk treatment and control.
There is effective monitoring and review by management to
detect changes in risks and controls.
Source: The IIA’s “Assessing the Risk Management Process” Practice Guide.
The organization’s desired level of ERM maturity can help set the
scope of ERM assessments and serve as evaluation criteria.
Depending on maturity, scope/criteria may include:
The organization has a process to manage the risk of
noncompliance with external laws and regulations (this is the
minimum scope) and with internal policies and procedures.
The internal audit activity does not have management responsibility
for ERM.
There is a common risk language, and consistent risk assessment
processes are used.
An ERM framework is used and adapted to the organization and
business environment.
Leading risk management practices (e.g., industry and professional
guidance) are used.
Recommendations
Recommendations resulting from ERM assessments should be
appropriate to management’s current and desired ERM maturity
levels.
Allocate Resources
According to The IIA
Performance Standard 2230, “Engagement Resource Allocation”
Internal auditors must determine appropriate and sufficient
resources to achieve engagement objectives based on an
evaluation of the nature and complexity of each engagement, time
constraints, and available resources.
The key factors to take into account regarding the role of internal
audit are whether the particular activity raises any threats to internal
audit’s independence and objectivity and whether it is likely to improve
the organization’s governance, risk management, and control
processes.
Key Point
Carefully review the “roles internal audit should not undertake” in the
graphic above. These are all things for which the board, senior
management, or other management levels should be responsible
and accountable.
Key Point
Whenever the internal audit activity consults with management to
set up or improve risk management processes, its plan of work
should include a clear strategy and time line for migrating the
responsibility for these activities to members of management.
If there is no ERM function, the internal audit activity advises on how
to set one up and consults on the best ERM methodology for the
organization. The activity’s ERM role should be discussed with senior
management and the board and codified in the internal audit charter.
Here are some potential ERM consulting areas. (Note how all of them
are carefully worded to avoid taking on any actual management
responsibility.)
Assess articulation of strategies and business objectives.
Champion ERM and introduce its concepts, frameworks, and risk
language by providing workshops or coaching that highlights ways
ERM could add value. Use specific examples that leverage the
internal audit activity’s overall knowledge of the organization.
Provide insight on the nature and effectiveness of the control
environment.
Facilitate risk appetite setting.
Brainstorm risk events.
Provide management with internal audit tools and techniques for
analyzing risks and controls.
Facilitate assessment and risk priority setting.
Advise on additional risk criteria.
Advise on choice of risk response/treatment.
Assist management with monitoring external and internal
environments, such as by providing a central point for coordinating,
monitoring, and reporting on risks.
Provide audit results that highlight risk management methodologies
to show their effectiveness.
Consulting Safeguards
Safeguards for consulting on ERM include:
Making it clear to management that they are responsible for risk
management, including by documenting the nature of internal audit
responsibilities in the internal audit charter and related policies and
procedures.
Abstaining from actually managing any of the risks on behalf of
management. Instead, the internal audit activity may challenge or
support management’s decision-making process or provide other
advice.
Recognizing any work beyond assurance activities as consulting
engagements. Implementation Standards related to consulting
engagements should be followed.
Regular review of the audit plan with the board and senior
management will give them opportunities to set new priorities and
adapt to internal and external environment changes.
Section F: Fraud Risks
This section is designed to help you:
Define fraud and the conditions that must exist for fraud to occur.
Discriminate among the major types of fraud.
Identify common types of fraud associated with the engagement
area during the engagement planning process.
Determine if fraud risks require special consideration when
conducting an engagement.
Complete a process review to improve controls to prevent fraud
and recommend changes.
Provide examples of fraud risk management controls.
Use computer data analysis, including continuous online
monitoring, to detect fraud.
Support a culture of fraud awareness, and encourage the
reporting of improprieties.
Describe the features of an effective whistleblower hotline.
Demonstrate an understanding of forensic auditing techniques.
Demonstrate an understanding of fraud interrogation/investigative
techniques.
According to The IIA
The IIA’s guidance referenced in the Challenge Exam Study
Guide may be accessed using the links below. Access to specific
pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides
Note that the specific legal definition of fraud may vary by jurisdiction.
Examples of Fraud
Fraud is perpetrated by a person knowing that it could result in some
unauthorized benefit to him or her, to the organization, or to another
person, and it can be perpetrated by persons outside or inside the
organization. Some common fraud schemes include the following:
Internal controls must pass a cost-benefit test, and so not all controls
can be designed with a literal zero tolerance for fraud.
Fraud Triangle
The fraud triangle is a set of three conditions that, if present in the
right proportions, suggest the possibility of fraud: opportunity, motive,
and rationalization. The fraud triangle is shown in Exhibit 1-48.
Exhibit 1-48: The Fraud Triangle
Although internal auditors may not be able to know the exact motive
or rationalization leading to fraud, they are expected to understand
enough about internal controls to identify opportunities for fraud.
Auditors also should understand fraud schemes and scenarios and be
aware of the signs that point to fraud and how to prevent such
schemes or scenarios. Information available from The IIA and other
professional associations or organizations should be reviewed to
ensure that the auditor’s knowledge is current.
Other red flags may signal the techniques used to commit the fraud.
These include:
Unexplained variances (e.g., abnormally high expenses versus
previous periods).
Unusual shortages in cash or inventories.
Missing or altered documents.
Invoice items inconsistent with the charge code or business
function.
Approval circumventions (e.g., splitting orders to stay below
approval thresholds).
Vendors with generic names or post office box addresses.
Manual transactions in an area characterized by automated
transactions.
Even amounts in an environment characterized by irregular
amounts.
Duplicate payments.
Using a fictitious “middle man” to divert company cash or assets.
Other methods for fraud detection include surprise audits in high fraud
risk areas, continuous monitoring of critical data, and routine and/or
ad hoc matching of data against relevant transactions, vendor lists,
employee rosters, and other data.
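The red flags and data-matching methods above can be turned into repeatable analytics run over accounts-payable data. The following Python is an added example, not code from the study guide or The IIA; the invoice records, vendor master, employee roster and the 5,000 approval threshold are all constructed for illustration.

```python
# Added example (not The IIA's code): constructed AP data plus red-flag tests.
import re
from collections import defaultdict, namedtuple
from datetime import date

Invoice = namedtuple("Invoice", "id vendor requester amount paid")
APPROVAL_LIMIT = 5000.00  # assumed single-signature approval threshold

# Constructed sample data; each red flag tested below is seeded exactly once.
INVOICES = [
    Invoice("INV-1001", "Acme Supplies", "jdoe", 4990.00, date(2024, 3, 1)),
    Invoice("INV-1002", "Acme Supplies", "jdoe", 4985.00, date(2024, 3, 2)),
    Invoice("INV-1003", "Acme Supplies", "jdoe", 4970.00, date(2024, 3, 3)),
    Invoice("INV-1004", "Northwind Tools", "asmith", 1234.56, date(2024, 3, 4)),
    Invoice("INV-1004", "Northwind Tools", "asmith", 1234.56, date(2024, 3, 11)),
    Invoice("INV-1005", "Consulting Services", "jdoe", 10000.00, date(2024, 3, 5)),
    Invoice("INV-1006", "Global Enterprises", "bchen", 875.33, date(2024, 3, 6)),
]
VENDORS = {  # vendor master file: name -> remit-to address
    "Acme Supplies": "12 Mill Rd, Springfield",
    "Northwind Tools": "88 Harbor St, Portsmouth",
    "Consulting Services": "P.O. Box 4411, Springfield",
    "Global Enterprises": "7 Elm St, Dover",
}
EMPLOYEES = {  # employee roster: user id -> home address
    "jdoe": "7 Elm St, Dover", "asmith": "3 Oak Ave, Dover", "bchen": "9 Pine Ln, Dover",
}

def duplicate_payments(invoices):
    """Same invoice id, vendor and amount paid more than once."""
    seen = defaultdict(int)
    for inv in invoices:
        seen[(inv.id, inv.vendor, inv.amount)] += 1
    return sorted(k[0] for k, n in seen.items() if n > 1)

def even_amounts(invoices):
    """Whole-hundred amounts in a population where odd cents are the norm."""
    return [inv.id for inv in invoices if inv.amount % 100 == 0]

def split_orders(invoices, limit=APPROVAL_LIMIT, window_days=7):
    """Sub-limit invoices, one requester to one vendor, inside the window, that together exceed the limit."""
    groups = defaultdict(list)
    for inv in invoices:
        if inv.amount < limit:
            groups[(inv.vendor, inv.requester)].append(inv)
    flagged = []
    for key, items in groups.items():
        items.sort(key=lambda i: i.paid)
        for first in items:
            run = [i for i in items if 0 <= (i.paid - first.paid).days <= window_days]
            if len(run) > 1 and sum(i.amount for i in run) > limit:
                flagged.append((key, tuple(i.id for i in run)))
                break  # one finding per vendor/requester pair is enough to raise
    return flagged

def po_box_vendors(vendors):
    """Vendors whose remit-to address is a post office box."""
    pat = re.compile(r"\bP\.?\s?O\.?\s*BOX\b", re.IGNORECASE)
    return sorted(v for v, addr in vendors.items() if pat.search(addr))

def vendor_employee_matches(vendors, employees):
    """Vendor address equal to an employee's address: a possible fictitious middle man."""
    by_addr = {addr.lower(): emp for emp, addr in employees.items()}
    return sorted((v, by_addr[a.lower()]) for v, a in vendors.items() if a.lower() in by_addr)
```

Each function returns only the identifiers to follow up, so the same tests can be scheduled against a live extract as part of continuous monitoring.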
Key Point
The role of the internal audit activity in investigations needs to be
defined in the internal audit charter as well as in the fraud policies
and procedures.
For example, internal audit may have the primary responsibility for
fraud investigations, may act as a resource for investigations, or may
refrain from involvement in investigations entirely. This may vary from
organization to organization, based on organizational policy or
relevant local laws.
Investigation Evidence
The collection and preparation of evidence is critical to understanding
the fraud or misconduct, and it is needed to support the conclusions
reached by the investigation team. The investigation team may use
computer forensic procedures or data analysis. All reports,
documents, and evidence obtained should be recorded
chronologically in an inventory or log. Some examples of evidence
include:
Memos and correspondence, both in hard copy and electronic form
(such as emails or information on personal computers).
Computer files, general ledger postings, etc.
IT or system access records.
Security timekeeping logs, videos, or access badge records.
Internal phone records.
Public or internal customer or vendor information, such as
contracts, invoices, and payment information.
Public records, such as business registrations or property records.
Social networking sites.
Interrogations
Generally, the accused is interrogated by two people: 1) an
experienced investigator and 2) another individual who takes notes
and functions as a witness if needed. It is essential that all
information obtained from the interrogation is recorded accurately.
Investigative activities need to be coordinated with management,
legal counsel, and other specialists such as HR and insurance risk
management as appropriate.
Resolution
Management and the board (not the internal audit activity or the
investigator) are responsible for resolving fraud incidents once a fraud
scheme and perpetrators have been fully investigated and evidence
has been reviewed.
Note that internal auditors may not conduct a full fraud risk
assessment during engagement planning. Instead of conducting their
own assessment, they may consider and discuss fraud risk with senior
management or review the organization’s fraud risk assessment, if
available.