Syllabus of this course:
I. Fundamental concepts of Internal Auditing
II. Independence, Objectivity and Ethics
III. Due Professional Care and Proficiency
IV. Quality Assurance and Improvement Program
V. Governance, Risk Management and Internal Control
VI. Fraud Risks and Culture
© Risk Governance Institute
Purpose and Definition of Internal Audit

Internal audit: we provide assurance and consulting services which are independent and objective. We improve operations and add value. We determine if governance, risk management and control are in place and functioning properly. We seek and report on opportunities for improvement or risk exposures. We support the achieving of objectives.

Key terms: Independence, Consulting, Value-adding, Governance.

Internal auditing:
▪ Is independent and objective
▪ Is an assurance and consulting activity
▪ Aims to add value and improve operations
▪ Helps accomplish objectives
▪ Uses a systematic and disciplined approach
▪ Aims to improve risk management, control, and governance processes.

Governance role of internal audit:
▪ We evaluate whether controls are effective and efficient.
▪ We identify how to improve controls.
▪ We communicate timely and relevant information (to the governing bodies).
▪ We help coordinate internal and external assurance.
IIA Standard 2110 (Governance); UK Corporate Governance Code 1992, Cadbury Committee
Mission of internal audit
From the Institute of Internal Auditors (IIA)

Core principles and their source/use in the Standards (principles 2, 4 and 5 are not shown on this slide):
Principle 1: Demonstrates integrity. Source/use: Code of Ethics.
Principle 3: Is objective and free from undue influence (independent). Source/use: Standard 1100 (Independence and Objectivity) and Code of Ethics.
Principle 6: Demonstrates quality and continuous improvement. Source/use: Standard 1220 (Due Professional Care) and Standard 1230 (Continuing Professional Development).
Principle 7: Communicates effectively. Source/use: key skill ("communicat*" is mentioned 50 times in the Standards).
Principle 8: Provides risk-based assurance. Source/use: key concept ("risk" is mentioned 73 times in the Standards).
Principle 9: Is insightful, proactive, and future-focused. Source/use: mission of internal audit (to help "add value").
Principle 10: Promotes organizational improvement. Source/use: Definition ("improve an organization's operations").
Implementation Guidance
▪ Expands on the Standards.
▪ Gives instructions for implementing the Standards.
Assurance
An objective examination of evidence for the purpose of providing an independent assessment.

Independence
The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
Reporting structure

Organizational independence exists if the Chief Audit Executive (CAE):
▪ Reports functionally to the Board (Audit Committee)
▪ Reports administratively to the CEO (or similar)

Figure: Shareholders, the Board / Audit Committee (functional reporting line to the CAE) and Management (administrative reporting line to the CAE). The three elements shown as covered by the functional line are the scope of work, the performance of work and the reporting of results.

Functional reporting
Functional reporting is in place when the Board (examples):
▪ Approves the Charter
▪ Approves the Plan
▪ Ensures the CAE has no undue scope limitations
▪ Has direct communication with the CAE
▪ Approves the appointment or removal of the CAE

Administrative reporting
Administrative reporting (to Senior Management) facilitates day-to-day operations.
Standards
1000 Purpose, Authority, and Responsibility
The Standards have been reworded for simplicity.
Code of Ethics

Integrity
Internal auditors…

Objectivity
Internal auditors…

Confidentiality
Internal auditors…
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
Definition

Figure: risk map plotting the identified risks by Impact (vertical axis, Low to High) against Likelihood (horizontal axis, Low to High). Not identifying a significant risk can be a major failure in an internal audit.
Standards
1200 Proficiency and Due Professional Care
1210 Proficiency
▪ Internal auditors must have the knowledge, skills, and competencies
needed to perform their work.
Internal Audit Charter EXAM FOCUS AREA
Standards
1200 Proficiency and Due Professional Care
1210 Proficiency
Specific skill exceptions:
▪ Fraud: internal auditors must be able to evaluate fraud, but are not expected to have specialised expertise.
▪ IT: internal auditors must know key IT risks, controls and CAATs (computer-assisted audit techniques), but are not expected to have specialised expertise.
Internal Audit Staffing
Standards
2030 Resource Management
▪ The chief audit executive must make sure that the resources of internal audit are sufficient, appropriate and used effectively to achieve the objectives of the internal audit plan.
Internal audit staffing EXAM FOCUS AREA
Standards
1300 Quality Assurance and Improvement Program (QAIP) (1 of 2)
Quality Assurance and Improvement Program EXAM FOCUS AREA
Standards
1300 Quality Assurance and Improvement Program (QAIP) (2 of 2)
▪ The form and frequency of the external QAIP and any conflicts of interest must be discussed with the Board.
▪ The results of the external QAIP must be communicated to Senior Management and the Board.
▪ Disclosing non-conformances to Senior Management and the Board is required if it impacts internal audit's scope or activity.
Quality Assurance and Improvement Program EXAM FOCUS AREA
External QAIP results
Conformance: the practices of internal audit satisfy the Standards and the Code of Ethics.
Partially conforms.
Non-conformance: the impact and severity of deficiencies in internal audit impairs the activity's ability to conduct its responsibilities.
IIA Standard 1300 (Quality Assurance and Improvement Program)
Internal Control
Definition

Figure: the COSO Pyramid. The Control Environment is the base of the pyramid; the other layers labelled on the slide are Risk Assessment and Controls.

The control environment includes:
▪ Management's philosophy and style
▪ The organisational structure
▪ Integrity, ethical values, etc.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), COSO Pyramid

Internal control EXAM FOCUS AREA
Figure: control types (mitigating, compensating, redundant), at process and transaction level, illustrated with one risk and three controls:
Risk: an unauthorised user accesses the software.
C: exception report on unauthorised access.
C1: review by supervisor.
C2: review by Chief Audit Executive.
Also labelled in the figure: audit report draft.
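The exception report on unauthorised access named as a control above, as an added Python illustration that is not part of the course material. It parses a constructed access log (the key=value line format is hypothetical), lists successful accesses by users outside a constructed authorised-user list, and hands the supervisor's review the count of lines it could not parse: a control that silently drops input it cannot read leaves a gap the reviewer needs to know about.

```python
"""Exception report on unauthorised access, with the supervisor's review.

Added illustration, not part of the course material. The log format, the
sample log and the authorised-user list are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed access log in a hypothetical "key=value" format; one line is
# deliberately malformed to show how the control reports gaps in its input.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z login user=alice app=ledger result=success
2024-03-01T08:05:43Z login user=mallory app=ledger result=success
2024-03-01T08:06:02Z login user=bob app=ledger result=failure
garbage line that does not parse
2024-03-01T09:15:00Z login user=carol app=ledger result=success
2024-03-01T09:20:31Z login user=bob app=ledger result=success
"""

# Constructed: the users management has authorised to use the application.
AUTHORISED_USERS = frozenset({"alice", "bob"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) app=(?P<app>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    app: str
    success: bool


def parse_log(text: str) -> tuple[list[AccessEvent], int]:
    """Parse log lines; return (events, number of unparseable lines).

    Unparseable lines are counted rather than dropped, so the review step
    can see how much of the population the exception report did not cover.
    """
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        events.append(AccessEvent(m["ts"], m["user"], m["app"], m["result"] == "success"))
    return events, unparsed


def exception_report(events, authorised) -> list[AccessEvent]:
    """Control C: successful accesses by users not on the authorised list.

    Failed attempts are not exceptions here; they never gave access.
    """
    return [e for e in events if e.success and e.user not in authorised]


def supervisor_review(report, unparsed: int) -> dict:
    """Control C1: what the supervisor signs off on, including the input gap."""
    return {
        "exceptions": len(report),
        "users": sorted({e.user for e in report}),
        "unparsed_lines": unparsed,
        "requires_follow_up": bool(report) or unparsed > 0,
    }


if __name__ == "__main__":
    events, unparsed = parse_log(SAMPLE_LOG)
    report = exception_report(events, AUTHORISED_USERS)
    for e in report:
        print(f"{e.ts} EXCEPTION unauthorised access by {e.user} to {e.app}")
    print(supervisor_review(report, unparsed))
```

Run as a script it prints the two exceptions (mallory and carol) and a review summary showing one unparsed line, so the supervisor sees both the exceptions and the fact that the report is incomplete.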
Benefits

Management or teams directly responsible for a business function:
▪ Participate in the assessment.
▪ Develop action plans.
▪ Assess the likelihood of achieving objectives.
▪ Evaluate risk.
Definition
Risk Management

Inherent risk: the risk from the environment before internal controls.
Control risk: the risk that controls will not detect and treat the risk.
Residual risk: the risk remaining after management takes action to reduce the risk, including internal control.
Risk responses
4 main risk responses
Capability Maturity Model Integration (CMMI), CMMI Institute
Internal Audit's Role in Risk Management
Figure: spectrum of internal audit's possible role in risk management, from "No role" to "Managing".

Standards
2120 Risk Management

Risk management EXAM FOCUS AREA
Committee of Sponsoring Organizations of the Treadway Commission (COSO), COSO Enterprise Risk Management Fan
Reliance on Internal Assurance

IA must contribute to the improvement of risk management processes(1). IA communicates to Management and the Board when it concludes that the response to risks is unacceptable(2).
(1) IIA Standard 2120 (Risk Management); (2) IIA Standard 2060 (Reporting to Senior Management and the Board)

Risk management EXAM FOCUS AREA
Part 1, Section II, Chapter C, Topic 3 (Page 1-115)
Assurance maps

Legend (items 1 and 2 are not shown on this slide):
3. Inherent risk rating (risk level before mitigation / control).
4. Residual risk rating (risk level after mitigation / control).
5. External audit coverage.

Assurance providers by line (1st, 2nd, 3rd) for each risk:
Economic profitability (e.g. lower credit spreads): 1st, 1st, 2nd, 2nd, 3rd
Systemic risks (e.g. market instability): 1st, 1st, 2nd, 3rd
Regulatory change (e.g. anti-bank populism): 1st, 1st, 2nd, 2nd, 3rd
New operational risks (e.g. misconduct): 1st, 1st, 1st, 1st, 1st, 1st, 1st, 1st, 1st, 2nd, 2nd, 3rd
New IT security risks (e.g. data protection): 1st, 2nd, 2nd, 3rd
Characteristics of fraud

Frauds are illegal acts which use:
▪ Deceit;
▪ Concealment; or
▪ Violation of trust.
Threats or use of violence or physical force are not required.

Frauds are perpetrated to:
▪ Obtain property, money or services;
▪ Avoid payment or loss of services; or
▪ Obtain a personal or business advantage.
Fraud
Internal auditors should be aware of indicators of fraud.
Factor shown: Motive.

Interviewing vs interrogating
2. Different goals:
▪ Interviews aim to uncover information.
▪ Interrogations aim to secure a confession or obtain evidence.
Fraud investigation

Objectives of a fraud investigation (numbered as on the slide; objectives 3, 4, 7 and 8 are not shown):
1. Establish facts, protect the innocent and resolve the matter.
2. Stop losses.
5. Identify and interview witnesses.
6. Identify patterns of behavior.
9. Recover assets or establish losses.
Values
Norms
Artifacts
1. Get to know the test well.
2. Space out your study time.
3. Create a study plan and schedule.
4. Read strategically.
5. Make notes.
6. Track your weaknesses or difficulties.
7. Learn to apply what you know.
8. Reflect on your real-life experience.
9. Become used to multiple choice questions.
10. Spot unlikely answers.
11. (not shown on the slide)
12. Avoid distractions and temptations.
13. Think about why passing the exam is important for you.
14. Sleep enough before exam day.
15. Get help if you need it.
16. Talk to your family to get their support.
17. Study whenever you have a bit of idle time.
18. Concentrate hard when studying.
19. Track your incorrect answers.
20. Manage your time.

1. Perform plenty of practice questions, until consistently scoring well above 75% on new questions covering all parts.
2. Quickly read through 'awareness' sections of the course. Spend a lot more time on the 'proficiency' sections.
3. Check out the IIA's glossary and make sure you understand all words.
4. Spend (a lot of) time trying to understand the IIA's Standards.
▪ The Attribute Standards (starting with '1') for CIA Part 1.
▪ The Performance Standards (starting with '2') for CIA Part 2.
5. Spend (a lot of) time trying to understand the IIA's Code of Ethics, Definition and Principles.
6. Differentiate between absolute words and permissible words: e.g. 'ensure', 'support', 'guarantee', 'must', 'should', 'could', 'will', 'help', 'always', etc.
CIA Part 1 Summary
Main topics at proficiency level