
Exam Preparation Course for the

Certified Internal Auditor (CIA) Part 1 Course

Course Materials
Syllabus of this course:
I. Fundamental concepts of Internal Auditing
II. Independence, Objectivity and Ethics
III. Due Professional Care and Proficiency
IV. Quality Assurance and Improvement Program
V. Governance, Risk Management and Internal Control
VI. Fraud Risks and Culture
© Risk Governance Institute 1
Purpose and Definition of Internal Audit


Purpose of internal audit (EXAM FOCUS AREA)

Why have internal audit?

Internal audit:
▪ We provide assurance and consulting services which are independent and objective.
▪ We improve operations and add value.
▪ We determine if governance, risk management and control are in place and functioning properly.
▪ We seek and report on opportunities for improvement or risk exposures.
▪ We support the achievement of objectives.


Definition of internal audit (1 of 2) (EXAM FOCUS AREA)

Breakdown of the definition: Independence, Objectivity, Assurance, Consulting, Value-adding.

Internal auditing:
▪ Is independent and objective
▪ Is an assurance and consulting activity
▪ Aims to add value and improve operations


Definition of internal audit (continuation: 2 of 2) (EXAM FOCUS AREA)

Breakdown of the definition: Objectives, Governance, Risk management, Control.

Internal auditing:
▪ Helps accomplish objectives
▪ Uses a systematic and disciplined approach
▪ Aims to improve risk management, control, and governance processes.


What Internal Audit Does


Nature of work (EXAM FOCUS AREA)

What internal auditors do

▪ Governance: internal auditors help assess and improve governance.
▪ Risk Management: internal auditors help in risk management.
▪ Controls: internal auditors help maintain effective controls.

Source: IIA Standard 2100 (Nature of work)


Nature of work (EXAM FOCUS AREA)

What internal auditors do: Controls

Internal auditors help maintain effective controls.
▪ We promote the continuous improvement of the control environment.
▪ We evaluate whether controls are effective and efficient.
▪ We identify how to improve controls.

Source: IIA Standard 2130 (Control)


Nature of work (EXAM FOCUS AREA)

What internal auditors do: Risk Management

Internal auditors help in risk management.
▪ We help improve risk management and internal control.
▪ We identify and evaluate significant risks.
▪ We evaluate the system for managing risks.

Source: IIA Standard 2120 (Risk management)


Nature of work (EXAM FOCUS AREA)

What internal auditors do: Governance

Internal auditors help assess and improve governance.
▪ We promote ethics and values.
▪ We communicate risk and control information (to the governing bodies).
▪ We provide assurance on how performance is managed and on accountability.
▪ We help coordinate internal and external assurance.
▪ We communicate timely and relevant information (to the governing bodies).

Sources: IIA Standard 2110 (Governance); UK Corporate Governance Code 1992, Cadbury Committee
Mission of internal audit

From the Institute of Internal Auditors (IIA)

Key words: Value-adding, Risk-based, Objectivity, Assurance, Consulting.

▪ Mission: to enhance and protect organizational value.
▪ How: by providing assurance, advice, and insight.
▪ Which are: risk-based and objective.


Core Principles


Core Principles (EXAM FOCUS AREA)

10 principles which internal audit(ors) must strive to follow (1/2)

Principle (Source/use):
1. Demonstrates integrity. (Code of Ethics)
2. Demonstrates competence and due professional care. (Standard 1200, Proficiency and Due Professional Care)
3. Is objective and free from undue influence (independent). (Standard 1100, Independence and Objectivity, and Code of Ethics)
4. Aligns with the strategies, objectives, and risks of the organization. (Mission of internal audit, to help “add value”)
5. Is appropriately positioned and adequately resourced. (Standard 1000, Purpose, Authority, and Responsibility, and IA Charter)

Source: 2017 IIA IPPF Core Principles


Core Principles (EXAM FOCUS AREA)

10 principles which internal audit(ors) must strive to follow (2/2)

Principle (Source/use):
6. Demonstrates quality and continuous improvement. (Standard 1220, Due Professional Care, and Standard 1230, Continuing Professional Development)
7. Communicates effectively. (Key skill: “communicat*” is mentioned 50 times in the Standards)
8. Provides risk-based assurance. (Key concept: “risk” is mentioned 73 times in the Standards)
9. Is insightful, proactive, and future-focused. (Mission of internal audit, to help “add value”)
10. Promotes organizational improvement. (Definition: “improve an organization’s operations”)

Source: 2017 IIA IPPF Core Principles


The Standards


The Standards (EXAM FOCUS AREA)

From the Institute of Internal Auditors

Attribute Standards:
▪ Characteristics of those performing internal audit activities.
▪ Apply to both internal audit services and auditors.

Performance Standards:
▪ Are the quality criteria used for evaluating internal audit performance.
▪ Describe the nature of internal audit work.

Implementation Guidance:
▪ Expands on the Standards.
▪ Gives instructions for implementing the Standards.


Organizational Independence


Definitions (EXAM FOCUS AREA)

Assurance: an objective examination of evidence for the purpose of providing an independent assessment.

Independence: the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Source: Institute of Internal Auditors, IPPF Glossary


Organizational independence (EXAM FOCUS AREA)

Reporting structure

Organizational independence exists if the Chief Audit Executive:
▪ Reports functionally to the Board
▪ Reports administratively to the CEO (or similar)

[Diagram: Shareholders, above the Board and its Audit Committee; functional reporting line from the Chief Audit Executive to the Board/Audit Committee; administrative reporting line from the Chief Audit Executive to Management; Internal Audit reports to the Chief Audit Executive.]


Organizational independence (EXAM FOCUS AREA)

Measures for independence

▪ The CAE has direct and unrestricted access to the Board and Senior Management.
▪ Annual reporting on organizational independence to the Board.
▪ Internal Audit must be free from interference, or must disclose this to the Board.

[Diagram: Shareholders; Board and Audit Committee; Chief Audit Executive with unrestricted access to the Board, the Audit Committee and Management, and reporting independence or interference to the Board; Internal Audit below the Chief Audit Executive.]

Source: IIA Standard 1110 (Organizational Independence)


Organizational independence (EXAM FOCUS AREA)

Measures for independence

Internal Audit must control, without interference from Management:
▪ The scope of work
▪ The performance of work
▪ The reporting of results

Source: IIA Standard 1110.A1 (Organizational Independence)


Organizational independence (EXAM FOCUS AREA)

Functional reporting

Functional reporting is in place when the Board (examples):
▪ Approves the Charter
▪ Ensures the CAE has no undue scope limitations
▪ Approves the Plan
▪ Has direct communication between the Board and the CAE
▪ Approves the appointment or removal of the CAE
▪ Approves the Budget and Resources
▪ Approves the remuneration of the CAE

Source: IIA Standard 1110 (Organizational Independence)


Organizational independence (EXAM FOCUS AREA)

Administrative reporting

Administrative reporting to Senior Management facilitates the day-to-day operations of the Chief Audit Executive and Internal Audit (examples):
▪ Budgeting and accounting
▪ Internal communication
▪ Administration of IA policies and procedures
▪ HR administration

Source: IIA Standard 1110 (Organizational Independence)


Internal Audit Charter


Internal Audit Charter (EXAM FOCUS AREA)

The Charter establishes Internal Audit’s:
▪ Independence
▪ Position, reporting lines, accountability
▪ Scope
▪ Mission
▪ CAE and internal auditor responsibilities
▪ Unfettered access rights
▪ Right to contact and other rights


Internal Audit Charter (EXAM FOCUS AREA)

Standards
1000 Purpose, Authority, and Responsibility

▪ The purpose, authority and responsibility of internal audit must be defined in a Charter (for assurance or consulting).
▪ The mandatory nature of the Core Principles, Definition of Internal Audit, Code of Ethics and Standards must be recognized in the Charter.
▪ The CAE must periodically review the Charter and present it to Senior Management and the Board for approval.

The Standards have been reworded for simplicity.
Code of Ethics


Code of Ethics (EXAM FOCUS AREA)

Integrity

Internal auditors…
1.1. Perform their work with honesty, diligence, and responsibility.
1.2. Observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4. Respect and contribute to the legitimate and ethical objectives of the organization.

Source: IIA Code of Ethics


Code of Ethics (EXAM FOCUS AREA)

Objectivity

Internal auditors…
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

Source: IIA Code of Ethics


Code of Ethics (EXAM FOCUS AREA)

Confidentiality

Internal auditors…
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

Source: IIA Code of Ethics


Code of Ethics (EXAM FOCUS AREA)

Competency

Internal auditors…
4.1. Engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Perform internal audit services in accordance with the Standards.
4.3. Continually improve their proficiency and the effectiveness and quality of their services.

Source: IIA Code of Ethics


Due Professional Care and Proficiency


Due Professional Care (EXAM FOCUS AREA)

Definition

Due Professional Care is demonstrated by showing the care and skill which would be expected of a competent and prudent internal auditor. Performing internal audits which conform with the Standards shows due professional care.


Due Professional Care (EXAM FOCUS AREA)

Coverage of significant risks

Internal auditors must make sure that they cover the significant risks that could affect objectives.

[Risk likelihood/impact graph: identified risks plotted by Impact (vertical axis, Low to High) against Likelihood (horizontal axis, Low to High).] Not identifying a significant risk can be a major failure in an internal audit.


Due Professional Care and Proficiency (EXAM FOCUS AREA)

Standards
1200 Proficiency and Due Professional Care

1210 Proficiency
▪ Internal auditors must have the knowledge, skills, and competencies needed to perform their work.
▪ Assurance: the internal audit activity must collectively have or acquire the knowledge, skills and competencies needed to perform its work.
▪ Consulting: the Chief Audit Executive must decline the proposed consulting engagement or obtain assistance if the current internal audit team does not have all the required competencies to perform the engagement.

The Standards have been reworded for simplicity.
Due Professional Care and Proficiency (EXAM FOCUS AREA)

Standards
1200 Proficiency and Due Professional Care

1210 Proficiency
Specific skill exceptions:
▪ Fraud: internal auditors must be able to evaluate fraud, but are not expected to have specialised expertise.
▪ IT: internal auditors must know key IT risks, controls and CAATs*, but are not expected to have specialised expertise.

*Computer Assisted Audit Tools (CAATs)

The Standards have been reworded in certain cases for simplicity.
Internal Audit Staffing


Internal audit staffing (EXAM FOCUS AREA)

Standards
2030 Resource Management

▪ The chief audit executive must make sure that the resources of internal audit are sufficient, appropriate and used effectively to achieve the objectives of the internal audit plan.
▪ Appropriate: refers to the mix of knowledge, skills and competencies needed to achieve the objectives of the internal audit plan.

The Standards have been reworded for simplicity.
Internal audit staffing (EXAM FOCUS AREA)

Engagement staffing options

In-house auditing:
▪ Dedicated audit team: usually full-time and from within the organisation.

Out-sourcing:
▪ Fully outsourced to an external service provider, or
▪ Outsourced to a Group internal audit function (considered as outsourced at the local level).

Subcontracting:
▪ Obtaining an external individual for an engagement, e.g. a subject matter expert.

Co-sourcing:
▪ A mix of internal staff and external outsourcing.

Secondment:
▪ Obtaining an individual from another function in the organisation.


Quality Assurance and Improvement Program


Quality Assurance and Improvement Program (EXAM FOCUS AREA)

Standards
1300 Quality Assurance and Improvement Program (QAIP) (1 of 2)

▪ The Chief Audit Executive must develop and maintain a quality assurance and improvement program.
▪ The QAIP must include both internal and external assessments.
▪ Internal assessments must include ongoing monitoring and self-assessment (or internal assessments).
▪ A qualified independent assessor external to the organisation must conduct an assessment at least every 5 years.

The Standards have been reworded for simplicity.
Quality Assurance and Improvement Program (EXAM FOCUS AREA)

Standards
1300 Quality Assurance and Improvement Program (QAIP) (2 of 2)

▪ The form and frequency of the external QAIP and any conflicts of interest must be discussed with the Board.
▪ The results of the external QAIP must be communicated to Senior Management and the Board.
▪ Disclosing non-conformances to Senior Management and the Board is required if they impact internal audit’s scope or activity.

The Standards have been reworded in certain cases for simplicity.
Quality Assurance and Improvement Program (EXAM FOCUS AREA)

Reporting the results of the QAIP

Internal Audit can use a statement of conformance with the Standards only if validated by assessments of an external QAIP (but not otherwise).

External QAIP results:
▪ Conformance: the practices of internal audit satisfy the Standards and the Code of Ethics.
▪ Partially conforms.
▪ Non-conformance: the impact and severity of deficiencies in internal audit impairs the activity’s ability to conduct its responsibilities.

Source: IIA Standard 1300 (Quality Assurance and Improvement Program)
Internal Control


Internal control (EXAM FOCUS AREA)

Definition

Internal controls are the different processes in an organization which help keep the organization on track to meeting its goals and objectives.


Internal control (EXAM FOCUS AREA)

Key goals of internal controls

Internal controls aim to:
▪ Help achieve business objectives at the lowest costs.
▪ Contain risks within the organization’s tolerance for risk.


Internal control (EXAM FOCUS AREA)

Control environment and the COSO Pyramid

Definition of control environment: the board and management’s attitude and actions on the importance of control in the organization.

Includes:
▪ Management’s philosophy and style
▪ The organisational structure
▪ Integrity, ethical values, etc.

The COSO Pyramid (from base to top): Control Environment, Risk Assessment, Control Activities, Monitoring. The control environment is the base of the COSO Pyramid.

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO), COSO Pyramid
Internal control (EXAM FOCUS AREA)

Types of controls by function (1/2)

4 main functions of controls:

▪ Directive: causes or encourages a desirable event to occur. Examples: guidelines, training, incentives.
▪ Preventive: deters undesirable events from occurring. Examples: access restrictions, approvals, maintenance.
▪ Detective: detects undesirable events that have occurred. Examples: reconciliations, exception reports.
▪ Corrective: aims to correct errors or irregularities. Examples: Business Continuity Planning, backup and recovery, audit trails.


Internal control (EXAM FOCUS AREA)

Types of controls by function (2/2)

Other functions of controls:

▪ Mitigating: reduces the impact of a risk if it occurs. Example: insurance.
▪ Compensating: compensates for the lack of an expected control. Example: exception reports instead of access restrictions.
▪ Redundant: duplicate control for extra assurance. Example: several levels of review.

[Diagram examples: Risk “unauthorised user accesses the software” with compensating control C “exception report on unauthorised access”; an audit report draft with redundant controls C1 “review by supervisor” and C2 “review by Chief Audit Executive”.]


Internal control (EXAM FOCUS AREA)

Types of controls by level

Level of controls:

▪ Entity-level: help meet organisational objectives. Mitigate high risks to the whole organization.
▪ Process-level: help meet process objectives. Mitigate medium risks to processes.
▪ Transaction-level: transaction-level controls are specific to individual transactions. Mitigate low risks (errors) in transactions.


Control Self-Assessment


Control Self-Assessment (CSA) (EXAM FOCUS AREA)

Definition and benefits

In Control Self-Assessment (CSA), managers and work teams directly involved in a function or process take part in assessing the management of risks, controls and achievement of objectives.

Benefits:
▪ Information on internal control.
▪ Improves the control environment.


Control Self-Assessment (CSA) (EXAM FOCUS AREA)

Definition, use and benefits

Management or teams directly responsible for a business function:
▪ Participate in the assessment.
▪ Evaluate risk.
▪ Assess the likelihood of achieving objectives.
▪ Develop action plans.


Internal Control Frameworks


Internal control frameworks (EXAM FOCUS AREA)

COSO’s 17 Principles of Internal Control (1 of 2)

Control Environment:
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment:
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO), COSO Internal Control – Integrated Framework
Internal control frameworks (EXAM FOCUS AREA)

COSO’s 17 Principles of Internal Control (2 of 2)

Control Activities:
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication:
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities:
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO), COSO Internal Control – Integrated Framework
Risk Management


Risk management (EXAM FOCUS AREA)

Definition

Risk management is a process which aims to identify, assess, manage and control potential events in order to provide reasonable assurance on achieving the organization’s objectives.


Risk management (EXAM FOCUS AREA)

Types of risks in the audit risk model

The calculation of residual risk:
▪ Inherent risk: the risk from the environment before internal controls.
▪ Control risk: the risk that controls will not detect and treat the risk.
▪ Residual risk: the risk remaining after management takes action to reduce the risk, including internal control.


Risk management (EXAM FOCUS AREA)

Types of risks in the audit risk model

The audit risk model:
▪ Inherent risk: the risk from the environment before internal controls.
▪ Control risk: the risk that controls will not detect and treat the risk.
▪ Detection risk: the risk that the audit will not detect the risk.
▪ Audit risk: the remaining undetected risk after an audit.


Risk management (EXAM FOCUS AREA)

Risk assessment process

▪ Objectives: understanding the objectives of the area under review will help you identify the risk events which could impact you.
▪ Risk events and inherent risk: by evaluating the likelihood and impact of the events you determine the inherent risk.
▪ Risk responses and residual risk: by assessing how the risk responses mitigate the risk, you can determine the residual risk.


Risk management (EXAM FOCUS AREA)

Risk responses

4 main risk responses:

▪ Avoidance: action is taken to exit the activities giving rise to risk. Examples: exiting a product line or selling a division.
▪ Reduction: action is taken to reduce the risk likelihood or impact or both. Examples: diversifying product offerings or reallocating funds.
▪ Sharing: action is taken to reduce the risk by transferring or sharing a portion of it. Examples: joint ventures, partnerships, insurance.
▪ Acceptance: no action is taken to affect likelihood or impact. Example: accepting risk that conforms to risk tolerances.


Risk management (EXAM FOCUS AREA)

Risk management maturity

The Capability Maturity Model Integration (CMMI) levels, from lowest to highest: Initial, Repeatable, Defined, Managed, Quantitatively managed, Optimizing.

▪ Initial: risk management is informal and ad-hoc. Extraordinary measures and emergencies are common. Root causes may not be addressed.
▪ Repeatable: informal and not documented. Relies on specific individuals.
▪ Defined: standardized risk management processes make successful risk responses common. Informal performance monitoring still relies on individuals.
▪ Managed / Quantitatively managed: consistent capabilities, formal processes, and formal use of KPIs to monitor performance on managing risks. Consistency achieved even during change. Well managed but may be rigid in the face of change.
▪ Optimizing: the ERM system is resilient and adaptable to changes in risks. Feedback is valued and incorporated.

Source: Capability Maturity Model Integration (CMMI), CMMI Institute
Internal Audit's Role in Risk Management


Risk management (EXAM FOCUS AREA)

Internal audit’s role in risk management

A continuum that ranges from no role to managing:
1. Auditing the risk management process as part of the internal audit plan, to
2. Providing insight and historical data on risk events identified by internal audit findings, to
3. Active, continuous support in the risk management process, to…
4. Supporting management in the risk management process.

Giving assurance on risks is part of the Standards, Definition, Core Principles, etc. Internal audit is not allowed to be accountable for risk management.
Risk management (EXAM FOCUS AREA)

Standards
2120 Risk Management

▪ The IA must evaluate the effectiveness of, and contribute to the improvement of, Risk Management.
▪ The IA must evaluate risk exposures relating to governance, operations and information systems.
▪ The IA must evaluate fraud risk and response.
▪ IAs must incorporate their knowledge of risks from consulting into Risk Management assurance engagements.
▪ When consulting on RM, IAs must refrain from assuming responsibility by actually managing risks.

The Standards have been reworded for simplicity.
Risk management (EXAM FOCUS AREA)

COSO’s Risk Management Fan

Defines the roles that internal audit can and cannot perform in risk management: core internal audit roles, legitimate internal audit roles with safeguards, and roles internal audit should not undertake.

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO), COSO Enterprise Risk Management Fan
Risk management (EXAM FOCUS AREA)

COSO’s Risk Management Fan

Core internal audit roles in regard to ERM:
1. Giving assurance on the risk management process
2. Giving assurance that the risks are correctly identified
3. Evaluating risk management processes
4. Evaluating the reporting of key risks
5. Reviewing the management of key risks

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO), COSO Enterprise Risk Management Fan
Risk management (EXAM FOCUS AREA)

COSO’s Risk Management Fan

Legitimate internal audit roles with safeguards:
1. Facilitating identification & evaluation of risks
2. Coaching management in responding to risks
3. Coordinating ERM activities
4. Consolidated reporting on risks
5. Maintaining & developing the ERM framework
6. Championing the establishment of ERM
7. Developing ERM strategy for board approval

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO), COSO Enterprise Risk Management Fan
Risk management (EXAM FOCUS AREA)

COSO’s Risk Management Fan

Roles internal audit should not undertake:
1. Setting the risk appetite
2. Imposing risk management processes
3. Management assurance on risks
4. Taking decisions on risk responses
5. Implementing risk responses
6. Accountability for risk management

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO), COSO Enterprise Risk Management Fan
Reliance on Internal Assurance


Risk management (EXAM FOCUS AREA)

Audit approach based on risk management maturity

Can internal audit rely on internal assurance over risks?

IA must evaluate the effectiveness of risk management processes (1). Depending on the outcome:
▪ IA cannot rely on internal assurance over risks: IA communicates to Management and the Board that the response to risks is unacceptable (2).
▪ IA can rely on internal assurance over risks: IA must still contribute to the improvement of risk management processes (1).

(1) IIA Standard 2120 (Risk Management); (2) IIA Standard 2060 (Reporting to Senior Management and the Board)
Risk management (EXAM FOCUS AREA)

Three lines of defence model

▪ 1st line of defence: functions that manage risk and are risk owners.
▪ 2nd line of defence: functions that oversee (e.g. risk management, compliance or quality assurance).
▪ 3rd line of defence: functions providing independent assurance (e.g. internal audit).

Reference: Part 1, Section II, Chapter C, Topic 3 (Page 1-115)
Risk management (EXAM FOCUS AREA)

Assurance maps

Assurance mapping is a technique that uses a visual representation of assurance activities to demonstrate how they apply to a specific risk or set of compliance requirements.

Assurance maps often include:
1. Significant risk categories.
2. The risk owner and controls in place to manage the risk.
3. Inherent risk rating (risk level before mitigation / control).
4. Residual risk rating (risk level after mitigation / control).
5. External audit coverage.
6. Internal audit coverage.

[Example assurance map: rows are risks; columns are functions grouped as Front office (CB, TR), Back office and support functions (Ops., HR, Admn, IT, Acc., Legal, Fin.), Control function (Cmpl, RM), Int. Audit, Ext. Audit and Governance (Mgt., AC, BoD); each cell marks the line of defence (1st, 2nd or 3rd) that function provides for that risk. Rows shown: Strategic risks (e.g. fintech): 1st, 1st, 2nd, 3rd; Economic profitability (e.g. lower credit spreads): 1st, 1st, 2nd, 2nd, 3rd; Systemic risks (e.g. market instability): 1st, 1st, 2nd, 3rd; Regulatory change (e.g. anti-bank populism): 1st, 1st, 2nd, 2nd, 3rd; New operational risks (e.g. misconduct): 1st across the front, back office and support functions, 2nd, 2nd, 3rd; New IT security risks (e.g. data protection): 1st, 2nd, 2nd, 3rd.]
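The assurance map above is a data structure as much as a picture. The following is an added example (not course material from the Risk Governance Institute) that encodes rows carrying the six items listed on the slide and runs the checks an internal auditor would want before relying on such a map: every cell is a valid line of defence, no risk lacks a line, residual ratings never exceed inherent ratings, and high residual risks are not left without audit coverage. Risk names follow the slide; the function-to-line assignments, owners and controls are constructed for this example.

```python
from dataclasses import dataclass, field

# Lines of defence as used on the slide: 1st = risk owners, 2nd = oversight
# functions (compliance, risk management), 3rd = independent assurance.
LINES = ("1st", "2nd", "3rd")
RATING = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class RiskRow:
    """One row of an assurance map (items 1 to 6 on the slide)."""
    category: str                 # 1. significant risk category
    example: str
    owner: str                    # 2. risk owner
    controls: list                # 2. controls in place
    inherent: str                 # 3. inherent risk rating
    residual: str                 # 4. residual risk rating
    coverage: dict = field(default_factory=dict)  # function -> line of defence
    external_audit: bool = False  # 5. external audit coverage

    def internal_audit_covered(self):
        # 6. internal audit coverage: some function acts as the 3rd line
        return "3rd" in self.coverage.values()


def validate(rows):
    """Reject cells that are not one of the three lines and unknown ratings."""
    for r in rows:
        for fn, line in r.coverage.items():
            if line not in LINES:
                raise ValueError(f"{r.category}: {fn} has invalid line {line!r}")
        if r.inherent not in RATING or r.residual not in RATING:
            raise ValueError(f"{r.category}: invalid rating")
    return True


def coverage_gaps(rows):
    """Risks for which no function is on one of the three lines."""
    gaps = {}
    for r in rows:
        present = set(r.coverage.values())
        missing = [line for line in LINES if line not in present]
        if missing:
            gaps[r.category] = missing
    return gaps


def rating_inconsistencies(rows):
    """Residual risk (after controls) should never be rated above inherent risk."""
    return [r.category for r in rows if RATING[r.residual] > RATING[r.inherent]]


def unaudited_high_residual(rows):
    """High residual risks with neither internal nor external audit coverage."""
    return [r.category for r in rows
            if r.residual == "High"
            and not r.internal_audit_covered()
            and not r.external_audit]


def render(rows, functions):
    """Plain-text grid: one column per function, cells show the line of defence."""
    out = [f"{'Risk':<24}" + "".join(f"{f:>6}" for f in functions) + "  Inh  Res  Ext"]
    for r in rows:
        cells = "".join(f"{r.coverage.get(f, '-'):>6}" for f in functions)
        ext = "Y" if r.external_audit else "N"
        out.append(f"{r.category:<24}{cells}  {r.inherent[0]:>3}  {r.residual[0]:>3}  {ext:>3}")
    return "\n".join(out)


FUNCTIONS = ["CB", "TR", "Ops.", "IT", "Cmpl", "RM", "IA"]

# Constructed sample rows (assumption: which function sits on which line).
SAMPLE = [
    RiskRow("Strategic risks", "fintech", "CEO", ["strategy review"], "High", "Medium",
            {"CB": "1st", "TR": "1st", "RM": "2nd", "IA": "3rd"}),
    RiskRow("New IT security risks", "data protection", "CIO", ["access control"],
            "High", "High", {"IT": "1st", "Cmpl": "2nd", "RM": "2nd", "IA": "3rd"}, True),
    RiskRow("Third-party risk", "vendor outage", "COO", ["contracts"], "High", "High",
            {"Ops.": "1st"}),                       # only a 1st line: a gap
    RiskRow("Regulatory change", "anti-bank populism", "GC", ["horizon scanning"],
            "Medium", "High", {"CB": "1st", "Cmpl": "2nd", "IA": "3rd"}),  # bad rating
]

if __name__ == "__main__":
    validate(SAMPLE)
    print(render(SAMPLE, FUNCTIONS))
    print("gaps:", coverage_gaps(SAMPLE))
    print("inconsistent ratings:", rating_inconsistencies(SAMPLE))
    print("unaudited high residual:", unaudited_high_residual(SAMPLE))
```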


Fraud Risks


Fraud risk (EXAM FOCUS AREA)

Characteristics of fraud

Frauds are illegal acts which use:
▪ Deceit;
▪ Concealment; or
▪ Violation of trust.
Threats or use of violence or physical force are not required.

Frauds are perpetrated to:
▪ Obtain property, money or services;
▪ Avoid paying for or losing a service; or
▪ Obtain a personal or business advantage.


Fraud risk (EXAM FOCUS AREA)

Internal audit’s responsibilities related to fraud

Internal auditors…
▪ Should be aware of indicators of fraud.
▪ Must take steps to address significant fraud risks.
▪ Must perform tests to detect fraud if fraud risk is assessed as sufficiently high.
▪ Must determine if any fraud risk needs further investigation.


Fraud risk (EXAM FOCUS AREA)

The fraud triangle

Three conditions must exist for fraud to occur:
▪ Motive (for example: desire for power, greed, pressure)
▪ Opportunity (for example: poor control design)
▪ Rationalization (for example: “I’m entitled.”)


Fraud risk (EXAM FOCUS AREA)

Interview vs. interrogation

1. Interview and interrogation are often used interchangeably, but they are different.

2. Different goals:
▪ Interviews: aim to uncover information.
▪ Interrogations: aim to secure a confession or obtain evidence.

3. Apply different techniques to achieve goals:
▪ Interviewing: most answers to questions are not known.
▪ Interrogation: most answers to questions are already known.


Fraud Investigation


Fraud risk (EXAM FOCUS AREA)

Fraud investigation

Objectives of a fraud investigation:
1. Establish facts, protect the innocent and resolve the matter.
2. Stop losses.
3. Support legal prosecution.
4. Gather and protect evidence.
5. Identify and interview witnesses.
6. Identify patterns of behavior.
7. Find motives and potential suspects.
8. Gather evidence for discipline.
9. Recover assets or establish losses.
10. Identify fraud-control weaknesses.
Culture and Ethics


Culture and ethics (EXAM FOCUS AREA)

Internal audit’s role in ethics

The 4 levels of culture (from the most visible to the deepest):
▪ Artifacts
▪ Norms
▪ Values
▪ Assumptions

Adapted from Schein (1985, in Turner, 2009)


Tips and Tricks


Tips and tricks

Generic exam preparation tips and tricks

1. Get to know the test well.
2. Space out your study time.
3. Create a study plan and schedule.
4. Read strategically.
5. Make notes.
6. Track your weaknesses or difficulties.
7. Learn to apply what you know.
8. Reflect on your real-life experience.
9. Become used to multiple choice questions.
10. Spot unlikely answers.
11. (Not shown on the slide.)
12. Avoid distractions and temptations.
13. Think about why passing the exam is important for you.
14. Sleep enough before exam day.
15. Get help if you need it.
16. Talk to your family to get their support.
17. Study whenever you have a bit of idle time.
18. Concentrate hard when studying.
19. Track your incorrect answers.
20. Manage your time.


Tips and tricks

Top CIA exam-specific preparation tips and tricks

1. Perform plenty of practice questions: until consistently scoring well above 75% on new questions covering all parts.
2. Quickly read through ‘awareness’ sections of the course. Spend a lot more time on the ‘proficiency’ sections.
3. Check out the IIA’s glossary and make sure you understand all words.
4. Spend (a lot of) time trying to understand the IIA’s Standards.
▪ The Attribute Standards (starting with ‘1’) for CIA Part 1.
▪ The Performance Standards (starting with ‘2’) for CIA Part 2.
5. Spend (a lot of) time trying to understand the IIA’s Code of Ethics, Definition and Principles.
6. Differentiate between absolute words and permissible words: e.g. ‘ensure’, ‘support’, ‘guarantee’, ‘must’, ‘should’, ‘could’, ‘will’, ‘help’, ‘always’, etc.
CIA Part 1 Summary

Main topics at proficiency level

▪ Definition of internal audit, Mission, Core Principles, Charter and reporting, International Professional Practices Framework (IPPF).
▪ Assurance and consulting.
▪ Code of Ethics, independence and objectivity.
▪ Competencies and knowledge required of an internal auditor.
▪ Due professional care and continuing professional development.
▪ Risk management, risk management effectiveness and risk concepts.
▪ Internal control, internal control efficiency and effectiveness, concepts and frameworks.
▪ Fraud types, fraud risks and internal audit fraud considerations.
▪ Potential for fraud, detection and treatment.
▪ Fraud awareness and anti-fraud controls.


Congratulations on finishing the course