Internal Auditing & Controls [MU1] Examination Blueprint 2013/2014 Purpose The Internal Auditing & Controls [MU1]

examination has been constructed using an examination blueprint. The blueprint, also referred to as the test specifications, outlines the content areas covered on the examination and the weighting allotted to each content area. This document also lists the topics, the level of competence for each topic, and the related learning objectives and competencies. The learning objectives have been designed to ensure that the competencies are met. In addition, information is provided on the proportion of each question type presented in the examination (that is, multiple choice, quantitative problems, and so on). Use Candidates should use the examination blueprint to prepare for the course examination. The blueprint may not include all the topics listed in the course materials; however, candidates are still responsible for acquiring a broad-based knowledge of all topics not listed in the blueprint since these topics will be tested in assignment and review questions. The topics not listed in the blueprint will also provide candidates with a greater depth of understanding of auditing concepts. Examination Objectives The objective of this four-hour, comprehensive examination is to test CGA candidates on the prerequisite knowledge required for advancement into PA1 and PA2. Examination Guidelines for Questions i) Question Type The following are guidelines on the type of questions and their approximate weightings: Percentage Weighting 20-30% 70-80%

Question Item Multiple-choice questions Short-answer and/or short casetype problems of both a qualitative and quantitative nature.

Description Questions may take a conceptual approach or they may require analytical skills to derive the correct solution. Questions may focus on technical or analytical aspects of the material. Short, integrative cases may be used to pull together related issues. For example, a problem may require candidates to outline alternatives, supporting their recommendations with numerical analysis.

ii) Question Content The following table is organized according to content area and provides information on topics, learning objectives, weighting, competencies, and levels of competence. The competencies applicable to a particular module are identified independent of the learning objectives. Note: Competency codes (such as PK:FN:11) have been added to the Module Competencies column for all Level 4 and PACE examination blueprints. These codes are used to identify the competencies. They do not affect students use of the blueprint. Please see the CGA Competency Framework for more information.
Examination sessions: December 2013; June 2014; September 2014 Page 1 of 17

Table 1. Internal Auditing & Controls [MU1] Examination Blueprint

Content Topics Area 1. Introduction to internal auditing 1.1 Definition of internal auditing Scope of internal auditing Learning Objectives Levels of Competence Module Competencies Weighting (%) 4%-7%

Define internal auditing, and explain the key terms used in the definition. Describe the three elements that determine the scope of internal auditing. Explain the main functions of management and how they relate to achieving control. Define risk and enterprise risk, and explain how they are related to the concept of control. Explain the role of internal auditors in their organization, and compare it with the role of the organizations external auditors. Describe the types of audits carried out by internal auditors. Compare internal auditing and performance measurement. Outline the role of the internal auditor in promoting ethical culture and standards in an organization. Apply ethical judgments in the context of the internal auditors work. Prepare a case analysis report from information provided on an internal auditing issue.

Level 1

1.2

Level 1 Level 2

1.3

Functions of management

1.4

Enterprise risk

Level 1 Level 1

1.5

Role of the internal auditor

1.6

Types of internal audit assignments Performance measurement The ethical climate

Level 1 Level 2

1.7

1.8

Level 1 Level 1

1.9

Ethical considerations

1.10 Introduction to case analysis

Level 1

PK:AS:01: Evaluates and consults on the organizations internal and external reporting needs and related assurance requirements (level of assurance required, attestation versus direct reporting audit, review or compilation engagement, special report engagement). PR:SF:01: Anticipates and meets the needs and expectations of internal and external stakeholders (develops a sound understanding of the organization and its business environment, determines what information is needed by various stakeholders, seeks feedback from various stakeholders, provides relevant and timely information for decision making). LD:OE:02: Designs, evaluates, and reports on internal control systems to ensure organizational effectiveness. LD:OE:03: Advises on issues of corporate governance (audit committee independence, executive compensation, directors liability, board accountability). PK:AS:03: Determines the scope of the engagement or management audit (contents of engagement letter, client expectation, limitations on scope, timing, sign-offs). PK:BE:07: Develops, evaluates, and advises on the organizations risk management policy and processes. PK:BE:10: Advises on organizational structure (levels of responsibility and authority). PK:BE:06: Identifies, analyzes, and evaluates enterprise risk factors (market, legal, environmental, technological, operational). PK:AS:11: Develops and advises on a framework for detection of fraud (payroll fraud, billing fraud, computer fraud, forensic investigation procedures). PK:AS:13: Evaluates and reports on programs using comprehensive auditing (value-formoney audits, government program evaluations, operational audits). PK:AS:14: Evaluates and reports on the environmental impacts of business activities (compliance with environmental regulations

Page 2 of 17

Content Area

Topics

Learning Objectives

Levels of Competence

Module Competencies and required accounting standards). PK:MA:01: Designs, evaluates, and advises on the organizations performance measures to ensure alignment with corporate strategy, and recommends changes as required (KPIs and balanced scorecards). LD:IT:01: Builds and motivates highperformance individuals and teams to achieve goals and objectives (recruits high potential individuals, recognizes the value of and supports working with diverse and crossfunctional teams). LD:IT:08: Manages conflict between individuals and across teams (provides conflict resolution, fosters professional conduct). PR:ET:01: Applies professional ethical standards (understands and follows the word and spirit of CGA-Canada Code of Ethical Principles and Rules of Conduct, takes action in response to situations that are contrary to the ethical code of the profession). PR:ET:03: Maintains objectivity and independence in appearance and fact (avoids real and perceived conflicts of interest). PR:ET:06: Ensures confidentiality of stakeholder information (protects proprietary information). PR:CM:02: Prepares information in formats appropriate for specific purposes (audit reports, memos, management letters, consulting reports, financial reports). PR:IA:01: Aggregates information from a variety of sources and perspectives to assess the impact of issues on the organization (obtains multiple opinions when evaluating contentious issues and reconciles these various opinions). PR:PS:02: Collects, selects, verifies, and evaluates information relevant to the problem. PR:PS:04: Generates and evaluates alternative solutions. PR:PS:05: Creates final recommendations, including an action plan.

Weighting (%)

Page 3 of 17

Content Topics Area 2. Internal auditing standards 2.1 Overview of internal auditing standards

Learning Objectives

Levels of Competence

Module Competencies

Weighting (%) 6%-10%

Describe the attribute standards and the performance standards governing internal auditing and the key provisions of the SarbanesOxley Act. Determine the purposes and content of an internal audit charter. Explain the importance of independence and objectivity in internal auditing and how they are achieved. Identify the main standards for proficiency and due professional care in internal auditing. Outline the main requirements of using outsourced or co-sourced resources in internal auditing. State the standards for the proper management of the internal audit department, including quality assurance.

Level 1

2.2 2.3 Purpose, authority, and responsibility Independence and objectivity Level 1

Level 1

2.4

Proficiency and due professional care

Level 1

2.5

Using outside service providers for internal audit work Managing the internal audit department

Level 2

2.6

Level 1

PK:AS:06: Develops and/or modifies procedures for the engagement or management audit (prepares review or audit procedures, modifies audit procedures in the presence of fraud risk factors or known errors). PK:AS:03: Determines the scope of the engagement or management audit (contents of engagement letter, client expectation, limitations on scope, timing, sign-offs). PK:BE:10: Advises on organizational structure (levels of responsibility and authority). PR:ET:04: Protects the public interest (maintains and raises the visibility of the ethical nature of the profession and professional accounting standards). PR:ET:03: Maintains objectivity and independence in appearance and fact (avoids real and perceived conflicts of interest). PR:ET:01: Applies professional ethical standards (understands and follows the word and spirit of CGA-Canada Code of Ethical Principles and Rules of Conduct, takes action in response to situations that are contrary to the ethical code of the profession). PR:ET:05: Plans and exercises due diligence (plans and constructs due diligence checklist for mergers and acquisitions or public listing cases, conducts financial statement reviews with financial due diligence, conducts operations and manages with due diligence). PR:SE:01: Acts within the scope of professional competence (does not attempt to provide expert advice in areas of specialized knowledge outside own capabilities and qualifications). LD:IT:01: Builds and motivates highperformance individuals and teams to achieve goals and objectives (recruits high potential individuals, recognizes the value of and supports working with diverse and crossfunctional teams). PR:SE:02: Knows when and how to refer to other professionals and experts (seeks advice or refers clients in areas such as law, IT, financial instruments, international business development).

Page 4 of 17

Content Area

Topics

Learning Objectives

Levels of Competence

Module Competencies PK:AS:05: Develops a plan for the engagement or management audit (staffing, use of specialists, time budget, technological tools, timing of the engagement, timing of the management audit). PK:AS:07: Executes the engagement or management audit in accordance with professional standards (understands the purpose of the selected procedures, completes audit procedures as intended).

Weighting (%)

Page 5 of 17

Content Topics Learning Objectives Area 3. Risk management, control frameworks, and governance 3.1 Risk management Explain enterprise risk management and how risk models can help identify specific risks and set appropriate tolerance limits. Explain the role of the internal auditor in the risk management process and how this role changes when there is no established risk management process. Explain how auditors use risk assessment to assist in audit planning, and compare this approach with traditional approaches to internal auditing. Explain the definition, nature, inherent limitations, and criteria of control as set out by the Committee of Sponsoring Organizations (COSO) and compare the COSO control framework with other frameworks. Describe the impact of the development of control frameworks on internal auditing, and outline the steps in using a control framework as the basis of assessing control in an organization. Explain the control self-assessment process, identify its advantages and disadvantages, and outline how continuous monitoring can improve the effectiveness of internal control. Outline the IIA performance standards on governance, the governance responsibilities of the board of directors or equivalent body, and the role of internal audit in corporate governance. Explain the role of the audit committee of the board of directors. Explain how the Sarbanes-Oxley Act of 2002 has affected corporate

Levels of Competence

Module Competencies

Weighting (%) 8%-11%

Level 1

3.2 Role of the internal auditor Level 1

3.3

Risk assessment process

Level 1

3.4

Control frameworks

Level 2

3.5

Auditing using control frameworks

Level 2

Level 2

3.6

Control self-assessment and continuous auditing

3.7 Governance Levels 1 & 2

Levels 1 & 2

3.8

Role of the audit committee The Sarbanes-Oxley Act of 2002

3.9

Level 2

PK:BE:06: Identifies, analyzes, and evaluates enterprise risk factors (market, legal, environmental, technological, operational). PK:BE:07: Develops, evaluates, and advises on the organizations risk management policy and processes. PK:BE:08: Implements and advises on measures to mitigate enterprise risk (works with management to develop a risk management matrix). PK:AS:04: Evaluates risks and business issues (nature of organization, control environment) to determine their impact on the engagement or management audit (extent, materiality, nature, and timing of engagement). LD:OE:02: Designs, evaluates, and reports on internal control systems to ensure organizational effectiveness. PK:AS:08: Identifies, evaluates, and advises on internal control systems, and communicates weaknesses to the appropriate level of the organization (financial approval authority, credit control, segregation of duties, evaluation of fraud risk factors). PK:AS:09: Advises on the design and implementation of new or enhanced internal controls (to strengthen systems and operational controls, to reduce exposure to business risks, to enhance operating effectiveness, to comply with rules and regulations). LD:IT:06: Communicates need for changes in the way things are done (encourages innovation, explains reasons for planned organizational or procedural changes, provides support for changes). LD:OE:01: Analyzes and evaluates results and information from business activities and processes against objectives and benchmarks, and advises on further action (conducts and reports on gap analysis). LD:OE:03: Advises on issues of corporate governance (audit committee independence,

Page 6 of 17

Content Area

Topics

Learning Objectives governance, and understand how internal audit may assist in the Sarbanes-Oxley compliance process.

Levels of Competence

Module Competencies executive compensation, directors liability, board accountability). PR:ET:04: Protects the public interest (maintains and raises the visibility of the ethical nature of the profession and professional accounting standards).

Weighting (%)

Page 7 of 17

Content Topics Area 4. Planning the internal audit 4.1 Internal auditing process

Learning Objectives

Levels of Competence

Module Competencies

Weighting (%) 8%-10%

Identify the main phases of the internal auditing process and explain their purposes; explain how to incorporate ethics into the process. Outline the steps for preparing the different types of plans in the planning phase of internal auditing. Explain the steps for preparing a longterm audit plan, including how an audit universe is defined and factors that may affect overall risk assessment. Explain how a risk-assessment matrix is used for long-term audit planning. Outline the process of preparing a longterm audit plan. Explain how the auditor plans a shortterm (annual) audit plan.

Level 1

4.2

Internal audit planning process

Level 1

4.3

Long-term planning Overview

Level 2

4.4

Long-term planning Risk assessment matrix Long-term planning Case study Short-term (annual) audit planning Engagement planning

Level 2

4.5

Level 2

4.6

Level 2

4.7

Design a specific audit engagement plan (including determining the scope, objectives, and audit criteria), and list seven design areas that must be considered. Design a plan for a specific audit engagement using information from a case study.

Level 1

4.8

Engagement planning Case study

Level 1

PK:AS:05: Develops a plan for the engagement or management audit (staffing, use of specialists, time budget, technological tools, timing of the engagement, timing of the management audit). PK:AS:07: Executes the engagement or management audit in accordance with professional standards (understands the purpose of the selected procedures, completes audit procedures as intended). PK:AS:12: Summarizes conclusions and prepares a report, letter, or memo (appropriate review or auditors report, management letter, comfort letter, representation letter, memo to partner, exit interview, internal audit report). PR:ET:01: Applies professional ethical standards (understands and follows the word and spirit of CGA-Canada Code of Ethical Principles and Rules of Conduct, takes action in response to situations that are contrary to the ethical code of the profession). LD:SO:06: Develops, implements, and updates the organizations operational plan in alignment with the strategic plan (business, financial, and IT plans; pricing and market share strategies; customer satisfaction; quality control; product innovation). PK:AS:03: Determines the scope of the engagement or management audit (contents of engagement letter, client expectation, limitations on scope, timing, sign-offs). PK:AS:04: Evaluates risks and business issues (nature of organization, control environment) to determine their impact on the engagement or management audit (extent, materiality, nature, and timing of engagement). PR:IA:03: Evaluates implications and assesses the appropriateness of solutions beyond the immediate or short term (considers potential impact of decisions on other systems and processes, such as

Page 8 of 17

Content Area

Topics

Learning Objectives

Levels of Competence

Module Competencies internal controls, impact on other departments, or other functional areas). PK:BE:06: Identifies, analyzes, and evaluates enterprise risk factors (market, legal, environmental, technological, operational). PK:IT:02: Selects and uses appropriate business technology tools in the workplace (spreadsheets, tax compliance software, generalized audit software, online knowledge bases). PK:AS:06: Develops and/or modifies procedures for the engagement or management audit (prepares review or audit procedures, modifies audit procedures in the presence of fraud risk factors or known errors).

Weighting (%)

Page 9 of 17

Content Topics Area 5. Examination phase of the internal audit 5.1 5.2 Overview of the examination phase Preparing the audit work program Testing and evidence

Learning Objectives

Levels of Competence

Module Competencies

Weighting (%) 18%-25%

Identify the main steps in the examination phase of an internal audit. Identify the purpose of an internal audit program, and explain its components and format. Demonstrate how audit evidence is gathered, selected, and assessed, and the importance of the decisions involved. Develop appropriate criteria and prepare an audit program for a riskbased audit. Distinguish between systems-oriented and data-oriented computer-assisted audit techniques (CAATs). Demonstrate how data are analyzed using generalized audit software such as ACL. Assess conditions within an audited unit against audit criteria, and analyze the causes and effects of any observed deficiencies. Explain the standards for preparing audit working papers and the importance of the internal auditors role in supervising the engagement. Identify the roles and responsibilities of management and the internal auditor in the deterrence and detection of fraud. Identify the main steps in a fraud investigation and the auditors responsibility in following up on the results of such an investigation. Identify computer fraud and outline current practices for how internal auditors deal with it; examine how ACL can be used to conduct a payroll fraud investigation.

Level 1 Level 1

Level 1

5.3

5.4

Developing audit criteria and preparing an audit program Case study Computer-assisted audit techniques Generalized audit software Evaluating audit results

Level 1

5.5

Level 1

5.6

Level 1 Level 1

5.7

5.8

Completing and reviewing audit files

Level 2

5.9

Internal auditing and fraud

Level 1

5.10 Conducting a fraud investigation

Level 1

5.11 Fraud in a technological environment

Levels 1 & 2

PK:AS:10: Analyzes and documents the evidence and results of the engagement or management audit to develop conclusions (prepares working papers with sufficient detail and clarity to support the conclusion). PK:AS:06: Develops and/or modifies procedures for the engagement or management audit (prepares review or audit procedures, modifies audit procedures in the presence of fraud risk factors or known errors). PR:PS:02: Collects, selects, verifies, and evaluates information relevant to the problem. PR:PS:03: Integrates and analyzes data for patterns, relationships, and trends. PK:AS:04: Evaluates risks and business issues (nature of organization, control environment) to determine their impact on the engagement or management audit (extent, materiality, nature, and timing of engagement). PK:IT:02: Selects and uses appropriate business technology tools in the workplace (spreadsheets, tax compliance software, generalized audit software, online knowledge bases). PK:AS:07: Executes the engagement or management audit in accordance with professional standards (understands the purpose of the selected procedures, completes audit procedures as intended). LD:OE:01: Analyzes and evaluates results and information from business activities and processes against objectives and benchmarks, and advises on further action (conducts and reports on gap analysis). PK:AS:08: Identifies, evaluates, and advises on internal control systems, and communicates weaknesses to the appropriate level of the organization (financial approval authority, credit control, segregation of duties, evaluation of fraud risk factors). PK:AS:09: Advises on the design and implementation of new or enhanced internal

Page 10 of 17

Content Area

Topics

Learning Objectives

Levels of Competence

Module Competencies operational controls, to reduce exposure to business risks, to enhance operating effectiveness, to comply with rules and regulations). PK:AS:11: Develops and advises on a framework for detection of fraud (payroll fraud, billing fraud, computer fraud, forensic investigation procedures). PR:SE:03: Applies professional skepticism (maintains an inquisitive mind that is vigilant for potential misstatements, considers where problems are likely to arise and monitors these areas). PK:AS:12: Summarizes conclusions and prepares a report, letter, or memo (appropriate review or auditors report, management letter, comfort letter, representation letter, memo to partner, exit interview, internal audit report). PK:IT:04:Evaluates and advises on the impact of new technologies on business processes (e-commerce; Internet, intranet, and extranet technologies; biometrics).

Weighting (%)

Page 11 of 17

Content Topics Area 6. Internal audit communications and reporting 6.1 Interviewing skills

Learning Objectives

Levels of Competence

Module Competencies

Weighting (%) 10%-18%

Explain the importance of effective interviewing skills in internal auditing, and describe the recommended approach to managing conflict during an audit. Identify the purpose and objectives of internal audit reporting.

Level 2

Level 1

6.2

Purpose and objectives of internal audit reporting Standards for internal audit reports Contents of the internal audit report

6.3

State the IIA Standards and guidelines for internal audit reports. Develop the information that should be included in an internal audit report, including the main factors the internal auditor considers in developing recommendations, and explain why the report (including recommendations) should be reviewed with management before its release. Draft an internal audit report.

Level 1 Level 1

6.4

6.5 Presentation of the internal audit report Monitoring recommendations Levels 1 & 2

6.6

Explain why it is important for internal auditors to monitor the implementation of their recommendations, and determine the steps in a monitoring program. Report audit findings from the information provided in a case study.

Level 1

6.7

Internal audit reporting Case study

Level 2

LD:IT:08: Manages conflict between individuals and across teams (provides conflict resolution, fosters professional conduct). PR:CM:05: Follows up to ensure that communications are clearly understood (both internal and external to the organization). PR:PS:02: Collects, selects, verifies, and evaluates information relevant to the problem. PK:AS:12: Summarizes conclusions and prepares a report, letter, or memo (appropriate review or auditors report, management letter, comfort letter, representation letter, memo to partner, exit interview, internal audit report). PR:CM:02: Prepares information in formats appropriate for specific purposes (audit reports, memos, management letters, consulting reports, financial reports). PK:AS:09: Advises on the design and implementation of new or enhanced internal controls (to strengthen systems and operational controls, to reduce exposure to business risks, to enhance operating effectiveness, to comply with rules and regulations). PR:ET:07: Demonstrates professional courtesy (notifies another firm that an issue has arisen about its work). PR:CM:03: Communicates information in a timely, clear, and concise manner (explains quantitative and qualitative information in language adapted to various stakeholders). PR:ET:05: Plans and exercises due diligence (plans and constructs due diligence checklist for mergers and acquisitions or public listing cases, conducts financial statement reviews with financial due diligence, conducts operations and manages with due diligence).

Page 12 of 17

Content Topics Area 7. Information technology auditing 7.1 How IT affects the internal audit process IT auditing

Learning Objectives

Levels of Competence

Module Competencies

Weighting (%) 8%-12%

Explain the concerns for internal auditors around IT auditing. Discuss how IT auditing has developed in response to the specialized skills required to audit IT systems. Identify the various IT risks, and explain how they affect an organization. Discuss the prevalent IT control frameworks governing technology audits: the IIAs Global Technology Audit Guide (GTAG) 1, Information Technology Controls, and ISACAs Control Objectives for Information and Related Technology (COBIT). Identify the types of general controls used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. Identify the types of application controls (procedures) used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. Outline the types of controls used to address risks in an IT communications and networking environment. Analyze the advantages and risks of an end-user computing environment and the types of controls used. Explain the implications of emerging technologies for the internal auditing profession. Determine the impact of e-commerce on internal auditing.

Level 2

7.2

Level 1

7.3

Risk in an IT environment

Level 1 Level 2

7.4

IT control frameworks

Level 1

7.5

General controls

7.6

Application controls

Level 1

7.7

Communications network controls

Level 2

7.8

Controls for end-user computing

Level 1

7.9

Emerging technologies and the auditor

Level 2

7.10 Impact of e-commerce

Level 2

PK:AS:04: Evaluates risks and business issues (nature of organization, control environment) to determine their impact on the engagement or management audit (extent, materiality, nature, and timing of engagement). PR:PD:01: Engages in continuing professional development to maintain and enhance professional knowledge and skills. PR:SE:02: Knows when and how to refer to other professionals and experts (seeks advice or refers clients in areas such as law, IT, financial instruments, international business development). PK:BE:06: Identifies, analyzes, and evaluates enterprise risk factors (market, legal, environmental, technological, operational). PK:BE:08: Implements and advises on measures to mitigate enterprise risk (works with management to develop a risk management matrix). PK:AS:08: Identifies, evaluates, and advises on internal control systems, and communicates weaknesses to the appropriate level of the organization (financial approval authority, credit control, segregation of duties, evaluation of fraud risk factors). PK:IT:07: Evaluates and advises on the safeguarding of IT assets to ensure organizational ability to meet business objectives (analyzes and evaluates IT controls, control environment, systems acquisition and/or development). PK:IT:08: Evaluates and advises on the development of IT disaster recovery plans (written procedures for off-site backup of data and system, order of recovery, succession plan). PK:AS:09: Advises on the design and implementation of new or enhanced internal controls (to strengthen systems and operational controls, to reduce exposure to business risks, to enhance operating effectiveness, to comply with rules and

Page 13 of 17

Content Area

Topics

Learning Objectives

Levels of Competence

Module Competencies regulations). PK:IT:04: Evaluates and advises on the impact of new technologies on business processes (e-commerce; Internet, intranet, and extranet technologies; biometrics).

Weighting (%)

Page 14 of 17

Content Topics Area 8. Marketing, purchasing, and production functions 8.1 Marketing

Learning Objectives

Levels of Competence

Module Competencies

Weighting (%) 7%-9%

Explain the role, main activities, and risks of the marketing function in an organization. Develop an audit program for a riskbased internal audit of the marketing function. Use ACL to analyze the data compiled from a sales and marketing audit program. Explain the role, main activities, and risks of the purchasing function in an organization. Develop an audit program for a riskbased internal audit of the purchasing function. Determine the role, main activities, and risks of the production function in an organization. Develop an audit program for a riskbased internal audit of the production function.

Level 2

8.2

Marketing audit Case study

Level 1 Level 2

8.3

Marketing audit Data analysis

8.4

Purchasing

Level 2 Level 1 Level 2 Level 1

8.5

Purchasing audit Case study

8.6

Production

8.7

Production audit Case study

PK:AS:04: Evaluates risks and business issues (nature of organization, control environment) to determine their impact on the engagement or management audit (extent, materiality, nature, and timing of engagement). PK:BE:03: Anticipates and recognizes market factors and stakeholders interests, and adapts business decisions and processes (changes to market share through acquisitions, diversification, or divestment of certain business units; supply chain management; customer relationship management; agency theory). PK:BE:06: Identifies, analyzes, and evaluates enterprise risk factors (market, legal, environmental, technological, operational). LD:OE:01: Analyzes and evaluates results and information from business activities and processes against objectives and benchmarks, and advises on further action (conducts and reports on gap analysis). PK:AS:06: Develops and/or modifies procedures for the engagement or management audit (prepares review or audit procedures, modifies audit procedures in the presence of fraud risk factors or known errors). PK:IT:02: Selects and uses appropriate business technology tools in the workplace (spreadsheets, tax compliance software, generalized audit software, online knowledge bases). PR:PS:03: Integrates and analyzes data for patterns, relationships, and trends.

Page 15 of 17

Content Topics Learning Objectives Area 9. Human resources management, treasury, and strategic planning 9.1 Human resources management Explain the role, main activities, and risks of human resources management in an organization. Develop an audit program for a riskbased internal audit of human resources planning. Use ACL to analyze payroll data.

Levels of Competence

Module Competencies

Weighting (%) 5%-8%

Level 2

9.2

Human resources planning audit Case study Human resources planning audit Data analysis Treasury

Level 1 Level 2 Level 2 Level 1

9.3

9.4

Explain the role, main activities, and risks of the financial and treasury functions in an organization. Develop an audit program for a riskbased internal audit of the treasury function. Explain the role of the internal auditor in the financial reporting process and regulatory reporting requirements in light of the Sarbanes-Oxley Act of 2002 and International Financial Reporting Standards. Explain the role, main activities, and risks of strategic planning in an organization. Develop an audit program for a riskbased internal audit of strategic planning.

9.5

Treasury audit Case study

9.6

Auditing the financial reporting process

Level 1

Level 2

9.7

Strategic planning

9.8

Strategic planning audit Case study

Level 1

PK:AS:04: Evaluates risks and business issues (nature of organization, control environment) to determine their impact on the engagement or management audit (extent, materiality, nature, and timing of engagement). PK:BE:06: Identifies, analyzes, and evaluates enterprise risk factors (market, legal, environmental, technological, operational). LD:OE:01: Analyzes and evaluates results and information from business activities and processes against objectives and benchmarks, and advises on further action (conducts and reports on gap analysis). PK:AS:06: Develops and/or modifies procedures for the engagement or management audit (prepares review or audit procedures, modifies audit procedures in the presence of fraud risk factors or known errors). PK:IT:02: Selects and uses appropriate business technology tools in the workplace (spreadsheets, tax compliance software, generalized audit software, online knowledge bases). PR:PS:03: Integrates and analyzes data for patterns, relationships, and trends. PK:AS:01: Evaluates and consults on the organizations internal and external reporting needs and related assurance requirements (level of assurance required, attestation versus direct reporting audit, review or compilation engagement, special report engagement). PK:FA:05: Interprets and advises on the organizations reporting obligations (determining appropriate basis of accounting, determining required reporting to shareholders and to government and regulatory agencies). LD:SO:02: Evaluates the organizations strengths, weaknesses, opportunities, and threats (reputation, process, finances, human resources, location, brand recognition, competition).

Page 16 of 17

Content Topics Learning Objectives Area 10. Internal auditing in the public sector and not-for-profit sectors 10.1 Roles, activities, and risks in the public sector 10.2 Governance in the public sector Identify the roles, activities, and risks specific to the public sector in Canada.

Levels of Competence

Module Competencies

Weighting (%) 6%-10%

Level 1

Outline public sector governance; explain how public sector auditors and audit committees can contribute to the effectiveness of governance. Explain the role of the Auditor General of Canada and its counterpart at other levels of government; explain the difference between the role of the Auditor General and internal auditors in the public sector. Explain the standards and considerations for internal auditing in the public sector in Canada and internationally. Explain the characteristics and components of comprehensive auditing. Outline the roles, activities, risks, and governance issues specific to the notfor-profit sector in Canada. Develop the specific considerations that apply in the internal audit of not-forprofit organizations, including performance audits of NFPs.

Level 2

10.3 Legislative auditing Role of the Auditor General

Level 2

Levels 1 & 2

10.4 Internal auditing in the public sector

10.5 Comprehensive auditing

Level 2 Level 2

10.6 Roles, activities, risks, and governance in the not-for-profit sector 10.7 Internal audit considerations for NFPs

Level 1

PK:AS:04: Evaluates risks and business issues (nature of organization, control environment) to determine their impact on the engagement or management audit (extent, materiality, nature, and timing of engagement). PK:AS:13: Evaluates and reports on programs using comprehensive auditing (value-for-money audits, government program evaluations, operational audits). LD:OE:03: Advises on issues of corporate governance (audit committee independence, executive compensation, directors liability, board accountability). PR:ET:04: Protects the public interest (maintains and raises the visibility of the ethical nature of the profession and professional accounting standards). PK:BE:02: Advises on business decisions in the context of larger economic and geopolitical conditions (national and world economic conditions, government priorities, and financial markets). PK:AS:01: Evaluates and consults on the organizations internal and external reporting needs and related assurance requirements (level of assurance required, attestation versus direct reporting audit, review or compilation engagement, special report engagement).

Page 17 of 17