
Internal Audit Forum
Internal audit updates
18 December 2012
Georgiana Iancu (Timofte), KPMG Romania

Contents

Revision of the International Standards for the Professional Practice of Internal Auditing

Changes to the Certified Internal Auditor (CIA) exam

New IIA exam Certification in Risk Management Assurance

Updated COSO Internal Control Integrated Framework

2012 KPMG Romania S.R.L., a Romanian limited liability company and a member firm of the KPMG
network of independent member firms affiliated with KPMG International Cooperative (KPMG International),
a Swiss entity. All rights reserved.

Revision of the International Standards for the Professional Practice of Internal Auditing

Revision process

The International Internal Audit Standards Board (IIASB)
proposed changes to the Standards after consideration of input
received from internal auditors and stakeholders, as well as
global surveys and other research focused on the Standards.

The proposed changes to the Standards had a 90-day exposure
(feedback) period from 20 February, 2012 to 20 May, 2012.

The new Standards will be effective on January 1, 2013.


Summary of key changes

Clarify responsibilities for conforming with the Standards

Increased focus on Quality Assurance & Improvement

Clarify the CAE's role to communicate unacceptable risk

Explicitly require timely audit plan adjustments

Emphasize coverage of risks to strategic objectives

Changes to Glossary Terms


Clarify responsibilities for conforming with the Standards

Added the following wording to the Introduction of the Standards


The Standards apply to individual internal auditors and internal
audit activities.
All internal auditors are accountable for conforming with the
Standards related to individual objectivity, proficiency, and due
professional care. In addition, internal auditors are accountable for
conforming with the Standards, which are relevant to the
performance of their job responsibilities.
Chief audit executives are accountable for overall conformance
with the Standards.


Increased focus on Quality Assurance & Improvement

Old version

1312 - External Assessments
External assessments must be conducted at least once every five years by a qualified, independent reviewer or
review team from outside the organization. The chief audit executive must discuss with the board:
The need for more frequent external assessments; and
The qualifications and independence of the external reviewer or review team, including any potential conflict
of interest.

New version

1312 - External Assessments
External assessments must be conducted at least once every five years by a qualified, independent assessor or
assessment team from outside the organization. The chief audit executive must discuss with the board:
The form and frequency of external assessments; and
The qualifications and independence of the external assessor or assessment team, including any potential
conflict of interest.
Interpretation:
External assessments can be in the form of a full external assessment, or a self-assessment with
independent external validation.


Clarify the CAE's role to communicate unacceptable risk

Old version

2600 - Resolution of Senior Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that
may be unacceptable to the organization, the chief audit executive must discuss the matter with senior
management. If the decision regarding residual risk is not resolved, the chief audit executive must report the
matter to the board for resolution.

New version

2600 - Communicating the Acceptance of Risks
When the chief audit executive concludes that senior management has accepted a level of risk that may be
unacceptable to the organization, the chief audit executive must discuss the matter with senior management.
If the chief audit executive determines that the matter has not been resolved, the chief audit executive must
communicate the matter to the board.
Interpretation:
The identification of risk accepted by management may be observed through an assurance or consulting
engagement, monitoring progress on actions taken by management as a result of prior engagements, or other
means.
It is not the responsibility of the chief audit executive to resolve the risk.


Explicitly require timely audit plan adjustments

Old version

2010 - Planning
The chief audit executive must establish risk-based plans to determine the priorities of the internal audit
activity, consistent with the organization's goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into
account the organization's risk management framework, including using risk appetite levels set by management
for the different activities or parts of the organization. If a framework does not exist, the chief audit
executive uses his/her own judgment of risks after consultation with senior management and the board.

New version

2010 - Planning
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit
activity, consistent with the organization's goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into
account the organization's risk management framework, including using risk appetite levels set by management
for the different activities or parts of the organization. If a framework does not exist, the chief audit
executive uses his/her own judgment of risks after consideration of input from senior management and the board.
The chief audit executive must review and adjust the plan, as necessary, in response to changes in the
organization's business, risks, operations, programs, systems, and controls.


Emphasize coverage of risks to strategic objectives

2120.A1 Risk Management
The internal audit activity must evaluate risk exposures relating to the organization's governance, operations,
and information systems regarding the:
Achievement of the organization's strategic objectives;
Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, and contracts.

2130.A1 Control
The internal audit activity must evaluate the adequacy and effectiveness of controls responding to risks
within the organization's governance, operations, and information systems regarding the:
Achievement of the organization's strategic objectives;
Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, and contracts.


Changes to Glossary Terms

Clarified the definition of Board

A board is an organization's governing body, such as a board of directors, supervisory board, head of an
agency or legislative body, board of governors or trustees of a non-profit organization, or any other
designated body of the organization, including the audit committee to whom the chief audit executive may
functionally report.

The highest level of governing body charged with the responsibility to direct and/or oversee the activities and
management of the organization. Typically, this includes an independent group of directors (e.g., a board of
directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the
board may refer to the head of the organization. Board may refer to an audit committee to which the
governing body has delegated certain functions.

New definitions
Engagement Opinion (as noted in Standard 2410 Criteria for communicating)
The rating, conclusion, and/or other description of results of an individual internal audit engagement, relating
to those aspects within the objectives and scope of the engagement.
Overall Opinion (as noted in Standard 2450 Overall Opinions)
The overall ratings, conclusions, or other descriptions of results provided by the chief audit executive
addressing, at a broad level, governance, risk management and control processes of the organization. An
overall opinion is based on the results of a number of individual engagements and other activities for a
specific time interval.

Other minor changes

1311 Internal Assessment

1320 Reporting on the Quality Assurance and Improvement Program

2201 Plan Consideration

2210 Engagement Objectives

2220 Engagement Scope

Updated definition of Control Processes

Deleted the definition of residual risk


Changes to the Certified Internal Auditor (CIA) exam

Overview

In 2011, The IIA conducted a Job Analysis Study (JAS) for the
CIA exam. More than 40,000 internal auditors globally were
surveyed on:
knowledge, competency, and skills required by today's internal auditors;
frequency and importance of tasks performed by internal auditors.

The Study determined that the body of knowledge related to
the profession of internal auditing has changed since the last
exam content update in 2004, and therefore needs to be
adjusted to reflect changes, such as: environmental and social
safeguards, corporate social responsibility, stakeholder
relationships, etc.

The new exam will be available starting July 1, 2013.
Registrations for the new exam will start on May 1, 2013.


The new CIA exam

What is changing
A new three-part exam structure
Elimination of recognition credit previously applicable to Part 4
Realignment of the exam content outline and question count of each part

What is NOT changing
Entry and experience requirements (i.e. 2 years);
CIA exam in other languages: exams in 15 languages are scheduled to be available starting October 1, 2013 and
January 1, 2014 (no date for Romanian version is available yet)
No changes to other IIA certifications (i.e. CCSA, CGAP, CFSA)


New content outline

Part 1 - Internal Audit Basics
2.5 hours exam, 125 questions
IIA Mandatory Guidance
Internal Control and Risk
Tools and Techniques for Conducting the Audit Engagement

Part 2 - Internal Audit Practice
2 hours exam, 100 questions
Managing the internal audit function
Managing individual engagements
Fraud risks and controls


New content outline (continued)

Part 3 - Internal Audit Knowledge Elements
2 hours exam, 100 questions
Governance
Risk Management
Organizational Structure and Business Processes
Communication
Leadership
IT/Business Continuity
Financial Management
Global Business Environment

The IIA provides information on its website on the:
Specific content outline for each exam;
Mapping of contents of the 4-part exam to the new 3-part exam
Reference resources (study materials to be used)

Other considerations

Review materials
According to the IIA, the preparation of review materials is
independent from the exam development process.
The final content outline has been released to the review
providers effective October 10, 2011.
Candidates should check with review providers for updated
materials.

Current candidates
For candidates that did not pass any exams and candidates
that passed part of the exams, the IIA provides a tool that helps
identify their options going forward. The Transition Planning
Tool can be accessed from IIA's website, under the
Certification tab.
Key things to consider:
Four part exam will end on December 31, 2013 (English
version);
Part 1 and 2 will be recognizable under the new structure.

New IIA exam - Certification in Risk Management Assurance

Overview

What is CRMA
The Certification in Risk Management Assurance (CRMA) is the
newest certification program offered by the IIA. The certification
will assist you in demonstrating the ability to:
Provide assurance on core business processes in risk
management and governance;
Educate management and the audit committee on risk and
risk management concepts;
Focus on strategic organizational risks;
Add value for your organization.
The exam is designed for internal auditors and other individuals
interested in Risk Management Assurance.

Start date
The first exams will be offered beginning July 1, 2013. The
registration for the exam will be available starting May 1, 2013.
The exam will be offered in English.


Requirements

Eligibility requirements
University degree (four years) or two years of University level
education plus three years of professional experience;

Candidates must submit a Character Reference Form signed
by a CIA, CCSA, CFSA, CRMA or the candidate's
supervisor;
24 months of auditing experience or controls-related
business experience.

Continuous Professional Education (CPE) requirements
A CRMA who is practicing risk management assurance must
complete a total of 20 hours of acceptable CPE every year.
A non-practicing CRMA must complete a total of 10 hours of
acceptable CPE every year.


Professional Experience Recognition (PER) Provision

Candidates that meet certain requirements can obtain the
CRMA certification before the exam is offered. The deadline for
submitting applications is December 31, 2012.

Process
Candidates will need to submit an application form that provides
detailed information regarding:
Education;
Current certifications held;
Professional experience in CRMA Domains:
Assessing/Assurance of Risk Management Activities;
Risk Management Fundamentals;
Elements of Risk Management;
Control Theory and Application;
Business Objectives and Organizational Performance.
Candidates must obtain a minimum of 155 points on the
application in order to earn the designation prior to the launch of
the CRMA exam.

Additional details can be found on the IIA website, under the
Certification section.

Exam syllabus

CIA Part 1 exam
The candidate must pass Part 1 of the CIA exam. This can be
done before, during, or after completion of the CRMA exam, but
must be completed before the certification is appointed.

CRMA exam
A 2 hour exam consisting of 100 multiple choice questions,
covering four domains:
Organizational governance related to risk management;
Principles of risk management processes;
Assurance role of the Internal Auditor;
Consulting role of the Internal Auditor.

Additional details for each domain and study resources
recommended by the IIA can be found on the IIA website, under
the Certification section.


Updated COSO Internal Control Integrated Framework

Overview

In November 2010, COSO announced a project to review and update the 1992 Internal Control-Integrated
Framework. COSO's goal in updating the framework is to increase its relevance in the increasingly
complex and global business environment.

In addition to updating the Framework, COSO is developing a compendium of approaches and examples
that illustrate how the principles set forth in the Framework can be applied in designing, implementing and
conducting internal control over external financial reporting.

Project timetable
2010 Assess and survey stakeholders
2011 Design and Build
2012 Public exposure and assessment
2013 Issuance of updated guidance


The integrated framework at a glance

The Internal Control Integrated Framework was published in 1992. It gained wide acceptance
following the financial control failures of the early 2000s.


Major changes

Expands the reporting category of objectives
The financial reporting objective category is expanded to consider other external reporting beyond financial
reporting, as well as internal reporting, both financial and non-financial.

Considers different business models and organizational structures
The updated Framework explicitly considers the extended business model, including the responsibilities for
internal control in this model and the achievement of effective internal control.


Major changes (continued)

Enhances governance concepts
The updated publication includes expanded discussion on governance relating to the board of directors and
committees of the board, including audit, compensation, nomination/governance committees.

Considers expectations for competencies and accountabilities

Reflects the increased relevance of technology

Enhances consideration of anti-fraud expectations
This updated Framework contains considerably more discussion on fraud and also considers the potential of
fraud as a principle of internal control.

Applies a principles-based approach
The updated Framework focuses greater attention on principles. While the original framework implicitly
reflected the core principles of internal control, the updated version explicitly states the 17 principles, which
represent the fundamental concepts associated with the components of internal control.


Major changes - Principles

Control environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies


What is NOT changing

Retains the core definition of internal control
Internal control is a process, effected by an entity's board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives relating to operations,
reporting, and compliance.

Retains the five components of internal control
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring Activities

Retains the requirement of five components for an effective system of internal control

Retains important role of judgment in designing, implementing, and conducting internal control, and
in assessing effectiveness of internal control


Thank You!
Presentation by Georgiana Iancu (Timofte)
Senior Manager, Internal Audit Services, KPMG
Romania
atimofte@kpmg.com
Tel. 0743 139 405


The KPMG name, logo and "cutting through complexity" are registered
trademarks or trademarks of KPMG International Cooperative ("KPMG
International").
