Professional Documents
Culture Documents
This study unit is the first of four covering Section Function from
The IIA's CIA Exam Syllabus. This section makes IA exam and is
tested at the proficiency level (unless otherwise in portion of the syllabus
is highlighted below. (The complete syllabus is in Appe
. djspositictnof.
., .... 7>,.:·
,,1 'I
B.
. procedures for the planning; organizing, directing; and monitoring of internal audit
2.' Review of the internal.audit function within the risk management framework
3. Direct administrative activities (e.g., budgeting, human resources) of the internalaudit.department
4. Interview candidates for internal audit positions
5. Report on the effectiveness of corporate risk management processes to senior management and the board
6. Report on the effectiveness of the internal control and risk management frameworks
7. Maintain effective Quality Assurance Improvement Program
C. Establish Risk-Based IA Plan
16 SU 1.' Strategic and Operational Roles of Internal Audit
t~ lai and procedural changes often are resisted by the individuals and
ffected. This response may be caused by simple surprise, inertia, or fear of
But it also may arise from the following:
1) Misunderstandings or lack of needed skills
2) Conflicts with, or lack of trust of, management
3) Emotional reactions when change is forced
4) Bad timing
5) Insensitivity to employees' needs
6) Perceived threats to employees' status or job security
7) Dissolutien of tightly knit work groups
8) Interference with achievement of other objectives
.'
-
SU 1: Strategic and Operational Roles of internal Audit 47
3)
b)
2)
3.
a. the audit committee is to promote the independence of
uditors by protecting them from management's influence.
unctions of the audit committee regarding the internal audit
c. The following are other functions of the audit committee regarding the external auditor:
1) Selecting the external auditing firm and negotiating its fee
2) Overseeing and reviewing the work of the external auditor
3) Resolving disputes between the external auditor and management
1! 4) Reviewing the external auditor's internal control and audit reports
4. Relationships with Management
a. According to Sawyer's Guide for Internal Auditors, 6th edition, j'n tarn......
I auditors are
responsible for performing their mission, maintaining their ob . d ensuring
the internal audit activity's independence. They also maintain
good working relationships with m_anagement.
b. Good relationships are developed by communicating
constructively, and using participative auditing
1) Participative auditing is a collaboration
management durinq the auditing p
and build a shared interest in the eng
accept changes if they have p
used to implement changes
2) However, internal auditors uiding and directing
the audit because the respons ,~lopinion is theirs.
Stop and review! You have completed the tudy multiple-choice
questions 4 through 6 on page 41.
1.
"'"anization's
policies and standards established to ensure
lorby its members.
e principles of conduct expected to be followed by individuals.
b. The internal a
corporate
organi .
3) Because of their skills and position in the organization, auditors should actively
support the ethical culture. Auditor roles may include
a) Chief ethics officer,
b) Member of an ethics council, or
c) Assessor of the ethical climate.
4) The minimum internal audit activity role is assessor of (a) the ethical climate and
(b) the effectiveness of processes to achieve legal and ethical compliance.
Internal auditors should evaluate the effectiveness of the folio 'ng features of
an enhanced, highly effective ethical culture:
a) A formal code of conduct and related stateme
procedures covering fraud and corruption)
b) Frequent demonstrations of ethical attitudes
leaders
c) Explicit strateqies to enhance the ethical
d) Easily accessible means of confid
e) Regular declarations by emp
requirements for ethical
f) Clear delegation of res
(2) investigation, and (
g)
h) Positive personnel r::l"""I"TII~"'C'
i) Regular s
state of
j) Regular
k) Regula
c. Other internal
complaints, (
ethics cli
1. Nature of Work
a. According to The IIA's Definition of lnternal Auditing, the int
an organization accomplish its objectives by bringing,
approach to evaluate and improve-the effectiveness
governance processes."
1) These processes are closely related. The II ) defines
them as follows:
a) Governance - "The combination
by the board to inform, di
organization toward
b) Risk management - " , manage, and control
potential events or . Ie assurance regarding
the achievement of the
c) Control- "Any e~ , the board, and other parties
to man - od that established objectives and
goals plans, organizes, and directs the
perfo provide reasonable assurance that
obj ved."
i) ,
1.5 COORDINATION
The chief audit executive should shar e activities with other internal and
external providers of assurance an ure proper coverage and minimize
duplication of efforts.
1,
a,
.external auditors, including coordination with the
s the responsibility of the board, Coordination of internal
U~~i ork is the responsibility of the chief audit executive (CAE).
the support of the board to coordinate audit work effectively"
3) "The external auditor may rely on the work of the internal audit activity in
performing their work. In this case, the CAE needs to provide sufficient
information to enable external auditors to understand the internal auditors'
techniques, methods, and terminology to facilitate reliance by external auditors
on work performed. Access to the internal auditors' programs and working
papers is provided to external auditors in order for external auditors to be
satisfied as to the acceptability for external audit purposes of relying on the
internal auditors' work" (para. 3).
NOTE: Professional standards place sole responsibility for th
external auditors. Only the external auditors have the
permit the provision of assurance to external parties.
the external auditors use the work" of other independe
cannot be shared with the internal auditors.
EXAMPLE
From CIA Exam
Which at the following is not a true statement about the relationship between internal auditors and
external auditors?
A. External auditors must assess the competence and objectivity ot internal auditors.
B. There may be periodic meetings between internal and external auditors to discuss matters of
mutual interest.
C. There may be an exchange of engagement communications and manage
D. Internal auditors may provide engagement work programs and
auditors.
(A) is correct. The external auditor assesses the objectivity and com
auditors only if (s)he intends to rely on their work.
(B) is incorrect. The relationship involves a sufficient number of
(C) is incorrect. .The relationship involves reasonable mu
communications and management letters.
(D) is incorrect. The relationship involves reaso
programs and working papers.
1) Below is a sam
acquisitions
and trading
dities
vernments may have their own regulatory bodies.
rganizations, entire departments or functions are established to
with the regulations issued by these governmental bodies.
qpn e, broker-dealers in securities establish compliance departments to
. that trades are executed according to the requirements of securities
. Moreover, manufacturers have departments to monitor wage-and-hour
pliance, workplace safety issues, and discharge of toxic wastes.
the responsibilities of the internal audit activity is the evaluation of the
anization's compliance with applicable laws and regulations.
1) The internal audit activity coordinates its work with that of inspectors and other
personnel from the appropriate governmental bodies and with personnel from
internal assurance functions.
Stop and review! You have completed the outline for this subunit Study multiple-choice
questions 13 through i5 on page 44.
.'
-
SU 1: Strategic and Operational Roles of Internal Audit
The internal audit activity must assess and make appropriate recom
governance process in its accomplishment of the foftowing objectives:
• Promoting appropriate ethics and values within the organizatio
e Ensuring effective organizational performance management a
Q Communicating risk and control information to appropria
e Coordinating the activities of and communicating i
internal auditors, and.management.
1.7
Stop and review! You have completed the outline for this subunit. Study multiple-cholce
. questions 18 through 20 beginning on page 45.
At one time, audit professionals thought of risk only in the context of an audit (e.q., the probability of not
discovering a material financial statement misstatement). Today, after extensive research and many
scholarly publications, risk is recognized as something that must be examined and mitigated in every aspect
of an organization's operations. Thus, CIA candidates should understand the distin nsibilities of
(1) the internal audit activity and (2) senior management and the board for enterpri
1. Overview
a. The IIA Position Paper: The Role
Management states that "risk man lement of corporate
governance. Management is respon nd operating the risk
management framework on If of th
b. "Enterprise-wide risk mana
structured, consi
relation to ERM sho
the effectiveness
c. "When internal
certain safe
therefore,
indep
2.
e to an organization by providing the board with objective
'"he IIA Position Paper groups the internal audit activity's roles into three
categories:
a) ~ore internal audit roles in regard to ERM
b) Legitirnate internal audit roles with safeguards
c) Roles the internal audit activity should not undertake
?'
-} ,A, helpful memory aid is
C Catch
h .Lying
R Records
·'
.'? ~Fgi~nizatiQn's:".;)
..,<::{
' -. :. i;
,","""""'" .(for;.the
.
.
~'t~urrence'of
~ . ,'.
fraud and
2) If the organization has no formal RMPs, the CAE has formal discussions with
management and the board about their obligations for understanding,
managing, and monitoring risks.
3) The CAE must understand management's and the board's expectations of the
internal audit activity in risk management. The understanding is codified in-the
charters of the internal audit activity and the board.
4) Senior management and the board determine the internal audit activity's role in
risk management based on factors such as (a) organizational culture, (b)
abilities of the internal audit activity staff, and (c) local co . ns and customs.
a) That role may range from no role, to auditi the
audit plan, to active, continuous support
to managing and cooroinatinq the proces
i) But assuming management respo . internal
audit activity independence m ard-
approved.
5) RMPs may be formal or informal, qua
business units or centralized. anization's
culture, management style, small entity may
use an informal risk comm
a)
6) To form an opinion 0
sufficient, a .
nature, timing, and extent of certain tests must be determined before tile
trol processes can be evaluated.
(B) is incorrect. Internal auditors have no authority to ensure correction of material weaknesses.
(C) is correct. Risk management, control, and governance processes are adequate if
management has planned and designed them to provide reasonable assurance of achieving tile
organization's objectives efficiently and economically. Efficient performance accomplishes
objectives in an accurate, timely, and economical fashion. Economical performance accomplishes
objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.
(0) is incorrect. The scope of internal auditing is much broader than concern for the fairness of
financial statements.
Stop and review! You have completed the outline for this subunit. Study multiple-choice
questions 21 through 23 beginning on page 46.
SU 1: Strategic and Operational Roles of Internal Audit
b.
c) Job sample simulation - "Can you show LIS how to compose and send an
e-mail message?"
d) Worker requirements - "Are you able to spend 25 percent of your time on
the road?"
2) Behavioral interviews determine how candidates handled past situations. Past
performance is generally indicative of future performance.
4. Reporting
a. Reporting to senior management and the board provides assu
1) Governance,
2) Risk management, and
3) Control.
b. Periodic reports also are made on internal audit's ility,
and performance.
c. Reporting to senior management and the boa
Unit 2, Subunit 3.
Stop and review! You have completed the outli
questions 24 through 27 beginning on page 47
1.
a. ssurance and Improvement Program, provides
in the continuous examination of their processes
. of stakeholders.
processes designed to provide reasonable assurance to
internal audit activity
n accordance with its charter, the Definition of Internal Auditing,
e of Ethics, and the Standards
_jDerates effectively and efficiently
1'5 perceived as addi;lg value and improving operations
~Jl"'ese
processes include appropriate supervision, periodic internal and external
""assessments,and ongoing monitoring of quality assurance.
The QAIP embraces all facets of the internal audit activity as reflected in the
pronouncements of The IIA and best practices of the profession.
a) Its processes are performed or supervised by the CAE.
b) A large or complex entity has a formal, independent QAIP administered
and monitored by an audit executive.
.'
-
SU 1: Strategic and Operational Roles of !nt.;:rna! Audit 35
~:-.
2. Internal Assessments
a. Ongoing and periodic internal assessments are addre
1311-1, Internal Assessment:
1) The processes and tools used in ongoing intern
a) Engagement supervision;
b) Checklists and procedures;
c) Feedback;
d) Peer reviews of working pa
e) Budget.s, timekeeping,
recoveries; and
f) Analyses of other pe
2) The IIA's Quality Assessment Man
assessments. These volve .:q.,,)';'
,~~~
b)
c)
d)
3, External Assessments
a. External assessments provide an independent and . ternal
audit activity's compliance with the Standards and
b. Further specifics are provided in Practice Advi .s ssments:
~.~~.
1) An external assessment may be a full ,''independent
external reviewer or review If-assessment
with independent valldat
a) nal audit activity.
b) ~, identification, and
c) The scopemu
2) Individuals sment should have no obligation to,
or interest in, r its personnel. External assessors
have no rea erest due to current or past
relations rganizatiQ~@'.
a) to in ,::lldence include conflicts of former employees or
idin h'~}financial statement audit, (2) significant
(3) assistance to the internal audit activity.
er part of the organization or in a related organization
. an affiliate) is not independent.
'i.'lll'
Stop and review! You have completed the outline for this subunit. Study multiple-choice
questions 28 through 30 on page 49.
40 SU 1: Strategic and Operational Roles of Internal Audit
QUESTIONS
1.1 Change Management
of ethical conduct is
A. Are typically required by governments. organization wishes to
B. Express standards of individual behavior for municates organizational
members of the organization. es uniform ethical guidelines
inclu nee on behavior for members in
C. Provide a quantifiable basis for personnel A code, ." blishes high standards against
evaluations. m~j3sti(etheir own performance. It also
outside the organization the value system
O. Have tremendous public relations potenti~~ ,
,,,,,, be must not be asked to deviate.
rrect. Governments typically have no such
r (C) is incorrect. Codes of conduct provide
qualitative, antitative, standards. Answer (0) is incorrect.
Other purposes of a code of conduct are much more significant.
.."if'
"'.i~~
9. The code of ethics of a profes ..(.Alns (A) is correct. .
sets forth ¥ ~\"REQUIRED: the content of a code of ethics of a
rn'fessional organization.
DISCUSSION: An organization's code of ethical conduct is
A. the established general value system tile organization wishes to
apply to its members' activities by communicating organizational
8. purposes and beliefs and establishing uniform ethical guidelines
for members, which include guidance on behavior tor members in
making decisions. A code establishes high standards against
C. which individuals can measure their own performance and
communicates to those outside the organization the value system
D. from which the organization's members must not be asked to
deviate.
Answer (8) is incorrect. The organizational details of the
profession's governing body are stated in the by-laws of the
professional organization. Answer (C) is incorrect. Certain
actions may be legal but contrary to an organization's code of
ethics. For example, an internal auditor may not perform a
service for which (s)he does not possess the necessary
knowledge, skills, and experience. Answer (0) is incorrect. I ne
Standards establish a basis for the measurement of internal audit
performance.
..
SU 1: Strategic and Operationai Roles of Internal Audit 43
10. The purpose of the internal audit activity's Answer (B) is correct.
evaluation of the effectiveness of existing risk REQUIRED: The purpose of the evaluation of the
management processes is to determine that effectiveness of risk management processes.
DISCUSSION: Risk management, control, and qovernance
processes are effective if management directs processes to
A. Management has planned and designed so as provide reasonable assurance of achieving the organization's
to provide reasonable assurance of achieving objectives. In addition to accomplishing the objectives and
objectives.
planned activities, management directs by authorizing activities
B. Management directs processes so as to and transactions, monitoring.resulting ance, and verifying
provide reasonable assurance of achieving that the organization's processes are s designed.
objectives.
C. The organization's objectives will be achieved
efficiently and economically.
O. The organization's objectives will be achieved
in an accurate and timely manner and with
minimal use of resources.
1.5 Coordination
13. Who has primary responsibility for providing Answer (8) is correct.
information to the board on the professional and REQUIRED: The responsible party for providing information
organizational benefits of coordinating internal audit about the benefits of coordin-ationof internal audit activities with
activities with those of other providers of similar those of other providers. .
services? DISCUSSION: The chief audit executive should share
information and coordinate activities with other internal and
external providers of assurance and consulting services to
A. The external auditor. ensure proper coverage and minimize duplication of efforts
8. The chief audit executive. (Perf. Std. 2050). While oversight of the of external auditors
is the responsibility of the board, rnal and
C. The chief executive officer. external audit work is the responsibility (PA 2050-1,
D. Each assurance and consulting function. para. 1). 3
Answer (A) is incorrect
thatthe internal audit
achievable from coo
consulting activities. Iways
form part of any activi
auditor, to the board.
is not responsible
internal audit as
17. The internal audit activity has a role in an Answer (0) is correct.
organization's governance process. The internal REQUIRED:
audit activity most directly contributes to this process contributes to
by DISCUSSI
C. Performance appraisals.
O. Policies and procedures.
46 SU 1: Strategic and Operational Roles of Internal Audit
C.
.»
"
22. internal auditors should review the means of Answer (C) is correct.
physicaily safeguarding assets from losses arising REQUIRED: The cause of losses giving rise to physical
from safeguards that should be reviewed by the auditor.
. DISCUSSION: The internal audit activity must evaluate risk
exposures relating to governance, operations, and information
A. Misapplication of accounting principles. systems regarding the safeguarding of assets
B. Procedures that are not cost justified. (Imp!. Std. 2120.A 1). For example, internal auditors evaluate risk
exposure arising from theft, fire, improper or illegal activities, and
C. Exposure to the elements. exposure to the elements.
Answer (A) is incorrect. Misapplication of accounting
O. Underusage of physical facilities. principles relates to the reliability of i and not physical
safeguards. Answer (B) is incorrect. that are not
cost justified relate to efficiency, not of operations.
Answer (01 is incorrect. Un to
efficiency of operations.
4f~~\~
~~r
Answer (B) is correct.
REQUIRED: The most important reason for the chief audit
executive to ensure that the internal audit department has
adequate and sufficient resources.
DISCUSSION: The CAE must ensure that internal audit
A. resources are appropriate, sufficient, and effectively deployed to
achieve the approved plan (Perf. Std. 2030).
Answer (A) is incorrect. The decision to outsource the
B.
internal audit function is not primarily based on existing
resources. Answer (C) is incorrect. The amount of resources is
r-
'-'. not a significant factor in establishing credibility. Answer (0) is
incorrect. Succession planning is not related to the amount of
audit resources.
O.
48 SU 1: Strategic and Operational Roles of Internal Audit
25. The key factor in the success of an internal audit Answer (C) is correct.
activity's human resources program is REQUIRED: The key factor in the success of an internal
audit activity's human resources program.
DISCUSSION: Internal auditors should be'qualified and
A. An informal program for developing and -cornpetent. Because the selection of a superior staff is
counseling staff. dependent on the ability to evaluate applicants, selection criteria
B. A compensation plan based on years of must be well-developed. Appropriate questions and forms
experience. should be prepared in advance to evaluate, among other things,
the applicant's technical qualifications, educational background,
C. A well-developed set of selection criteria. personal appearance, ability to communicate, maturity,
D. A program for recognizing the special interests persuasiveness, self-confidence, intelligen otivation, and
of individual staff members. potential to contribute to the organization
Answer (A) is incorrect. The human
should be formal. Answer i
human resources is more
Answer (0) is incorrect. The
more significant than special
28. The chief audit executive should develop and Answer (A) is correct.
maintain a quality assurance and improvement REQUIRED: The element not part of a quality assurance
program that covers all aspects of the internal audit progffim. .
activity and continuously monitors its effectiveness. DISCUSSION: Appraising each internal auditor's work at
All of the following are included in a quality program least annually is properly a function of the human resources
except program of the internal audit activity.
Use the additional quest~ns in Gleim CIA Test Prep Online to create Practice Exams tha;~';':';:;~~ear;onu~C~~
...J
I
•
50
._' \~~
",','
'. ~:
gleim'.C:o,m/_da
800.87'4~5346