
STUDY UNIT ONE


STRATEGIC AND OPERATIONAL
ROLES OF INTERNAL AUDIT
(25 pages of outline)

This study unit is the first of four covering Section Function from
The IIA's CIA Exam Syllabus. This section makes IA exam and is
tested at the proficiency level (unless otherwise in portion of the syllabus
is highlighted below. (The complete syllabus is in Appe

disposition of

regulatory oversight bodies and other internal assurance functions

system, achievement of corporate objective

B.
procedures for the planning, organizing, directing, and monitoring of internal audit

2. Review of the internal audit function within the risk management framework
3. Direct administrative activities (e.g., budgeting, human resources) of the internal audit department
4. Interview candidates for internal audit positions
5. Report on the effectiveness of corporate risk management processes to senior management and the board
6. Report on the effectiveness of the internal control and risk management frameworks
7. Maintain effective Quality Assurance Improvement Program
C. Establish Risk-Based IA Plan
16 SU 1: Strategic and Operational Roles of Internal Audit

1.1 CHANGE MANAGEMENT


1. Overview
a. Change management is important to all organizations. An appropriate balance
between change and stability is necessary for an organization to thrive.
1) Organizational change is conducted through change agents, who may include
managers, employees, and consultants hired for the purpose.
2. Interpersonal Skills
a. The internal audit activity can add value to an organization by
change. According to The IIA competency framework, "
following interpersonal skills to interact with others
do the following:
1) Champion the change, enlist others in its purs trategy
that includes milestones and a timeline.
2) Model the change expected of others.
3) Accurately assess the potential b
4) Provide resources, remove ba
change.
5) Maintain work efficiency and
6) Promptly switch strategies if the cu ones a'~~i;),~working.
7) Provide direction and 'ng the change process.
8) Support new id .'
9) Respond quickly , ving creative ideas and taking
appropriate i
10) Support the
11)
12) Ope
13) C
3.

attitudes and mindset, for example, when a total quality


adopted.
ange in a product's physical attributes and usefulness to

is a change in an organization's systems or structures.

t~ lai and procedural changes often are resisted by the individuals and
ffected. This response may be caused by simple surprise, inertia, or fear of
But it also may arise from the following:
1) Misunderstandings or lack of needed skills
2) Conflicts with, or lack of trust of, management
3) Emotional reactions when change is forced
4) Bad timing
5) Insensitivity to employees' needs
6) Perceived threats to employees' status or job security
7) Dissolution of tightly knit work groups
8) Interference with achievement of other objectives

b. Methods of coping with employee resistance include the following:


1) Prevention through education and communication
2) Participation in designing and implementing a change
3) Facilitation and support through training and counseling
4) Negotiation by providing a benefit in exchange for cooperation
5) Manipulation of information or events
6) Co-optation through allowing some participation but without meaningful input
7) Coercion
5. Models for Planned Change
a. Change management has been studied by man
models have emerged:
1) Kurt Lewin's process model consists of
a) Unfreezing is the diagnosis stage.
preparing employees for the
b) Change is the intervention in
c) Refreezing makes the
not reassert the
2) hat change is ongoing
rocess from being
agent coordinates steps b)

3)

. ge must be planned and deliberate.


ange must actually improve the organization. Changes forced
regulatory requirements or changes that merely attempt to follow
management trends and fads are not included.
The change must be implemented using the findings of the
behavioral sciences, such as organizational behavior and group
psychology.
The following are the objectives of OD:
i) Deepen the sense of organizational purpose and align individuals
with it
ii) Promote interpersonal trust, communication, cooperation, and
support
iii) Encourage a problem-solving approach
iv) Develop a satisfying work experience
v) Supplement formal authority with authority based on expertise
vi) Increase personal responsibility
vii) Encourage willingness to change
Stop and review! You have completed the outline for this subunit. Study multiple-choice
questions 1 through 3 on page 40.

1.2 STAKEHOLDER RELATIONSHIPS


1. Stakeholder Relationships
a. For internal auditors to be effective, Sawyer's Guide for Internal Auditors, 6th edition,
states that they must build and maintain strong constructive relationships with
managers and other stakeholders within the organization.
b. These relationships require conscious ongoing focus to ensure that risks are
appropriately identified and evaluated to best meet the needs of the organization.
c. Internal auditors have a responsibility to work together with and other
stakeholders to facilitate work efforts and compliance with
d. Key stakeholders include the board of directors, audit
external auditors, and regulators.
2. The Board and the Audit Committee
a. For the internal audit activity to achieve organization
executive (CAE) must have direct and unrestri
the board.
1) The IIA Glossary defines a boa
a board of directors or other
audit committee, to whom
b. The audit committee is a subunit of the
member of the board is ne
1) Some statutes h
membership of
a) e organization except in his/her

b)
2)

3.
a. the audit committee is to promote the independence of
uditors by protecting them from management's influence.
unctions of the audit committee regarding the internal audit

ii%, .c~ removing the CAE and setting his/her compensation


ApfJl,~' the internal audit charter
l ['ing and approving the internal audit activity's work plan
"', uring that the internal audit activity is allocated sufficient resources
esolving disputes between the internal audit activity and management
6) Communicating with the CAE, who attends all audit committee meetings
7) Reviewing the internal audit activity's work product (e.g., interim and final
engagement communications)
8) Ensuring that engagement results are given due consideration
9) Overseeing appropriate corrective action for deficiencies noted by the internal
audit activity
10) Making appropriate inquiries of management and the CAE to determine whether
audit scope or budgetary limitations impede the ability of the internal audit
activity to meet its responsibilities.

c. The following are other functions of the audit committee regarding the external auditor:
1) Selecting the external auditing firm and negotiating its fee
2) Overseeing and reviewing the work of the external auditor
3) Resolving disputes between the external auditor and management
4) Reviewing the external auditor's internal control and audit reports
4. Relationships with Management
a. According to Sawyer's Guide for Internal Auditors, 6th edition, internal auditors are
responsible for performing their mission, maintaining their ob . d ensuring
the internal audit activity's independence. They also maintain
good working relationships with management.
b. Good relationships are developed by communicating
constructively, and using participative auditing
1) Participative auditing is a collaboration
management during the auditing p
and build a shared interest in the eng
accept changes if they have p
used to implement changes
2) However, internal auditors uiding and directing
the audit because the respons ,~lopinion is theirs.
Stop and review! You have completed the tudy multiple-choice
questions 4 through 6 on page 41.

1.3 ETHICAL CLIMATE

process, governance principles, and ethical culture.


o apply knowledge to a set of facts.

1.
"'"anization's
policies and standards established to ensure
lorby its members.
e principles of conduct expected to be followed by individuals.

• e re the major issues:


1) .&:, fil' ral business understanding of ethical issues
2) Compliance with laws (e.g., tax, securities, antitrust, environmental, privacy, and
labor)
3) External financial reporting
4) Conflicts of interest
5) Entertainment and gift expenses
6) Relations with customers and suppliers (Should gifts or kickbacks be given or
accepted?)
7) Social responsibility

3. Factors That May Lead to Unethical Behavior


a. In any normal population, some people behave unethically. If these people hold
leadership positions, they may have a bad influence on subordinates.
1) Organizational Factors
a) Pressure to improve short-run performance is an incentive for wrongdoing.
b) Emphasis on strict chain-of-command authority may excuse unethical
behavior when following orders.
c) Informal work-group loyalties may result in tolerance
behavior. s

d) Committee decision processes reduce indiv .


2) External Factors
a) Competitive pressures may result in u
of survival.
b) The advantage obtained by a
imitation of that behavior.
c) Definitions of ethical e to another. For
example, bribes to stent with customary
business practices in s
4. Criteria for Evaluating Ethical Behavior
a. The following questions aid
1) "Would my be I respect were aware of it?"
2) "What are the or for myself, other employees,
customers,
b. Ethics are indivi . he1;'are influenced by the following:
r ,ling right, punishment for doing wrong)
..'._alassoclations, informal groups) .'
e'tponsibilities to superiors and the organization)
5.
hics is the established general value system the
apply to its members' activities by
organizational purposes and beliefs and
niform ethical guidelines for members.
guidance extends to decision making.
~. ecific rules cannot cover all situations. Thus, organizations benefit from
#' ing a code of ethics that effectively communicates acceptable values to all
sted internal and external parties. For example, a code may do the following:
1) Require compliance with the law
2) Prohibit conflicts of interest
3) Provide a method of policing and disciplining members for violations through
a) Formal review panels and
b) Group pressure (informal).
4) Set high standards against which individuals can measure their own
performance.
5) Communicate to those outside the organization the value system from which its
members must not be asked to deviate

c. A typical code for auditors or accountants in an organization requires the following:


1) Independence from conflicts of economic or professional interest
a) They are responsible for presenting information fairly to stakeholders
rather than protecting management.
b) They are responsible for presenting appropriate information to all
managers. They should not favor certain managers or conceal
unfavorable information.
c) They are responsible for maintaining an ethical conduct of
professional activities. s

i) They should do what they can to ens


with the spirit as well as the letter of
ii) They should conduct themselves
legal standards.
iii) They should report to a
fraudulent or other illegal
2) Integrity and a refusal to comp
3) Objectivity in presenting info
6. Role of the Internal Audit Activity
a.

. The ipt,enlal audit"adivitYfTl '-


,:c)fth'e orqanization's 'ethi '.

b. The internal a
corporate
organi .

s meets four responsibilities:


Compliance with legal and regulatory rules
Satisfaction of generally accepted norms and social expectations
Providing benefits to society and specific stakeholders
Reporting fully and truthfully to ensure accountability
[Figure: Governance Process Responsibilities (Compliance, Satisfaction, Benefits, Reporting)]
2) Governance practices reflect the organization's culture and largely depend on it
for effectiveness. The culture
a) Sets values, objectives, and strategies;
b) Defines roles and behaviors;
c) Measures performance;
d) Specifies accountability; and
e) Determines the degree of sensitivity to social responsibility.

3) Because of their skills and position in the organization, auditors should actively
support the ethical culture. Auditor roles may include
a) Chief ethics officer,
b) Member of an ethics council, or
c) Assessor of the ethical climate.
4) The minimum internal audit activity role is assessor of (a) the ethical climate and
(b) the effectiveness of processes to achieve legal and ethical compliance.
Internal auditors should evaluate the effectiveness of the following features of
an enhanced, highly effective ethical culture:
a) A formal code of conduct and related stateme
procedures covering fraud and corruption)
b) Frequent demonstrations of ethical attitudes
leaders
c) Explicit strategies to enhance the ethical
d) Easily accessible means of confid
e) Regular declarations by emp
requirements for ethical
f) Clear delegation of res
(2) investigation, and (
g)
h) Positive personnel r::l"""I"TII~"'C'

i) Regular s
state of
j) Regular
k) Regula
c. Other internal
complaints, (
ethics cli

s er of benefits between an employee and those with


• qanization deals.
Ii
use of organizational information for private gain.
Stop meted the outline for this subunit. Study multiple-choice
ques 42.

1.4 EDUCATION IN BEST PRACTICES

Performance Standard 2100


Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk
management, and control processes using a systematic and disciplined approach.

1. Nature of Work
a. According to The IIA's Definition of Internal Auditing, the int
an organization accomplish its objectives by bringing,
approach to evaluate and improve the effectiveness
governance processes."
1) These processes are closely related. The II ) defines
them as follows:
a) Governance - "The combination
by the board to inform, di
organization toward
b) Risk management - " , manage, and control
potential events or . Ie assurance regarding
the achievement of the
c) Control- "Any e~ , the board, and other parties
to man - od that established objectives and
goals plans, organizes, and directs the
perfo provide reasonable assurance that
obj ved."
i) ,

. b. senior management and the board about best


management, control, and compliance.
ed in The IIA Glossary as "adherence to policies, plans,
, regulations, contracts, or other requirements."
The internal audit activity must evaluate the risks involved in governance,
operations, and information systems that relate to compliance with laws,
regulations, policies, procedures, and contracts. The internal audit
activity also must evaluate the controls regarding compliance.
2.
a. Governance, risk management, and control processes are adequate if management
has planned and designed them to provide reasonable assurance of achieving the
organization's objectives efficiently and economically.
1) Efficient performance accomplishes objectives in an accurate, timely, and
economical fashion. Economical performance accomplishes objectives with
minimal use of resources (i.e., cost) proportionate to the risk exposure.
2) Reasonable assurance is provided if the most cost-effective measures are
taken in the design and implementation stages to reduce risks and restrict
expected deviations to a tolerable level.

3. Basic Types of Internal Audit Engagements


a. The essential strategic function of the internal audit activity is to provide assurance
services and consulting services. Thus, the Definition of Internal Auditing describes
internal auditing as "an independent, objective assurance and consulting activity."
b. Separate groups of Implementation Standards have been issued for assurance
services and consulting services. These services are defined in The IIA Glossary as
follows:
1) Assurance services - "An objective examination of
providing an independent assessment on governance, ri •
control processes for the organization. Exampl
performance, compliance, system security, and
2) Consulting services - "Advisory and related eli
and scope of which are agreed with the client
improve an organization's governance, risk
processes without the internal auditor as
Examples include counsel, advice, f
Stop and review! You have completed the outline
questions 10 through 12 on page 43.

1.5 COORDINATION

The chief audit executive should shar e activities with other internal and
external providers of assurance an ure proper coverage and minimize
duplication of efforts.

1.
a.
external auditors, including coordination with the
s the responsibility of the board. Coordination of internal
U~~i ork is the responsibility of the chief audit executive (CAE).
the support of the board to coordinate audit work effectively"

. ati s may use the work of external auditors to provide assurance


activities within the scope of internal auditing. In these cases, the
l es the steps necessary to understand the work performed by the
nal auditors, including:
The nature, extent, and timing of work planned by external auditors, to be
satisfied that the external auditors' planned work, in conjunction with the
internal auditors' planned work, satisfies the requirements of
Standard 2100.
b) The external auditor's assessment of risk and materiality.
c) The external auditors' techniques, methods, and terminology to enable the
CAE to (1) coordinate internal and external auditing work; (2) evaluate, for
purposes of reliance, the external auditors' work; and (3) communicate
effectively with external auditors.
d) Access to the external auditors' programs and working papers, to be
satisfied that the external auditors' work can be relied upon for internal
audit purposes. Internal auditors are responsible for respecting the
confidentiality of those programs and working papers" (para. 2).

3) "The external auditor may rely on the work of the internal audit activity in
performing their work. In this case, the CAE needs to provide sufficient
information to enable external auditors to understand the internal auditors'
techniques, methods, and terminology to facilitate reliance by external auditors
on work performed. Access to the internal auditors' programs and working
papers is provided to external auditors in order for external auditors to be
satisfied as to the acceptability for external audit purposes of relying on the
internal auditors' work" (para. 3).
NOTE: Professional standards place sole responsibility for th
external auditors. Only the external auditors have the
permit the provision of assurance to external parties.
the external auditors use the work" of other independe
cannot be shared with the internal auditors.

4) "Planned audit activities of internal and


ensure that audit coverage is coordin minimized
where possible. Sufficient meetings e audit
process to ensure coordination timely completion
of audit activities, and to d d
recommendations from
planned work be adjusted" (
5) "The internal audit activity's final
those communications
available to external .
in determinin
internal audito
and manag
included i
input to
audit

",,",'e for regular evaluations of the coordination between


I auditors. Such evaluations may also include assessments
over ciency and effectiveness of internal and external audit
activities, ing aggregate audit cost. The CAE communicates the results of
these evaluations to senior management and the board, including relevant
comments about the performance of external auditors" (para. 7).

EXAMPLE
From CIA Exam
Which of the following is not a true statement about the relationship between internal auditors and
external auditors?
A. External auditors must assess the competence and objectivity of internal auditors.
B. There may be periodic meetings between internal and external auditors to discuss matters of
mutual interest.
C. There may be an exchange of engagement communications and manage
D. Internal auditors may provide engagement work programs and
auditors.
(A) is correct. The external auditor assesses the objectivity and com
auditors only if (s)he intends to rely on their work.
(B) is incorrect. The relationship involves a sufficient number of
(C) is incorrect. The relationship involves reasonable mu
communications and management letters.
(D) is incorrect. The relationship involves reaso
programs and working papers.

2. Coordinating with Regulatory Oversight


a. Businesses and not-f subject to governmental regulation in
many countries.

1) Below is a sam

acquisitions
and trading
dities
vernments may have their own regulatory bodies.
rganizations, entire departments or functions are established to
with the regulations issued by these governmental bodies.
qpn e, broker-dealers in securities establish compliance departments to
. that trades are executed according to the requirements of securities
. Moreover, manufacturers have departments to monitor wage-and-hour
pliance, workplace safety issues, and discharge of toxic wastes.
the responsibilities of the internal audit activity is the evaluation of the
anization's compliance with applicable laws and regulations.
1) The internal audit activity coordinates its work with that of inspectors and other
personnel from the appropriate governmental bodies and with personnel from
internal assurance functions.
Stop and review! You have completed the outline for this subunit. Study multiple-choice
questions 13 through 15 on page 44.

1.6 OTHER TOPICS


1. Governance
a. Internal auditors evaluate and improve governance processes as part of their
assurance function. This subunit addresses the overall role of internal auditing in
governance. It also outlines more specific governance activities, such as the
assessment of the internal audit activity's own performance.

Performance Standard 2110


Governance

The internal audit activity must assess and make appropriate recom
governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organizatio
• Ensuring effective organizational performance management a
• Communicating risk and control information to appropria
• Coordinating the activities of and communicating i
internal auditors, and management.

2. Strategic Role of the Internal Audit Acti


a. , "Internal auditors
. and contributing to the
I auditors provide

and operating effectiveness of the


may provide consulting services
s. In some cases, internal auditors
oard self-assessments of governance practices"

b. ys an important strategic role in the governance


ole includes providing leadership, assessing the
urement systems, making appropriate
Ing the achievement of corporate objectives.
3.
s of internal auditors involves organizing and leading a team in
d business process improvement.
ap is a simple flowchart or narrative description used to depict a
It aids in assessing the effectiveness and efficiency of processes and

uditors evaluate the whole management process of planning, organizing, and


fl g to determine whether reasonable assurance exists that objectives will be
ved.
c. All business systems, processes, operations, functions, and activities within the
organization are subject to the internal auditor's evaluations. Internal auditing
provides reasonable assurance that management's
1) Risk management activities are effective;
2) Internal control is effective and efficient; and
3) Governance process is effective by establishing and preserving values, setting
goals, monitoring activities and performance, and defining the measures of
accountability.

4. Internal Audit Performance Measurements


a. Key performance measurements for the internal audit activity provide criteria against
which it is judged.
b. The following guidance is provided by The IIA Practice Guide, Measuring Internal
Audit Effectiveness and Efficiency:
1) Establishing performance measures is critical in determining whether an audit
activity is meeting its objectives, consistent with the highest quality practices
and standards.
2) The first step is to identify key performance measures for
stakeholders believe add value and improve
3) Once key effectiveness and efficiency measure
identified, a monitoring process and a method
should be established (e.g., format, timing,
reporting should be based on stakeholder n
4) It is important that the internal audit acti
stakeholders on audit effectiveness
5. Performance Measurement Systems a
a. An important element of co
objectives. Internal auditors can u
b. Internal auditors can add value to an
performance measurem and
c. Internal auditors ma
results of these en
system is adequ
Stop and review! You have Study multiple-choice
questions 16 and 17 on pa

1.7

policies and procedures to guide the internal audit activity.

ractice Advisory 2040-1, Policies and Procedures, policies and


developed by the CAE do not necessarily need to be contained in formal
rative and technical manuals.
A small internal audit activity may be managed informally through daily, close
supervision and memoranda.
2) In a large internal audit activity, more formal and comprehensive policies and
procedures are essential to guide the execution of the internal audit plan.
b. The importance of the relationship of the particular internal audit activity to the extent
of its formal policies and procedures is made clear in this Interpretation:

Interpretation of Standard 2040


The form and content of policies and procedures are dependent upon the size and structure of
the internal audit activity and the complexity of its work.

Stop and review! You have completed the outline for this subunit. Study multiple-choice
questions 18 through 20 beginning on page 45.

1.8 ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT

At one time, audit professionals thought of risk only in the context of an audit (e.g., the probability of not
discovering a material financial statement misstatement). Today, after extensive research and many
scholarly publications, risk is recognized as something that must be examined and mitigated in every aspect
of an organization's operations. Thus, CIA candidates should understand the distin nsibilities of
(1) the internal audit activity and (2) senior management and the board for enterpri

Performance Standard 2120


Risk Management
The internal audit activity must evaluate the effectiveness and
management processes.

1. Overview
a. The IIA Position Paper: The Role
Management states that "risk man lement of corporate
governance. Management is respon nd operating the risk
management framework on If of th
b. "Enterprise-wide risk mana
structured, consi
relation to ERM sho
the effectiveness
c. "When internal
certain safe
therefore,
indep

2.
e to an organization by providing the board with objective

can undertake a broad range of ERM activities. However, internal


auld not undertake any activities that could threaten their independence

The IIA Position Paper groups the internal audit activity's roles into three
categories:
a) Core internal audit roles in regard to ERM
b) Legitimate internal audit roles with safeguards
c) Roles the internal audit activity should not undertake
A helpful memory aid is

C Catch
L Lying
R Records

3. Core Internal Audit Activity Roles in ERM


a. Giving assurance on the risk management process
b. Giving assurance that risks are correctly evaluated
c. Evaluating risk management processes
d. Evaluating the reporting of key risks
e. Reviewing the management of key risks
4. Legitimate Internal Audit Activity Roles Given Safeguards
a. Facilitating identification and evaluation of risks
b. Coaching management in responding to risks
c. Coordinating ERM activities
d. Consolidating the reporting on risks
e. Maintaining and developing the ERM framework
f. Championing establishment of ERM
g. Developing an ERM strategy for board approval
5. Roles the Internal Audit Activity Should Not Unde
a. Setting the risk appetite
1) Risk appetite is the amount of in pursuit of
value. It reflects the risk ma uences the entity's
culture and operating style.
b. Imposing risk management processes
c. Management assurance on ri
d. Making decisions on
e. Implementing risk res'
f. Accountability for

Which of the following th n internal auditor who had participated in


the initial establishme ess? .
A.
B.
C. veness of management's risk processes.
D. the risks identified.
ity that threatens independence.
ssessments and reports on the organization's risk management
.mal audit role but also a high audit priority.
management's responsibility for the risk management process is a
internal audit activity's independence. It requires a full discussion and board
-1, para. 5).
(C) is incorrect. Internal auditors assist both management and the board by examining,
evaluating, reporting, and recommending improvements of the adequacy and effectiveness of risk
management processes.
(D) is incorrect. Internal auditors may recommend controls without losing independence.

6. Role in Risk Management


a. The following Interpretation clarifies the internal audit activity's role:

Interpretation of Standard 2120


Determining whether risk management processes are effective is a judgment resulting from the
internal auditor's assessment that:
• Organizational objectives support and align with the organization's mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the
appetite; and
• Relevant risk information is captured and communicated in a
organization, enabling staff, management, and the board
responsibilities.
The internal audit activity may gather the information to support
engagements. The results of these engagements, when vi
understanding of the organization's risk management
Risk management processes are monitored th
evaluations, or both.

organization's
(for the
occurrence of
fraud and

blishing a risk-based audit model and participating in the organization's risk
anagement processes are ways for the internal audit activity to add value.
nsibil r-Organizational Risk Management
The division of responsibility is described in Practice Advisory 2120-1, Assessing the
Adequacy of Risk Management Processes.
1) Risk management is a key responsibility of senior management and the board.
a) Management ensures that sound risk management processes (RMPs)
are in place and functioning.
b) Boards have an oversight function. They determine that RMPs are in
place, adequate, and effective.
c) The internal audit activity may be directed to examine, evaluate, report,
or recommend improvements.
i) It also has a consulting role in identifying, evaluating, and
implementing risk management methods and controls.

2) If the organization has no formal RMPs, the CAE has formal discussions with
management and the board about their obligations for understanding,
managing, and monitoring risks.
3) The CAE must understand management's and the board's expectations of the
internal audit activity in risk management. The understanding is codified in the
charters of the internal audit activity and the board.
4) Senior management and the board determine the internal audit activity's role in
risk management based on factors such as (a) organizational culture, (b)
abilities of the internal audit activity staff, and (c) local conditions and customs.
a) That role may range from no role, to auditi the
audit plan, to active, continuous support
to managing and coordinating the proces
i) But assuming management respo . internal
audit activity independence m ard-
approved.
5) RMPs may be formal or informal, qua
business units or centralized. anization's
culture, management style, small entity may
use an informal risk comm
a)

6) To form an opinion 0
sufficient, a .

Which of the following


adequacy of risk manag
A. To help riot,orrn
object
B.
C. management, control, and governance processes provide
organization's objectives are achieved efficiently and

risk management, control, and governance processes ensure that

nature, timing, and extent of certain tests must be determined before the
control processes can be evaluated.
(B) is incorrect. Internal auditors have no authority to ensure correction of material weaknesses.
(C) is correct. Risk management, control, and governance processes are adequate if
management has planned and designed them to provide reasonable assurance of achieving the
organization's objectives efficiently and economically. Efficient performance accomplishes
objectives in an accurate, timely, and economical fashion. Economical performance accomplishes
objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.
(D) is incorrect. The scope of internal auditing is much broader than concern for the fairness of
financial statements.

Stop and review! You have completed the outline for this subunit. Study multiple-choice
questions 21 through 23 beginning on page 46.

1.9 INTERNAL AUDIT ADMINISTRATIVE ACTIVITIES


1. Overview
a. The chief audit executive (CAE) is responsible for management of internal audit
activity resources in a manner that ensures fulfillment of its responsibilities. Like any
well-managed department, the internal audit activity should operate effectively and
efficiently. This can be accomplished through proper planning, which includes
budgeting and human resources management.
b. Management oversees the day-to-day operations of the internal
including the following administrative activities:
1) Budgeting and management accounting
2) Human resource administration, including pe
compensation
3) Internal communications and information fl
4) Administration of the internal audit activity'
2. Budgeting
a. The CAE is responsible for creating et. Generally, the
CAE, audit managers, and the i r to develop the
budget annually. The budget is t and the board for
their review and approval.
3. Human Resources
a. The skill set and
help the organizatio
Assurance & C
associates to fill

b.

que nd forms should be prepared in advance to evaluate,
other things, the applicant's (a) technical qualifications, (b) educational
background, (c) personal appearance, (d) ability to communicate, (e) maturity,
(f) persuasiveness, (g) self-confidence, (h) intelligence, (i) motivation, and
(j) potential to contribute to the organization.
Auditors need a diverse set of skills to perform their jobs effectively. These
skills are not always apparent in a standard resume. Developing effective
interviewing techniques will ensure that the internal audit function acquires the proper
skills, capabilities, and technical knowledge needed to accomplish its goals.
d. Effective interviewing techniques involve structured interviews and behavioral
interviewing.
1) Structured interviews are designed to eliminate individual bias. These interviews
use a set of job-related questions with standardized answers, which then are
scored by a committee of three to six members. According to Management
(Kreitner & Cassidy, 12th edition), interviewers can use four general types of
questions:
a) Situational - "What would you do if you saw two people arguing loudly in
the work area?"
b) Job knowledge - "Do you know how to do an Internet search?"

c) Job sample simulation - "Can you show us how to compose and send an
e-mail message?"
d) Worker requirements - "Are you able to spend 25 percent of your time on
the road?"
2) Behavioral interviews determine how candidates handled past situations. Past
performance is generally indicative of future performance.
4. Reporting
a. Reporting to senior management and the board provides assu
1) Governance,
2) Risk management, and
3) Control.
b. Periodic reports also are made on internal audit's ility,
and performance.
c. Reporting to senior management and the boa
Unit 2, Subunit 3.
Stop and review! You have completed the outli
questions 24 through 27 beginning on page 47

1.10 QUALITY ASSURANCE AND IMPROVEM

The chief audit executive must ssurance and improvement program


that covers all aspects of the i

1.
a. ssurance and Improvement Program, provides
in the continuous examination of their processes
. of stakeholders.
processes designed to provide reasonable assurance to
internal audit activity
n accordance with its charter, the Definition of Internal Auditing,
e of Ethics, and the Standards
Operates effectively and efficiently
Is perceived as adding value and improving operations
These processes include appropriate supervision, periodic internal and external
assessments, and ongoing monitoring of quality assurance.
The QAIP embraces all facets of the internal audit activity as reflected in the
pronouncements of The IIA and best practices of the profession.
a) Its processes are performed or supervised by the CAE.
b) A large or complex entity has a formal, independent QAIP administered
and monitored by an audit executive.

Attribute Standard 1310


Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external
assessments.

b. Practice Advisory 1310-1, Requirements of the Quality Assurance and Improvement


Program, provides detailed guidance:
1) A QAIP is an ongoing and periodic assessment of all wo
activity. These rigorous assessments include
a) Continuous supervision and testing of perf
b) Periodic validation of conformance with
c) Measurement and analysis of perform
accomplishment and customer
2) Indicated improvements are impl
3) Assessments evaluate and
audit activity and produce.
a) Conformance with man
b) Adequacy of the internal a
procedures;
c) The contri management, control, and governance;
d) Complia atio government or industry standards;
e) Continuer and n of best practices; and
f) Whether the internal audit activity adds value and improves operations.
4) QAIP efta up involving appropriate and timely modification of
ures, and technology.
5) communicated to stakeholders. The CAE
and the board on QAIP efforts at least annually.

improvement program should include evaluation of all of

e work of external auditors.


dards and Code of Ethics.


organization's governance processes.


question sizes the element not required in the assessment of a QAIP.
(A) is correct. Oversight of the work of external auditors, including coordination with the internal
audit activity, is the responsibility of the board (PA 2050-1). It is not within the scope of the
process for monitoring and assessing the quality program.
(B) is incorrect. Conformance with the Definition of Internal Auditing, Standards, and Code of
Ethics, including timely corrective actions to remedy any significant instances of nonconformance,
is an element of the assessment of a quality program.
(C) is incorrect. Adequacy of the internal audit activity's charter, objectives, policies, and
procedures is an element of the assessment of a quality program.
(D) is incorrect. Contribution to the organization's governance, risk management, and control
processes is an element of the assessment of a quality program.

Attribute Standard 1311


Internal Assessments
Internal assessments must include:
• Ongoing monitoring of the performance of the internal audit activity; and
• Periodic self-assessments or assessments by other persons within the organization with
sufficient knowledge of internal audit practices.

2. Internal Assessments
a. Ongoing and periodic internal assessments are addre
1311-1, Internal Assessment:
1) The processes and tools used in ongoing intern
a) Engagement supervision;
b) Checklists and procedures;
c) Feedback;
d) Peer reviews of working pa
e) Budgets, timekeeping,
recoveries; and
f) Analyses of other pe
2) The IIA's Quality Assessment Man
assessments. These volve

a) bl~f~rs (in interviews and surveys)

b)
c)
d)

should not communicate assurances about the outcome of


I assessment, although the report may give recommendations
e practices.
r~e .er, the periodic internal assessment may be the self-assessment
of a self-assessment with independent validation.
ongoing or periodic internal assessment, conclusions about
ormance are reached, and appropriate action is begun to ensure
improvements are made.
Those conducting internal assessments generally report directly to the CAE, who
should establish a structure for reporting results that maintains credibility and
objectivity.
6) At least annually, the CAE reports results, action plans, and implementation
information to senior management and the board.

Attribute Standard 1312


External Assessments
External assessments must be conducted at least once every five years by a qualified, independent
assessor or assessment team from outside the organization. The chief audit executive must discuss
with the board:
• The form and frequency of external assessments; and
• The qualifications and independence of the external reviewer or assessmen
potential conflict of interest.

3. External Assessments
a. External assessments provide an independent and . ternal
audit activity's compliance with the Standards and
b. Further specifics are provided in Practice Advi .s ssments:
1) An external assessment may be a full ,''independent
external reviewer or review If-assessment
with independent valldat
a) nal audit activity.
b) ~, identification, and

c) The scopemu
2) Individuals sment should have no obligation to,
or interest in, r its personnel. External assessors
have no rea erest due to current or past
relations rganizatiQ~@'.
a) to in ,::lldence include conflicts of former employees or
idin h'~}financial statement audit, (2) significant
(3) assistance to the internal audit activity.
er part of the organization or in a related organization
. an affiliate) is not independent.

mong three unrelated organizations (but not between two)


the independence requirement.
cerns about independence, one or more independent
duals may provide separate validation.
is honesty and candor limited by confidentiality, with no subordination
vice and the public trust to personal gain.
Objectivity is impartiality, intellectual honesty, and freedom from conflicts
of interest.
An external reviewer should be a certified audit professional well versed in the
Standards and best practices with at least 3 years of management experience
in internal auditing or related consulting.
a) Leaders of independent review teams and those who validate a
self-assessment must have additional competence and experience.
i) Qualifications include prior external assessment work, quality
assessment training, or service as a senior internal auditor.
5) The reviewer(s) should have relevant technical and industry experience, and
other specialists may be needed.
6) Senior management and the board are involved in selecting (a) the approach
and (b) the external quality assessment provider.

7) The scope of the review extends to conformance with mandatory guidance of


The IIA, the internal audit activity's charter, laws, etc. It also extends to
a) The expectations of management and the board,
b) Integration of the internal audit activity with the governance process,
c) The internal audit activity's tools and techniques,
d) Competence (mix of the staff's knowledge, experience, and disciplines),
and
e) Whether the internal audit activity adds value and i
8) Preliminary results are discussed with the CAE. Final
communicated to the CAE, and a formal commu
management and the board.
9) The communication includes an opinion on
guidance of The IIA. Conformance means
activity satisfy such guidance.
a)
responsibilities is impaired
i) The degree of pa
b) Expression of an opinion
due professional care.
c) The communication
practices, (2)
action pia.
10) The results, inc
accomplish
(e.g., senio
a) ccountability and transparency.
4. Reporting Res
a. Se must be kept informed about the extent to which
t the degree of professionalism required by The IIA.

The nicate the results of the quality assurance and improvement


prog prIJ.~Jjlll''';..Jnd
the board.

from the interpretation of Standard 1320 addresses the frequency of


on the QAIP:
demonstrate conformance with the Definition of Internal Auditing, the
Code of Ethics, and the Standards, the results of external and periodic
internal assessments are communicated upon completion of such
assessments and the results of ongoing monitoring are communicated at
least annually.

5. Importance of Conforming with the Standards


a. Compliance with the Standards requires an effective QAIP.

Attribute Standard 1321


Use of "Conforms with the International Standards for the Professional Practice of
Internal Auditing"
The chief audit executive may state that the internal audit activity conforms with the International
Standards for the Professional Practice of Internal Auditing only if the results of ity assurance
and improvement program support this statement.

6. Importance of Reporting Nonconformance


a. The internal audit activity is a crucial part of a cornpl ce
processes. Senior management and the board
assessment discovers significant nonconfo

CS, or the Standards


audit executive must
the board.

b. Nonconformance of I audit activity and not to


specific engageme

Internal auditors may rep They may use this


statement only if
A. It is supported ogram.
B. e internal audit activity is conducted annually.
C. ccountable for implementing a quality program.
al audit activity are made by external auditors.
izes t gftion permitting internal auditors to report that their activities
Standard
audit executive may state that the internal audit activity conforms with the
for the Professional Practice of Internal Auditing only if the results of the
provement program support this statement" (Attr. Std. 1321).
independent external assessment of the internal audit activity must be
t once every 5 years.
(C) is incorrect. The CAE must develop and maintain a QAIP that covers all aspects of the
internal audit activity.
(D) is incorrect. Assessments also may be made by others who are (1) independent, (2) qualified,
and (3) from outside the organization.

Stop and review! You have completed the outline for this subunit. Study multiple-choice
questions 28 through 30 on page 49.

QUESTIONS
1.1 Change Management

1. An organization's management perceives the need to make significant changes. Which of the
following factors is management least likely to be able to change?

A. The organization's members.
B. The organization's structure.
C. The organization's environment.
D. The organization's technology.

Answer (C) is correct.
REQUIRED: The factor management is least likely to be able to change.
DISCUSSION: The environment of an organization consists of external forces outside its direct
control that may affect its performance. These forces include competitors, suppliers,
customers, regulators, climate, culture, pol technological change, and many other factors.
The members
are a factor that managers are clearly
Answer (A) is incorrect.
factor that managers are
incorrect. The organiz
are clearly able to change.
organization's technology
able to change.

2. Lack of skills, threats to job status or security, and fear of failure all have been
identified as reasons that employees often

A. Want to change the culture of their organization.
B. Are dissatisfied with the structure of their organization.
C. Are unable to perform their jobs.
D. Resist organizational change.

Lack of skills, threats to job status or
re inhibit changes in the culture of the
(B) is incorrect. Lack of skills, threats to job status or security, and fear of failure are
not symptoms of dissatisfaction with the structure of the organization. Answer (C) is
incorrect. Lack of skills, threats to job status or security, and fear of failure do not
indicate an inability to perform.
A.
B.
C.
D.

Answer (A) is correct.
REQUIRED: The true statement about resistance to organizational change.
DISCUSSION: Resistance to change may be caused by fear of the personal adjustments that may
be required. Employees may have a genuine concern about the usefulness of the change,
perceive a lack of concern for workers' feelings, fear the outcome, worry about downgrading
of job status, and resent deviations from past procedures for implementing change
(especially if new procedures are less participative than the old). Social adjustments also
may be required that violate the behavioral norms of informal groups or disrupt the social
status quo within groups. Economic adjustments may involve potential economic loss or
insecurity based on perceived threats to jobs. In general, any perceived deterioration in
the work situation that is seen as a threat to economic, social, and/or psychological needs
will produce resistance. The various adjustments required are most likely to be resisted
when imposed unilaterally by higher authority. However, employees who share in finding
solutions to the problems requiring change are less likely to resist because they will have
some responsibility for the change.

1.2 Stakeholder Relationships

4. Audit committees have been identified as a major factor in promoting the independence of
both internal and external auditors. Which of the following is the most important limitation
on the effectiveness of audit committees?

A. Audit committees may be composed of independent directors. However, those directors may
have close personal and professional friendships with management.
B. Audit committee members are compensated by the organization and thus favor an owner's
view.
C. Audit committees devote most of their efforts to external audit concerns and do not pay
much attention to the internal audit activity and the overall control environment.
D. Audit committee members do not normally have degrees in the accounting or auditing
fields.

Answer (A) is correct.
REQUIRED: The most important limitation on the effectiveness of audit committees.
DISCUSSION: The audit committee is a subcommittee made up of outside directors who are
independent of management. Its purpose is to help keep external and internal auditors
independent of management and to ensure that the directors are exercising due care. However,
if independence is impaired by personal and professional ps, the effectiveness of the audit
committee ited.
Answer (B) is incorrect. The
members receive is usually
independent and therefore
Answer (C) is incorrect.
concerned with external audi
internal audit activity.
members do not need
understand engage

5. The audit committee strengthens the control processes of an organization by

A. Assigning the internal audit activity responsibility for interaction with government
agencies.
B. Using the chief audit executive as a major resource in selecting the external a
C. Following up on recommendations
the chief audit executive.
D.

6. An audit committee
enhance the independence
external auditing
functions from
this criterion, a
of
internal

A.
B.
regu
C. Mem from a
specifically inclu
banking, labor, regulatory agencies,
shareholders, and officers.
D. Only external members of the board of directors or its equivalent.

Answer (D) is correct.
REQUIRED: The most effective composition of an audit committee.
DISCUSSION: The audit committee of the board of directors should be composed entirely of
outside directors. Outside directors are members of the board who are independent of
management. Because the primary purpose of the audit committee is to promote the
independence of the internal and external auditors from management, an audit committee
composed of inside directors would be ineffective.
Answer (A) is incorrect. The audit committee is not required to be rotated periodically.
Answer (B) is incorrect. Regulators ordinarily do not serve as directors. Answer (C) is
incorrect. Officers are not outside directors.

1.3 Ethical Climate

7. An accounting association established a code of ethics for all members. What is one of the
association's primary purposes of establishing the code of ethics?

A. To outline criteria for professional behavior to maintain standards of integrity and
objectivity.
B. To establish standards to follow for effective accounting practice.
C. To provide a framework within which accounting policies could be effectively developed
and executed.
D. To outline criteria that can be used in conducting interviews of potential new
accountants.

Answer (A) is correct.
REQUIRED: The primary purpose of establishing a code of ethics.
DISCUSSION: The primary purpose of a code of ethical behavior for a professional organization
is to promote an ethical culture among professionals who serve others.
Answer (B) is incorrect. National standards-setting bodies, not codes of ethics, provide
guidance for effective accounting practice. Answer (C) is incorrect. A code of ethics does
not provide the framework within which policies are developed. Answer (D) is incorrect.
rpose is not
for interviewing new accountants.

8. The best reason for establishing a code of conduct within an organization is that such
codes

A. Are typically required by governments.
B. Express standards of individual behavior for members of the organization.
C. Provide a quantifiable basis for personnel evaluations.
D. Have tremendous public relations potential.

of ethical conduct is
organization wishes to
municates organizational
es uniform ethical guidelines
inclu nee on behavior for members in
A code blishes high standards against
measure their own performance. It also
outside the organization the value system
be must not be asked to deviate.
rrect. Governments typically have no such
r (C) is incorrect. Codes of conduct provide
qualitative, antitative, standards. Answer (D) is incorrect.
Other purposes of a code of conduct are much more significant.
9. The code of ethics of a profes
sets forth

A.
B.
C.
D.

Answer (A) is correct.
REQUIRED: The content of a code of ethics of a professional organization.
DISCUSSION: An organization's code of ethical conduct is the established general value
system the organization wishes to apply to its members' activities by communicating
organizational purposes and beliefs and establishing uniform ethical guidelines for members,
which include guidance on behavior for members in making decisions. A code establishes high
standards against which individuals can measure their own performance and communicates to
those outside the organization the value system from which the organization's members must
not be asked to deviate.
Answer (B) is incorrect. The organizational details of the profession's governing body are
stated in the by-laws of the professional organization. Answer (C) is incorrect. Certain
actions may be legal but contrary to an organization's code of ethics. For example, an
internal auditor may not perform a service for which (s)he does not possess the necessary
knowledge, skills, and experience. Answer (D) is incorrect. The Standards establish a basis
for the measurement of internal audit performance.


1.4 Education in Best Practices

10. The purpose of the internal audit activity's evaluation of the effectiveness of existing
risk management processes is to determine that

A. Management has planned and designed so as to provide reasonable assurance of achieving
objectives.
B. Management directs processes so as to provide reasonable assurance of achieving
objectives.
C. The organization's objectives will be achieved efficiently and economically.
D. The organization's objectives will be achieved in an accurate and timely manner and with
minimal use of resources.

Answer (B) is correct.
REQUIRED: The purpose of the evaluation of the effectiveness of risk management processes.
DISCUSSION: Risk management, control, and governance processes are effective if management
directs processes to provide reasonable assurance of achieving the organization's
objectives. In addition to accomplishing the objectives and planned activities, management
directs by authorizing activities and transactions, monitoring resulting ance, and verifying
that the organization's processes are s designed.

11. Control by management is the result of

A. Planning, organizing, and directing of organizational activities.
B. Ascertaining needs, identifying alternative courses of action, setting standards for
measuring performance, and comparing outcomes with predetermined standards.
C. Authorizing and monitoring performance and comparing actual performance with planned
performance.
D. Determining efficiency and economy of operations, including whether objectives have
been met.

taken by
to manage risk and
objectives will be
, and directs the
to provide reasonable
will be achieved. Thus, control by
of proper planning, organizing, and
Ascertaining needs, identifying alternative courses of action, setting standards for
measuring performance, and comparing outcomes with predetermined standards is a basic
management function. Answer (C) is incorrect. Authorizing and monitoring performance and
comparing actual performance with planned performance is a basic management function.
Answer (D) is incorrect. Determining efficiency and economy of operations, including
whether objectives have been met, is a basic management function.

A.
B.
C.
D.

Answer (A) is correct.
REQUIRED: The most accurate term for the means of providing oversight of processes
administered by management.
DISCUSSION: Governance is the "combination of processes and structures implemented by the
board to inform, direct, manage, and monitor the activities of the organization toward the
achievement of its objectives" (The IIA Glossary).
Answer (B) is incorrect. Control is "any action taken by management, the board, and other
parties to manage risk and increase the likelihood that established objectives and goals
will be achieved. Management plans, organizes, and directs the performance of sufficient
actions to provide reasonable assurance that objectives and goals will be achieved" (The IIA
Glossary). Answer (C) is incorrect. Risk management is "a process to identify, assess,
manage, and control potential events or situations to provide reasonable assurance regarding
the achievement of the organization's objectives" (The IIA Glossary). Answer (D) is
incorrect. Monitoring consists of actions taken by management and others to assess the
quality of internal control performance over time. It is not currently defined in the
Standards and The IIA Glossary.

1.5 Coordination

13. Who has primary responsibility for providing information to the board on the professional
and organizational benefits of coordinating internal audit activities with those of other
providers of similar services?

A. The external auditor.
B. The chief audit executive.
C. The chief executive officer.
D. Each assurance and consulting function.

Answer (B) is correct.
REQUIRED: The responsible party for providing information about the benefits of coordination
of internal audit activities with those of other providers.
DISCUSSION: The chief audit executive should share information and coordinate activities
with other internal and external providers of assurance and consulting services to ensure
proper coverage and minimize duplication of efforts (Perf. Std. 2050). While oversight of
the of external auditors is the responsibility of the board, rnal and external audit work is
the responsibility (PA 2050-1, para. 1).
Answer (A) is incorrect
that the internal audit
achievable from coo
consulting activities. lways
form part of any activi
auditor, to the board.
is not responsible
internal audit as

14. To improve their efficiency, internal auditors may rely upon the work of external
auditors if it is

A. Performed after the internal auditing work
B. Primarily concerned with operational
and activities.
C. Coordinated with internal auditi
D. Conducted in accordance with
Ethics.

circumstances in which internal auditors
of external auditors.
organizations may use the work of external
assurance related to activities within the
diting (PA 2050-1, para. 2). Coordination of internal and external audit work is the
responsibility of the CAE (PA 2050-1, para. 1).
Answer (A) is incorrect. Duplication of effort may result if the external audit is performed
after the internal auditing engagement. Answer (B) is incorrect. Internal auditing
encompasses both financial and operational objectives and activities. Thus, internal
auditing coverage could also be provided by external audit work that included primarily
financial objectives and activities. Answer (D) is incorrect. External auditing work is
conducted in accordance with auditing standards generally accepted in the host country.

A.
B.
C. The board.
D. Management.

Answer (A) is correct.
REQUIRED: The person responsible for coordinating internal and external audit efforts.
DISCUSSION: Coordination of internal and external audit work is the responsibility of the
CAE. The CAE obtains the support of the board to coordinate audit work effectively
(PA 2050-1, para. 1).
Answer (B) is incorrect. The external auditor is an interested party but not one that has
direct responsibility for coordinating internal and external auditing efforts. Answer (C) is
incorrect. The board has oversight responsibility, but the CAE is responsible for the actual
coordination of internal and external auditing work. Answer (D) is incorrect. Management is
an interested party but not one that has direct responsibility for coordinating internal and
external auditing efforts.

1.6 Other Topics

16. A basic principle of governance is

A. Assessment of the governance process by an independent internal audit activity.
B. Holding the board, senior management, and the internal audit activity accountable for its
effectiveness.
C. Exclusive use of external auditors to provide assurance about the governance process.
D. Separation of the governance process from promoting an ethical culture in the
organization.

Answer (A) is correct.
REQUIRED: The basic principle of governance.
DISCUSSION: The internal audit activity must assess and make appropriate recommendations for
improving the governance process (Perf. Std. 2110).
Answer (B) is incorrect. The internal audit activity is an assessor of the governance
process. It is not accountable for that process. Answer (C) is incorrect. External parties
and internal auditors may provide assurance the governance process. Answer (D) is incorrect.
The it activity must
assess and make appropriate improving
the governance process in ethics
and values within the orga

17. The internal audit activity has a role in an organization's governance process. The internal audit activity most directly contributes to this process by

A. Identifying significant exposures to risk.
B. Evaluating the effectiveness of the risk-management system.
C. Promoting continuous improvement of controls.
D. Evaluating the design of ethics-related activities.

Answer (D) is correct.
REQUIRED:
contributes to
DISCUSSION:
Thus, in an assurance engagement, "The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities" (Impl. Std. 2110.A1).
Answer (A) is incorrect. Identifying significant exposures to risk most directly relates to risk management rather than to governance. Answer (B) is incorrect. Evaluating the effectiveness of the risk-management system most directly relates to risk management rather than to governance. Answer (C) is incorrect. Promoting continuous improvement of controls relates to controls rather than to governance.

A.
B. Position descriptions.
C. Performance appraisals.
D. Policies and procedures.

Answer (D) is correct.
REQUIRED: The item most essential for guiding the internal audit staff.
DISCUSSION: The chief audit executive must establish policies and procedures to guide the internal audit activity (Perf. Std. 2040).

19. Policies and procedures must be established to guide the internal audit activity. Which of the following statements is false with respect to this requirement?

A. The form and content of written policies and procedures depend on the size of the internal audit activity.
B. All internal audit activities must have a detailed policies and procedures manual.
C. Formal administrative and technical manuals may not be needed by all internal audit activities.
D. A small internal audit activity may be managed informally through close supervision and memoranda.

Answer (B) is correct.
REQUIRED: The false statement about policies and procedures to guide the internal audit activity.
DISCUSSION: Formal administrative and technical audit manuals may not be needed by all internal audit entities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan (PA 2040-1, para. 1).
Answer (A) is incorrect. The
procedures depend on the size
Answer (C) is incorrect. Fo
manuals may not be n
Answer (D) is incorrect.
managed informally throu

20. Written policies and procedures relative to managing the internal audit activity should

A. Ensure compliance with its performance standards.
B. Give consideration to its structure and the complexity of the work performed.
C. Result in consistent job performance.
D. Prescribe the format and distribution of engagement communications and the classification of observations.

A.
B.
C.
D. The organization's objectives will be achieved in an accurate and timely manner and with minimal use of resources.

Answer (B) is correct.
REQUIRED: The purpose of the evaluation of the effectiveness of risk management processes.
DISCUSSION: Risk management, control, and governance processes are effective if management directs processes to provide reasonable assurance of achieving the organization's objectives. In addition to accomplishing the objectives and planned activities, management directs by authorizing activities and transactions, monitoring resulting performance, and verifying that the organization's processes are operating as designed.


22. Internal auditors should review the means of physically safeguarding assets from losses arising from

A. Misapplication of accounting principles.
B. Procedures that are not cost justified.
C. Exposure to the elements.
D. Underusage of physical facilities.

Answer (C) is correct.
REQUIRED: The cause of losses giving rise to physical safeguards that should be reviewed by the auditor.
DISCUSSION: The internal audit activity must evaluate risk exposures relating to governance, operations, and information systems regarding the safeguarding of assets (Impl. Std. 2120.A1). For example, internal auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the elements.
Answer (A) is incorrect. Misapplication of accounting principles relates to the reliability of information and not physical safeguards. Answer (B) is incorrect. Procedures that are not cost justified relate to efficiency, not of operations.
Answer (D) is incorrect. Un to
efficiency of operations.

23. If an organization has no formal risk management processes, the chief audit executive should

A. Establish risk management processes based on industry norms.
B. Formulate hypothetical results of possible consequences resulting from risks not being managed.
C. Inform regulators that the organization is guilty of an infraction.
D. Formally discuss with the directors their obligations for risk management processes.

Answer (D) is correct.
REQUIRED: The al a an
organization has no e cess.
DISCUSSION: organization does not
have formal ris ief audit
and the board
monitor risks within
mselves that there
ization, even if informal,
sibility into the key risks.
and monitored (PA 2120-1,
is incorrect. Internal auditors have no authority
management processes. They must seek
ent and the board as to their role in the
incorrect. Internal auditors are not
risk analysis of the possible consequences
a risk management process. However, such a
request might be made by management. Answer (C) is incorrect. In the absence of a specific legal requirement, internal auditors are not required to report to outside parties.

A.
B.
D.

Answer (B) is correct.
REQUIRED: The most important reason for the chief audit executive to ensure that the internal audit department has adequate and sufficient resources.
DISCUSSION: The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (Perf. Std. 2030).
Answer (A) is incorrect. The decision to outsource the internal audit function is not primarily based on existing resources. Answer (C) is incorrect. The amount of resources is not a significant factor in establishing credibility. Answer (D) is incorrect. Succession planning is not related to the amount of audit resources.

25. The key factor in the success of an internal audit activity's human resources program is

A. An informal program for developing and counseling staff.
B. A compensation plan based on years of experience.
C. A well-developed set of selection criteria.
D. A program for recognizing the special interests of individual staff members.

Answer (C) is correct.
REQUIRED: The key factor in the success of an internal audit activity's human resources program.
DISCUSSION: Internal auditors should be qualified and competent. Because the selection of a superior staff is dependent on the ability to evaluate applicants, selection criteria must be well-developed. Appropriate questions and forms should be prepared in advance to evaluate, among other things, the applicant's technical qualifications, educational background, personal appearance, ability to communicate, maturity, persuasiveness, self-confidence, intelligence, motivation, and potential to contribute to the organization
Answer (A) is incorrect. The human
should be formal. Answer i
human resources is more
Answer (D) is incorrect. The
more significant than special

26. Directors, management, external auditors, and internal auditors all play important roles in creating proper control processes. Senior management is primarily responsible for

A. Establishing and maintaining an organizational culture.
B. Reviewing the reliability and integrity of financial and operational information.
C. Ensuring that external and internal auditors oversee the administration of the system of risk management and control processes.
D. Implementing and monitoring controls designed by the board of directors.

es, and directs
reasonable
achieved.
ives and goals and
changes in internal and
establishes and maintains
an ethical climate that fosters
incorrect. Internal auditors are responsible for
effectiveness of controls, including
lity and integrity of financial and
Answer (C) is incorrect. Senior
to oversee the establishment,
assessment of the system of risk
management control processes. Answer (D) is incorrect. The board has oversight responsibilities but ordinarily does not become involved in the details of operations.

27. A basic principle of

A.
B.
C.
D.

Answer (A) is correct.
REQUIRED: The basic principle of governance.
DISCUSSION: The internal audit activity must assess and make appropriate recommendations for improving the governance process (Perf. Std. 2110).
Answer (B) is incorrect. The internal audit activity is an assessor of the governance process. It is not accountable for that process. Answer (C) is incorrect. External parties and internal auditors may provide assurance about the governance process. Answer (D) is incorrect. The internal audit activity must assess and make appropriate recommendations for improving the governance process in its promotion of appropriate ethics and values within the organization.

1.10 Quality Assurance and Improvement Program (QAIP)

28. The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. All of the following are included in a quality program except

A. Annual appraisals of individual internal auditors' performance.
B. Periodic internal assessment.
C. Supervision.
D. Periodic external assessments.

Answer (A) is correct.
REQUIRED: The element not part of a quality assurance program.
DISCUSSION: Appraising each internal auditor's work at least annually is properly a function of the human resources program of the internal audit activity.

29. As a part of a quality program, internal assessment teams most likely will examine which of the following to evaluate the quality of engagement planning and documentation for individual engagements?

A. Written engagement work programs.
B. Project assignment documentation.
C. Weekly status reports.
D. The long-range engagement work schedule.

Answer (A) is correct.
REQUIRED:
the quality of pi
engagements.
D st include ongoing
audit activity and
ssessment or by other
ufficient knowledge of
1311). The processes and
include, among other
of working papers by staff not
dits (PA 1311-1, para. 1).
Project assignment documentation
rmation for assessment purposes than
(C) is incorrect. Status reports do not
ning. Answer (D) is incorrect. The
gement work schedule does not relate to
ocumentation for individual engagements.

30. An external assessment of an i
activity contains an expressed
applies

A.
B.
C.
D.

Answer (D) is correct.
REQUIRED: The subject of the opinion expressed in a communication after an external assessment of a quality program.
DISCUSSION: External assessments of an internal audit activity contain an expressed opinion as to the entire spectrum of assurance and consulting work performed (or that should have been performed under its charter), including (but not limited to) conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. An external assessment also includes, as appropriate, recommendations for improvement (PA 1312-1, para. 2). On completion of the review, a formal communication should be given to senior management and the board (PA 1312-1, para. 3).
Answer (A) is incorrect. An opinion is expressed on all assurance and consulting work performed (or that should have been performed under its charter). Answer (B) is incorrect. The scope of an external assessment extends to more than the effectiveness of the internal auditing coverage. Answer (C) is incorrect. An external assessment addresses the internal audit activity, not the adequacy of the organization's controls.
