3. 3
3
Section A
Section A comprises approximately 15% to 25% (15 to
25 questions) of the Part 1 exam.
There are six primary sections in Section A, including:
1) Purpose, Authority and Responsibility,
2) Organizational Independence & Objectivity,
3) Proficiency and Due Professional Care,
4) Continuing Professional Development,
5) Quality Assurance & Improvement Program, and
6) The IIA’s ‘Code of Ethics’.
4. 4
4
The Development of Internal Auditing
The concept of internal auditing goes back as far as
5,000 years. Early civilizations had to verify what they
had, particularly verifying the amount of grain they had.
The formal development of internal auditing as a
profession was started by the railroads.
Railroad executives had to have some assurance that their
stationmasters in many distant places were properly handling
receipts and submitting all of the money that they should.
Railroad executives felt that the external auditors did not
adequately address this issue because of a focus on the
financial statements.
5. 5
5
DifferencebetweenExternal & Internal Auditors
The Internal Auditor…
Is employed by the organization.
Focuses on futureeventsby evaluating controls designed to
assure the accomplishment of entity goals and objectives.
Is notindependentof the activities audited but is ready to
respond to the needs and desires of management.
Behaves with objectivity even though they are not
independent.
Is directlyconcernedwith the prevention of fraud in any
form or extent in all aspects of the business.
Reviews activities continually.
The External Auditor…
Is an independent contractor.
Serves third parties who need reliable financial
information.
Focuses on the accuracy and understandability of historical
eventsas expressed in the financial statements.
Is independentof management and the board of directors
both in fact and in mental attitude.
Is incidentallyconcernedwith the prevention and detection
of fraud in general, but is directly concerned when
financial statements may be materially affected.
Reviews records supporting financial statements
periodically – usually annually.
6. 6
6
The Definition of Internal Auditing
Over the past few decades, the profession of internal
auditing has undergone major changes.
The IIA defines Internal Auditing as:
“An independent, objective assurance and consulting activity designed to add
value and improve an organization’s operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control and
governance processes.”
7. 7
7
IIA Professional Standards
The Standards are the criteria by which internal auditors
perform their work.
The Standards are intended to represent the best
practices of internal auditing.
The Standards have the following four purposes:
1) Delineate basic principles that represent the practice of internal
auditing as it should be.
2) Provide a framework for performing and promoting a broad
range of value-added internal audit activities.
3) Establish the basis for the evaluation of the internal audit
performance.
4) Foster (support) improved organizational processes and
operations.
8. 8
8
Professional Standards
The professional Standards consist of Attribute
Standards, Performance Standards and
Implementation Standards.
Attribute Standards are concerned with the characteristics of
the organization and the parties who will be performing the
auditing activities.
Performance Standards describe the internal audit activities
and criteria against which the performance of these services can
be evaluated.
Implementation Standards apply to the specific types of
engagements, whether assurance or consulting.
9. 9
9
1000: Purpose, Authority and Responsibility
According to the Standards, “the purpose, authority, and
responsibility of the internal audit activity (IAA) must be:
Formally defined in a charter,
Consistent with the Definition of Internal Auditing, the Code of
Ethics, and Standards, and
Approved by the board.”
The IAA should encompass every part of the
organization’s operation, and should have access to the
company’s documents, records or properties.
Internal auditing has developed to assist management in
carrying out its monitoring responsibilities effectively and
efficiently.
The IAA should promote effective control at a
reasonable cost.
10. 10
10
Organizational Status of the IAA
In order for the IAA to accomplish its responsibilities it
must have the necessary status within the
organization.
To have the necessary status the IAA should report to the
board of directors through the audit committee.
Along with organizational status the IAA must also have
organizational independence.
This means that the IAA should not have relationships with the
various departments it will be auditing.
Status and independence can be achieved by having a
properly designed Internal Audit Charter.
12. 12
12
The Internal Audit Charter
It is the Charter that provides the IAA with the formal
mandate to do its work.
The Charter should be written by and come from the
board of directors and senior management.
The Charter should include:
The scope of the services and work to be performed,
The objectives of the IAA,
The authority that the IAA has to access records, personnel and
physical properties in the organization,
The accountability of the IAA, and
The responsibility of the IAA.
13. 13
13
The Charter
The IAA should report to an organizational level that is
high enough to be effective, and independent of the
functions that will be audited.
This means that the Chief Audit Executive (CAE) should report
to the Chief Executive Officer (CEO), or board of directors.
The accounting department, chief accountant or finance director
would not normally be a good level to report to.
Ideally the CAE should:
Functionally report to the audit committee or its equivalent and
Administratively to the CEO.
14. 14
14
The Audit Committee
The audit committee is a subcommittee of the board of
directors.
The members of the audit committee should be external
directors.
The audit committee itself should have its charter
approved by the board.
15. 15
15
The Audit Committee, continued
The primary duties and responsibilities of the audit
committee are:
To ensure that the external auditors are completely independent.
Discuss with management and external auditor the effects of
changes in accounting standards, and the implications of these
proposed changes.
Ensure that both internal and external auditors have sufficient
resources to carry out their functions.
Act as a mediator between management and the auditors if
there is a dispute.
Appoint or replace the external auditor, who shall report directly
to the Audit Committee.
Be directly responsible for the compensation and oversight of
the work of the external auditor.
16. 16
16
The Audit Committee, continued
Other functions of the Audit Committee include:
Review copies of all external and internal audit reports and
communications, and management’s response to them.
Review all financial communications and statements to be
publicly issued.
Review the strategy, activity and work plan of the IAA.
Review evaluations of risk management, control and governance
reported by the auditors.
Communication as necessary with the CEO.
Review policies to eliminate illegal and unethical practices.
19. 19
19
ConsultingServices
As we have seen in the beginning, internal auditing has
expanded to include consulting services.
Consulting services are defined as
“advisory and related client services, the nature and
scope of which are agreed upon with the client and which
are intended to add value and improve an organization's
operations.”
Examples include counsel, advice, facilitation, process
design and training.
20. 20
20
ConsultingServices, continued
Consulting services undertaken by the IAA may be formal
or informal, and they may or may not be connected to an
assurance engagement.
There are 12 principles to help guide the internal auditor.
Valueis addedby the IAA when they perform both assurance and consulting services. The
IAA is in a very good position to provide consulting services to the company because of its
professional standards and its knowledge of the company and its operations.
The fact that the IAA is able to provide consulting services (and any other appropriate
services) should be includedin theinternalaudit charter. Additionally, any rules or standards
applicable to the consulting services should also be included in the charter.
21. 21
21
ConsultingServices, continued
Principles, continued.
The IAA may also provide other services besides assurance and consulting, i.e., investigating
fraud, and due diligence.
Consulting servicesdo not impair the objectivityof either the individual internal auditor or the
IAA (objectivity is addressed in more detail separately). However, the auditor needs to
remember that his/her first duty is as an auditor and so all actions need to be governed by
the applicable internal audit guidelines and standards as applicable. Objectivity is not
impaired as long as the internal auditor provides advice and does not take ownership of a
specific process.
23. 23
23
1100: Independence andObjectivity
Independence is an issue for the internal auditor, as well
as the external auditor.
Because internal auditors are auditing the company that
employs them, it is impossible for the internal auditors to
be independent in the same manner as external auditors.
Therefore, internal auditors use a different term to refer to
the way they act in the performance of their work. The
term is “objective.”
Internal auditors must be objective in their work, and the
IAA needs to be independent with the organization.
Considered independent and objective if they perform
their work freely and objectively.
24. 24
24
Independence and Objectivity, continued
Independence is achieved largely through the
organizational status of the IAA.
The independence of the IAA is enhanced if it reports
directly to the board of directors.
If they report to the chief accountants and it is perceived that
they do not add value to the organization, or are not viewed as
important by the board, the IAA will have less independence and
their work will be less useful to the organization.
25. 25
25
1110: Organizational Independence
The ideal reporting line is for the CAE to report
administratively to the CEO of the organization, and
functionally to the audit committee, board of directors,
or some other appropriate governing authority.
Functional reporting is the ultimate source of
independence and authority for the IAA.
Administrative reporting is the reporting relationship
within the organization’s management structure that
facilitates the day-to-day operation of the IAA.
26. 26
26
1120: Individual Objectivity
In addition to independence, the IAA as a whole has to
remain objective.
Remaining objective means
Being impartial,
Having an unbiased attitude, and
Avoiding conflicts of interest.
Conflicts of interest should be minimized.
For example, someone involved in an engagement should not
audit an area where that person’s friend works.
In addition, the acceptance of a gift or money from a
client will impair the objectivity of the auditor, even if the
auditor maintained objectivity.
27. 27
27
1130: Impairments to Independence or Objectivity
Any time that there is a conflict of interest, or objectivity
has been impaired, the auditor should inform the CAE
and the auditor should be removed from that particular
engagement.
If impairment arises during an engagement, it should be
reported immediately to the manager of the engagement.
Objectivity is not considered impaired if the auditor
recommends standards of control or review procedures
before being implemented.
Objectivity is considered to be impaired if the auditor
designs, installs, or draft procedures for, or operates
such systems.
28. 28
28
Impairment to Objectivity, continued
Objectivity is assumed to be impaired if an auditor
performs an assurance review of any activity over which
he or she recently had responsibility.
Individuals who are assigned to or transferred to the IAA
should not audit areas that worked unit a reasonable
period of time has elapsed (at least one year).
29. 29
29
Objectivity in ConsultingEngagements
For a number of reasons it is more common for internal
auditors to provide consulting services relating to
operations for which they had previous responsibility.
This is not forbidden, but the internal auditor should still
act in an independent and objective manner.
To assess objectivity, the internal auditor should
consider:
The appropriate requirements of the standards of the profession.
Expectations of the stakeholders, directors, the audit committee
and legislative bodies.
Restrictions that are in the charter.
Disclosures that may be required by standards.
Subsequent audit work, its scope and coverage.
32. 32
32
1200: Proficiency and Due Professional care
The Standards states that
“Engagements must be performed with proficiency
and with due professional care.”
33. 33
33
1210: Proficiency
Proficiency is when an individual possesses the
knowledge, skills and other competencies needed to
perform their individual responsibilities.
The skills and knowledge necessary for the internal auditor to
perform his or her job will depend on the work needed to be
performed. For example, if an internal auditor does a lot of
financial statement work, then he or she needs skills related to
the appropriate GAAP (IFRS, US GAAP…).
On the other hand, if an internal auditor works in the area of
internal controls, then detailed knowledge of GAAP would
probably not be necessary.
34. 34
Proficiency, continued
Related to proficiency are two other terms that you have
to understand. These terms are understanding and
appreciation.
Understanding is the ability to
Apply broad knowledge to situations likely to be encountered,
Recognize material deviations, and
Be able to perform research to arrive at conclusions.
Appreciation is the ability to:
Recognize the existence of problems and potential problems,
and
Determine if further work is required.
34
35. 35
35
Proficiency, continued
If the internal auditor does not have the needed skills and
competencies to perform the engagement, the CAE has
to either decline the engagement or go outside the
department to get the skills.
If using the services from an outside service organization,
the CAE also needs to consider the independence and
objectivity of the outside organizations.
Any work done by an outside organization needs to be
reviewed by either the CAE or other internal person with
sufficient experience and understanding to review the
work.
37. 37
37
1220: Due Professional Care
Due professional care means that internal auditors need
to apply the skill and care expected of a reasonable
competent and prudent internal auditor.
This means that an internal auditor is not expected to
perform a detailed review of every statement or
document they receive, but are expected to examine and
verify the documents as appropriate given the information
contained in them.
Material items will be examined in more detail than
immaterial items.
39. 39
39
1230: Continuing Professional Development
Certified Internal Auditors (CIA) are required to maintain
the skills and knowledge necessary to successfully
complete their tasks, which is done through Continued
Professional Development, referred to as Continuous
Professional Education (CPE).
CPE is a method of helping keep the internal auditor
informed about improvements and current developments
in internal audit standards, procedures, and techniques.
CIAs must obtain sufficient CPE credits in order to satisfy
requirements related to the professional certification held.
41. 41
41
1300: Quality Assurance and ImprovementProgram
A function of the CAE is to be assured of the quality of
the work performed by the internal audit activity.
Based on the Standards, the CAE must develop and
maintain a Quality Assurance and Improvement
Program (QAIP) that covers all aspects of the IAA and
continuously monitors its effectiveness.
The QAIP should include both
Periodic internal and external quality assessments and
Ongoing internal monitoring.
In essence, the IAA is really auditing itself.
42. 42
42
1310: Requirement of QAIP
The CAE is responsible to implement a quality program
that monitors and assesses the overall effectiveness of
the quality program.
Quality program must include both internal and external
assessments.
The purpose of the quality program is for the company’s
stakeholders to feel comfortable with the services the IAA
is providing to the organization.
43. 43
43
1311: Internal Assessments
Internal reviews should be carried out periodically to
assure the CAE that subordinates are complying with the
Standards and other applicable criteria.
Internal assessment must include ongoing review of
performance of the IAA, as well as a periodic review of
the program from an independent person within the
organization who is familiar with the internal auditing
program.
Ongoing review could include:
Supervising the internal auditor’s work during an engagement,
Feedback from audit customers and other stakeholders,
Analyses of performance metrics (e.g., cycle time and
recommendations accepted), and
Project budgets, cost recoveries, etc.
44. 44
Internal Assessments, continued
Periodic internal assessments may:
Be more in-depth interviews and surveys of stakeholder groups,
Be performed by members of the IAA (self-assessment),
Be performed by CIAs, or other competent audit professionals,
Encompass a combination of self-assessment and preparation
of materials subsequently reviewed by CIAs, or other competent
professionals, and
Include benchmarking of the IAA practices and performance
metrics against relevant best practices of the internal audit
profession.
45. 45
45
External Assessments
External assessments are performed by an external
party.
It is recommended that an external assessment is
conducted at least once every five years.
External reviewers must be independent of the
organization and of the IAA.
External assessor will tend to focus on:
The adequacy of the IAA charter,
The goals, objectives, policies and procedures of the IAA,
Whether or not the IAA complies with the Definition of Internal
Auditing, Code of Ethics, and Standards,
The skills and work performed by the individuals in the IAA, and
Whether or not the IAA adds value and improves operations.
46. 46
46
External Assessments, continued
There are two approaches to conducting an external
assessment:
1. Have a full external assessment conducted by an
external assessor, or review team, or
2. Have an independent validation of the internal self-
assessment and a report completed by the internal audit
activity.
You would prefer to have the full external assessment,
but might not always be possible, or practical. Examples,
might include:
Be in an industry that is subjected to strict regulation and
supervision,
Have been subjected to an external review in which there was
extensive benchmarking with best practices, and
47. 47
47
1320: Reportingon the QAIP
The results of the external assessment must be reported
to the board.
The assessor issues a formal, written report that contains
an opinion on the IAA’s compliance with the Standards.
The report should also address compliance with the IAA
charter and other applicable standards and include
appropriate recommendations for improvement.
Appropriate follow-up is the responsibility of the CAE.
48. 48
48
1321: “Conforms withthe Standards”
Internal auditors are encouraged to report that their
activities conforms with the International Standards for
the Professional Practice of Internal Auditing.
This statement can be used only if the quality
assessments demonstrate that the internal auditors are,
in fact, in compliance with the Standards.
In case full compliance is not possible due to lack of
skilled and qualified personnel, or for some other reason,
disclosure of noncompliance should be made to senior
management and the board. Noncompliance might be
due to the lack of skill and qualified people, or for some
other reason.
51. 51
51
The IAA‘Codeof Ethics’
The ‘Code of Ethics’ is intended to be an ethical guide of
conduct for internal auditors.
The IAA ‘Code of Ethics’ applies to both individuals and
entities that provide internal auditing services.
The two essential components of the Code are:
Principles are the values that internal auditors are expected to
uphold, and
Rules of Conduct are an aid for interpreting the Principles into
practical applications and are intended to guide the ethical
behavior of the internal auditors.
52. 52
52
Principles
There are four principles that internal auditors are
expected to follow:
1. Integrity – The integrity of the internal auditors establishes trust
and thus provides the basis for reliance on their judgment.
2. Objectivity – The internal auditors are expected to exhibit the
highest level of professional objectivity in gathering, evaluating,
and communicating information about the activity or process
being examined.
3. Confidentiality – Internal auditors respect the value and
ownership of information they receive and do not disclose
information without appropriate authority unless there is a legal
or professional obligation to do so.
4. Competency - Internal auditors apply the knowledge, skills, and
experience needed in the performance of internal auditing.
53. 53
53
Rulesof Conduct
1. Integrity - Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility. [In other words,
the auditor does the right thing.]
1.2. Shall observe the law and make disclosures expected by
the law and the profession.
1.3. Shall not knowingly by a party to any illegal activity, or
engage in acts that are discreditable to the profession of internal
auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical
objectives of the organization.
54. 54
54
Rulesof Conduct
2. Objectivity – Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to
impair their unbiased assessment. This participation includes those activities or relationships
that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional
judgment. [For example, a material gift (use of beach house) is considered to impair
objectivity.]
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review. [For example, there may be some items that were
capitalized instead of expensed. This fact needs to be disclosed to management and the Audit
Committee.]
55. 55
55
Rulesof Conduct
3. Confidentiality – Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their
duties.
3.2. Shall not use information for any personal gain or in any manner that would be
contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
4. Competency – Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills,
and experience.
4.2. Shall perform internal auditing services in accordance with the International Standards
for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their
services.
58. 58
58
Section B
Section B covers the topics of planning, communications,
resource management, policies and procedures, and
coordination.
This section will account for approximately 15 – 25%
(15 – 25 questions) of the Part 1 Exam.
The main topics within this section are:
Planning and Communication,
Resource Management,
Policies and Procedures, and
Coordination.
59. 59
59
2000: Managingthe IAA
The CAE must manage the IAA to ensure that it adds
value to the organization as a whole.
The CAE’s responsibility is to ensure that:
The engagement work fulfills the general purposes and responsibilities described in the
charter that was approved by senior management and accepted by the board of directors (or
audit committee).
The resources of the IAA are efficiently and effectively employed.
Engagement work that is performed conforms to the Standards for the Professional Practice
of Internal Auditing.
60. 60
60
2010: Planning
The CAE must establish risk based plans to determine
the priorities of the IAA, and make certain that they are
consistent with the organization goals.
Planning includes the establishment of:
Goals,
Engagement work schedules,
Staffing plans and financial budgets, and
Activity reports.
Now we want to discuss next category in more depth.
61. 61
61
Goals
The goals that are set for the IAA should be:
Specific - Goals should be specifically defined.
Measurable - The method of measuring the goals should be defined.
Agreedto – All interested parties should agree on the stated goals. Interested parties include
senior management and the board.
Realistic andAchievable– Goals must realistic and they should be attainable. If they’re not,
then they are superfluous.
Timely- Goals should be specific as to when they are to be achieved.
As we can see, the goals of the IAA should be SMART.
62. 62
62
Engagement WorkSchedule
The engagement work schedule is a critical
responsibility and is relevant at both the larger IAA level
as well as each individual engagement.
Specific work schedule should include:
What engagements should be performed,
When they will be performed,
The estimated time required to perform the engagements, and
Which engagements should be given higher priority.
Once these questions have been answered, it is then
possible for the individual work program for a specific
engagement to be developed.
63. 63
63
Engagement WorkSchedule, continued
The CAE makes the final decision regarding which
engagements will be performed.
The consideration of risk is one of the most important
elements in determining which engagements have the
highest priority.
But, risk is not the only factor in prioritizing the
engagements. Other important factors are:
The length of time since the last engagement was performed.
Request from senior management, audit committee, etc.
Changing circumstances in the business, programs, etc.
Changes in risk environment.
Potential benefits that could be achieved.
Changes in the skills of the staff.
64. 64
64
Long-termPlanning
The CAE needs to look beyond the short or immediate
term.
The CAE needs to establish a longer term strategic plan.
The purpose of this plan is to make sure that all areas of
the business are audited at least periodically.
Some areas (based on risk assessment) might need
annual auditing, or even more often, while other areas
may be addressed once every two or three years.
Without a long-term plan, it could be possible that one
area of the business would never be audited because it
would never meet the requirements for the short-term
audit.
66. 66
66
2030: Resource Management
The CAE has to make sure the internal audit staff are
professional. This means the “right people are in the
right positions.”
According to the Standards, “the CAE must ensure that
internal audit resources are appropriate, sufficient, and
effectively deployed to achieve the approved plan.”
The CAE needs to oversee the assignment of individual
staff to the engagements (both short and long term).
In the short term, engagements should be staffed by auditors
who can get the job done at the highest level.
However, in the long term, staff might be assigned to jobs that
will allow them to grow so they can become senior auditors.
67. 67
67
Resource Management, continued
Some of the things to consider when assigning staff to
individual engagements.
The complexity of the engagement,
The resources that are available in IAA,
The experience (skill level) of the staff, and
The training and developmental needs of the audit staff.
68. 68
68
Recruitingand Promoting
A big issue for the IAA is its ability to recruit qualified
audit staff and keeping them within the organization.
This is something that both the CAE and the HR function
will be involved in.
When recruiting, the most important criterion is the
education and experience of the candidate.
This does not mean that every candidate needs to be a CIA, but
they should be able to provide some indication that they can get
the job done.
Not every staff member needs to be a trained accountant.
Candidates should be good communicators (both written and
oral).
69. 69
69
Recruitingand Promoting, continued
Once the staff has been hired, the next HR issue relates
to staff promotion and filling of higher-level positions in
the IAA.
When a higher-level position become available, there are
two basic options in filling the position.
Hire someone from inside the organization, or
Hire someone outside the organization.
The advantage of hiring someone from inside the
organization are:
It is often done quicker and requires less ‘start-up’ time for the
person.
The person knows the company, so there is less risk involved.
It is also a good motivating factor.
70. 70
70
Recruitingand Promoting, continued
Hiring someone from outside the organization is riskier,
but it also has its advantages.
The outside person could bring new ideas and new perspective
to the job.
It is also possible that management training costs could be lower
since it is assumed that the person is already trained.
An important basis for recruitment and promotion of staff
is the job description.
The job description lists the necessary skills and
requirements for the position.
Having detailed and complete job descriptions makes it
easier for the CAE to determine if the IAA is properly
staffed.
71. 71
71
Training, Staff Development and Performance Evaluations
The CAE is also responsible for the training, counseling
and performance evaluations of the staff.
Training should have the goal of providing the staff with
the necessary skills to perform their jobs in the short
term, and broaden skills in the long term.
A well-developed training program is an excellent
recruiting tool for the company.
Counseling and mentoring program is an excellent
way of developing staff.
72. 72
72
Training, Staff Development and Performance Evaluations
Performance appraisals should be conducted at least
annually, and more often if needed.
Performance reviews give employees the opportunity to identify
their weaknesses and give them an opportunity to improve their
performance.
The evaluation should not be based on likes or dislikes, or other
non-job related factors.
There should be sufficient time for everyone to prepare for the
evaluation.
The evaluation can be a standard form (and will be standard
form in large companies).
74. 74
74
2060: Reportingto Senior Management and Board
“The CAE must periodically report to senior management
and the board on the IAA’s purpose, authority,
responsibility, and performance relative to its plan.”
“Reporting must also include significant risk exposures
and control issues, corporate governance issues, and
other matters needed or requested by senior
management and the board.”
75. 75
75
ActivityReports
The CAE must submit and activity report to senior
management and the board at least once a year.
This should be done if the work volume or nature of the
work requires closer involvement of the board. This
may be the case if there are high-risk areas that are
being audited.
Activity reports should:
Be communicated in writing (preferably),
Highlight significant engagement observations,
Identify recommendations that have arisen from the
engagement,
Compare actual performance with the IAA’s goals,
Compare expenditures to financial budgets.
76. 76
76
Significant Engagement Observations
Significant observations are those conditions that, in the
judgment of the CAE, could adversely affect the
organization.
Examples might include: illegal acts, errors, inefficiency,
waste, ineffectiveness, conflicts of interest, and others.
After discussion with senior management, the CAE
should communicate these significant engagement
observations and recommendations with the board,
whether or not they have been satisfactorily resolved.
77. 77
77
Management Responsibility for Significant Engagement Observations
Management is responsible to make decisions on the
appropriate action to take regarding significant
engagement observations and recommendations.
Management may decide to assume the risk of not
correcting the reported condition because of cost and
other considerations.
Management needs to inform the board of their decision
on all significant observations and recommendations.
Internal auditors should only provide the information and
alternative courses of action.
78. 78
78
CAE Considerations on ReportingSignificant Engagement Observations
The CAE should consider whether it is appropriate to
inform the board regarding previously reported,
significant observations and recommendations in those
instances where senior management and the board
assumed the risk of not correcting the reported condition.
If the board is aware of the risks and has chosen to not
address them, the item probably does not need to be
reported each year.
However, if there has been significant changes in the
organization, board, or senior management, the item
should probably be reported again.
79. 79
79
Relationship withAudit Committee
Internal auditors are the “eyes and ears” of the audit
committee.
Internal auditors should be the committees’ trusted
advisors.
Keys to the relationship are:
Assisting the audit committee to ensure that its charter,
activities, and processes are appropriate to fulfill its
responsibilities.
Ensuring that the charter, role, and activities of internal audit are
clearly understood and responsive to the needs of the audit
committee and the board.
Maintaining an open, effective communications with the audit
committee and the chairperson.
80. 80
80
Communications withthe Audit Committee
To a great extent, the effectiveness of the CAE will
revolve around the communications between the CAE
and the audit committee.
Good communications is fostered by:
Meeting regularly with the committee to discuss sensitive issues.
Providing annual summary reports.
Issuing periodic reports summarizing results of the IAA.
Keeping the audit committee informed of emerging trends, etc.
Discussing fulfillment of committee information needs.
Reviewing information submitted to the committee for
completeness and accuracy.
Confirming there is an effective and efficient work coordination of
activities between internal and external auditors.
82. 82
82
2020: Communication and Approval
CAE needs to ensure that the plans and resources
requirements are communicated to senior management
and to the board for review and approval.
Communications should include any significant interim
changes, and the impact of resources limitations.
Engagement plans and resource requirements must be
submitted on an annual basis and should include a
summary of the IAA’s work schedule, staffing plan and
financial budget.
This type of information will ascertain whether the IAA
objectives and plans are congruent with the
organization.
83. 83
83
2040: Policies and Procedures
The CAE must also establish policies and procedures to
guide the IAA and the individual internal auditors in their
work.
The extent, depth and formalization of the policies and
procedures will depend upon the size and structure of the
IAA and the complexity of the IAA’s work.
A small IAA will be managed much more informally with a lot of
personal and daily contact.
A larger IAA will be managed much more formally with a more
formal set of policies and procedures.
85. 85
85
2050: Coordination of Activities
The CAE has the responsibility to share information and
coordinate activities with other internal and external
providers of relevant assurance and consulting services
to ensure proper coverage and minimize duplication of
efforts.
Internal and external participants might include:
External auditors,
Regulatory oversight bodies (e.g., government auditors, etc.),
and
Other internal assurance functions (e.g., health and safety dept.)
86. 86
86
Coordination withExternal Auditor
Coordination with external auditor is important because of
the potential to increase the efficiency of both audit areas
and reduce the cost of the external audit.
Two main reasons why the level of coordination between
the external and internal auditors is growing and
becoming more of an issue for companies:
The internal auditing profession has become increasingly
professional with more internal auditors being former external
auditors or professional internal auditors.
The cost of external audit has grown so much in recent years
that companies are looking for any way to reduce the costs.
87. 87
87
Assistance Provided by the Internal Auditor
This is the area where the CAE can reduce the cost of
the external audit by providing support, direction and do
some of the testing for the external auditor.
Before the external auditor will rely on any of the work of
the internal auditor, the external auditor needs to assess
the competence and objectivity of the internal auditor.
Competence is whether or not the IAA has the needed skills
and abilities to perform acceptable work.
Objectivity is whether or not the IAA performs its work without
any influence from management or others in the organization.
Even if the the external auditor relies on the work done by
the IAA, the external auditor will still need to review the
work of the IAA.
88. 88
88
Assistance Provided by the External Auditor
There might be cases where the work of the external
auditor will be beneficial and useful to the internal auditor.
In these cases, the internal auditor can rely on some of
the work performed by the external auditor, as long as
the CAE is comfortable with the work that was done by
the external auditor.
Just as the external auditor reviewed the work of the
internal auditor, the internal auditor will want to review the
work that was done and the conclusions drawn.
Review of the external’s work will require the permission
of the external auditor.
89. 89
89
Control andUse of the Auditors’ Working Papers
Working papers contain all of the work and tests that
were performed during the engagement and they will be
the basis for the conclusions drawn by the internal
auditor.
Working papers belong to the party that developed them.
This means that the working papers of the external
auditor belong to the external auditor.
Likewise, the working papers of the internal auditor
belong to the internal auditor.
The CAE should not provide the external working papers
to anyone without the permission of the external auditor.
91. 91
91
Coordination withRegulatoryBodies
Some industries such as banking and insurance are
heavily regulated. Thus, they will be audited by a
government agency.
In these cases, the CAE should coordinate audits with
the regulatory body that is responsible for the oversight of
the company.
This coordination should be done with the approval of the
board.
A benefit to the organization is that the internal auditor
would be given the chance to provide of compliance
testing through its internal working papers and other
documents.
92. 92
92
Coordination withother Internal Assurance Functions
It is possible that there are other dept within the
organization are equally concerned with control.
Even though, their interest might be only on the technical
aspect, it is highly probably that these control measures
may complement the internal auditor’s interest in the
administrative forms of controls. Examples might be:
Security dept is concerned with control over specific
irregularities.
Quality control dept is concerned with control over product
reliability and conformance to specifications.
Safety and health dept is concerned with control over accidental
prevention.
Industrial engineering dept is concerned with control over
operating practices and procedures.
95. 95
95
Sarbanes-Oxley Act
The Public Company Accounting Reform and Investor
Protection Act of 2002, or more commonly referred to as
the Sarbanes-Oxley Act (SOX) was enacted in response
to the accounting scandals of Enron, WorldCom and
others.
The primary purpose of SOX is to:
Improve quality and transparency of financial reports.
Enhance the standard setting process for accounting practices.
Strengthen the independence of public accounting firms.
Increase corporate responsibility.
Protect the objectivity and independence of securities analysts.
96. 96
96
SOX provisions
Many of the act’s provisions had to do with the external
auditor, but many had to do with internal control issues,
particularly in regard to the audit committee and board.
These provisions include:
Audit committees are to be directly responsible for the
appointment (subject to shareholder approval), compensation,
and supervision of the registered public accounting firm. This
overview includes resolution of any disagreements between
management and the auditor regarding financial reporting.
Audit committees are to be provided with the proper authority
and funding to engage independent counsel and advisors.
Auditors (both internal and external) are required to report to the
audit committee.
Members of audit committee have to be independent.
97. 97
97
SOX provisions
The audit committee should have at least one financial expert. If
not, then the fact should be disclosed.
Audit committee should adopt written procedures to receive and
address complaints regarding accounting, internal controls and
auditing issues, including procedures to maintain the
confidentiality of the whistle blower.
It is unlawful for any corporate officers or director to knowingly to
manipulate or mislead any accountant engaged in preparing an
audit for the purpose or rendering the audit report materially
misleading.
There should be a statement saying management is responsible
the company’s internal controls.
The company is required to disclose whether it has adopted a
Code of Ethics.
100. 100
100
Section C
In Section C we start to discuss the nature of the internal
auditor’s work, including what it entails and how it
contributes to the improvement of an organization’s risk
management, control and governance processes.
Control and control processes will be discussed in
Section D.
This section will account for approximately 15 – 25% (15
– 25 questions) of the Part 1 Exam.
101. 101
101
2100: Nature of the Internal Auditor’s Work
The work that the internal auditor is going to be doing is
diverse and covers all of the different areas of the
business.
The function of the IAA is to contribute to the
improvement of risk management, control and
governance processes.
“The adequacy of risk management, control, and
governance processes is present if management has
planned and designed for these items in a manner, which
provides reasonable assurance that the organization’s
objectives and goals will be achieved efficiently and
economically.”
102. 102
102
Nature of Work
Management is responsible:
For the sustainability of the whole organization, and
Accountability for the organization’s actions, conduct and
performance to the owners, other stakeholders, regulators, and
general public.
Primary purpose of the overall management process are
to achieve:
Relevant, reliable and credible financial/operating information,
Effective/efficient use of the org. resources,
Safeguarding of assets,
Compliance with laws, regulations, etc.,
Identification of risk exposures and use of strategies to control
them, and
Establish objectives and goals for operations or programs.
103. 103
103
Nature of Work, continued
Control is any action taken by management to enhance
the likelihood that established objectives and goals will be
achieved.
Controls may be:
Preventive – to deter undesirable events from occurring,
Detective – to detect and correct undesirable events which
occur, or
Directive – to cause or encourage a desirable event to occur.
105. 105
105
Information Security
It is management’s responsibility to ensure that company
information is properly safeguarded.
Internal auditors should also work to ensure that any
potential problems related to information security will be
reported to management and the board.
The CAE has to make certain that the IAA has the
necessary skills and resources to evaluate the
information security.
Internal auditors need to assess the effectiveness of the
controls in place.
This assessment should be made periodically, including
recommendations for improvement.
106. 106
106
The Internal Auditor’s Role in Risk Management
Risk management is the responsibility of management.
The role of the IA is to assist both management and the
board, i.e., audit committee by examining, evaluating,
reporting and recommending improvements on the
adequacy and effectiveness of management’s risk
processes.
The role of the IA is likely to be determined by such
factors as culture in the organization, ability of the IA
staff, and local conditions and customs of the country.
If IA’s come across risk exposures in any engagement,
this should be addressed and evaluated further as
necessary.
107. 107
107
IA’s Role without a Risk Management Process
Possible that the company does not have an established
risk management process.
If this is the case, than the IA needs to bring this to the
attention of management.
It is generally acceptable for IA to play a proactive role in
the development of such system.
However, caution must be taken to ensure that the IAA is
not too closely involved as this might impair their
independence for future work regarding risk.
108. 108
108
Compliance Programs
All companies in all countries have to be in compliance
with something.
Compliance programs provide guidance for individuals
within the organization to prevent inadvertent employee
violations, detect illegal activities and discourage
intentional employee violations.
In addition, these compliance programs can also help
prove insurance claims, determine director and officer
liability, create or enhance corporate identity, and decide
the appropriateness of punitive damages.
Regarding compliance, organizations should develop a
written business code of conduct.
109. 109
109
Compliance Programs, continued
In addition, there should be an organizational chart that
outlines who is responsible for compliance issues.
The code of conduct must be communicated to all
members of the organization once it is created.
Important that the code is enforced in the same manner
for all individuals, regardless of level.
When a violation occurs, it must be documented and kept
in the individual’s personal file. This is necessary to
support why the individual was fired.
The violation should be documented even if not
significant disciplinary action is taken.
111. 111
111
Control & Audit Implications of E-commerce Activities
E-commerce is defined as “conducting commercial
activities over the Internet.” E-commerce can be B2B
(business to business), B2C (business to consumer), and
B2E (business to employee).
Major elements of auditing E-commerce are:
Assess the internal audit structure, including the tone at the top,
Provide reasonable assurance that goals and objectives can be
achieved,
Determine if the risks are acceptable,
Understand the information flow,
Review interface issues,
Evaluate the business continuity and disaster recovery plans.
112. 112
112
E-commerce, continued
The CAE needs to assess whether the IAA has the
necessary skills and capacity to conduct an E-commerce
engagement.
Factors that constrain the IAA are:
Does the IAA have the sufficient skills to conduct the
engagement?
Are training or other resources necessary?
Is the staffing level sufficient for the near-term and long-term?
Can the expected audit plan be delivered?
113. 113
113
E-commerce, continued
The difference between auditing a regular business
system and an e-commerce system are that
There may not be any hard copies,
Some data may exist for a very short period of time, or
There is no paper trail at all.
The critical risk and control issues that the IA must
address are:
General project risk,
Specific security threats, such as denial of service, physical
attacks, viruses, identity theft, and unauthorized access or
disclosure of data,
Maintenance of transaction integrity under complex network of
links to legacy systems and data warehouses,
114. 114
114
E-commerce, continued
Website content review and approval when there are frequent
changes and sophisticated customer features and capabilities
that offer around-the-clock service,
Rapid technology changes,
Legal issues, such as increasing regulations throughout the
world to protect individual privacy; enforceability of contracts
outside of the organization’s country; and tax and accounting
issues, and
Changes to surrounding business processes and organizational
structures.
115. 115
115
Audit Objectives forE-commerce Audit
The audit objectives for an E-commerce engagement
may include:
Evidence of E-commerce transactions,
Availability and reliability of security systems,
Effective interface between E-commerce and financial systems,
Security of monetary transactions,
Effectiveness of customer authentication process,
Compliance with common security standards,
Effective use and control of digital signatures,
Adequacy of systems policies and procedures,
Adequacy and timeliness of operating data and information,
Documented evidence of an effective system of internal control.
117. 117
117
Environmental Risks
Internal auditors should include risks in the areas of the
environment, health and safety (EH&S).
This is particularly important where there are very high
fines and penalties for environmental damages,
employees rights lawsuits, and safety liability.
The CAE needs to determine that these risks have been
assessed and addressed as needed.
In larger companies, this may be done by a separate
environmental audit function.
When there is a separate function, the org. needs to
make sure that it does not report to the group or
individuals responsible for these areas.
118. 118
118
Privacy
Privacy includes “individuals’ rights to be left alone and
for any pertinent information of an individual not to be
disclosed by other parties that happen to possess such
information. This means that a company must keep
control over the personal information it has about its
customers and may not release this information to third
parties without parties without the individual’s
agreement.”
The privacy of information is also maintained and not
distributed to unauthorized people, even within the
organization. Example, the company’s database should
not be disclosed to a third party without the proper
consent of the customer.
119. 119
119
Privacy, continued
Implications to the organization for these vulnerabilities
are numerous.
To the individual, this could be embarrassment,
inconvenience, unfairness, and others.
To the organization, these negative implications could
include lawsuits, penalties, fines and of particular
importance, negative goodwill and negative publicity.
There are no guarantees, but organizations have the
responsibility to ensure that all reasonable measures
have been enacted to safeguard data and information.
120. 120
120
2110: Risk Management
The IAA must assist the organization by identifying and
evaluating significant exposures to risk and contributing
to the improvement of risk management and control
systems.
Risk is the probability that some future envent or action could
adversely impact the organization. Risk is based in terms of
impact (in dollars) and likelihood (probability).
Risk assessment is the process of assessing and integrating
professional judgment about probable adverse conditions and/or
events.
Risk management is the process to identify, assess, manage,
and control potential events or situations, to provide reasonable
assurance regarding the achievement of the organizations
121. 121
121
Roles in Risk Management Process
The responsibility of assessing the potential risks falls on
the shoulders of management.
This is an on-going process and management has the
responsibility to review and make necessary changes in
order to mitigate potential risks that can hinder the
achievement of objectives.
The board of directors (and audit committee) have the
responsibility to provide an oversight role, making sure
that the proper level of risk management is in place and
effective.
122. 122
122
Roles, continued
Internal Auditors assist management, board, and/or
committee by examining, evaluating, testing, reporting
and recommending improvements in the adequacy of the
organization’s risk management system.
The IAA’s role in the risk management process can range
from:
No role, to
Auditing the risk management process as part of the internal
audit plan, to
Active, continuous support and involvement in the risk
management process.
Managing and coordinating the risk management process. In this
case, the IA is not taking ownership of the risk, only the process.
123. 123
123
Assessing the Adequacy of Risk Management Process
The IAA should evaluate risk exposures relating to the
organization’s governance, operations, and information
systems regarding the:
Reliability and integrity of financial and operational information,
Effectiveness and efficiency of operations,
Safeguarding of assets, and
Compliance with laws, regulations, and contracts.
The five key objectives of a risk management process
are:
1. Risks that arise are identified and prioritized.
2. Management and the board have determined the level of risk
that is acceptable to the organization.
124. 124
124
Risk Management Processes
3. Risk mitigation activities are designed and implemented to
reduce risk at levels that are acceptable.
4. Risk is periodically reassessed on an ongoing basis.
5. Reports are given periodically to the board and management on
the results of the risk assessment process.
The IAA needs to assess whether or not these five
objectives have been met in order to form an opinion on
the adequacy of the risk management processes.
Internal auditors need to continuously look for things that
may indicate a problem or cause for concern related to
risk management.
125. 125
125
Assessing the Adequacy of Risk Management ProcessesforFormal
ConsultingServices
Consulting service is defined as advisory and related
client service activities, the nature and scope of which are
agreed upon with the client, i.e., counsel, advise,
facilitation and training.
Internal auditors should address risk consistent with the
engagement’s objectives and should be alert to the
existence of other significant risks.
With consulting services, the internal auditor should:
Determine the significance of exposures or weaknesses and the
actions taken or contemplated to mitigate or correct these
exposures or weaknesses; and
Ascertain the expectations of management, the audit committee
and board in having these matters reported.
127. 127
127
Business Continuity Process
Business continuity process has to do with the
organization’s ability to continue to operate during some
sort of crisis or disaster, and its ability to restart
operations after having been interrupted.
It is not a matter if a crisis will occur, but when.
Internal auditors can assist in the planning for disasters
and other interruptions to the business; evaluate the
design and comprehensiveness of the plan after it has
been drawn up; and perform periodic assurance
engagements to verify that the plan is kept up-to-date.
128. 128
128
Business Continuity Process, continued
Need to be aware that disaster recovery plans can
become quickly outdated.
Coping with and responding to changes is an inevitable
part of the task of management.
Turnover of managers and executives and changes in
system configurations, interfaces, and software can have
a major impact on these plans.
The IAA needs to determine whether the recovery plan:
Is structured to incorporate important changes that could take
place over time, and
The revised plan will be communicated to the appropriate
people, inside and outside the organization.
129. 129
129
Internal Auditor’s Role aftera Disaster
Once there has been a disaster, the internal auditor can
play an important role immediately after a disaster
occurs.
This is when the company is most vulnerable to lapses in
controls and procedures, and could possibly lead to
exploitation (internally and externally).
During recovery process the internal auditor should:
Supervise the effectiveness of the recovery and control of
operations;
Identify areas where controls and mitigating actions can be
improved;
Recommend improvements to the plan; and
Possibly provide support during the recovery activity.
131. 131
131
2130: Governance
The IIA defines governance as the system by which
organizations are directed and controlled.
Governance also includes the rules and procedures for
making decisions on corporate affairs to ensure success
while maintaining the right balance with the stakeholders’
interest.
The four cornerstones of corporate governance are the
board, management, internal auditors and external
auditors.
Effective governance means making sure that
inappropriate and unethical behavior is not tolerated.
Review the 10 basic principles necessary in the
development of sound corporate governance (pg. 72).
132. 132
132
Role of the IAA in the Governance Process
The IAA serves as the “eyes and ears” of management,
audit committee and external auditors.
As such, the IAA should assess and make appropriate
recommendations for improving the governance process
in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization,
Ensuring effective organizational performance management and
accountability,
Effectively communicating risk and control information within the
organization, and
Effectively coordinating the activities of and communicating
information among the board, external and internal auditors and
management.
133. 133
133
Role of IAA in the Ethical Culture of an Org.
Corporate culture of the organization is very important in
the creation of the ethical climate of the organization.
Ethical climate starts at the top, but all people should
assume the role of ethics advocates.
Organizations use various forms, structure, strategies,
and procedures to ensure that it:
Complies with society’s legal and regulatory rules,
Satisfies the generally accepted business norms, ethical
precepts, and social expectations of society,
Provides overall benefit to society and enhances the interest of
the specific stakeholders in both long term and short term, and
Reports fully and truthfully to its owners, regulators, other
stakeholders, and general public to ensure accountability for its
decisions, actions, conduct, and performance.
134. 134
134
IAA as Ethical Advocate
Internal auditors and the IAA should take an active role in
support of the organization’s ethical culture.
They possess a high level of trust and integrity within the
organization and the skills to the effective advocates of
ethical conduct.
They have the competence and capacity to appeal to the
enterprise’s leaders, managers, and the other employees
to comply with the legal, ethical, and societal
responsibilities of the organization.
135. 135
135
Assessment of the Organization’s Ethical Climate
Occasionally, the IAA should assess the state of the
ethical climate of the organization and the effectiveness
of its strategies, tactics, communications, and other
processes in achieving the desired level of legal and
ethical compliance.
Having written well-stated code of ethics does not
necessarily guarantee that an organization will not have a
higher standard of ethical behavior.
Nor does not having a code of conduct prevent the
internal auditor from conducting a successful audit of
ethical behavior since this behavior may already be
documented in the company’s protocols.
138. 138
138
Section D
In Section D we will be covering topic of control, what it
is, what are the components of control, and what are the
tools used for controlling.
This section will account for approximately 20 – 30% (20
– 30 questions) of the Part 1 Exam.
139. 139
139
2120: Control
It is through control that management is able to
accomplish its wishes.
As defined by the IIA, control is
“any action taken by management, the board, and other
parties to enhance risk management and increase the
likelihood that established objectives and goals will be
achieved. Management plans, organizes, and directs the
performance of sufficient actions to provide reasonable
assurance that objectives and goals will be achieved.”
140. 140
140
DefiningControl
Control can also be defined as
“any action taken by management to enhance the
likelihood that established objectives and goals would be
achieved. Controls may be preventive (to deter
undesirable events from occurring), detective (to detect
and correct undesirable events which occurred), or
directive (to cause or encourage a desirable event to
occur). The concept of a system of control is the
integrated collection of control components and activities
that are used by an organization to achieve its objectives
and goals.”
141. 141
141
Benefits of Control
Controls are meant to provide assurance on the
following:
Reliability and integrity of financial and operational
information,
Effectiveness and efficiency of operations,
Safeguarding assets, and
Compliance with laws, regulations, and contracts.
Other benefits of control are:
Lower external audit costs,
Better control over and usage of company assets, and
More reliable information that may be used for decision making
by managers and others in the company.
142. 142
142
Who Benefits fromHavinga StrongInternal Control System?
There are a number of diverse parties that are interested
in the internal control system of a company:
Potential investors rely on the IC system to be able to evaluate
management and the performance of the company.
External auditors will base the amount of work that they
perform in part on the effectiveness of the IC system.
Legislative and regulatory bodies rely on the IC system to
help ensure that the company is operating in compliance with
applicable laws and regulations.
Management uses the information that comes out of the internal
systems so management needs to make certain that the
information that they receive is correct.
Customers benefit with reduced costs.
143. 143
143
Who is Responsible for Internal Controls
The Board of Directors is responsible for overseeing the
internal control system.
The CEO is responsible for the “tone at the top.”
Senior management delegates the responsibility for the
implementation of the IC system to the appropriate
departments and personnel.
Financial and accounting officers and staff are the
people with the most close contact with the IC system.
External parties such as independent auditors often
provide information useful to effective internal control.
144. 144
144
The Internal Auditor’s Role in the Control Process
Internal auditors is to evaluate the effectiveness of the
organization’s systems of controls based on the
aggregation of many individual assessments.
These assessments might come from the internal auditors own
engagements, or from management’s self-assessment, or from
the external auditors.
During the course of the internal auditor’s own
engagement, the internal auditor should communicate to
the appropriate level of management any, and all control
discrepancies and weaknesses.
If discrepancies or weaknesses are found, this does not
necessarily mean that it is pervasive and poses an unacceptable
risk to the company.
145. 145
145
Internal Auditor’s Role, continued
A report of the CAE on the state of the organization’s
control processes should be presented, at least, once a
year. More if deemed necessary.
The report should include major recommendations for
improvement and information about current control
discrepancies or weaknesses.
In addition the report can include information about
current control issues and trends, such as technology
and information security exposures, patterns of control
discrepancies or weaknesses.
This information can add value to the report and minimize
potential difficulties in complying with laws or regulations.
146. 146
146
Internal Auditor’s Role, continued
In regards to the internal auditors role, there is a term to
be familiar with. This term is “expectancy gap.”
Expectancy gap is where on the one hand management
and the board usually have high expectations as to the
level of assurance that is provided by the IAA.
But, on the other hand, there is the reality of what the IAA
can actually provide assurance on. The IAA can only
provide reasonable assurance but not a guarantee.
149. 149
149
Control Self-Assessment (CSA)
Control Self-Assessment (CSA) is an examination and
assessment process of the effectiveness of the control
system within an organization performed by the
organization’s personnel with the help of facilitators.
This process is shared among all employees of the
organization and responsibility for control is expanded to
include all individuals of the organization.
The employees thereby become the process owners.
An important aspect of CSA is when people are able to
identify their own problems, they are more committed to
resolving them than they are if the same problems are
identified for them in an audit.
150. 150
150
CSA, continued
Assessments are performed through a series of
workshops or meetings or by means of questionnaires.
Assessments can be applied to any area of the
organization: projects, processes, business units, or
functions.
Whatever format is used, the goal is to help organizations
assess the likelihood of achieving their objectives by
using the knowledge of the workers who are responsible
for making it happen.
151. 151
151
CSA Procedures
CSA procedures include the following:
Identifying potential risks and exposures,
Assessing the control processes that mitigate or manage those
risks,
Developing action plans to reduce risks to acceptable levels, and
Determining the likelihood of achieving the business objectives.
152. 152
152
Advantages of CSA
For an organization the primary advantages of a CSA
program are that it:
Enhances employee understanding of the company’s risk and
controls.
Enhances employee control consciousness.
Provides a mechanism for early risk detection.
Encourages more open communication, teamwork and
continuous improvement.
Empowers the employees and enhances accountability.
153. 153
153
Approachesto CSA
Each CSA program that is implemented by an
organization should be customized to fit that
organization.
This means that the program should be dynamic and be
able to change as the organization changes.
The three primary approaches to CSA are:
Facilitated team workshops,
Surveys / Questionnaires, and
Management-produced, or self-auditing/self certification.
Organizations often combine more than one approach to
accommodate their self-assessment.
154. 154
154
Facilitated TeamWorkshop
The facilitated team workshop is the process of
gathering information from work teams that represent
different levels in the organization.
For a facilitated team workshop, there needs to be a
facilitator who brings the team together, and in essence,
facilitates the process.
It is crucial for the facilitator to have no hidden agenda.
The team members need to be very truthful about what is
working well and what is not working well.
155. 155
155
Facilitated TeamWorkshop formats
There are four basic CSA-facilitated meeting formats:
Control-based. This format reviews how well the control in
place are working. The purpose of the workshop is to produce
an analysis of the gap between how controls are working and
how well management expects those controls to work.
Objective-based. This format focuses on the best way to
accomplish the organization’s objectives. The aim of the
workshop is to decide whether the necessary controls are in
place and working effectively and are resulting in residual risks
within an acceptable level.
156. 156
156
Facilitated TeamWorkshop formats, continued
Risk-based. This format focuses on listing the risks to achieving
the organization’s objectives. The aim of the workshop is to
determine significant residual risk. This workshop starts by listing
all possible barriers, obstacles, threats and exposures that might
prevent the organization from achieving its objects.
Process-based. This format focuses on selected activities that
are elements of the process chain. The general aim of this
workshop is to evaluate, update, validate, improve and even
streamline the whole process and its component activities.
157. 157
157
Surveysand Questionnaires
Surveys or questionnaires tend to ask simple
“Yes-No” or “Have-Have Not” questions.
The questions may be customized for the unit’s
regulatory environment or other specific needs.
The questions relate to the primary internal
controls and how the controls are monitored.
158. 158
158
Management-produced Analysis
This approach does not use a facilitated meeting or
survey.
Through this approach, management produces a staff
study of the organizational processes.
The CSA specialist (who is generally an internal auditor)
combines the results of the study with information
gathered from sources such as other managers and key
personnel.
The specialist then synthesizes the information and
develops an analysis that process owners can use in
their CSA efforts.
160. 160
160
IA’s Role in QuarterlyFinancial Reporting, Disclosures, and Management
Certification
Because of the recent accounting scandals, internal
auditors are now playing an even more important role.
The role the internal auditor plays may range from
The initial designer of the process, participant on a disclosure
committee, coordinator, or
Liaison between management and its auditors, to
Independent assessor of the process.
161. 161
161
Recommended Actionsfor Internal Auditors
Summary of recommendations of the IA’s role, including:
Be involved in some capacity in the quarterly reporting and
disclosure process.
Ensure that the organizations have written policies and
procedures that govern the quarterly financial reports.
Encourage the establishment of a disclosure committee. This
disclosure committee’s help with transparency.
Periodically review and evaluate the quarterly reporting and
disclosure processes.
Recommend appropriate improvement in the policies, etc.
Compare processes for compliance with SOX.
163. 163
163
Establishingthe Control Process
The control process is established by management.
Without any control process, the planning process
becomes much less valuable and less useful to the
organization than it should.
Three main steps in the control process are:
Setting the standards (objectives) that are to be achieved,
Measuring the performance against a standard, and
Evaluating the results and then correcting, or regulating the
performance as a result of what was measured.
164. 164
164
Setting the Standards
Setting Standards (Objectives) – When setting
standards that are expected to be achieved in terms of
something (Quantity – number of units produced,
Quality – number of defects, Time – the length of time
required, Cost – cost of materials), it is critical to use the
item that is most responsible for the incurrence of
additional costs.
After the achievable standards are determined, it is
important to select the time (or point) in the process at
which you will measure performance compared to the
standard. These points are called Control Points.
165. 165
165
Setting the Standards, continued
Whatever standards an organization sets, the
organization must remember that these are the standards
for a moment in time.
The standards need to be reviewed on an ongoing basis
and revised (or even eliminated) based on changes in the
circumstances or processes.
It is important to get the people involved in the
measurement process to also be involved in the process
of developing the standards and methods used. By being
involved, the employees will feel more ownership of the
process and should be more motivated to achieve
something that they contributed setting up.
166. 166
166
MeasuringPerformance
Every product or service can be measured in some way
against some standard.
It is management’s job to determine what measurement
is to be used.
For example, if management is simply trying to increase
production, then efficiency measurements might not be
appropriate.
Another important part of the measuring process is determining
who is going to do the measurement.
Self-measurement is preferable in it builds employee morale and
empowerment and it is cheaper.
Second party measurement is more expensive, but may lead to better
and more pertinent results.
167. 167
167
MeasuringPerformance, continued
A performance report should be aligned with the
objectives of the firm and include a specific time frame.
This report should also be limited to items that are
controllable by the person responsible. The report should
not get into items that are outside the scope of the
timeframe or the responsibilities of the person.
168. 168
168
Evaluation and Correction
This is the critical part of the control process. Without
this last part the control process is useless.
There are a number of items that you must keep in mind
when making the evaluations of results.
Need to make sure you are comparing like items to like items.
If there are significant changes in the process from one period to
the next, it is not accurate or effective to compare to prior
periods.
It is easier to measure something that is either yes or no. For
example, something like defects will be measured and evaluated
this way.
169. 169
169
Evaluation and Correction, continued
However, some things are measured in a more subjective
manner, for example, “How well does the person
complete his or her tasks?”
These are trait-based decisions, and more care must
be taken in the evaluation of the results and it may be
best to have more than one person involved in the
decision process.
Trait-based decisions are more subjective and more
easily influenced by the emotions of the people involved.
170. 170
170
Systems of Control
A control system is designed so it will help the company
achieve or maintain the desired actions, behaviors or
results.
There are three elements to any control system: input,
processing, and output.
Systems may be classified as either open or closed.
Open system is impacted by its environment. System may
receive uncontrollable input information from the outside and this
information will affect the system.
Closed system does not receive any uncontrollable inputs.
Example of a closed system is the one to regulate the
temperature in your house.
171. 171
171
Feedback Element of the Control System
Feedback plays an important part in any control system.
Feedback ensures that a desired state is attained and
maintained.
The five components to a feedback system are:
A control object – this is the element or variable that is being
monitored,
The detector – this is what is happening in the control object,
The reference point – this is the standard that the control object
is measured against,
The comparator (analyzer) – this is comparing what is
happening and what should be happening, and
The activator – this is the decision-maker in respect to the
decision.
172. 172
172
The Timingof Controls
It is better to prevent mistakes than to detect them after
they have occurred.
There are three types of controls that are classified
depending on when in the production process the control
identifies the defective unit.
Feedforward controls detect the problem before it occurs.
Concurrent controls operate at the same time as the
production process.
Feedback controls identify when something has already gone
wrong.
174. 174
174
Characteristics of Effective Controls
An effective control system has the following
characteristics.
Economical - there is a positive cost/benefit, meaning that the
organization saves more than it costs to implement the control.
Meaningful – it is important to only control important items.
Appropriate – the control system should actually reflect what
we are trying to measure and control.
Congruent – the control should be in line with what it is
measuring.
Timely – the information must be available in enough time to act
upon it.
Simple – the control must be understandable.
Operational – the control should provide benefit to real
operations.
176. 176
176
Control andTechnology
Computer technology has made it easier and cheaper to
have control systems that cover many areas and that are
able to provide real-time feedback.
Has lead to the increased popularity of Total Quality
Management (TQM) and Reengineering.
177. 177
177
Total Quality Management (TQM)
The premise of TQM is that quality improvement is a way
of increasing revenues and decreasing costs.
It is based on producing a product “right the first time.”
Another feature of TQM is quality circles. Quality circle
is a small group of employees who work together and
meet regularly to discuss and resolve work-related
problems.
With TQM, every person in the organization is
responsible for finding errors and correcting problems.
178. 178
178
Reengineering
Reengineering is when a company is determined to find a
new way of doing something.
Reengineering is NOT simply improving an existing
system, but developing a completely new system or
approach.
Because of effort and time involved, reengineering should
only be done for the most important processes.
181. 181
181
Means of Achieving Control
There are a number of different ways that internal
controls can be set up. Some of the different means are
discussed below:
Organizational methods is where responsibilities are split up
so no one individual controls more than one part of a transaction
(segregation of duties).
Policies are stated principles that provide guidance in behavior.
Policies are directive controls.
Policies should be clearly written and communicated to all employees.
Policies should be occasionally reviewed to make sure they are still
relevant.
Procedures are the actions for carrying out the policies.
182. 182
182
Means of Achieving Control, continued
Pre-numbered forms is another method to control and
safeguard documents.
Need to remember that no pre-numbered form should be disposed of,
even if the form is not correct. In these cases, the pre-numbered form
should be kept and stated that it was cancelled.
Personnel is making sure that good people are hired and there
is a high standard of supervision.
Employees should be trained and reviewed on a periodic basis.
Accounting is a crucial part of the system because this is where
the financial information is accumulated and produced.
Budgeting is done so actual results can be compared with
anticipated results.
People who will be held responsible for the achievement of the budget
should be involved in creating it.
183. 183
183
Means of Achieving Control, continued
Reporting has to do with management receiving the reports that
are relevant to their responsibilities.
Reports should not only include actual results, but compared against the
budget.
Reports have to be provided in a timely manner so management can act
upon the information. This timeliness is control function that helps
management identify potential problems.
186. 186
186
Internal Control Models
A series of control models were developed during the
1990s. The models we will be looking at are:
Internal Control – Integrated Framework (COSO),
CoCo model, and
The IIA model.
For the most part, these controls have the same goal as
to provide management with a better understanding of
their control systems so they can make judgment about
their effectiveness.
187. 187
187
The COSOModel
During the 1980s there was a private sector initiative,
sponsored by five organizations, that attempted to
identify the causes of fraudulent financial reporting and to
make recommendations to reduce its incidence.
The five sponsoring organizations are:
American Institute of Certified Public Accountants (AICPA),
American Accounting Association (AAA),
Institute of Internal Auditors (IIA),
Institute of Management Accountants (IMA), and
Financial Executives International (FEI).
188. 188
188
Componentsof Internal Control
There are five components that make up internal control
The Control Environment,
Risk assessment,
Control activities,
Information and communication, and
Monitoring.
You can remember these components by the mnemonic
CRIME (bolded letters).
189. 189
Control Environment, continued
This is the most important element of internal controls
because it is the basis on which the other elements are
built.
This element sets the tone for the entire organization.
Control environment factors include:
Integrity, ethical values and the competence of the company’s
people.
Management’s commitment to competence.
Human Resource policies and procedures.
Assigning authority and responsibility (assigning decision
rights).
Management’s philosophy and operating style.
Board of directors and audit committee oversight.
190. 190
Control Environment, continued
The control environment is set by management by the
actions, deeds and behaviors. If management
communicates and behaves in such a way to indicate
that controls are important, employees are more likely to
follow the controls in place.
Management plays the most important role in
establishing the control environment.
Management’s commitment to competence is another
factor influencing the control environment. All personnel
need to be competent enough to accomplish their duties.
191. 191
191
Control Environment,continued
Controls are more likely to work if management believes
controls are important and communicate that support
to all employees.
Organizations with effective controls set a positive “tone
at the top.”
Transmit guidance both verbally and by example.
Foster a “control consciousness” by setting formal and clearly
communicated policies and procedures that are followed at all
times, without exception.
Making sure employees are in the right positions can be done
through training, as well as providing counseling, and
performance evaluations.
Board of directors is responsible for setting corporate policy and
for seeing that the company is operated in the best interest of
shareholders.
192. 192
Control Environment, continued
A company’s organizational structure plays an
important role in internal controls.
Factors that need to be properly addressed are:
Defining authority and responsibility, as well as the
corresponding delegations,
Matching a structure with the needs of the business, and
Creating an atmosphere of accountability within the company
193. 193
193
Risk Assessment
This is management’s assessment of the risks that the
agency faces. Risks may be internal or external.
Internal Risks include employee embezzlement accompanied
by falsification of records to conceal theft; lack of compliance
with governmental regulations; or other illegal acts by
employees, such as taking a bribe. These risks can include
disruption in computer systems, poor management decisions,
errors, or accidents.
External Risks include changes in technology, changes in
federal legislation, natural disasters, economic changes, or being
defrauded, or robbed.
194. 194
194
Risk Assessment, continued
A pre-condition of risk assessment is the establishment of
objectives.
Once risks have been identified, management needs to
analyze their possible effect. Risk analysis includes:
Estimating the likelihood of the risk’s occurrence,
Deciding how to best manage the risk, and
What actions can be taken to mitigate the risk.
If management is unable to identify the risks that the
agency faces, they are much less likely to be able to
address those risks.
195. 195
195
Control Activities
These are the policies that are developed to address
the risks of the agency. These risks may be fraudulent
reporting or theft (misappropriation of assets).
Control activities should be designed to mitigate risk,
wherever risk exposure is determined to exist, for the
purpose of protecting the organization’s ability to achieve
its objectives.
Controls that are implemented must have a benefit that
is greater than the cost of that control.
Because of this, not all controls are implemented and the control
environment cannot provide a guarantee that all risks are
eliminated.
196. 196
196
Classifications of Control Activities
Control activities may be classified by their objective
Preventive controls attempt to prevent the mistake from ever
occurring in the first place.
Examples would include segregation of duties, suitable authorization of
transactions, checking the credit worthiness of a customer before goods
are shipped.
Directive controls attempt to ensure the occurrence of a
desirable event.
Examples would include managers of a construction company
instruction their project managers to hire local workers in order to create
a favorable image in the community in which the company operates.
197. 197
197
Classifications of Control Activities, continued
Detective controls attempt to find the mistake after it has
occurred.
Examples would include bank reconciliations, check for missing
document numbers in pre-numbered documents, performance reporting
with variances.
Corrective controls attempt to fix the problem after it has
occurred.
Examples of corrective control would be finding an error when doing a
bank reconciliation, etc.
Compensating controls attempt to address a weakness in
controls in one place by setting up additional controls in a related
area. We look at compensating controls in more detail a bit later.
198. 198
198
Examples of Control Activities
Top level review of actual
performance
Reviews by management at
the functional or activity level
Management of human capital
Controls over information
processing
Physical controls to protect
assets (cash and other assets)
Various performance indicators
Documents and record
protection and authorization
Pre-numbered documents
Performance evaluations
Hiring controls to ensure that
qualified personnel are hired
Control over system
modifications
Segregation of Duties
199. 199
199
Segregation of Duties
By dividing specific duties (listed on the next slide)
between different individuals, the likelihood of errors or
inappropriate behavior (theft or fraud) is greatly reduced.
The separation of duties can be done in the following
steps:
Identify a function that is indispensable, but potentially subject to
abuse.
Divide that function into separate steps, each of which is
necessary for the function to work, or for the power that enables
that function to be abused.
Assign each step (or duty) to a different person or organization.
200. 200
200
Dutiesto be Segregated
The following duties need to be segregated between
different people:
The authorization of a transaction,
The recording (record keeping) of the transaction,
Keeping physical custody of the asset, and
The periodic reconciliation of the records of the asset (how
much there should be) to the actual amount of the asset (how
much there is).
201. 201
201
Dutiesto be Segregated, continued
More examples of Segregation of Duties:
One person has authority to adjust accounts receivable,
while a different person posts payments on customer
accounts. Without segregation here, one person could
divert cash receipts and then falsify the account
balances of the customers who paid the cash in order to
conceal the diversion.
One person is responsible for preparing the bank
deposit, while a different person reconciles the checking
account. Without segregation, one person could divert
cash receipts and cover the activity by creating
“reconciling items” in the account reconciliation.
202. 202
202
Dutiesto be Segregated, continued
Examples of Segregations of Duties:
One person has custody of cash receipts, while a
different person has the authority to authorize account
write-offs. Without segregation, one person could
authorize a false write-off while diverting the collection
on the account.
One person authorizes issuance of purchase orders,
while a different person is responsible for recording
receipt of inventory. Without such segregation, one
person could issue a purchase order to a fictitious
vendor using a post office box rented for the purpose,
then prepare a fictitious receiving record and mail an
invoice to the company using a post office box
personally rented for the purpose, resulting in the
company’s paying for something it never ordered or
received.
203. 203
203
Limitationsof Segregation of Duties
No system is perfect and no system can eliminate all of
the risks that a company faces.
Some of the reasons that risk can not be completely
eliminated are:
Collusion - when two or more people work together to get
around the controls in place. If the people whose duties are
segregated collude, the benefit of the segregation of duties is
lost.
Human judgment - decisions are made by humans, often under
pressure and time constraints, based only on information at
hand. If this is not enough information, then poor decisions will
be made and controls may not be maintained.
205. 205
205
Information and Communication
Information needs to be obtained and communicated to
people to allow them to perform their duties.
Information needs to be
Relevant,
Reliable, and
Timely.
Information needs to be available before a decision
needs to be made.
Duties and responsibilities need to be communicated to
all effected parties.
Communication needs to be both internal and external.
206. 206
206
Information and Communication, continued
Communication must be on-going, both within and
between the various levels and activities of the
organization.
Effective communications flows up, down and across the
organization.
Program managers use reports containing operational
and financial information in order determine whether they
are meeting their objectives.
Operational information is also necessary to determine whether
the agency is in compliance with various laws and regulations.
Financial information is needed for periodic external reporting,
and, on a day-to-day basis.