CIA Part 1 Chapter 1

15
STUDY UN~T ONE

STRATEGIC AND OPERATIONAL
ROLES OF INTERNAL AUDIT
(25 pages of outline)
Function from
IA exam and is
portion of the syllabus
This study unit is the first of four covering Section

The IIA's CIA Exam Syllabus. This section makes
tested at the proficiency level (unless otherwise in
is highlighted below. (The complete syllabus is in Appe
,
. djspositictnof.
regulatory oversightbodies ~nd'otherintemai assurance functions

system, a~hj~yepient of:SQiporateobjective .; ....
.:
'
'.
-_ , ':'"
'\'
., ....
,,1
"
.,';,',
;';'.' ': c',' '.
,_".
~:;
"
7>,.:
'I
B.
. procedures for the planning; organizing, directing; and monitoring of internal audit
2.' Review
of the internal.audit function within the risk management framework
3. Direct administrative activities (e.g., budgeting, human resources) of the internalaudit.department
4. Interview candidates for internal audit positions
5. Report on the effectiveness of corporate risk management processes to senior management and the board
6. Report on the effectiveness of the internal control and risk management frameworks
7. Maintain effective Quality Assurance Improvement Program
C.
Establish Risk-Based IA Plan
16
SU 1.' Strategic and Operational Roles of Internal Audit
1.1 CHANGE MANAGEMENT
1.
Overview
a.
Change management is important to all organizations. An appropriate balance

between change and stability is necessary for an organization to thrive.
1)
2.
Organizational change is conducted through change agents, who may include

managers, employees, and consultants hired for the purpose.
Interpersonal Skills
a.
The internal audit activity can add value to an organization by

change. According to The IIA competency framework, "
following interpersonal skills to interact with others
do the following:
1)
Champion the change, enlist others in its purs

trategy
that includes milestones and a timeline.
2) Model the change expected of others.
3) Accurately assess the potential b
4) Provide resources, remove ba
change.
5) Maintain work efficiency and
6) Promptly switch strategies if the cu
ones a'~~i;),~working.
7) Provide direction and
'ng the chan e prbcess.
8) Support new id
9) Respond quickly
, ving creative ideas and taking
appropriate
10) Support the
11)
12) Ope
13) C
3.
attitudes and mindset, for example, when a total quality

adopted.
ange in a product's physical attributes and usefulness to
is a change in an organization's systems or structures.
t~ lai and procedural changes often are resisted by the individuals and
ffected. This response may be caused by simple surprise, inertia, or fear of
But it also may arise from the following:
1)
2)
3)
4)
5)
6)
7)
8)
Misunderstandings or lack of needed skills

Conflicts with, or lack of trust of, management
Emotional reactions when change is forced
Bad timing
Insensitivity to employees' needs
Perceived threats to employees' status or job security
Dissolutien of tightly knit work groups
Interference with achievement of other objectives
.'
i
.'
SU 1: Strategic and Operational Roles of internal Audit
b.
Methods of coping with employee resistance include the following:

1)
2)
3)
4)
5)
6)
7)
5.
47
Prevention through education and communication

Participation in designing and implementing a change
Facilitation and support through training and coLlnseling
Negotiation by providing a benefit in exchange for cooperation
Manipulation of information or events
Co-optation through allowing some participation but without meaningful input
Coercion
Models for Planned Change

a.
Change management has been studied by man

models have emerged:
1)
Kurt Lewin's process model consists of

a)
b)
c)
Unfreezing is the diagnosis stage.

preparing employees for the
Change is the intervention in
Refreezing makes the
not reassert the
2)
hat change is ongoing

rocess from being
agent coordinates steps b)
3)
. ge must be planned and deliberate.

ange must actually improve the organization. Changes forced
regulatory requirements or changes that merely attempt to follow
management trends and fads are not included.
The change must be implemented using the findings of the
behavioral sciences, such as organizational behavior and group
psychology.
The following are the objectives of 00:
i)
Oeepen the sense of organizational purpose and align individuals

with it
ii) Promote interpersonal trust, communication, cooperation, and
support
iii) Encourage a problem-solving approach
iv) Develop a satisfying work experience
v) Supplement formal authority with authority based on expertise
vi) Increase personal responsibility
vii) Encourage willingness to change
Stop and review! You have completed the outline for this subunit. Study multiple-choice
questions 1 through 3 on page 40.
-18
t.z
SU 1: Strategic and Operational Roles of Internal Audit
STAKEHOLDER RELATIONSHIPS
1.
Stakeholder Relationships
b.
c.
d.
2.
For internal auditors to be effective, Sawyer's Guide for Internal Auditors, 6th edition,
states that they must build and maintain strong constructive relationships with
managers and other stakeholders within the organization.
These relationships require conscious ongoing focus to ensure that risks are
appropriately identified and evaluated to best meet the needs of th rganization.
Internal auditors have a responsibility to work together with
and other
stakeholders to facilitate work efforts and compliance with
Key stakeholders include the board oj directors, audit
external auditors, and regulators.
The Board and the Audit Committee

a.
For the internal audit activity to achieve organization

executive (CAE) must have direct and unrestri
the board.
1)
b.
The IIA Glossary defines a boa

a board of directors or other
audit committee, to whom
The audit committee is a subunit of the

member of the board is ne
1)
Some statutes h
membership of
a)
e organization except in his/her
b)
2)
3.
a.
the audit committee is to promote the independence of

uditors by protecting them from management's influence.
unctions of the audit committee regarding the internal audit
ii%,
.c~
removing the CAE and setting his/her compensation
ApfJl,~'
the internal audit charter
l
['ing and approving the internal audit activity's work plan
"', uring that the internal audit activity is allocated sufficient resources
esolving disputes between the internal audit activity and management
6) Communicating with the CAE, who attends all audit committee meetings
7) Reviewing the internal audit activity's work product (e.g., interim and final
engagement communications)
8) Ensuring that engagement results are given due consideration
9) Overseeing appropriate corrective action for deficiencies noted by the internal
audit activity
10) Making appropriate inquiries of management and the CAE to determine whether
audit scope or budgetary limitations impede the ability of the internal audit
activity to meet its responsibilities
.
SU 1.' Streieqic and Operational Roles of Internal Audit
c.
The following are other functions of the audit committee regarding the external auditor:
1)
2)
3)
4)
1!
4.
Selecting the external auditing firm and negotiating its fee

Overseeing and reviewing the work of the external auditor
Resolving disputes between the external auditor and management
Reviewing the external auditor's internal control and audit reports
Relationships with Management

a.
b.
According to Sawyer's Guide for Internal Auditors, 6th edition, j'n tarn......
I auditors are
responsible for performing their mission, maintaining their ob
. d ensuring
the internal audit activity's independence. They also
maintain
good working relationships with m_anagement.
Good relationships are developed by communicating
constructively, and using participative auditing
1)
Participative auditing is a collaboration

management durinq the auditing p
and build a shared interest in the eng
accept changes if they have p
used to implement changes
However, internal auditors
the audit because the respons
2)
Stop and review! You have completed the

uiding and directing
,~lopinion is theirs.
tudy multiple-choice
1.3 ETHICAL CLIMATE
process, governance principles, and ethical culture.

o apply knowledge to a set of facts.
1.
"'"anization's
policies and standards established to ensure

by its members.
e principles of conduct expected to be followed by individuals.
lor
1)
3)
4)
5)
6)
7)
.&:,
re the major issues:
fil' ral business understanding of ethical issues
~ mpliance with laws (e.g., tax, securities, antitrust, environmental, privacy, and
labor)
External financial reporting
Conflicts of interest
Entertainment and gift expenses
Relations with customers and suppliers (Should gifts or kickbacks be given or
accepted?)
Social responsibility
20
3.
Factors That May Lead to Unethical Behavior

a.
In any normal population, some people behave unethically. if these people hold
. leadership positions, they may have a bad influence Or} subordinates.
1)
Organizational Factors
a)
b)
c)
d)
2)
External Factors
a)
Competitive pressures may result in u

of survival.
b)
The advantage obtained by a

imitation of that behavior.
Definitions of ethical
example, bribes to
business practices in s
c)
4.
Pressure to improve short-run performance is an incentive for wrongdoing.

Emphasis on strict chain-at-command authority may excuse unethical
behavior when following orders.
Informal work-group loyalties may result in tolerance
behavior.
s
Committee decision processes reduce indiv .
e to another. For
stent with customary
Criteria for Evaluating Ethical Behavior

a.
The following questions aid

1)
2)
b.
I respect were aware of it?"

or for myself, other employees,
"Would my be
"What are the
customers,
Ethics are indivi
. he1;'are influenced by the following:

r ,ling right, punishment for doing wrong)
..'._alassoclations, informal groups) .'
e'tponsibilities to superiors and the organization)
5.
hics is the established general value system the
apply to its members' activities by
organizational purposes and beliefs and
niform ethical guidelines for members.
guidance extends to decision making.
~. ecific rules cannot cover all situations. Thus, organizations benefit from
ing a code of ethics that effectively communicates acceptable values to all
sted internal and external parties. For example, a code may do the following:
#'
1)
2)
3)
Require compliance with the law

Prohibit conflicts of interest
Provide a method of policing and disciplining members for violations through
a)
b)
A)
5)
Formal review panels and

Group pressure (informal).
Set high standards against which individuals can measure their own
performance
.
Communicate to those outside the organization the value system from which its
members must not be asked to deviate
'
c.
A typical code for auditors or accountants in an organization requires the following:

1)
Independence from conflicts of economic or professional interest

a)
b)
c)
They are responsible for presenting information fairly to stakeholders

rather than protecting management.
They are responsible for presenting appropriate information to all
managers. They should not favor certain managers or conceal
unfavorable information.
They are responsible for maintaining an ethical
conduct of
professional activities.
s
i)
ii)
iii)
2)
3)
6.
They should do what they can to ens

with the spirit as well as the letter of
They should conduct themselves
legal standards.
They should report to a
fraudulent or other illegal
Integrity and a refusal to comp

Objectivity in presenting info
Role of the Internal Audit Activity
a.
. The ipt,enlal audit"adivitYfTl ',:c)fth'e orqanization's 'ethi '.

b.
The internal a
corporate
organi .
s meets four responsibilities:

Compl,i,.aflitc.ith legal and regulatory rules
.s_af ....tt~~of generally accepted norms and social expectations
Pro
:g" Qenefits to society and specific stakeholders
,"b Ing fully and truthfully to ensure accountability
Governance Process
Responsibilities
2)
Compliance
Creditors
.satisfaction
~end
Benefits
Billing
Reporting
Reminders
--
Governance practices reflect the organization's culture and largely depend on it

for effectiveness, The culture
a)
b)
c)
d)
e)
Sets values, objectives, and strategies;

Defines roles and behaviors;
Measures performance;
Specifies accountability; and
Determines the degree of sensitivity to social responsibility,
22
3)
Because of their skills and position in the organization, auditors should actively
support the ethical culture. Auditor roles may include
a)
b)
c)
4)
The minimum internal audit activity role is assessor of (a) the ethical climate and
(b) the effectiveness of processes to achieve legal and ethical compliance.
Internal auditors should evaluate the effectiveness of the folio 'ng features of
an enhanced, highly effective ethical culture:
a)
b)
c)
d)
e)
f)
g)
h)
i)
j)
k)
c.
Chief ethics officer,

Member of an ethics council, or
Assessor of the ethical climate.
A formal code of conduct and related stateme

procedures covering fraud and corruption)
Frequent demonstrations of ethical attitudes
leaders
Explicit strateqies to enhance the ethical
Easily accessible means of confid
Regular declarations by emp
requirements for ethical
Clear delegation of res
(2) investigation, and (
Positive personnel
r::l"""I"TII~"'C'
Regular s
state of
Regular
Regula
Other internal
complaints, (
ethics cli
s er of benefits between an employee and those with

qanization deals.
use of organizational information for private gain.
Stop
ques
meted
42.
the outline
for this subunit.
Study multiple-choice
Ii
'
23
SU 1, Strategic and Operational Roles of Internal Audit
1.4 EDUCATION IN BEST PRACTICES
Performance Standard 2100

Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk
management, and control processes using a systematic and disciplined approach.
1.
Nature of Work
a.
According to The IIA's Definition of lnternal Auditing, the int

an organization accomplish its objectives by bringing,
approach to evaluate and improve-the effectiveness
governance processes."
1)
These processes are closely related. The II

them as follows:
a)
b)
c)
) defines
Governance - "The combination

by the board to inform, di
organization toward
Risk management - "
, manage, and control
potential events or .
Ie assurance regarding
the achievement of the
Control- "Any
e~
, the board, and other parties
to man
- od that established objectives and
goals
plans, organizes, and directs the
perfo
provide reasonable assurance that
ved."
obj
i) ,
. b.
senior management and the board about best

management, control, and compliance.
ed in The IIA Glossary as "adherence to policies, plans,
, regulations, contracts, or other requirements."
hEt~ mal audit activity must evaluate the risks involved in governance,
"y rations, and information systems that relate to compliance with laws,
ulations, policies, procedures, and contracts. The internal audit
activity also must evaluate the controls regarding compliance.
2.
a.
mance, risk management, and control processes are adequate if management

has planned and designed them to provide reasonable assurance of achieving the
organization's objectives efficiently and economically.
1)
2)
Efficient performance accomplishes objectives in an accurate, timely, and

economical fashion. Economica!performance accomplishes objectives with
minimal use of resources (i.e" cost) proportionate to the risk exposure.
Reasonable assurance is provided if the most cost-effective measures are
taken in the design and implementation stages to reduce risks and restrict
expected deviations to a tolerable level.
'
24
SU'I:
3.
Strategic and Operational Roles of Internal Audit
Basic Types of internal Audit Engagements

a.
b.
The essential strategic function of the internal audit activity is to provide assurance
services and consulting services. Thus, the Definition of Internal Auditing describes
internal auditing as "an independent, objective assurance and consulting activity."
Separate groups of Implementation Standards have been issued for assurance
services and consulting services. These services are defined in The IIA Glossary as
follows:
1) Assurance services - "An objective examination of
2)
providing an independent assessment on governance, ri

control processes for the organizaUon. Exampl
performance, compliance, sy_stemsecurity, and'
Consulting services - "Advisory and related eli
and scope of which are agreed with the client
improve an organization's governance, risk
processes without the internal auditor as
Examples include counsel, advice, f
Stop and review! You have completed the outline

1.5 COORDINATION
The chief audit executive should shar

external providers of assurance an
duplication of efforts.
e activities with other internal and

ure proper coverage and minimize
1,
a,
.external auditors, including coordination with the
s the responsibility of the board, Coordination of internal
U~~i ork is the responsibility of the chief audit executive (CAE).
the support of the board to coordinate audit work effectively"
. ati
s may use the work of external auditors to provide assurance

activities within the scope of internal auditing. In these cases, the
l
es the steps necessary to understand the work performed by the
nal auditors, including:
b)
c)
d)
The nature, extent, and timing of work planned by external auditors, to be

satisfied that the external auditors' planned work, in conjunction with the
internal auditors' planned work, satisfies the requirements of
Standard 2100,
The external auditor's assessment of risk and materiality.
The external auditors' techniques, methods, and terminology to enable the
CAE to (1) coordinate internal and external auditing work; (2) evaluate, for
purposes of reliance, the external auditors' work; and (3) communicate
effectively with external auditors.
Access to the external auditors' programs and working papers, to be
satisfied that the external auditors' work call be relied upon for internal
audit purposes. lnternal.auditors are responsible for respecting the
confidentiaiity of those programs and working papers" (para. 2).
'
25
SU 1: Strategic and Operational RoJesof Internal Audit
3)
"The external auditor may rely on the work of the internal audit activity in
performing their work. In this case, the CAE needs to provide sufficient
information to enable external auditors to understand the internal auditors'
techniques, methods, and terminology to facilitate reliance by external auditors
on work performed. Access to the internal auditors' programs and working
papers is provided to external auditors in order for external auditors to be
satisfied as to the acceptability for external audit purposes of relying on the
internal auditors' work" (para. 3).
NOTE: Professional standards place sole responsibility for th

external auditors. Only the external auditors have the
permit the provision of assurance to external parties.
the external auditors use the work" of other independe
cannot be shared with the internal auditors.
4)
5)
"Planned audit activities of internal and

ensure that audit coverage is coordin
where possible. Sufficient meetings
process to ensure coordination
of audit activities, and to d
recommendations from
planned work be adjusted" (
minimized
e audit
timely completion
"The internal audit activity's final

those cornrnunrcauons
available to external .
in determinin
internal audito
and manag
included i
input to
audit
",,",'e for regular evaluations of the coordination between

I auditors. Such evaiuations may also include assessments
over
ciency and effectiveness Of internal and external audit
activitie~:\. ",' ing aggregate audit cost. The CAE communicates the results of
thes~,..ev1tI~:glions to senior management and the board, including relevant
conirf~:~s about the performance of external auditors" (para. 7).
<tv1"
.'
26
EXAMPLE
From CIA Exam
Which at the following is not a true statement about the relationship between internal auditors and
external auditors?
A.
External auditors must assess the competence and objectivity ot internal auditors.
B.
There may be periodic meetings between internal and external auditors to discuss matters of
mutual interest.
C.
There may be an exchange of engagement communications and manage
D.
Internal auditors may provide engagement work programs and

auditors.
(A) is correct. The external auditor assesses the objectivity and com
auditors only if (s)he intends to rely on their work.
(B) is incorrect. The relationship involves a sufficient number of
(C) is incorrect. .The relationship involves reasonable mu
communications and management letters.
(D) is incorrect. The relationship involves reaso
programs and working papers.
2.
Coordinating with Regulatory Oversight

a.
Businesses and not-f

many countries.
1)
uJJijeetto governmental regulation in

=
Below is a sam
acquisitions
and trading
dities
vernments may have their own regulatory bodies.
rganizations, entire departments or functions are established to
with the regulations issued by these governmental bodies.
qpn e, broker-dealers in securities establish compliance departments to

. that trades are executed according to the requirements of securities
. Moreover, manufacturers have departments to monitor wage-and-hour
pliance, workplace safety issues, and discharge of toxic wastes.
the responsibilities of the internal audit activity is the evaluation of the
anization's compliance with applicable laws and regulations.
1)
The internal audit activity coordinates its work with that of inspectors and other
personnel from the appropriate governmental bodies and with personnel from
internal assurance functions.
Stop and review! You have completed the outline for this subunit
questions 13 through i5 on page 44.
.'
1.6 OTHER TOPiCS

1.
Governance
a.
Internal auditors evaluate and improve governance processes as part of their

assurance function. This subunit addresses the overall role of internal auditing in'
governance. It also outlines more specific governance activities, such as the
assessment of the internal audit activity's own performance.
Performance Standard 2110'

Governance
_j
The internal audit activity must assess and make appropriate recom
governance process in its accomplishment of the foftowing objectives:
e
Q
Promoting appropriate ethics and values within the organizatio

Ensuring effective organizational performance management a
Communicating risk and control information to appropria
Coordinating the activities of and communicating i
internal auditors, and.management.
2.
Strategic Role of the Internal Audit Acti

a.
, "Internal auditors
. and contributing to the
IInlti'.'ntnn' ....
I auditors provide
and operating effectiveness of the
may provide consulting services
s. In some cases, internal auditors
oard selt;r8ssessments of governance practices"
b.
ys an important strategic role in the governance

ole includes providing leadership, assessinq the
urement systems, making appropriate
Ing the achievement of corporate objectives.
3.
s of internal auditors involves organizing and leading a team in
d business process improvement.
ap is a simple flowchart or narrative description used to depict a
It aids in assessing the effectiveness and efficiency of processes and
uditors evaluate the whole management process of planning, organizing, and
fl g to determine whether reasonable assurance exists that objectives will be

c.
ved.
All business systems, processes, operations, functions, and activities within the
organization are subject to the internal auditor's evaluations. Internal auditing
provides reasonable assurance that management's
1}
2)
3)
Risk management activities are effective;

Internal control is effective and efficient; and
Governance process is effective by establishing and preserving values, setting
goals, monitoring activities and performance, and defining the measures of
accountability.
'
28
SU 1. Strategic and Operational Roles of Internal Audit
4.
Internal Audit PerformanceMeasurements

3.
b.
Key performance measurements for the internal audit activity provide criteria against
which it is judged.
The following guidance is provided by The IIA Practice 'Guide, Measuring Internal
Audit Effectiveness and Efficiency:
1)
2)
3)
4)
5.
Establishing performance measures is critical in determining whether an audit

activity is meeting its objectives, consistent with the highest quality practices
and standards.
The first step is to identify key performance measures for
stakeholders believe add value and improve
Once key effectiveness and fficiency measure
identified, a monitoring process and a method
should be established (e.g., format, timing,
reporting should be based on stakeholder n
It is important that the internal audit acti
stakeholders on audit effectiveness
Performance Measurement Systems a

a.
b.
c.
An important element of co
objectives. Internal auditors can u
Internal auditors can add value to an
performance measurem
and
Internal auditors ma
results of these en
system is adequ
Stop and review! You have

questions 16 and 17 on pa
1.7
policies and procedures to guide the internal audit activity.
. ractice Advisory 2040~1, Policies and Procedures, policies and

developed by the CAE do not necessarily need to be contained in formal
rative and technical manuals.
2)
b.
A small internal audit activity may be managed informally through daily, close
supervision and memoranda.
In a large internal audit activity, more forma! and comprehensive policies and
procedures are essential to guide the execution of the internal audit plan.
The importance of the relationship of the particular internal audit activity to the extent
of its formal policies and procedures is made clear in this Interpretation:
Interpretation of Standard 2040
The form and content of policies and procedures are dependent upon the size and structure of
the internal audit activity and the complexity of its work.
'
SI) 1: Strategic and Operational Roles of internal Audit
Stop and review! You have completed the outline for this subunit.
. questions 18 through 20 beginning on page 45.
29
Study multiple-cholce
1.8 ROLE OF iNTERNAL AUDiT IN RiSK MANAGEMENT

At one time, audit professionals thought of risk only in the context of an audit (e.q., the probability of not
discovering a material financial statement misstatement). Today, after extensive research and many
scholarly publications, risk is recognized as something that must be examined and mitigated in every aspect
of an organization's operations. Thus, CIA candidates should understand the distin
nsibilities of
(1) the internal audit activity and (2) senior management and the board for enterpri
Performance Standard 2120

Risk Management
The internal audit activity must evaluate the effectiveness and
management processes.
1.
Overview
a.
b.
c.
The IIA Position Paper: The Role

Management states that "risk man
governance. Management is respon
management framework on
If of th
"Enterprise-wide risk mana
structured, consi
relation to ERM sho
the effectiveness
"When internal
certain safe
therefore,
indep
lement of corporate
nd operating the risk
2.
e to an organization by providing the board with objective
can undertake a broad range of ERM activities. However, internal

auld not undertake any activities that could threaten their independence
'"he IIA Position Paper groups the internal audit activity's roles into three
categories:
a)
b)
c)
~ore internal audit roles in regard to ERM

Legitirnate internal audit roles with safeguards
Roles the internal audit activity should not undertake
?'
-} ,A, helpful memory aid is
C
Catch
.Lying
Records
'
30
SU 1.' Strategic and Operational Roles of Internal Audit
3.
Core lnternal Audit Activity Roles in ERM

a.
b.
c.
d.
e.
4.
Legitimate Internal Audit Activity Roles Given Safeguards

a.
b.
c.
d.
e.
f.
g.
5'.
Giving assurance on the risk management process

Giving assurance that risks are correctly evaluated
Evaluating risk management processes
Evaluating the reporting of key risks
Reviewing the management of key risks
Facilitating identification and evaluation of risks

Coaching management in responding to risks
Coordinating ERM activities
~
Consolidating the reporting on risks
Maintaining and developing the ERM"framework
Championing establishment of ERM
Developing an ERM strategy for board approval
Roles the Internal Audit Activity Should Not Unde

a.
Setting the risk appetite

1)
b.
c.
d.
e.
f.
Risk appetite is the amount of

value. It reflects the risk ma
culture and operating style.
in pursuit of
uences the entity's
Imposing risk management processes

Management assurance on ri
Making decisions on
Implementing risk res'
Accountability for
Which' of the following th

the initial establishme
n internal auditor who had participated in

ess? .
A.
B.
C.
veness of management's risk processes.
D.
the risks identified.

ity that threatens independence.
ssessments and reports on the organization's risk management
.mal audit role but also a high audit priority.
management's responsibility for the risk management process is a
internal audit activity's independence. It requires a full discussion and board
-1, para. 5).
(C) is incorrect. Internal auditors assist both management and the board by examining,
evaluating, reporting, and recommending improvements of the adequacy and effectiveness of risk
management processes.
(0) is incorrect. Internal auditors may recommend controls without losing independence.
.'
31
6.
Role in Risk Management

a.
The following Interpretation clarifies the internal audit activity's role:

Interpretation of Standard 2120
Determining whether risk management processes are effective is a judgment resulting from the
internal auditor's assessment that:
~
Organizational objectives support and align with the orqanization's mission'
Significant risks are identified and assessed;

Appropriate risk responses are selected that align risks with the
appetite; and
Relevant risk information is captured and communicated in a
organization, enabling staff, management, and the board
responsibilities.
The internal audit activity may gather the information to support

engagements. The results of these engagements, when vi
understanding of the organization's risk management
Risk management processes are monitored th
evaluations, or both.
.'? ~Fgi~nizatiQn's:".;)
..,<::{
' -. :. i;
"'.,'
.'
'
:'
,","""""'" .(for;.the
~'t~urrence'of
fraud and
.
~
.
.
,'.
blishing.._JI.QS.ased audit model and participating in the organization's risk

anage~~2processes are ways for the internal audit activity to add value.
~.JI
nsibil
t1~
r-Organizational Risk Management
The" _.:s ion of responsibility is described in Practice Advisory 2120-1, Assessing the
'-~cy of Risk Management Processes.
1)
Risk management is a key responsibility of senior management and the board.

a)
b)
c)
Management ensures that sound risk management processes (RMPs)

are in place and functioning.
Boards have an oversight function. They determine that RMPs are in
place, adequate, and effective.
The internal audit activity may be directed to examine, evaluate, report,
or recommend improvements.
i)
It also has a consulting role in identifying, evaluating, and

implementing risk management methods and controls.
.'
"
32
2)
If the organization has no formal RMPs, the CAE has formal discussions with
management and the board about their obligations for understanding,
managing, and monitoring risks.
3)
The CAE must understand management's and the board's expectations of the
internal audit activity in risk management. The understanding is codified in-the
charters of the internal audit activity and the board.
4)
Senior management and the board determine the internal audit activity's role in
risk management based on factors such as (a) organizational culture, (b)
abilities of the internal audit activity staff, and (c) local co
. ns and customs.
a)
That role may range from no role, to auditi

audit plan, to active, continuous support
to managing and cooroinatinq the proces
i)
5)
the
. internal
ard-
But assuming management respo

audit activity independence m
approved.
RMPs may be formal or informal, qua

business units or centralized.
culture, management style,
use an informal risk comm
anization's
small entity may
a)
6)
To form an opinion 0
sufficient, a
.
Which of the following

adequacy of risk manag
A.
To help riot,orrn
object
B.
C.
n'l!Jgement,control, and governance processes provide

, anization's objectives are achieved efficiently and
sk management, control, and governance processes ensure that
nature, timing, and extent of certain tests must be determined before tile
trol processes can be evaluated.
(B) is incorrect. Internal auditors have no authority to ensure correction of material weaknesses.
(C) is correct. Risk management, control, and governance processes are adequate if
management has planned and designed them to provide reasonable assurance of achieving tile
organization's objectives efficiently and economically. Efficient performance accomplishes
objectives in an accurate, timely, and economical fashion. Economical performance accomplishes
objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.
(0) is incorrect. The scope of internal auditing is much broader than concern for the fairness of
financial statements.
questions 21 through 23 beginning on page 46.
1.9 INTERNAL AUDIT ADMINISTRATIVE ACTIVITIES

1.
Overview
. a.
b.
The chief audit executive (CAE) is responsible for management of internal audit
activity resources in a manner that ensures fulfillment of its responsibilities. Like any
well-managed department, the internal audit activity should operate effectively and
efficiently. This can be accomplished through proper planning, which includes
budgeting and human resources management.
Management oversees the day-to-day operations of the internal
including the foilowing administrative activities:
1)
2)
3)
4)
2.
Budgeting
a.
3.
Budgeting and management accounting

Human resource administration, including pe
compensation
Internal communications and information fl
Administration of the internal audit activity'
The CA.Eis responsible for creating

CAE, audit managers, and the i
budget annually. The budget is
their review and approval.
et. Generally, the

r to develop the
t and the board for
Human Resources
a.
The skill set and

help the organizatio
Assurance & C
associates to fill
b.
que
nd forms should be prepared in advance to evaluate,
othejj
~"'theapplicant's (a) technical qualifications, (b) educational
rQuncfl~!i.personalappearance, (d) ability to communicate, (e) maturity,
pers'l~ivJiess, (g) self-confidence, (h) intelligence, (i) motivation, and
U)
er}ti"t'b contribute to the organization.
p91
j~.~l~fs
need a diverse set of skills to perform their jobs effectively. These
Cl.
skinsffi:Ai)'0( always apparent in a standard resume. Developing effective

int~lliWj.flg techniques will ensure that the internal audit function acquires the proper
:~\ Q!:Skills,capabilities, and technical knowledge needed to accomplish its goals.
E.~ive interviewing techniques involve structured interviews and behavioral
interviewing.
1)
..
Structured interviews are designed to eliminate individual bias. These interviews

use a set of job-related questions with standardized answers, which then are
scored by a committee of three to six members. According to Management
(Kreitner & Cassidy, 12th edition), interviewers can use four general types of
questions:
a)
b)
Situational - "What would you do if you saw two people arguing loudly in
the work area?"
job knowledge - "Do you know how to do an Internet search?"
34
c)
d)
2)
4.
Job sample simulation - "Can you show LIS how to compose and send an
e-mail message?"
Worker requirements - "Are you able to spend 25 percent of your time on
the road?"
Behavioral interviews determine how candidates handled past situations. Past

performance is generally indicative of future performance.
Reporting
a.
Reporting to senior management and the board provides assu
b.
1) Governance,
2) Risk management, and
3) Control.
Periodic reports also are made on internal audit's
and performance.
Reporting to senior management and the boa
Unit 2, Subunit 3.
c.
ility,
Stop and review! You have completed the outli

questions 24 through 27 beginning on page 47
1.10 QUALITY ASSURANCE AND IMPROVEM
The chief audit executive must

that covers all aspects of the i
ssurance and improvement program
1.
a.
ssurance and Improvement Program, provides

in the continuous examination of their processes
. of stakeholders.
processes designed to provide reasonable assurance to
internal audit activity
n accordance with its charter, the Definition of Internal Auditing,
e of Ethics, and the Standards
_jDerates effectively and efficiently
1'5 perceived as addi;lg value and improving operations
~Jl"'ese
processes include appropriate supervision, periodic internal and external
""assessments,and ongoing monitoring of quality assurance.
The QAIP embraces all facets of the internal audit activity as reflected in the
pronouncements of The IIA and best practices of the profession.
a)
b)
Its processes are performed or supervised by the CAE.

A large or complex entity has a formal, independent QAIP administered
and monitored by an audit executive.
.'
SU 1: Strategic and Operational Roles of !nt.;:rna! Audit
35
Attribute Standard 1310

Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement proqrarn must include both internal and external
assessments.
b.
Practice Advisory 1310-1, Requirements of the Quality Assurance and Improvement
Program, provides detailed guidance:

1)
2)
3)
A OAIP is an ongoing and periodic assessment of all wo

activity. These rigorous assessments include
a)
Continuous supervision-and testing of perf
b)
c)
Periodic validation of conformance with

Measurement and analysis of perform
accomplishment and customer
Indicated improvements are impl

Assessments evaluate and
audit activity and produce.
a)
b)
c)
d)
e)
f)
4)
Conformance with man

Adequacy of the internal a
procedures;
The contri
mana~emenj~f0ntr6L and gove.rnanee;
Complia:
.. atio
nmgovernment or Industry standards;
Continuer
and'
n of best practices; and
VVheth
udit ac
ds value and improves operations.
OAIP efta
5)
up invojvi appropriate and timely modification of

ures, and technology.
. communicated to stakeholders. The CAE
and the board on OAIP efforts at least annually.
nprovernent program should include evaluation of all of

e work of external auditors.
dards and Code of Ethics.

~:-.
organization's governance processes.

question
sizes the element not required in the assessment of a QAIP.
(A) is corre
ersight of the work of external auditors, including coordination with the internal
audit activity, is the responsibility of the board (PA 2050-1). It is not within the scope of the
process for monitoring and assessing the quality program.
(B) is incorrect. Conformance with the Definition of Internal Auditing, Standards, and Code of
Ethics, including timely corrective actions to remedy any significant instances of nonconformance,
is an element of the assessment of a quality program.
(C) is incorrect. Adequacy of the internal audit activity's charter, objectives, policies, and
procedures is an element of the assessment of a quality program.
(D) is incorrect. Contribution to the organization's governance, risk management, and control
processes is an element of the assessment of a quality program.
36
SU 1. Strategic and Operational Roles of Internal Audit

Intema! Assessments
Internal assessments must include:
I
Ongoing monitoring of the performance of the internal audit activity; and
til
Periodic self-assessments or assessments by other persons within the organization with

sufficient knowledge of internal audit practices.
2.
Internal Assessments
a.
Ongoing and periodic internal assessments are addre

1311-1, Internal Assessment:
1)
The processes and tools used in ongoing intern

a)
b)
c)
d)
e)
f)
2)
Engagement supervision;
Checklists and procedures;
Feedback;
Peer reviews of working pa
Budget.s, timekeeping,
recoveries; and
Analyses of other pe
The IIA's Quality Assessment Man

assessments. These
volve
.:q.,,)';'
,~~~
a)
bl~f~rs (in interviews and surveys)
b)
c)
d)
should not communicate assurances about the outcome of

I assessment, although the report may give recommendations
e practices.
r~e .er, the periodic internal assessment may be the self-assessment
of a self-assessment with independent validation.
6)
~
.. ~. ongoing or periodic internal assessment, conclusions about
~" orrnance are reached, and appropriate action is begun to ensure
iiifrflprOVements are made.
hose conducting internal assessments generally report directly to the CAE, who
should establish a structure for reporting results that maintains credibility and
objectivity.
At least annually, the CAE reports results, action plans, and implementation
information ~osenior management and the board.
"
SU L Strategic and Operational Roles of Internal Audit

External Assessments
External assessments must be conducted at least once every five years by a qualified, independent
assessor 'or assessment team from outside the organization. The chief audit executive must discuss
with the board:
e
The form and frequency of external assessments; and

The qualifications and independence of the external reviewer or assessmen
potential conflict of interest.
3,
External Assessments
a.
b.
External assessments provide an independent and

audit activity's compliance with the Standards and
Further specifics are provided in Practice Advi
. ternal
.s ssments:
~.~~.
1)
An external assessment may be a full

external reviewer or review
with independent valldat
a)
nal audit activity.
b)
c)
2)
,''independent
If-assessment
~, identification, and
The scopemu
Individuals
or interest in,
have no rea
relations
sment should have no obligation to,

r its personnel. External assessors
erest due to current or past
rganizatiQ~@'.
to in
idin
,::lldence include conflicts of former employees or

h'~}financial statement audit, (2) significant
(3) assistance to the internal audit activity.
er part of the organization or in a related organization
. an affiliate) is not independent.
'i.'lll'
mong three unrelated organizations (but not between two)
the independence requirement.
cerns about independence, one or more independent
duals may provide separate validation.
a)
is honesty and candor limited by confidentiality, with no subordination

vice and the public trust to personal gain.
Objectivity is impartiality, intellectual honesty, and freedom from conflicts
of interest.
An external reviewer should be a certified audit professional well versed in the
Standards and best practices with at least 3 years of management experience
in internal auditing or related consulting,
a)
Leaders of independent review teams and those who validate a

self-assessment must have additional competence and experience,
i)
5)
6)
Qualifications include prior external assessment work, quality

assessment training, or service as a senior internal auditor,
The reviewer(s) should have relevant technical and industry experience, and
other specialists may be needed.
Senior management and the board are involved in selecting (a) the approach
and (b) the external quality assessment provider,
38
7)
The scope of the review extends to conformance with mandatory guidance of

The IIA, the internal audit activity's charter, laws, etc. It also extends to
a)
The expectations of management
b)
Integration of the internal audit activity with the" governance
c)
The internal audit activity's tools and techniques,
d)
Competence (mix of the staffs knowledge, experience, and disciplines),

and
e)
Whether the internal audit activity adds value and
and the board,
8)
Preliminary results are discussed with the CAE. Final

communicated to the CAE, and a formal commu
management and the board. -
9)
The communication includes an opinion on

guidance of The IIA. Conformance means
activity satisfy such guidance.
process,
a)
responsibilities
i)
is impaired
The degree of pa
b)
Expression of an opinion
due professional care.
c)
The cornrnuruc "'Tlr,n

practices, (2)
action pia.
10) The results, inc

accomplish
(e.g., senio
a)
4.
ccountability
Reporting Res
a.
Se
must be kept informed about the extent to which

the degree of professionalism required by The IIA.
The
prog
and transparency.
nicate the results of the quality assurance and improvement

prIJ.~Jjlll''';..Jnd
the board.
from the interpretation
on the QAIP:
of Standard 1320 addresses the frequency of
demonstrate conformance with the Definition of Internal Auditing, the

Code of Ethics, and the Standards, the results of external and periodic
internal assessments are communicated upon completion of such
assessments and the results of ongoing monitoring are communicated at
least annually.
.'
39
5.
Importance of Conforming with the Standards

a.
Compliance with the Standards requires an effective QAIP.

Use of "Conforms with the International Standards for the Professional Practice of
Internal Auditing"
The chief audit executive may state that the internal audit activity conforms with the International
Standards for the Professional Practice of Internal Auditing only if the results of
ity assurance
and improvement program support this statement.
6.
Importance of Reporting Nonconformance

a.
The internal audit activity is a crucial part of a cornpl

processes. Senior management and the board
assessment discovers significant nonconfo
ce
CS, or the Standards

audit executive must
the board.
b.
Nonconformance of
specific engageme
I audit activity and not to
Internal auditors may rep

statement only if
A.
B.
C.
It is supported
They may use this

;: ogram.
e internal audit activity is conducted annually.
.ccountable for implementing a quality program.
al audit activity are made by external auditors.
gftion permitting internai auditors to report that their activities

izes t
\1>.
Standard~
,iT
''Wditexecutive may state that the internal audit activity conforms with the
fefthe Professional Practice of Internal Auditing only if the results of the
provement program support this statement" (Attr. Std. 1321).
. ~ndependent external assessment of the internal audit activity must be
t once every 5 years.
(C) is incorrect. The CAE must develop and maintain a QAIP that covers all aspects of the
internal audit activity.
(0) is incorrect. Assessments also may be made by others who are (1) independent, (2) qualified,
and (3) from outside the organization.
40
QUESTIONS
1.1 Change Management
1. An organization's management perceives the
need to make significant changes. Which of the
following factors is management least likely to be
able to change?
A. The organization's members.

B. The organization's structure.
C. The organization's environment.
D. The organization's technology.
Answer (C) is correct.

REQUIRED: The factor management is least likely to be
able to change.
DISCUSSION: The environment of an organization consists
of external forces outside its direct control that may affect its
performance. These forces include competitors, suppliers,
customers, regulators, climate, culture, pol
technological
change, and many other factors. The
members
are a factor that managers are clearly
Answe~(A) is incorrect.
factor that managers are
incorrect. The organiz I
are clearly able to change.
organization's technology'
able to change.
2. Lack of skills, threats to job status or security, and

fear of failure all have been identified as reasons that
employees often
A. Want to change the culture of their
organization.
B. Are dissatisfied with the structure of their
organization.
.
C. Are unable to perform their jobs.
D. Resist organizational change.
Lack of skills, threats to job status or

re inhibit changes in the culture of the
(8) is incorrect. Lack of skills, threats to
job status
. rity, and fear of failure are not symptoms of
dissatistacjion with the structure of the organization. Answer (C)
is iORprret1. Lack of skills, threats to job status or security, and
featot failure do not indicate an inability to perform.
~.,:,~.
A.
B.
C.
D.
\~~
nswer (A) is correct.

REQUIRED: The true statement about resistance to
organizational change.
DISCUSSION: Resistance to change may be caused by
fear of the personal adjustments that may be required.
Employees may have a genuine concern about the usefulness of
the change, perceive a lack of concern for workers' feelings, fear
the outcome, worry about downgrading of job status, and resent
deviations from past procedures for implementing change
(especially if new procedures are less participative than the old).
Social adjustments also may be required that violate the
behavioral norms of informal groups or disrupt the social status
quo within groups. Economic adjustments may involve potential
economic loss or insecurity based on perceived threats to jobs.
In general, any perceived deterioration in the work situation that
is seen as a threat to economic, social, and/or psychological
needs will produce resistance. The various adjustments required
are most likely to be resisted when imposed unilaterally by higher
authority. However, employees who share in finding solutions to
the problems requiring change are less likely to resist because
they will have some responsibility for the change.
.'
1.2 Stakeholder Relationships

4. Audit committees have been identified as a major
factor in promoting the independence of both internal
and external auditors. Which of the following is the
most important limitation on the effectiveness of audit
committees?
A. Audit committees may be composed of
independent directors. However, those
directors may have close personal and
professional friendships with management.
B. Audit committee members are compensated
by the organization and thus favor an owner's
view.
C. Audit committees devote most of their efforts to

external audit concerns and do not pay much
attention to the internal audit activity and the
overall control environment.
Answer (A) is correct.

REQUIRED: The most important limitation on the
effectiveness of audit committees.
..
DISCUSSION: The audit committee is a subcommittee
made up of outside directors who are independent of
management. Its purpose is to help keep external and internal
auditors independent of management and to ensure that the
directors are exercising due care. However, if independence is
impaired by personal and professional
ps, the
effectiveness of the audit committee
ited.
Answer (8) is incorrect. The
members receive is usually
independenf and therefore
Answer (C) is incorrect.
concerned with external audi
internal audit activity.
members do not need
understand engage
D. Audit committee members do not normally

have degrees in the accounting or auditing
fields.
5... The audit committee strengthens the control

processes of an organization by
A. Assigning the internal audit activity
respo~sibility for interaction with governrn~~;
agencIes.
B. Using the chief audit executive as a major

resource in selecting the external a
C. Following up on recommendations
the chief audit executive.
D.
6. An audit committee
enhance the inAo.,onrior
external auditing
functions from
this criterion, a
of
A.
B.
regu
C. Mem
from a
specifically inclu
banking, labor, re
tory agencies,
shareholders, and officers.
D. Only external members of the board of
directors or its equivalent.
nswer (D) is correct.

REQUIRED: The most effective composition of an audit
committee.
DISCUSSION: The audit committee of the board of directors
should be composed entirely of outside directors. Outside
directors are members of the board who are independent of
internal management. Because the primary purpose of the audit
committee is to promote the independence of the internal and
external auditors from management, an audit committee
composed of inside directors would be ineffective.
Answer (A) is incorrect. The audit committee is not required
to be rotated periodically. Answer (8) is incorrect. Regulators
ordinarily do not serve as directors. Answer (C) is incorrect.
Officers are not outside directors.
42
SU 1: Strategic and Operational Roles of Interna! Audit
1.3 Ethical Climate

7. An accounting association established a code of
ethics for all members. What is one of the
association's primary purposes of establishing the
code of ethics?
A. To outline criteria for professional behavior to
maintain standards of integrity and objectivity.
B. To establish standards to follow for effective
accounting practice.
C. To provide a framework within which
accounting policies could be effectively
developed and executed.

. REQUIRED: The primary purpose of establishing a code of
ethics.
DISCUSSION: The primary purpose of a code of ethical
behavior for a professional organization is to promote an ethical
culture among professionals who serve others.
Answer (B) is incorrect. National standards-setting bodies,
not codes of ethics, provide guidance for effective accounting
practice. Answer (C) is incorrect. A code of ethics does not
provide the framework within which
policies are
developed. Answer (0) is incorrect.
rpose is not
for interviewing new accountants.
O. To outline criteria that can be used in

conducting interviews of potential new
accountants.
8. The best reason for establishing a code of

conduct within an organization is that such codes
A. Are typically required by governments.
B. Express standards of individual behavior for
members of the organization.
C. Provide a quantifiable basis for personnel
evaluations.
O. Have tremendous public relations potenti~~ ,
,,,,,,
of ethical conduct is
organization wishes to
municates organizational
es uniform ethical guidelines
inclu
nee on behavior for members in
A code, ." blishes high standards against
m~j3sti(etheir own performance. It also
outside the organization the value system
be must not be asked to deviate.
rrect. Governments typically have no such
r (C) is incorrect. Codes of conduct provide
qualitative,
antitative, standards. Answer (0) is incorrect.
Other purposes of a code of conduct are much more significant.
.."if'
"'.i~~
9. The code of ethics of a profes

sets forth
A.
8.
C.
D.
..(.Alns (A) is correct.

.
~\"REQUIRED: the content of a code of ethics of a
rn'fessional organization.
DISCUSSION: An organization's code of ethical conduct is
the established general value system tile organization wishes to
apply to its members' activities by communicating organizational
purposes and beliefs and establishing uniform ethical guidelines
for members, which include guidance on behavior tor members in
making decisions. A code establishes high standards against
which individuals can measure their own performance and
communicates to those outside the organization the value system
from which the organization's members must not be asked to
deviate.
Answer (8) is incorrect. The organizational details of the
profession's governing body are stated in the by-laws of the
professional organization. Answer (C) is incorrect. Certain
actions may be legal but contrary to an organization's code of
ethics. For example, an internal auditor may not perform a
service for which (s)he does not possess the necessary
knowledge, skills, and experience. Answer (0) is incorrect. I ne
Standards establish a basis for the measurement of internal audit
performance.
..
43
SU 1: Strategic and Operationai Roles of Internal Audit
1.4 Education in Best Practices

10. The purpose of the internal audit activity's
evaluation of the effectiveness of existing risk
management processes is to determine that
A. Management has planned and designed so as

to provide reasonable assurance of achieving
objectives.
B. Management directs processes so as to
provide reasonable assurance of achieving
objectives.
Answer (B) is correct.

REQUIRED: The purpose of the evaluation of the
effectiveness of risk management processes.
DISCUSSION: Risk management, control, and qovernance
processes are effective if management directs processes to
provide reasonable assurance of achieving the organization's
objectives. In addition to accomplishing the objectives and
planned activities, management directs by authorizing activities
and transactions, monitoring.resulting
ance, and verifying
that the organization's processes are
s designed.
C. The organization's objectives will be achieved

efficiently and economically.
O. The organization's objectives will be achieved
in an accurate and timely manner and with
minimal use of resources.
11. Control by management is the result of
A. Planning, organizing, and directing of

organizational activities.
B. Ascertaining needs, identifying alternative
courses of action, setting standards for
measuring performance, and comparing
outcomes with predetermined standards.
C. Authorizing and monitoring perforrnancegg
comparing actual performance with planwlti
performance.
D. Determining efficiency and economy
operations, including whether 0
.
been met.
A.
B.
C.
D.
taken by
to manage risk and
objectives will be
, and directs the
to provide reasonable
IV"".SiW'.1I1 be achieved. Thus, control by
of proper planning, organizing, and
Ascertaining needs, identifying
action, setting standards for measuring
comparing outcomes with predetermined
standards i
ic management function. Answer (C) is
incorrects-Authorizinq and monitoring performance and
c ."~'aring actual performance with planned performance is a
anagement function. Answer (D) is incorrect.
ining efficiency and economy of operations, including
ether objectives have been met, is a basic management
nction.

REQUIRED: The most accurate term for the means of
providing oversight of processes administered by management.
DISCUSSION: Governance is the "combination of
processes and structures implemented by the board to inform,
direct, manage, and monitor the activities of the organization
toward the achievement of its objectives" (The IIA Glossary).
Answer (8) is incorrect. Control is "any action taken by'
management, the board, and other parties to manage risk and
increase the likelihood til at established objectives and goals will
be achieved. Management plans, organizes, and directs the
performance of sufficient actions to provide reasonable
assurance that objectives and goals will be achieved" (The IIA
Glossary). Answer (C) is incorrect. Risk management is "a
process to identify, assess, manage, and control potential events
or situations to provide reasonable assurance regarding the
achievement of the organization's objectives" (The IIA Glossary).
Answer (D) is incorrect. Monitoring consists of actions taken by
management and others to assess the quality of internal control
performance over time. It is not currently defined in the
Standards and The !IA Glossary.
44
1.5 Coordination
13. Who has primary responsibility for providing
information to the board on the professional and
organizational benefits of coordinating internal audit
activities with those of other providers of similar
services?
A. The external auditor.
8. The chief audit executive.
C. The chief executive officer.
D. Each assurance and consulting function.
14. To improve their efficiency, internal auditors may

rely upon the work of external auditors if it is
A. Performed after the internal auditing worR'
8.
Primarily concerned with operational

and activities.
C. Coordinated with internal auditi

D. Conducted in accordance with
Ethics.
A.
B.
C. The board.
D. Management.
Answer (8) is correct.

REQUIRED: The responsible party for providing information
about the benefits of coordin-ationof internal audit activities with
those of other providers.
.
DISCUSSION: The chief audit executive should share
information and coordinate activities with other internal and
external providers of assurance and consulting services to
ensure proper coverage and minimize duplication of efforts
(Perf. Std. 2050). While oversight of the
of external auditors
is the responsibility of the board,
rnal and
external audit work is the responsibility
(PA 2050-1,
para. 1). 3
Answer (A) is incorrect
thatthe internal audit
achievable from coo
consulting activities.
Iways
form part of any activi
auditor, to the board.
is not responsible
internal audit as
cift
stances in which internal auditors

of external auditors.
anizations may use the work of external
"ssurance related to activities within the
diting (PA 2050-1, para. 2). Coordination of
internal an
nal audit work is the responsibility of the CAE
(PA 2050,J, para. 1).
.
",cj}.nsv{er(A) is incorrect. Duplication of effort may result if the
ext''(malaudit is performed after the internal auditing
.Agrga'~ment. Answer (8) is incorrect. Internal auditing
.j~p-'~f0fl!passes both financial and operational objectives and
atJvllies. Thus, Internal auditing coverage could also be
, rovided by external audit work that included primarily financial
objectives and activities. Answer (0) is incorrect. External
auditing work is conducted in accordance with auditing standards
generally accepted in the host country.

REQUIRED: The person responsible for coordinating
internal and external audit efforts.
DISCUSSION: Coordination of internal and external audit
work is the responsibility of the CAE. The CAE obtains the
support of the board to coordinate audit work effectively
(PA 2050-1, para. 1).
Answer (8) is incorrect. The external auditor is an interested
party but not one that has direct responsibility for coordinating
internal and external auditing efforts. Answer (C) is incorrect.
The board has oversight responsibility, but the CAE is
responsible for the actual coordination of internal and external
auditing work. Answer (0) is incorrect. Management is an
interested party but not one that has direct responsibility for
coordinating internal and external auditing efforts.
.'
SU 1: Strategic and Operational Rofes of Internal Audit
45
1.6 Other Topics

16. A basic principle of governance is
A. Assessment of the governance process by an
independent internal audit activity.
B. Holding the board, senior management, and

the internal audit activity accountable for its
effectiveness.
C. Exclusive use of external auditors to provide
assurance about the governance process.
O. Separation of the governance process from

promoting an ethical culture in the
organization.
17. The internal audit activity has a role in an

organization's governance process. The internal
audit activity most directly contributes to this process
by

.
. REQUIRED: The basic principle of governance.
DISCUSSION: The internal audit activity must assess and
make appropriate recommendations for improving the
.
governance process (Perf. Std. 2110).
Answer (B) is incorrect. The internal audit activity is an
assessor of the governance process. It is not accountable for
that process. Answer (C) is incorrect. External parties and
internal auditors may provide'assurance
the governance
process. Answer (0) is incorrect. The'
it activity must
assess and make appropriate
improving
the governance process in
ethics
and~values within the orga

REQUIRED:
contributes to
DISCUSSI
A. Identifying significant exposures to risk.

'. B. Evaluating the effectiveness of the riskmanagement system.
C. Promoting continuous improvement of
controls.
O. Evaluating the design of ethics-related
activities.
TILl:!s,in~.frnassurance engagement, "The internal audit activity

.e~tevaluate the design, implementation, and effectiveness of
e qrtJanization'sethics-related objectives, programs, and
tivrties': (Imp!. Std. 2110.A1)..
.'
Answer (A) is incorrect. Identifying significant exposures to
risk most directly relates to risk management rather than to
governance. Answer (8) is incorrect. Evaluating the
effectiveness of the risk-management system most directly
relates to risk management rather than to governance.
Answer (C) is incorrect. Promoting continuous improvement of
controls relates to controls rather than to governance.
A.
B. Position descriptions.
C. Performance appraisals.
O. Policies and procedures.

REQUIRED: The item most essential for guiding the internal
audit staff.
DISCUSSION: The chief audit executive must establish
policies and procedures to guide the internal audit activity
(Perf. Std. 2040).
46
19. Policies and procedures must be established to

guide the internal audit activity. Which of the
following statements is false with respect to this
requirement?
A. The form and content of written policies and
procedures depend on the size of the internal
audit activity.
B. All internal audit activities must have a detailed
policies and procedures manual.
C. Formal administrative and technical manuals
may not be needed by all internal audit
activities.
O. A small internal audit activity may be managed
informally through close supervision and
memoranda.

REQUIRED: The false statement about policies and
procedures to guide the internal audit activity.
DISCUSSION: Formal administrative and technical audit
manuals may not be needed by all internal audit entities. A small
internal audit activity may be managed informally. Its audit staff
may be directed and controlled through daily, close supervision
and written memoranda. In a large internal audit activity, more
formal and comprehensive policies and procedures are essential
to guide the internal audit staff in the execution of the internal
audit plan (PA 2040-1, para. 1).
Answer (A) is incorrect. The
procedures depend on the.size
Answer (0) is incorrect. Fo
manuals may not be n
Answer (0) is incorrect.
managed informally throu
20. Written policies and procedures relative to

managing the internal audit activity should
A. Ensure compliance with its performance
standards.
B. Give consideration to its structure and the
complexity of the work performed.
C. Result in consistent job performance.
fJ.
D. Prescribe the format and distribution of

engagement communications and the
classification of observations.
~
A.
B.

REQUIRED: The purpose of the evaluation of the
effectiveness of risk management processes.
DISCUSSION: Risk management, control, and governance
processes are effective if management directs processes to
provide reasonable assurance of achieving the organization's
objectives. in addition to accomplishing the objectives and
planned activities. management directs by authorizing activities
and transactions, monitoring resulting performance, and verifying
that the organization's processes are operating as designed.
C.
O. The organization
jectives will be achieved
in an accurate and timely manner and with
minimal use of resources.
.
"
SU 1: Strategic and Operational Roles of internal Audit
22. internal auditors should review the means of

physicaily safeguarding assets from losses arising
from
A. Misapplication of accounting principles.
B. Procedures that are not cost justified.
C. Exposure
to the elements.
O. Underusage of physical facilities.
23. If an organization has no formal risk

management processes, the chief audit executive
should
A. Establish risk management processes based
on industry norms.

REQUIRED: The cause of losses giving rise to physical
safeguards that should be reviewed by the auditor.
. DISCUSSION: The internal audit activity must evaluate risk
exposures relating to governance, operations, and information
systems regarding the safeguarding of assets
(Imp!. Std. 2120.A 1). For example, internal auditors evaluate risk
exposure arising from theft, fire, improper or illegal activities, and
exposure to the elements.
Answer (A) is incorrect. Misapplication of accounting
principles relates to the reliability of i
and not physical
safeguards. Answer (B) is incorrect.
that are not
cost justified relate to efficiency, not
of operations.
Answer (01 is incorrect. Un
to
efficiency of operations.

REQUIRED: The
organization has no
DISCUSSIO
have formal ris
B. Formulate hypothetical results of possible

consequences resulting from risks not being
managed.
C. Inform regulators that the organization is guilty
of an infraction.
o.
Formally discuss with the directors their

obligations for risk management proces~~
al
an
cess.
ariizaiion does not
ief audit
and the board
monitor risks within
mselves that there
ization, even if informal,
sibility into the key risks.
and monitored (PA 2120-1,
e
is incorre . nternal auditors have no authority

m agEf"m~ntprocesses. They must seek
ent and the board as to their role in the
incorrect. Internal auditors are not
risk analysis of the possible consequences
a risk management process. However, such a
request mi
made by management. Answer (C) is
incorrects In the absence of a specific legal requirement, internal
a_l>!.lltors""are
not required to report to outside parties.
4f~~\~
~~r
A.
B.
r'-'.
O.

REQUIRED: The most important reason for the chief audit
executive to ensure that the internal audit department has
adequate and sufficient resources.
DISCUSSION: The CAE must ensure that internal audit
resources are appropriate, sufficient, and effectively deployed to
achieve the approved plan (Perf. Std. 2030).
Answer (A) is incorrect. The decision to outsource the
internal audit function is not primarily based on existing
resources. Answer (C) is incorrect. The amount of resources is
not a significant factor in establishing credibility. Answer (0) is
incorrect. Succession planning is not related to the amount of
audit resources.
48
25. The key factor in the success of an internal audit

activity's human resources program is
A. An informal program for developing and
counseling staff.
B. A compensation plan based on years of
experience.
C. A well-developed set of selection criteria.
D. A program for recognizing the special interests
of individual staff members.
26. Directors, management, external auditors, and

internal auditors all play important roles in creating
proper control processes. Senior management is
prirnariiy responsible for
A. Establishing and maintaining an organizational
culture.
B. Reviewing the reliability and integrity of
financial and operational information.
C. Ensuring that external and internal auditors
oversee the administration of the system of risk
management and control processes.
;Il
O. Implementing and monitoring controls
designed by the board of directors.
27. A basic principle of

A.
B.
C.
O.

REQUIRED: The key factor in the success of an internal
audit activity's human resources program.
DISCUSSION: Internal auditors should be'qualified and
-cornpetent. Because the selection of a superior staff is
dependent on the ability to evaluate applicants, selection criteria
must be well-developed. Appropriate questions and forms
should be prepared in advance to evaluate, among other things,
the applicant's technical qualifications, educational background,
personal appearance, ability to communicate, maturity,
persuasiveness, self-confidence, intelligen
otivation, and
potential to contribute to the organization
Answer (A) is incorrect. The human
should be formal. Answer
i
human resources is more
Answer (0) is incorrect. The
more significant than special
es, and directs

.' reasonable
achieved.
ives and goals and
," changes in internal and
I~ establishes and maintains
an ethical climate that fosters
tnr,,,rrt,,.,t{'I~ternal
auditors are responsible for
effectiveness of controls, including
lity and integrity of financial and
Answer (C) is incorrect. Senior
to oversee the establishment,
assessment of the system of risk
managemeqt
control processes. Answer (0) is incorrect.
The ard"has oversight responsibilities but ordinarily does not
bee;> involved in the details of operations.
er (A) is correct.
REQUIRED: The basic principle of governance.
DISCUSSION: The internal audit activity must assess and
make appropriate recommendations for improving the
governance process (Perf. Std. 2110).
Answer (B) is incorrect. The internal audit activity is an
assessor of the governance process. It is not accountable for
that process. Answer (C) is incorrect. External parties and
internal auditors may provide assurance about the governance
process. Answer (D) is incorrect. The internal audit activity must
assess and make appropriate recommendations for.improving
the governance process in its promotion of appropriate ethics
and values within the organization.
.'
49
1.10 Quality Assurance and Improvement Program (QAIP)

28. The chief audit executive should develop and
maintain a quality assurance and improvement
program that covers all aspects of the internal audit
activity and continuously monitors its effectiveness.
All of the following are included in a quality program
except

REQUIRED: The element not part of a quality assurance
progffim.
.
DISCUSSION: Appraising each internal auditor's work at
least annually is properly a function of the human resources
program of the internal audit activity.
A. Annual appraisals of individual internal

auditors' performance.
B. Periodic internal assessment.
C. Supervision.
D. Periodic external assessments.
29. As a part of a quality program, internal

assessment teams most likely will examine which of
the following to evaluate the quality of engagement
planning and documentation for individual
engagements?
A. Written engagement work programs.
B. Project assignment documentation.
C. Weekly status reports.
O. The long-range engagement work schedule.
30. An external assessment of an i

activity contains an expressed
applies
A.
B.
C.
D.

REQUIRED:
the quality of pi
engagements.
D
st include ongoing
audit activity and
ssessment or by other
ufficient knowledge of
1311). The processes and
include, among other
of working papers by staff not
. dits (PA 1311-1, para. 1).
Project assignment documentation
rmation for assessment purposes than
(C) is incorrect. Status reports do not
ning. Answer (0) is incorrect. The
. gement work schedule does not relate to
ocumentation for individual engagements.
r (0) is correct.
EQUIRED: The subject of the opinion expressed in a
. mmunication after an external assessmentof a quality
program.
DISCUSSION: External assessments of an internal audit
activity contain an expressed opinion as to the entire spectrum of
assurance and consulting work performed (or that should have
been performed under its charter). including (but not limited to)
conformance with the Definition of Internal Auditing, the Code of
Ethics, and the Standards. An external assessment also
includes, as appropriate, recommendations for improvement
(PA 1312-1, para. 2). On completion of the review, a formal
communication should be given to senior management and the
board (PA 1312-1, para. 3).
Answer (A) is incorrect. An opinion is expressed on all
assurance and consulting work performed (or that should have
been performed under its charter). Answer (B) is incorrect. The
scope of an external assessment extends to more than the
effectiveness of the internal auditing coverage. Answer (C) is
incorrect. An external assessment addresses the internal audit
activity, not the adequacy of ihe organization's controls.
Use the additional quest~ns in Gleim CIA Test Prep Online to create Practice Exams
tha;~';':';:;~
~ear;onu~C~~
...J

50
._' \~~
",','
'.
~:
gleim'.C:o,m/_da
800.87'4~5346

CIA Part 1 Chapter 1

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

CIA Part 1 Chapter 1

Hochgeladen von

Copyright:

Verfügbare Formate

15

STUDY UN~T ONE

This study unit is the first of four covering Section

regulatory oversightbodies ~nd'otherintemai assurance functions

;';'.' ': c',' '.

Establish Risk-Based IA Plan

SU 1.' Strategic and Operational Roles of Internal Audit

1.1 CHANGE MANAGEMENT

Change management is important to all organizations. An appropriate balance

Organizational change is conducted through change agents, who may include

The internal audit activity can add value to an organization by

Champion the change, enlist others in its purs

attitudes and mindset, for example, when a total quality

Misunderstandings or lack of needed skills

SU 1: Strategic and Operational Roles of internal Audit

Methods of coping with employee resistance include the following:

Prevention through education and communication

Models for Planned Change

Change management has been studied by man

Kurt Lewin's process model consists of

Unfreezing is the diagnosis stage.

hat change is ongoing

. ge must be planned and deliberate.

Oeepen the sense of organizational purpose and align individuals

SU 1: Strategic and Operational Roles of Internal Audit

The Board and the Audit Committee

For the internal audit activity to achieve organization

The IIA Glossary defines a boa

The audit committee is a subunit of the

e organization except in his/her

the audit committee is to promote the independence of

removing the CAE and setting his/her compensation

SU 1.' Streieqic and Operational Roles of Internal Audit

Selecting the external auditing firm and negotiating its fee

Relationships with Management

Participative auditing is a collaboration

Stop and review! You have completed the

uiding and directing

1.3 ETHICAL CLIMATE

process, governance principles, and ethical culture.

policies and standards established to ensure

re the major issues:

fil' ral business understanding of ethical issues

SU 1: Strategic and Operational Roles of Internal Audit

Factors That May Lead to Unethical Behavior

Competitive pressures may result in u

The advantage obtained by a

Pressure to improve short-run performance is an incentive for wrongdoing.

Criteria for Evaluating Ethical Behavior

The following questions aid

I respect were aware of it?"

Ethics are indivi

. he1;'are influenced by the following:

Require compliance with the law

Formal review panels and

SU 1: Strategic and Operational Roles of Internal Audit

A typical code for auditors or accountants in an organization requires the following:

Independence from conflicts of economic or professional interest

They are responsible for presenting information fairly to stakeholders

They should do what they can to ens

Integrity and a refusal to comp

Role of the Internal Audit Activity

. The ipt,enlal audit"adivitYfTl ',:c)fth'e orqanization's 'ethi '.