
Part 1: Internal Audit Basics – Remias Cheat Sheet

Section I: Mandatory Guidance (DCS)


Introduction
Chapter A: Definition of Internal Auditing
Topic 1: Define and Break Down the Definition of Internal Auditing (Level P)

• The IIA defines internal auditing as “an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.” Underlying this working
domain for internal auditors is the understanding that controls help the organization manage risk
and promote effective governance.
• Auditors are charged with an involved role in the organization’s risk management and governance
processes.

Topic 2: Define Purpose, Authority, and Responsibility of the Internal Audit Activity (Level P)
• The internal audit manual and the annual audit plan help in determining the resource requirements.
• Internal auditors are expected to be able to recognize good business practices, to understand
human relations, and to be skilled in oral and written communications.

Chapter B: Code of Ethics


Topic 1: Abide By and Promote Compliance with the IIA’s Code of Ethics (Level P)
• Four components of a Code of Ethics IOCC. I (Integrity) O (Objectivity) C (Competence) C
(Confidentiality)
• The Competency Rule of Conduct of the Code of Ethics requires auditors to continually strive for
improvement in their proficiency and in the effectiveness of their audits.
• Auditors must exhibit loyalty to the organization, but they must not be a party to any illegal activity.
Thus, auditors must comply with legal subpoenas. Example (acceptable conduct): in response to a
subpoena, an auditor appeared in a court of law and disclosed confidential, audit-related information
that could potentially damage the auditor’s organization.
• A formalized corporate code of ethics presents objective criteria by which actions can be evaluated
and would thus serve as criteria against which activities could be evaluated.

Chapter C: International Standards


Topic 1: Comply With The IIA’s Attribute Standards (Level P)
• Note: It is important and will pay dividends to read the Standards. If I did not provide you with a
hard copy, a PDF version can be found in the Dropbox.
• There is no need to memorize Standard numbers, but be very familiar with each of the Standards.
- 1000 Purpose, Authority, and Responsibility
Audit Charter (several questions) defines: PAR (Purpose, Authority, Responsibility)
- Also position in company, access to records and scope of services
- Describes nature of assurance and consulting activities
- Charter must be approved by senior management and then the board

Provided courtesy of Lyndon S.Remias
January 2018
Topic 2: Maintain Independence and Objectivity (Level P)
• Exam Alert: Tested heavily. Internal audit organizations must maintain independence (reporting
structure) and objectivity (frame of mind). CAEs have to establish and promote what internal
auditing can do for the organization while at the same time ensuring that boundaries are clear and
expectations for internal auditing are realistic.
• According to the Interpretation of Standard 1100, “To achieve the degree of independence necessary
to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has
direct and unrestricted access to senior management and the board. This can be achieved through a
dual-reporting relationship… Objectivity requires that internal auditors do not subordinate their
judgment on audit matters to others.”
• Internal auditors may accept gifts of promotional items from audit clients if they are not of material
value.
• When an internal auditor participates directly in the functioning of other areas in the organization,
he or she may compromise the ability to assess those areas objectively in future audits.

Topic 3: Determine Availability of Required Knowledge, Skills, and Competencies (Level P)


• Internal auditor proficiency in information technology (IT) that supports business processes is best
exemplified by Answer: ensuring appropriate manual and automated controls are identified,
documented, evaluated, and tested.
• Internal auditors do not have to be an expert but do have the knowledge, skills, and competencies
required of an internal auditor.

Topic 4: Develop and/or Produce Necessary Knowledge, Skills and Competencies Collectively Required
by internal Audit Activity (Level P)
• From "Obtaining External Service Providers to Support or Complement the Internal Audit Activity":
when assessing competency, the best way of checking on the reputation of an outside service provider
is to do which of the following? Answer: Call past clients to find out how satisfied they were with the
service provider's work.
• The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge,
skills, or other competencies needed to perform all or part of the engagement. The internal audit
activity may use external service providers or internal resources that are qualified.

Topic 5: Exercise Due Professional Care (Level P)


• An auditor finds a situation where there is some suspicion, but no evidence, of potential
misstatement. The Standard of due professional care would be violated if the auditor Answer: did
not test for possible misstatement because the audit program had already been approved by audit
management.
• Due professional care requires the internal auditor to conduct examinations and verifications to a
reasonable extent. Internal auditors cannot give absolute assurance that noncompliance or
irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance
needs to be considered.

Topic 6: Promote Continuing Professional Development (Level P)


• Professional certification communicates professionalism and proficiency to employers and others.
• CAE should develop with each internal auditor, a schedule of training opportunities based upon the
goals of the auditor and the objectives of the internal audit activity.

Topic 7: Promote Quality Assurance and Improvement of the Internal Audit Activity (Level P)
• QAIP – The key point is that supervision is performed throughout the entire audit process to ensure
DCS is met: D – Definition of Internal Auditing, C – Compliance with the Code of Ethics, S – Compliance
with the Standards.
• A benefit of a QAIP is to:
- Helps with continuous improvement of IAA
- Provides assurance IAA is in compliance with DCS (Definition of Internal Audit, Code of Ethics,
and Standards)
- Evaluates effectiveness and efficiency of IAA
- Evaluates if IAA is adding value
• An internal audit activity has many stakeholders with an interest in its successful performance.
Internal quality assurance reviews of an internal audit activity are primarily meant to benefit which
of the following stakeholders? Answer: CAE
• The chief audit executive (CAE) must discuss with the board the need for more frequent external
assessments. More frequent reviews may be appropriate, particularly when there have been
significant changes in the internal audit function or the organization itself.
• Exam Alert: After the completion of a QAIP the results should be provided to the Board and
Management.
• See the “Holy Grail” for more on QAIP (last page of Cheat Sheet).

Section II Internal Control and Risk


Section Introduction

• Enterprise risk management involves the identification of events with negative impacts on
organizational objectives.
• Preventive controls are actions taken prior to the occurrence of transactions with the intent of
stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of
unacceptable suppliers.


Chapter A: Types of Controls and Management Control Techniques


Topic 1: Define Types of Controls (Level A)
• A small business uses segregation of duties for processing checks and cash received at its office. No
financial transaction is handled by one person from start to finish. This is an example of a Preventive
Control.
• Organizations should not have unrealistic expectations about internal control. Internal control can
help with all of the objectives listed but cannot ensure any of them.
• Which of the following internal controls would have most likely prevented this fraud from
occurring? Answer: Segregating the receiving function from the authorization of parts purchases
• Exam Alert: Preventive vs. Detective. Preventive controls are proactive controls that deter
undesirable events from occurring. Specific control activities for segregation of duties should be
documented in the accounting policies and procedures manual. Detective controls are reactive and
detect undesirable events that have occurred. Directive controls are proactive controls that cause or
encourage a desirable event to occur. Mitigating or compensating controls compensate for the lack
of an expected control.
• Exam Alert: If you see a question with the term Preventive Control think Separation of Duties
• Exam Alert: If you see a question with the term Detective Control think Reconciliation, Monitoring,
and other type of back end reports to help management detect something is wrong.
• Transaction Control - Control that operates at individual transaction level. They can be a Preventive
Control (approval) or Detective (error messages).
• Process Control - Control that operates at transaction level or higher level (reconciliation). Can be a
detective or preventive control.

Topic 2: Describe Types of Management Control Techniques (Level A)


• A good system of internal controls is likely to expose an irregularity if it is perpetrated by one
employee, without the aid of others. Management can often override controls, singularly or in
groups. A group has a better chance of successfully perpetrating an irregularity than does an
individual employee.

Chapter B: Internal Control Framework Characteristics and Use
Chapter Introduction
Topic 1: Demonstrate an Understanding of COSO’s Internal Control-Integrated Framework (Level P)
Student Input: At least ten questions on COSO Framework but nothing on the other frameworks (except
for one generic question about the difference between COSO and Turnbull) centering around core
concepts and most important.
• The COSO framework includes five components, remembered by the mnemonic CRIME:
- Control Activities
- Risk Assessment
- Information & Communication
- Monitoring
- Control Environment (the most important component, as it sets the “tone at the top”)

The updated principles-based framework, which supersedes the original 1992 framework, now explicitly
describes its principles rather than simply implying them, thus making it easier for companies to apply
the principles. The revised COSO framework’s 17 principles of effective internal control are as follows:

Component / Internal Control Principles

Control environment
1. Demonstrate commitment to integrity and ethical values
2. Ensure that the board exercises oversight responsibility
3. Establish structures, reporting lines, authorities and responsibilities
4. Demonstrate commitment to a competent workforce
5. Hold people accountable

Risk assessment
1. Specify appropriate objectives
2. Identify and analyze risks
3. Evaluate fraud risks
4. Identify and analyze changes that could significantly affect internal controls

Control activities
1. Select and develop control activities that mitigate risks
2. Select and develop technology controls
3. Deploy control activities through policies and procedures

Information and communication
1. Use relevant, quality information to support the internal control function
2. Communicate internal control information internally
3. Communicate internal control information externally

Monitoring
1. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
2. Communicate internal control deficiencies

Example of “Awareness” Type CIA Exam Question

Which of the following control models is fully incorporated into the broader integrated framework
of enterprise risk management (ERM)?

A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.

Answer (B) is correct. The Committee of Sponsoring Organizations of the Treadway Commission
published Enterprise Risk Management – Integrated Framework. This document describes a model
that incorporates the earlier COSO internal control framework while extending it to the broader
area of enterprise risk management.
• The risk assessment map looks at each type of fraud and determines how likely the fraud is to occur
and how significant it would be if it did occur. Any fraud that has a high probability and high
significance of material effect must be addressed with processes and procedures that prevent this
type of fraud.
• Unless complex risk quantification is merited (e.g., derivatives), it's best to keep the quantification
and prioritization of risks simple.
• In conducting a cultural diversity audit, internal audit should:
I. Review the organization’s Web site.
II. Verify compliance with country and regional laws and regulations.
III. Assess overt and subtle business practices for different cultures.
IV. Evaluate the political environment of the nations in which the organization conducts business.
• Managing risk includes a variety of activities that attempt to identify, assess, manage, and control risk
across the entire spectrum of an organization, ranging from single events or projects to narrowly
defined types of risk (e.g., market risk) to threats and opportunities facing the entire enterprise.
Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical
to warrant continuous oversight and monitoring.
• A risk framework provides a master list that enables all risks identified in the organization to be
tracked and categorized. An important step in ERM is to assess risks identified, and the ranking
provides a standardized view of risks.
• Risk management is a key responsibility of senior management and the board, not the CAE. To achieve
its business objectives, management ensures that sound risk management processes are in place and
functioning.
• ERM takes a broader (as opposed to a focused) portfolio approach than traditional risk management
and deals with risks and opportunities affecting the creation or preservation of organizational value.
• Risk sharing reduces risk likelihood or impact by transferring or otherwise sharing a portion of the risk.
The most widely used form of risk transfer is insurance. Risk acceptance is taking no action to affect
likelihood or impact.
• Exam Alert: The function of the chief risk officer (CRO) is most effective when the CRO works with
management in their areas of responsibility.
• Management is responsible for controls.
• Risk is the possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
• Types of Risk:
a. Strategic risks include political risk, regulatory risk, reputation risk, leadership risk, and
market brand risk.
b. Operational risks include an organization’s systems, technology, and people.
c. Financial risks includes risks from volatility in foreign currencies, interest rates, and
commodities. It also includes credit risk, liquidity risk, and market risk.
d. Hazard risks include natural disasters, impairment of physical assets, and terrorism.
• It is important to emphasize that the uncertainties could have a potential upside or downside so that
the scope of ERM encompasses the more traditional view of potential hazards as well as
opportunities.
• Risk is pervasive throughout an organization as it can arise from any business function or process at
any time without warning. Because of this widespread exposure, no single functional department
management, other than the board of directors, can oversee the enterprise-wide risk management
program.
• Exam Alert Understand how to respond to risk (risk response):

1. Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks.
Regarding the risks associated with issuing checks, which of the following risk management
techniques does this represent?

A. Controlling.
B. Accepting.
C. Transferring.
D. Avoiding.

Answer (D) is correct. Risk responses may include avoidance, acceptance, sharing, and reduction.
By eliminating checks, the organization avoids all risk associated with them.

2. When a customer fails to pay his/her invoice within 2 months, a notification is sent to inform the
credit manager of the situation. This is an example of which kind of event identification method?
A. Internal analysis.
B. Threshold triggers.
C. Process flow analysis.
D. Loss event data methodologies.

Answer (B) is correct. A predetermined risk response may be made when a certain event occurs,
such as when cash is below a given level or a customer has not paid an invoice within a certain
period of time.
• See the Holy Grail (last page) to see how COSO fits in the overall Risk Assessment process.

Topic 2: Demonstrate an Understanding of Alternative Control Frameworks (Level A)

• ISO 31000:2009 “Risk Management – Principles and Guidelines” is an international standard
framework for risk management that is simple and concise. ISO 31000 is a framework for the
systematic development of enterprise risk management that can be used successfully by any size or
type of organization because the organization can adapt the framework to the proper scope and
environmental context. As the organization’s risk management activities become more mature the
framework can likewise be augmented.
• Exam Alert: There are two approaches to risk management which are widely practiced: top down
(start with objectives, risk and then controls over the process) and bottom up (start with the process,
then controls, risk, and objectives).
• Exam Alert: Understand the bottom-up approach. Its philosophy is that an organization needs to
identify risk at the following levels: Process Level - Project/Department Level - Vertical/Functional
Level - Business Unit Level - Organization Level. A bottom-up approach could consume all available
resources and time, but it would give the most precise picture of the risk and could be completely
quantified. However, it is not widely used.
• ISO 31000 is based on the Plan, Do, Check, and Act method:

Required Reading – IPPF Practice Guide “Assessing the Adequacy of Risk Management Using ISO 31000”
(Issued December 2010). This document can be downloaded from the IIA website.

Exam Alert: Three Lines of Defense for Managing Risk:


• COBIT is the framework to “Help an organization to meet their IT business objectives”.


• Other terms to be familiar with:
- Maturity Model - A maturity model measures an organization's capability for continuous
improvement in a particular discipline. The higher the maturity, the more likely it is that incidents
or errors will lead to improvements, either in the quality of the discipline or in the use of the
resources it consumes, as implemented by the organization.
- Turnbull Internal Control: Guidance for Directors on the Combined Code also known as the
"Turnbull Report" was a report drawn up with the London Stock Exchange for listed companies.
The committee which wrote the report was chaired by Nigel Turnbull of The Rank Group plc. The
report informed directors of their obligations under the Combined Code with regard to keeping
good "internal controls" in their companies, or having good audits and checks to ensure the
quality of financial reporting and catch any fraud before it becomes a problem.
Note: Do not waste your time memorizing any of the other frameworks. What you do need to
understand is that the purpose of a framework is to “Help an organization to meet their
business objectives”. It does not matter which framework it is.

Chapter C: Risk Vocabulary and Concepts


Chapter Introduction
Topic 1: Define Risk Terminology (Level A)
• Risk is the possibility of an event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood.
• Residual risk is that risk left over after all controls and risk management techniques have been
applied.
• Understand the definitions of the various risk terms. Put them on flashcards.
• Exam Alert: Formula on the Exam: Audit Risk = Inherent Risk x Control Risk x Detection Risk

Audit Risk is the risk that an auditor “expresses an inappropriate opinion” on the financial
statements.
The others are components of audit risk but it is the overall “audit risk” that leads to the
expression of an inappropriate opinion.

Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial
statements. By itself it may or may not lead to “expressing an inappropriate opinion” on the
financial statements based on inherent and control risk factors.

Audit risk may be considered as the product of the various risks which may be encountered in
the performance of the audit. In order to keep the overall audit risk of engagements below
acceptable limit, the auditor must assess the level of risk pertaining to each component of audit
risk.

Topic 2: Describe Risk Elements (Level A)


• Risks are ranked by a combination of probability (likelihood) and impact.
• A risk map that highlights the areas to focus on (the high-probability/high-impact quadrant) may
also be referred to as a heat map.

Topic 3: Demonstrate an Understanding of Risk Management (Level A)


• Enterprise Risk Management (ERM) takes a broader portfolio approach than traditional risk
management and deals with risks and opportunities affecting the creation or preservation of
organizational value.

Exam Alert: Risk Management is tested heavily on the exam.

• A process to identify, assess, manage, and control potential events or situations, to provide
reasonable assurance regarding the achievement of the organization’s objectives.
• A Risk Management Framework helps a business meet objectives (financial, operational, and
compliance)
• Organizations measure risk in terms of impact and likelihood
• Know the difference between risk appetite (the amount of risk, on a broad level, an organization is
willing to accept in pursuit of stakeholder value) vs. risk tolerance (the specific maximum risk that an
organization is willing to take regarding each relevant risk, can be more quantifiable and measurable).

• Risk appetite is represented by a range. When risk levels fall outside that range, performance is sub-
optimal.
• The chief audit executive (CAE) should incorporate information from a variety of sources into the risk
assessment process, including discussions with the board, management, and external auditors; review
of regulations; and analysis of financial/operating data.
• Risk assessment is a systematic process of assessing and integrating professional judgments about
probable adverse conditions and/or events, providing a means of organizing an internal audit
schedule.
• As a result of an audit or preliminary survey, the chief audit executive (CAE) may revise the level of
assessed risk of an auditable entity at any time, making appropriate adjustments to the work schedule.
• Risk assessment does not necessarily involve the assignment of dollar values and is not intended to
identify the audit area with the greatest dollar savings.
• Acceptable risk is the level of residual risk that has been determined to be a reasonable level of
potential loss or disruption for a specific computer system (see Holy Grail which is on the last page for
a visual view of a risk assessment process).

Example of “Awareness” Type CIA Exam Question


Which of the following is the most accurate term for a process to identify, assess, manage, and
control potential events or situations to provide reasonable assurance regarding the achievement of
the organization’s objectives?

A. The internal audit activity.
B. Control process.
C. Risk management.
D. Consulting service.

Answer (C) is correct. Risk management is “a process to identify, assess, manage, and control potential
events or situations to provide reasonable assurance regarding the achievement of the organization’s
objectives” (The IIA Glossary). Accordingly, the internal audit activity evaluates and contributes to the
improvement of risk management, governance, and control processes using a systematic and
disciplined approach.

Chapter D: Fraud Risk Awareness


Chapter Introduction
Topic 1: Define and Introduce Fraud (Level A)
• Fraud Triangle
• To minimize fraud risk must have internal controls
Topic 2: Describe Types of Fraud (Level A)
• Understand business cycle and types of fraud that can occur in that cycle
- Skimming - A form of white-collar crime; skimming is slang for taking cash "off the top" of the
daily receipts of a business (or from any cash transaction involving a third interested party) and
officially reporting a lower total. The formal legal term for this kind of misappropriation is
defalcation.
- Misappropriation of assets (stealing)
• If an auditor discovers fraud, it must be reported to management and the board; the auditor is not
responsible for reporting it to an outside third party.
Student input: “I honestly don't remember much about fraud except for a couple questions
related to what should an auditor do if they suspect it.”
Topic 3: List Fraud Red Flags (Level A)
• Most fraud perpetrators would attempt to conceal their theft by charging it against an expense
account.

Section III Conducting Internal Audit Engagements-Audit Tools and Techniques


Section Introduction
• Considering the strategic plan in the development of the internal audit plan will ensure that the
audit objectives support the overall business objectives stated in the strategic plan.
• The audit schedule should be reduced only as a last resort once all other viable alternatives have
been explored, including the request for additional resources.

Chapter A: Data Gathering and Process Mapping


Chapter Introduction
Topic 1: Review Previous Audit Reports and Other Relevant Documentation as Part of a Preliminary
Survey of the Engagement Area (Level P)
• Internal auditors consider management's assessment of risks relevant to the activity under
review, obtain or update background information about the activities to be reviewed, and, if
appropriate, conduct surveys to become familiar with the activities, risks, and controls to
identify areas for engagement emphasis and to invite comments and suggestions from
engagement clients.
• If a department's operating standards are vague and thus subject to interpretation, an auditor
should seek agreement with the departmental manager as to the criteria needed to measure
operating performance.
• Internal auditors have immediate access to working papers and reports, which can supply
evidence of compliance testing to the regulatory examiners.

Topic 2: Develop Checklists/Internal Control Questionnaires as Part of a Preliminary Survey of the
Engagement Area
• Checklists increase the uniformity of data acquisition. Checklists are developed during the
planning phase, typically at the end of the preliminary survey.

Topic 3: Conduct Interviews and Walk-Throughs as Part of a Preliminary Survey of the Engagement
Area (Level P)

• When you need people to open up and provide opinions and analysis, as in this situation, an
open-ended question such as, "Tell me about your work environment" has the best chance of
succeeding. Closed-ended questions that can be answered by yes, no, or a fact are less likely to
get people to open up. Questionnaires also provide less opportunity to open up, especially if
staff feel threatened and therefore unwilling to put an opinion in writing unless they are
absolutely certain of anonymity. (In a difficult situation like this one, a variety of approaches
may be necessary.)

Topic 4: Use Observation to Gather Data (Level P)


• Understand the pros and cons of gathering data by using observation. Know the least benefit of
observation and know people can act differently when observed.

Topic 5: Conduct Engagement Risk Assessment to Assure Identification of Key Risks and Controls
(Level P)
• Assessment of the risk levels of current and future events, their effect on achievement of the
organization's objectives, and their underlying causes is the best risk assessment technique as it
takes a comprehensive approach to risk management; it not only considers the event and the
impact but also the causes.
• Risk assessment for audit planning provides a systematic process for assessing and integrating
professional judgment about probable adverse conditions.

Topic 6: Conduct Sampling (Level P)


• Sampling is important in auditing because a complete census, i.e., measuring an entire
population, is usually too costly, too time-consuming, impossible (as in the case of destructive
testing), and error-prone. In addition to auditing, sampling is used extensively in quality control,
market research, and analytical studies of business operations.
• The objective of discovery sampling is to provide a specified level of assurance that a sample will
show at least one example of an attribute if the rate of occurrence of that attribute within the
population is at or above a specified limit. The audit decision is made once the first error is
observed.
• Discovery sampling is best utilized to determine whether a fraud might be existing. For
example: Take a discovery sample of employee claims that were submitted through dentist
offices and confirm the type of service performed by the dentist through direct correspondence
with the employee who had the service performed.
• Which sampling plan requires no additional sampling once the first error is found?
- Stratified sampling
- Stop-or-go sampling
- Discovery sampling
- Attributes sampling
Answer: Discovery sampling (the audit decision is made once the first error is observed).

Student Input: Sampling was on there. 1 on discovery; the other few were more so based on statistical
sampling. They'd give you the 5% error and upper deviation limit of 3.7%, a sample of 80 items with no
errors found... then ask for a "proper conclusion". It was worded something like "I am 95% confident that
the population error rate, although unknown, is below 3.7%".
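The discovery-sampling and attribute-sampling points above, worked through as an added example that is not part of the original cheat sheet: the code computes the discovery sample size needed to see at least one occurrence with a given confidence, and the achieved upper deviation limit of an attribute sample directly from the binomial distribution rather than from a printed table. The 5% critical rate, 95% confidence and the 80-item / zero-error sample come from the text; the function names and the binomial (large-population, sampling-with-replacement) model are my assumptions.

```python
import math


def discovery_sample_size(critical_rate: float, confidence: float) -> int:
    """Smallest sample size n such that, if the true occurrence rate in the
    population is at least `critical_rate`, the sample contains at least one
    occurrence with probability >= `confidence`.

    Assumption: binomial model (population large relative to the sample).
    """
    if not (0.0 < critical_rate < 1.0 and 0.0 < confidence < 1.0):
        raise ValueError("rate and confidence must be strictly between 0 and 1")
    # P(no occurrence in n items) = (1 - rate)^n must be <= 1 - confidence,
    # so n >= ln(1 - confidence) / ln(1 - rate); round up to a whole item.
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - critical_rate))


def binomial_cdf(n: int, k: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), summed term by term."""
    return sum(math.comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n: int, errors: int, confidence: float, iterations: int = 100) -> float:
    """Achieved upper deviation limit for an attribute sample: the largest
    population deviation rate p at which observing `errors` or fewer
    deviations in `n` items is still at least (1 - confidence) likely.

    Solved on the exact binomial CDF by bisection; the CDF is monotonically
    decreasing in p, so the search is well defined.
    """
    if errors < 0 or errors > n:
        raise ValueError("errors must lie between 0 and n")
    if errors == n:
        return 1.0  # every item failed: no upper bound below 100%
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0  # cdf(lo) = 1 >= alpha, cdf(hi) = 0 < alpha
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if binomial_cdf(n, errors, mid) >= alpha:
            lo = mid  # still plausible: the true rate may be this high
        else:
            hi = mid
    return lo


def evaluate_attribute_sample(n: int, errors: int, tolerable_rate: float, confidence: float):
    """Return (upper_deviation_limit, rely_on_control).

    The control is relied upon only when the achieved upper limit does not
    exceed the tolerable deviation rate set during planning.
    """
    udl = upper_deviation_limit(n, errors, confidence)
    return udl, udl <= tolerable_rate


if __name__ == "__main__":
    # Constructed inputs from the cheat sheet: 5% critical rate, 95% confidence.
    print("discovery sample size (rate 5%, 95%):", discovery_sample_size(0.05, 0.95))
    udl, rely = evaluate_attribute_sample(n=80, errors=0, tolerable_rate=0.05, confidence=0.95)
    print(f"80 items, 0 errors: 95% upper deviation limit = {udl:.1%}, rely on control: {rely}")
    udl1, rely1 = evaluate_attribute_sample(n=80, errors=1, tolerable_rate=0.05, confidence=0.95)
    print(f"80 items, 1 error:  95% upper deviation limit = {udl1:.1%}, rely on control: {rely1}")
```

With zero errors the bisection reproduces the 3.7% figure quoted in the student input (the closed form is 1 - 0.05^(1/80)), so the "proper conclusion" is that the auditor is 95% confident the population deviation rate is below 3.7%, which is under the 5% tolerable rate. A single error in the same 80 items pushes the limit above 5%, which is why the same sample then no longer supports reliance on the control.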

Topic 7: Conduct Process Mapping Including Flowcharting


• Flowcharts provide a visual of how a process works vs. Narrative that provides a written view of
how a process works
• Flowcharts allow internal auditors to document their understanding of a process, evaluate
efficiency, determine areas of primary concern, and identify key risks and controls. Flowcharts can
be used to support an auditor's overall assessment of risk and control in an engagement. All
stakeholders should provide input in the flowchart.
• An internal auditor develops a vertical flowchart of a process. Answer: the value to the auditor is that it
depicts inputs, activities, workflows, and interactions with other processes and outputs.
• The only flowchart symbol likely to be asked about is the diamond (decision).

Chapter B: Evaluating Relevance, Sufficiency, and Competence of Evidence


Chapter Introduction
• Determining whether inventory stocks are sufficient to meet projected sales is an appropriate
statement of an audit engagement objective.

Topic 1: Identify Potential Sources of Evidence (Level P)


• Primary legal evidence, also called best evidence, is generally confined to written documents and is
considered superior to oral testimony.

Topic 2: Evaluate Relevance, Sufficiency, and Competence of Evidence (Level P)


• Exam Alert: Know the attributes of the best form of evidence, SRRU (sufficient, relevant, reliable, useful).
• Persuasive evidence enables an internal auditor to formulate well-founded conclusions and to
provide advice confidently. To be persuasive, evidence must be sufficient, relevant, reliable, and
useful, as stated in Standard 2130, "Identifying Information." Relevant means the evidence must be
pertinent to the audit objective and logically support the internal auditor's conclusion or advice.
Reliable implies the evidence must come from a credible source. This considers whether or not the
internal auditor directly obtained the evidence. Sufficient means there should be enough evidence
and different but related pieces of evidence should corroborate each other. Useful information
helps the organization meet its goals.
• Competence, or reliability, of audit information depends in part upon the type of evidence. For
example, a confirmation from a customer is the most reliable evidence that a receivable exists.
• The strongest evidence is direct evidence, such as the auditor's first-hand report on observing a
successful trial of the system.

Chapter C: Data Analysis and Interpretation
Chapter Introduction
Topic 1: Use Computerized Audit Tools and Techniques (Level P)
• Automated working papers provide an efficient medium to document, review, store, and access
information supporting assurance and consulting work performed.

Topic 2: Conduct Spreadsheet Analysis (Level P)


• Student Input: Spreadsheet Analysis - One question where data is provided and you determine if
the data is graphed correctly in Graph A, Graph B, both, or neither.

Topic 3: Use Statistical Analysis/Process Control Techniques (Level A)


• Internal auditors are responsible for reviewing operations and programs to ascertain the extent to
which results are consistent with established goals and objectives to determine whether operations
and programs are being implemented or performed as intended.

• Mean = average; Median = middle value after arranging the data in order; Mode = value that occurs most often

• Discovery Sampling = Find just one error

Topic 4: Use Analytical Review Techniques (Level P)


• Internal auditors may apply various techniques when analyzing and evaluating audit information. All
of the examples listed here are appropriate analytic techniques. In particular, trend analysis traces
data over time to identify a tendency or direction.
• Exam Alert: Regression analysis is a statistical process for estimating the relationships among
variables. It includes many techniques for modeling and analyzing several variables, when the focus
is on the relationship between a dependent variable and one or more independent variables (or
'predictors').
• Exam Alert: Trend Analysis is the practice of collecting information and attempting to spot a pattern,
or trend, in the information.
• Exam Alert: A cause-and-effect diagram (also called a fishbone) uses a visual to map out a list of
factors that are thought to affect a problem or a desired outcome (see diagram on p 1-253).
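Trend analysis and regression, as the two Exam Alerts above describe them, applied to a small series, as an added Python illustration that is not from the cheat sheet. It fits an ordinary least-squares line over equally spaced periods and flags the period whose residual is far from the line, which is what an analytical review would single out for follow-up. The monthly expense figures are constructed:

```python
import statistics


def linear_fit(xs, ys):
    """Ordinary least-squares line y = intercept + slope * x (simple regression
    of one dependent variable on one predictor)."""
    n = len(xs)
    if n < 3:
        raise ValueError("need at least three points to fit and assess a trend")
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    return slope, intercept


def trend_outliers(values, threshold=2.0):
    """Fit a linear trend over equally spaced periods (0, 1, 2, ...) and return
    the indexes of periods whose residual exceeds `threshold` population
    standard deviations of the residuals."""
    xs = list(range(len(values)))
    slope, intercept = linear_fit(xs, values)
    residuals = [y - (intercept + slope * x) for x, y in zip(xs, values)]
    spread = statistics.pstdev(residuals)
    if spread == 0:  # every point sits exactly on the line: nothing to flag
        return []
    return [i for i, r in enumerate(residuals) if abs(r) > threshold * spread]


# Constructed monthly travel-expense totals (thousands): a steady upward trend
# with one month (index 8, September) far above the trend line.
MONTHLY_EXPENSES = [100, 105, 110, 115, 120, 125, 130, 135, 200, 145, 150, 155]

if __name__ == "__main__":
    slope, intercept = linear_fit(list(range(len(MONTHLY_EXPENSES))), MONTHLY_EXPENSES)
    print(f"trend: {intercept:.1f} + {slope:.2f} per month")
    print("periods to follow up:", trend_outliers(MONTHLY_EXPENSES))
```

The threshold is deliberately a parameter: a single large spike also pulls the fitted line toward itself, so for short series an auditor may want to refit without the flagged period before drawing a conclusion.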


Topic 5: Conduct Benchmarking (Level P)


• Benchmarking involves looking at best practices in other companies.
• Know different types of benchmarking especially External

Student Input: I didn't see anything on regression analysis, I saw a question on trend analysis and a
couple on benchmarking (external and with trend analysis)

Chapter D: Documentation/Work Papers


Chapter Introduction
Topic 1: Develop Documentation/Work Papers (Level P)
• The working papers should document all facets of the audit up to the time the new auditor steps in,
and the audit program provides a complete description of the audit's objectives as well as all
evidence gathered to date.

Topic 2: Review Documentation/Work Papers (Level P)


• Supervision is one method of ongoing review, which is part of the internal assessment aspect of
quality assurance (QAIP).

Chapter E: Data Reporting


Chapter Introduction
Topic 1: Report Test Results to Auditor-in-Charge (Level P)
• Involving the staff in the development of the change from the beginning will reduce their resistance
to change.
• Vouching (going backward from the recorded entry to the supporting document) vs. Tracing (going forward from the source document to the recorded entry)

Topic 2: Develop Conclusions regarding Controls (Level P)


• Understand the components of a Finding:
- Criteria
- Condition
- Cause
- Effect (Impact)
- Recommendation / Action Plan
• As long as the auditor assesses the effects of the incomplete data and disclaims the reliability of the
data clearly in the report, the analysis may prove useful without being misleading.
• The board is ultimately responsible for the company's corporate governance, not the internal
auditors.
• A chief audit executive should establish a follow-up process to monitor the adequacy, effectiveness,
and timeliness of actions taken by management on reported engagement observations and
recommendations, including those made by the external auditors and others.

Other Topics on Part 1
IT/Business Continuity

Note: Most of the exam questions for this section are not actually IT questions but risk (events and
vulnerabilities) and control questions. The key is to dumb down the question and focus on the risk and
control. Testing is based on overall concepts of security and not in depth IT. IT is covered more heavily
in Part 3 but you should still be familiar with IT Risk and Controls.

IT Security

• Guidance relating to IT
- GTAG (Global Technology Audit Guide), created by the IIA
- COBIT – internationally accepted framework created by ISACA. It is a framework that assists
enterprises in achieving their objectives for the governance and management of enterprise
information and technology assets (IT). Simply put, it helps enterprises create optimal value
from IT by maintaining a balance between realizing benefits and optimizing risk levels and
resource use.
- Val IT is a governance framework that can be used to create business value from IT
investments. It consists of a set of guiding principles and a number of processes and best
practices that are further defined as a set of key management practices to support and help
executive management and boards at an enterprise level. Note: Val IT extends and
complements COBIT, which provides a comprehensive control framework for IT governance.
- COSO ERM – COSO Enterprise Risk Management

• Risks

Malware is short for "malicious software." Malware is any kind of unwanted software that is installed
without your adequate consent. Viruses, worms, and Trojan horses are examples of malicious software
that are often grouped together and referred to as malware.

1. Which of the following types of malicious software (malware) uses social engineering tactics
to deceive e-mail receivers?

A. Trojan horses
B. Worms
C. Viruses
D. Root kits

• To mitigate the risks, controls should be implemented. Know some key terms as they relate to
internal controls:
- General Controls = the whole organization (body)
- Application Controls = a specific application (knee)
- Preventive Controls = separation of duties
- Detective Controls = reconciliation (back-end reviewing, monitoring)
- Effective = Test

• To mitigate IT risk organizations should have IT controls in place. However, the cost of the
controls should be commensurate with the level of risk mitigation.

• Physical Security Controls


1. Key card with security computer database
2. Role-based subdivisions within a building
3. Biometrics
4. Data centers: not on exterior wall; slab-to-slab construction

• Hardware Controls
1. Redundant character check
2. Equipment check
3. Duplicate process check
4. Echo check
5. Fault-tolerant components (allow a system to continue to work even when a fault exists, e.g.,
nuclear power plant, subway)

• System and Data Backup Recovery Controls


1. Backing up data—grandfather-father-son
2. Off-site storage—site that is physically distant from primary operations
3. Cloud backup—network of distributed databases/ servers
4. Electronic vaulting—electronic transmission of changes to data to off-site facility
5. Backup data controls—methodology for labeling/ storing physical items

• Controls for Transmitting Data


1. To reduce security exposure when transmitting proprietary data over communication lines, a
company should ENCRYPT the data. The device that encrypts is a CRYPTOGRAPHIC DEVICE (the
word CRYPT will be in the answer).
2. Encryption vs. Encoding - Encryption scrambles the data so that it is unintelligible before it is
sent out over the Internet; the receiving party holds the key to unscramble it and restore the
valid information. Is encrypting the same as encoding? Not quite. Encoding transforms data in
order to transmit it or to meet some necessary standard for usage: with encoding, usability,
not confidentiality, is the goal.
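The encoding-versus-encryption distinction in item 2, shown side by side as an added Python illustration that is not from the cheat sheet. Base64 stands in for encoding (reversible by anyone, no key), and a one-time pad stands in for encryption (unreadable without the key). The one-time pad is used only because the Python standard library ships no block cipher; a production system would use a vetted authenticated cipher from a maintained library. The message is constructed:

```python
import base64
import secrets


def encode_b64(data: bytes) -> str:
    """Encoding: a reversible transformation for transport.  No key is involved."""
    return base64.b64encode(data).decode("ascii")


def decode_b64(text: str) -> bytes:
    """Anyone who receives the encoded text can reverse it, so it provides no confidentiality."""
    return base64.b64decode(text)


def new_otp_key(length: int) -> bytes:
    """Random key from the OS CSPRNG; must be at least as long as the message and used once."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Encryption with a one-time pad: ciphertext = plaintext XOR key.
    Without the key the ciphertext carries no information about the message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation with the same key."""
    return otp_encrypt(ciphertext, key)


# Constructed payment instruction used as the message.
MESSAGE = b"wire transfer 4,500 to vendor 117"

if __name__ == "__main__":
    encoded = encode_b64(MESSAGE)
    print("encoded  :", encoded)
    print("decoded without any key:", decode_b64(encoded))
    key = new_otp_key(len(MESSAGE))
    ciphertext = otp_encrypt(MESSAGE, key)
    print("ciphertext:", ciphertext.hex())
    print("decrypted with the right key:", otp_decrypt(ciphertext, key))
    print("decrypted with a wrong key  :", otp_decrypt(ciphertext, new_otp_key(len(MESSAGE))))
```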

CIA Exam Alert: Be able to identify examples of IT Application Controls—Input Controls
• Control data as it enters system
• Garbage-in, garbage-out (GIGO)
• Manual input controls, e.g., authorizations
• Electronic aids for manual inputs
o Screen formats, entry fields, drop-down menus
o Keystroke verification
o Labeling conventions and completeness checks
• Edit Checks – such as check digits
• Processing Controls
• Output Controls
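The input controls listed above (completeness checks, edit checks such as check digits, format and reasonableness checks), as an added Python illustration that is not from the cheat sheet. The vendor-id format, the check-digit scheme (Luhn mod-10) and the invoice records are all constructed for the example:

```python
import re
from datetime import date

REQUIRED_FIELDS = ("vendor_id", "invoice_date", "amount", "approver")
# Constructed format: 'V' followed by six digits plus one Luhn check digit.
VENDOR_ID_FORMAT = re.compile(r"^V\d{7}$")
SINGLE_ENTRY_LIMIT = 50_000


def luhn_valid(number: str) -> bool:
    """Check-digit edit check (Luhn mod-10): a mistyped digit or a transposition
    of adjacent digits fails the check, so the error is caught at entry."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The digit to append so that payload + digit passes luhn_valid."""
    for candidate in "0123456789":
        if luhn_valid(payload + candidate):
            return candidate
    raise ValueError("payload must consist of digits only")


def validate_input(record: dict) -> list:
    """Run the edit checks on one invoice entry; an empty list means accept."""
    errors = []
    for field in REQUIRED_FIELDS:  # completeness check
        if record.get(field) in (None, ""):
            errors.append(f"missing {field}")
    vendor = record.get("vendor_id", "")
    if vendor and not VENDOR_ID_FORMAT.match(vendor):  # format check
        errors.append("vendor_id format invalid")
    elif vendor and not luhn_valid(vendor[1:]):  # check digit
        errors.append("vendor_id check digit invalid")
    amount = record.get("amount")
    if amount is not None:  # reasonableness / limit check
        if not isinstance(amount, (int, float)) or amount <= 0:
            errors.append("amount must be a positive number")
        elif amount > SINGLE_ENTRY_LIMIT:
            errors.append("amount exceeds single-entry limit")
    raw_date = record.get("invoice_date")
    if raw_date:  # validity check on the date
        try:
            if date.fromisoformat(raw_date) > date.today():
                errors.append("invoice_date is in the future")
        except ValueError:
            errors.append("invoice_date not in YYYY-MM-DD format")
    return errors


# Constructed entries: the first is clean, the second has four defects.
GOOD_RECORD = {"vendor_id": "V1234566", "invoice_date": "2018-01-15", "amount": 1250.0, "approver": "jdoe"}
BAD_RECORD = {"vendor_id": "V1234565", "invoice_date": "2018-13-01", "amount": -5, "approver": ""}

if __name__ == "__main__":
    print("check digit for 123456:", luhn_check_digit("123456"))
    print("good record:", validate_input(GOOD_RECORD))
    print("bad record :", validate_input(BAD_RECORD))
```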

Other IT type questions on the CIA Exam:

• What would you expect to find in a user developed system vs. an IT developed system?
(documentation question)
• What would be primary benefit of using EFT for international money transfers?
• Auditors role in assessing systems development
• Auditors role in reviewing systems that are outsourced
• Understand Logical Control

Which of the following is an objective of logical security controls for information systems?

A. To ensure complete and accurate recording of data.
B. To ensure complete and accurate processing of data.
C. To restrict access to specific data and resources.
D. To provide an audit trail of the results of processing.

Answer (A) is incorrect because it is not an objective of logical security control.
Answer (B) is incorrect because it is not an objective of logical security control.
Answer (C) is correct. The primary objective of security controls for information systems is to restrict
access to data and resources (both hardware and software) to only authorized individuals. In addition,
authorization tables for operating system access address logical controls.
Answer (D) is incorrect because it is not an objective of logical security control.
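The logical control the correct answer describes, an authorization table that restricts access to specific data and resources, as an added Python illustration that is not from the cheat sheet. It also checks the table for the separation-of-duties conflict named under preventive controls above, and logs every decision so that a detective review has an audit trail. The roles, resources and actions are constructed:

```python
from datetime import datetime, timezone

# Constructed authorization table: role -> resource -> permitted actions.
AUTHORIZATION_TABLE = {
    "ap_clerk":   {"invoices": {"read", "create"}},
    "ap_manager": {"invoices": {"read", "approve"}, "vendor_master": {"read"}},
    "auditor":    {"invoices": {"read"}, "vendor_master": {"read"}, "access_log": {"read"}},
}

# Action pairs one role should never hold on the same resource (separation of duties).
SOD_CONFLICTS = {("create", "approve")}


def is_authorized(table, role, resource, action) -> bool:
    """Deny by default: anything not explicitly granted in the table is refused."""
    return action in table.get(role, {}).get(resource, set())


def access_request(table, audit_log, user, role, resource, action) -> bool:
    """Enforce the table and append a log entry for every decision, allowed or
    denied, so that access can be reviewed after the fact."""
    allowed = is_authorized(table, role, resource, action)
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "resource": resource,
        "action": action, "decision": "ALLOW" if allowed else "DENY",
    })
    return allowed


def sod_violations(table, conflicts=SOD_CONFLICTS):
    """Roles that hold both halves of a conflicting pair on one resource.
    Run this when the table changes; it is the preventive check, the log is the detective one."""
    found = []
    for role, grants in table.items():
        for resource, actions in grants.items():
            for first, second in conflicts:
                if first in actions and second in actions:
                    found.append((role, resource, first, second))
    return found


if __name__ == "__main__":
    log = []
    access_request(AUTHORIZATION_TABLE, log, "u017", "ap_clerk", "invoices", "create")
    access_request(AUTHORIZATION_TABLE, log, "u017", "ap_clerk", "invoices", "approve")
    access_request(AUTHORIZATION_TABLE, log, "u042", "auditor", "access_log", "read")
    for entry in log:
        print(entry)
    print("SoD violations:", sod_violations(AUTHORIZATION_TABLE))
```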

Remias Holy Grail
1. Planning Phase
• Objectives
- Compliance
- Operational
- Financial
- Strategic
• Risk (Events, Vulnerabilities): plot Impact against Likelihood and choose the response
- High impact, Low likelihood: Share
- High impact, High likelihood: Avoid
- Low impact, Low likelihood: Accept
- Low impact, High likelihood: Reduce
- Inherent risk vs. Residual risk
• Controls (Risk-Based, COSO)
- Control Environment
- Risk Assessment
- Control Activities
- Info. and Comm.
- Monitoring
- COSO ERM integrates Objectives, Risks, and Controls
• Audit Program Guide (APG): C R I M E
- Audit Step
- Objective and Scope of engagement: to "determine", to "validate"
- Adequate
- Effective
2. Fieldwork Phase: Audit Results
- Assurance on controls; Gather Evidence (SRRU)
- Identify audit findings (non-compliance, effectiveness): Condition, Criteria, Cause, Effect, Recommendation
3. Reporting Phase: Prepare and Distribute Report
- Exit conference to discuss DRAFT
- Issue FINAL (Board, Mgmnt, other stakeholders)
4. Audit Follow-Up: Monitor implementation of recommendations
- Perform follow-up procedures
Quality Assurance (QAIP)
- Internal Assessments: Supervision "throughout"; Self-Assessment w/ independent validation; Report results to mgmnt/board
- External Assessment: Peer Review (every 5 years); Report to mgmnt/board annually
- Assurance audit is compliance to CPDCS: Compliance with CPDCS; Effective and Efficient; Adding Value; Continuous improvement
IPPF Framework 2017
The International Professional Practices Framework (IPPF)® is the conceptual framework that organizes
authoritative guidance promulgated by The Institute of Internal Auditors. A trustworthy, global, guidance-
setting body, The IIA provides internal audit professionals worldwide with authoritative guidance. The
IPPF includes Mandatory Guidance and Recommended Guidance.

Mandatory Guidance:

• Core Principles for the Professional Practice of Internal Auditing.


• Definition of Internal Auditing.
• Code of Ethics.
• International Standards for the Professional Practice of Internal Auditing (Standards).

Recommended Guidance:

• Implementation Guidance.
• Supplemental Guidance.

Note: The new framework is tested on all exams given after July 1, 2017.

Mission of Internal Audit
The Mission of Internal Audit articulates what internal audit aspires to accomplish within an
organization. Its place in the New IPPF is deliberate, demonstrating how practitioners should leverage
the entire framework to facilitate their ability to achieve the Mission.

Mission: To enhance and protect organizational value by providing risk-based and objective assurance,
advice, and insight.

MANDATORY (CPDCS)
I. Core Principles for the Professional Practice of Internal Auditing

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit
function to be considered effective, all Principles should be present and operating effectively. How an
internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles
may be quite different from organization to organization, but failure to achieve any of the Principles
would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s
mission (see Mission of Internal Audit).

• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.

II. The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal
auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.

III. Code of Ethics

The Code of Ethics states the principles and expectations governing the behavior of individuals and
organizations in the conduct of internal auditing. It describes the minimum requirements for conduct,
and behavioral expectations rather than specific activities.

Introduction to the Code of Ethics

The purpose of The Institute's Code of Ethics is to promote an ethical culture in the profession of
internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.

A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on
the trust placed in its objective assurance about governance, risk management, and control.

The Institute's Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components:

1. Principles that are relevant to the profession and practice of internal auditing.

2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to
interpreting the Principles into practical applications and are intended to guide the ethical conduct of
internal auditors.

"Internal auditors" refers to Institute members, recipients of or candidates for IIA professional
certifications, and those who perform internal audit services within the Definition of Internal Auditing.

Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code
of Ethics will be evaluated and administered according to The Institute's Bylaws and Administrative
Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent
it from being unacceptable or discreditable, and therefore, the member, certification holder, or
candidate can be liable for disciplinary action.

Code of Ethics — Principles (IOCC)

Internal auditors are expected to apply and uphold the following principles:

1. Integrity - The integrity of internal auditors establishes trust and thus provides the basis for reliance
on their judgment.

2. Objectivity - Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being examined. Internal
auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by
their own interests or by others in forming judgments.

3. Confidentiality - Internal auditors respect the value and ownership of information they receive and do
not disclose information without appropriate authority unless there is a legal or professional obligation
to do so.

4. Competency - Internal auditors apply the knowledge, skills, and experience needed in the
performance of internal audit services.

Rules of Conduct

1. Integrity

Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the
profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity

Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationships that may be in conflict
with the interests of the organization.

2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
activities under review.

3. Confidentiality

Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law
or detrimental to the legitimate and ethical objectives of the organization.

4. Competency

Internal auditors:

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and
experience.

4.2. Shall perform internal audit services in accordance with the International Standards for the
Professional Practice of Internal Auditing (Standards).

4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.

IV. International Standards for the Professional Practice of Internal Auditing (Standards)

• Standards are principle-focused and provide a framework for performing and promoting internal
auditing. The Standards are mandatory requirements consisting of:
• Statements of basic requirements for the professional practice of internal auditing and for
evaluating the effectiveness of its performance. The requirements are internationally applicable
at organizational and individual levels.
• Note: See the separate PDF File of the IPPF 2017 Standards.

RECOMMENDED GUIDANCE

Recommended guidance is endorsed by The IIA through a formal approval process. It describes practices
for effective implementation of The IIA's Core Principles, Definition of Internal Auditing, Code of Ethics,
and Standards. The recommended elements of the IPPF are:

1. Implementation Guidance: Implementation Guides and Practice Advisories assist internal
auditors in applying the Standards. They collectively address internal auditing's approach,
methodologies, and considerations, but do not detail processes or procedures.

2. Supplemental Guidance:
• Practice Guides, which provide detailed processes and procedures for internal audit
practitioners.
• Global Technology Audit Guide (GTAG)
• Guide to the Assessment of IT Risk

Note: While Position Papers are no longer an official part of the New IPPF, these documents are still
relevant and valid for practitioners and other interested parties.