CIA Part 2 Handouts
By Arif Zaman FCCA, CIA, CISA, CPA, CFE, CCSA, CRMA, CGA
Subscribe to YouTube Channel “Stuployer” for CIA Lectures Link: https://www.youtube.com/c/Stuployer
You can Connect with me via LinkedIn https://www.linkedin.com/in/arifz/
Contents
CIA Exam Overview
Part II – Syllabus
CIA II – Mapping IIA Syllabus vs. Gleim Study Unit
Unit 1 – Internal Audit Operations
Unit 2 – Assurance and Compliance Engagements
Unit 3 – Financial, Environmental and Consulting
Unit 4 – Internal Audit Plan
Unit 5 – Engagement Planning
Unit 6 – Information Gathering
Unit 7 – Sampling and Statistical QC
Unit 8 – Analysis, Evaluation, Documentation, and Supervision
Unit 9 – Communicating Results & Monitoring Progress
CIA Exam Overview
• 170K+ members
• Three parts
• Exam duration: 120 minutes (2 hours)
• Exam questions: 100 MCQs (pace: 50 MCQs per hour, 25 MCQs per 30 minutes, i.e. 1.2 minutes per MCQ)
• The test assesses your knowledge, skills and abilities to apply the concepts of managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress (Standards series 2000, 2200, 2300, 2400, 2500, and 2600).
• The largest domain is “Performing the Engagement,” which makes up 40% of the exam.
• Passing score: 600+ on a scaled range of 250–750
• Total 35 topics (14 Basic & 21 Proficient)
Part II – Syllabus
Gleim Units:

#   Gleim Unit                                              Coverage   MCQs
1   Internal Audit Operations                               5%         5
2   Assurance and Compliance Engagements                    5%         5
3   Financial, Environmental and Consulting Engagements     5%         5
4   The Internal Audit Plan                                 5%         5
5   Engagement Planning                                     20%        20
6   Information Gathering                                   14%        14
7   Sampling and Statistical Quality Control                13%        13
8   Analysis, Evaluation, Documentation and Supervision     13%        13
9   Communicating Results and Monitoring Progress           20%        20
    Total                                                   100%       100
CIA II – Mapping IIA Syllabus vs. Gleim Study Unit
I – Managing the Internal Audit Activity (20% – 20 MCQs)
1. Internal Audit Operations
2. Establishing a Risk-Based Internal Audit Plan
3. Communicating and Reporting to Senior Management and the Board
II – Planning the Engagement (20% – 20 MCQs)
4. Engagement Planning
III – Performing the Engagement (40% – 40 MCQs)
5. Information Gathering
6. Analysis and Evaluation
7. Engagement Supervision
IV – Communicating Results & Monitoring Progress (20% – 20 MCQs)
8. Communicating Engagement Results and the Acceptance of Risk
9. Monitoring Progress
Unit 1 – Internal Audit Operations
1.1. Introduction to Internal Audit
Nature of Work
• Internal audit must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic, disciplined and risk-based approach.
• While assessing the governance, risk and control processes, the CAE considers (1) the maturity of the processes, (2) the seniority of the persons responsible and (3) the organizational culture.
• The credibility of internal audit is enhanced by being proactive, offering new insights, and considering future impact.
• The CAE should develop business understanding by reviewing the mission, strategic plan, key objectives, related risks and controls, and the minutes of the board.
• The CAE may document the internal audit charter.
Reasonable Assurance
• The governance, risk and control processes within an organization are adequate if management has planned and designed them to provide reasonable assurance that the organization’s objectives will be achieved efficiently (accurately and timely) and economically (with the minimum use of resources).
Types of Internal Audit Engagement
• Assurance services
• Consulting services
Reporting
• Internal audit shall provide assurance about governance, risk and control to the board and senior management.
• Periodically internal audit shall report on its purpose, authority, responsibility, and performance.
1.2. Internal Audit Administrative Activities
Overview
• The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. (Performance Standard 2000)
• The chief audit executive must establish policies and procedures to guide the internal audit activity. (Performance Standard 2040)
• The content of the internal audit policies and procedures comprises: purpose and responsibility of internal audit, compliance with mandatory guidance, independence and objectivity, ethics, confidentiality, and record retention.
Form, Content & Review
• The internal audit procedures cover: the risk-based audit plan, audit work programs, performance and documentation, communicating results, monitoring and follow-up, the quality assurance and improvement program, CPD and the evaluation of auditors, etc.
Budgeting
• The CAE is responsible for creating the operating and financial budget, which is reviewed by management and approved by the board.
Human Resources
• Structured and behavioral interviews
• The CAE is responsible for hiring and for ensuring that auditors with the proper skills are on the team.
1.3. Stakeholder Relationships
Stakeholder Relationships
• Key stakeholders include the board of directors, the audit committee, management, external auditors, and regulators.
• The CAE must build and maintain strong, constructive relationships with managers and other stakeholders.
The Board and the Audit Committee
• The CAE should report administratively to senior management and functionally to the board.
• The CAE must have direct and unrestricted access to senior management and the board.
Role of the Audit Committee
• The key role of the audit committee is to promote independence.
• Selecting and removing the CAE
• Approving the internal audit charter
• Reviewing and approving the internal audit plan
• Reviewing the final audit engagement results (audit reports)
• Ensuring that corrective actions have been taken to resolve the issues
• Negotiating the external audit fee and endorsing the audit firm
• Overseeing the work and the final results of the external auditors
Relationship with Management
• Internal audit should ensure a good working relationship with management and collaborate with management (participative auditing).
1.4. Internal Audit Resource Requirements
Managing Internal Audit Resources
• The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. (Performance Standard 2030)
• Resources may include employees, service providers, financial support, and IT-based audit methods.
• Resource planning shall be based on the audit universe, risk levels, the audit plan, coverage and special engagements.
• The CAE shall consider succession planning, staff evaluation and development, and other human resource development.
Outsourcing the Internal Audit Activity
• Oversight of and responsibility for the internal audit activity must not be outsourced. (Performance Standard 2070)
1.5. Coordination
IIA Three Lines Model (six principles)
1. Governance – the governing body is accountable to stakeholders; management achieves organizational objectives through risk-based decisions; internal audit provides assurance.
2. Governing body roles – ensuring that structures and processes exist, that objectives and activities are aligned, and that management ensures compliance; overseeing the internal audit function.
3. Management and first- and second-line roles – the first line directly relates to the delivery of products or services; the second line assists with risk management, e.g. compliance, sustainability, ethics, internal controls, IT, quality or ERM.
4. Third line roles – internal audit provides assurance and advice on the adequacy and effectiveness of governance, risk management, and compliance activities.
5. Third line independence – access to information and freedom from bias and interference.
6. Creating and protecting value – alignment of the activities of all roles so that they collectively create and protect value.
Coordinating the work of IA with other providers
• Internal – environmental, financial control, health and safety, IT security, legal, risk management, compliance or quality assurance.
• External – external auditor, third parties, regulators, government agencies, etc.
Methods of coordinating assurance coverage
• Coordinate to avoid duplication of effort and share results.
• Reliance on another service provider does not excuse the CAE from final responsibility for conclusions and opinions.
Coordinating with regulatory oversight bodies
• The internal audit activity coordinates its work with that of inspectors and other personnel from the appropriate governmental bodies and with personnel from internal assurance functions.
Unit 2 – Assurance and Compliance Engagements
2.1. Assurance Engagements
Financial, Compliance, Operational and IT Auditing
• Internal auditors provide independent assessments in financial, performance, compliance, system security, and due diligence engagements.
• The three distinct categories of assurance services are financial, compliance, and operational.
• These services can be provided under outsourcing or co-sourcing arrangements.
• The level of assurance is determined by considering the quality, extent, and cost of internal controls.
2.2. Risk and Control Self-Assessment
Control Self-Assessment (CSA)
• CSA’s basic philosophy is that control is the responsibility of everyone.
• Managers and auditors have an interest in using methods that (1) improve the assessment of risk management and control processes and (2) identify ways to improve their effectiveness.
Elements of CSA
• The CSA process has the following elements: planning, logistics (seating), agenda, scribe, electronic voting and reporting.
Responsibilities
• Senior management oversees the process.
• Operating managers’ responsibilities include the assessment of risks and controls in their units.
• Internal and external auditors provide assurance.
How Internal Auditors Use CSA
Internal auditor involvement in a CSA program may include:
• Sponsoring, designing, implementing, and owning the process;
• Conducting the training;
• Supplying the facilitators, scribes, and reporters; and
• Coordinating the participation of management and work teams.
Key Features
• CSA includes self-assessment surveys and facilitated workshops.
• In its purest form, CSA integrates business objectives and risks with control processes.
Outcomes
• People in the business units become trained.
• Informal, soft controls are more easily identified.
• The organization is subject to greater monitoring and continuous improvement.
• Internal auditors become involved in and knowledgeable about risk and control concepts and act as trainers supporting the CSA program.
• The internal audit activity acquires more information.
• Management’s responsibility for the risk management and control processes of the organization is reinforced.
• The internal audit activity will continue to include validation of the self-assessments in its work.
Approaches
• The three primary approaches of CSA programs are (1) facilitation, (2) survey (questionnaire), and (3) self-certification. Organizations often combine them.
Facilitation Approach (four possible formats)
• Objective based, risk based, control based, process based.
Survey Approach
• Surveys are preferred if the culture of the organization may limit open discussion in workshops.
• The survey questionnaire tends to ask mostly simple “yes/no” or “have/have not” questions.
Self-Certification Approach
• The process owners themselves evaluate the process.
Limitations
• The internal auditor may not effectively use the selected CSA approach(es), or the persons performing the self-assessment may not be skilled in risk management and control. The relevant risks and controls then may not be identified or, if identified, not properly assessed.
2.3. Audit of Third Parties and Contract Auditing
External Business Relationships (EBR)
• Each EBR has risks, and management is responsible for managing and monitoring the risks and achieving the benefits.
• An EBR may involve service providers (IT services), supply-side partners (outsourcing), demand-side partners (distributors), strategic alliances and joint ventures, and IP partners (licenses).
• Benefits of EBRs: lower cost, operational efficiency, special expertise, new technology, known brand and economies of scale.
• Challenges of EBRs: may affect the organization’s reputation, lack of insurance coverage, bad services or products, conflicts of interest, overcharging of fees, insolvency of the EBR, lack of confidentiality.
Auditing EBRs
• There shall be an audit (right-to-audit) clause in the EBR contract.
• The audit program shall cover compliance with the contract, missed revenue or cost savings, and ways to add value.
Third-Party Audits
• The internal auditors should coordinate their activities with those of the third-party auditor to share information and to prevent duplication of effort.
Contract Auditing
• Internal auditors often perform engagements to monitor and evaluate significant construction contracts and operating contracts. The main contract types are lump-sum contracts, cost-plus contracts and unit-price contracts.
2.4. Quality Auditing
• The internal audit activity’s role is to provide assurance that the approved quality structures are in place and quality processes are functioning as intended.
• Traditional vs. modern views of quality – detecting lower-quality products vs. adding value.
• The modern view of quality is the basis for TQM.
• The TQM philosophy is continuous improvement by doing things right the first time.
2.5. Security and Privacy Audits
• The creation of organization-wide computer networks with the potential for access by numerous outside parties has greatly increased risk.
• The amount of personal information stored on computers has greatly increased.
• Privacy engagements address the security of personal information, especially information stored in computer systems.
2.6. Performance Auditing
• A performance audit may provide assurance about the organization’s key performance indicators.
• Internal auditors assess an organization’s ability to measure its performance, recognize deficiencies, and take corrective actions.
• The balanced scorecard and SWOT models could be used to assess performance.
• Performance measures could be financial and non-financial, short term and long term, internal and external.
• A typical balanced scorecard involves financial measures, customer measures, internal process measures, and learning, growth and innovation measures.
2.7. Operational Auditing
Operational Audit Engagements
• An operational audit assesses the efficiency and effectiveness of an organization’s operations. The following are typical operational audit engagements:
• Process (functional) engagements
• Program engagements (measure the accomplishment of program objectives)
Compliance Auditing
• A compliance audit assesses adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
• Internal auditors are encouraged to consult legal counsel in all matters involving legal issues.
Compliance Programs
• Compliance programs assist organizations in preventing unintended employee violations, detecting illegal acts, and discouraging intentional employee violations.
Unit 3 – Financial, Environmental and Consulting
3.1. Financial Engagements
Financial Statements and Corporate Governance
• Internal auditors provide assurance regarding the reliability and integrity of financial information.
• The financial reporting process encompasses the steps to create information and prepare financial statements, related notes, and other accompanying disclosures in the organization’s financial reports.
Management Assertions
• Management makes implicit or explicit assertions on the measurement, presentation and disclosure of the financial statements.
• Internal auditors test these assertions and ensure controls are working as designed.
Key Risks
• Key risks affecting the reliability and integrity of financial information include revenue overstatement, expense understatement, applying unreasonable accounting estimates, and applying outdated accounting principles.
Accounting Cycles
• The audit of financial information may follow the cycle approach:
• Sales and receivables to cash receipts cycle
• Purchases and payables to cash disbursements cycle
• Production (conversion) cycle
• Financing capital and payments cycle: investments, stocks, debt, interest payments, dividends
• Personnel and payroll cycle
• External financial reporting cycle
Fraud Risk
• The auditor plans and performs the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error.
• Fraud affecting the financial statements includes fraudulent financial reporting and misappropriation of assets.
Assessment of Internal Control
Performance Standard 2130 – Control
• The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
• Many countries require management to provide an assessment of the organization’s internal control over financial reporting.
• Internal auditors assist management in meeting these responsibilities.
• Internal auditors must not simply assume that controls are adequate and effective.
• Internal auditors consider whether management monitors the costs and benefits of controls.
• The chief audit executive (CAE) may recommend a control framework if none exists and promote continuous improvement through training, technical development, monitoring, etc.
Internal Audit Plan
• The plan shall be flexible and adjustable during the year.
• It shall cover all major operations.
• Consider recent or unexpected changes.
• Consider the relevance of work performed by others.
• The CAE shall inform the board and senior management of gaps in audit coverage.
Framework for Internal Control
• The CAE provides the board with an assessment of the effectiveness of the organization’s controls, including the adequacy of the control model or design.
• COSO is the widely accepted model, but other models can be used as well.
• COSO has five interconnected components: control environment, risk assessment, control activities, information and communication, and monitoring.
• Internal controls are not limited to accounting controls; they cover other matters such as protection of resources, operational efficiency and compliance with rules, policies, laws and regulations.
Reporting on the Effectiveness of Internal Control
• The CAE reports on the control processes annually to senior management and the board.
• Management is responsible for ensuring the effectiveness and adequacy of controls.
• The board should request an evaluation of internal controls.
Roles for the Internal Auditor
• The CAE needs to review internal audit’s risk assessment and audit plans for the year.
• The CAE’s allocation of the internal audit activity’s resources.
• The CAE shall provide assurance on financial reporting (SOPs, code of conduct, regulatory filings, susceptibility to fraud) and governance matters (overall SOPs, regulatory proceedings, analysis of controls, adequacy of controls).
3.2. Environmental Engagements
Environmental Risks
• The CAE shall include environmental, health, and safety (EHS) risks in the risk assessment. Among the risk exposures to be evaluated are the following:
• Organizational reporting structures
• Likelihood of causing environmental harm, fines, and penalties
• Expenditures mandated by governmental agencies
• History of injuries and deaths
• History of losing customers
• Episodes of negative publicity and loss of public image and reputation
Environmental Audit Functions
• The CAE needs to consider whether exposures are not adequately managed and residual risks exist.
• The environmental audit function generally reports to the general counsel.
• Environmental auditing is typically organized in one of three ways: as a separate environmental audit function, with the CAE and the environmental audit function coordinating, or with the CAE responsible for environmental audits.
Research Findings
• Research on EHS auditing found the following risk and independence issues:
• The EHS audit function is isolated from other auditing activities.
• EHS audit managers usually report administratively to executives.
• EHS written audit reports are distributed to senior management and above.
• Audit information is often classified as confidential and subject to attorney-client privilege.
Role of the CAE
• The CAE fosters a close working relationship with the chief environmental officer.
• The environmental audit function reports to someone other than the CAE.
• The CAE schedules a quality assurance review of the environmental audit function.
• An EHS audit program may be compliance focused, system focused or a combination.
Environmental Auditing
• An organization shall establish an Environmental Management System (EMS). One component of the EMS is environmental auditing, which includes reviewing the adequacy and effectiveness of the controls over hazardous waste.
• There are seven types of environmental audit: compliance audit, EMS audit, transactional audit, treatment, storage, and disposal facility (TSDF) audit, pollution prevention audit, environmental liability accrual audit, and product audit.
3.3. Consulting Engagements – Overview
Definition
• Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.
Principles Applied to Internal Auditors’ Consulting Activities
• Value proposition: consulting adds value.
• Assurance also could result from consulting engagements.
• Assurance and consulting do not preclude other internal audit services, such as investigations and non-audit roles.
• Consulting does not necessarily impair the auditor’s or the internal audit activity’s objectivity.
• The board empowers the internal audit activity to perform additional services through the charter.
• Consulting is a natural extension of assurance and investigative services and may represent informal or formal advice, analysis, or assessments.
• Organizations must have ground rules for the performance of consulting services.
• Consulting services permit the CAE to enter into dialogue with management to address specific managerial issues.
• Accepted engagements must be included in the plan. (Implementation Standard 2010.C1)
• Internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks. (Implementation Standard 2120.C1)
• Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes. (Implementation Standard 2120.C2)
• When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility. (Implementation Standard 2120.C3)
• Internal auditors must incorporate knowledge of controls gained from consulting engagements into their evaluation of the organization’s control processes. (Implementation Standard 2130.C1)
3.4. Consulting Engagements – Internal Audit Considerations
1. Independence & objectivity
2. Due professional care
3. Scope of work
4. Communicating results
5. Documentation – custody and retention of consulting engagement records
6. Monitoring
3.5. Consulting Engagements – Benchmarking
• Benchmarking could be done in the following ways: competitive benchmarking, process (functional) benchmarking, strategic benchmarking, internal benchmarking and generic benchmarking.
3.6. Consulting Engagements – Other Types
1. Internal control training
2. Due diligence auditing
3. Business process mapping
4. System development reviews
5. Design of performance management systems
Unit 4 – Internal Audit Plan
4.1. Risk-Based Audit Plan
Risk
• Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. (The IIA Glossary)
Priorities Based on the Risk Assessment
• The audit plan must be logically related to the identified risks of the organization.
• Large and complex organizations require a more sophisticated assessment.
• The chief audit executive (CAE) should generally assign engagement priority to activities with higher risks.
• Audit engagements should be capable of accomplishment within the given operating plans and budgets and should be measurable.
Interpretation of Standard 2010
• To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
Implementation Standard 2010.A1
• The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
Implementation Standard 2010.A2
• The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.
Implementation Standard 2010.C1
• The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.
The Risk-Based Audit Plan
• The internal audit plan shall be based on the risk assessment.
• The audit universe shall include business units, processes, operations, etc.
• The audit universe shall be evaluated at least annually.
• Input from senior management and the board shall be obtained and kept up to date.
• Internal audit shall assess the risks.
• The work schedule shall be based on the assessed risks and exposures.
Risk Management Process
• Risk management (RM) is critical to sound governance of all organizational activities.
• Management typically uses a framework (e.g., COSO ERM, ISO 31000).
• Inherent risk and residual risk are fundamental risk concepts.
• Key controls reduce an otherwise unacceptable risk to a tolerable level (within the risk appetite).
• The internal auditor also coordinates with other assurance providers.
• Lower-risk areas still need to be included in the audit plan periodically to give them coverage.
• Due professional care shall be ensured in terms of professional skills and competence.
4.2. Risk Modelling
Rank and Validate Risk Priorities
• Risk modelling is used to rank and validate risk priorities for the audit plan.
• Risk factors (likelihood and impact) shall be weighted based on the auditor’s professional judgment.
• In a consulting service, risk modelling can rank potential engagements based on their potential to improve management of risks, add value, and improve the organization’s operations.
AICPA Audit Risk Model
• The audit risk model used by the AICPA:
  Audit Risk = Risk of Material Misstatement × Detection Risk
  Audit Risk = (Inherent Risk × Control Risk) × Detection Risk
• This model is used by an independent auditor engaged to report on whether financial statements are fairly presented, in all material respects.
• The IIA does not officially define audit risk or its components. However, internal auditors can adapt the model to other audit and assurance engagements.
• If inherent risk, control risk, or both are assessed as high, detection risk must be set at a low level to compensate (i.e., more substantive work is needed to hold overall audit risk at the accepted level).
4.3. Communicating and Reporting to Senior Management & the Board
Communication & Approval
Performance Standard 2020 (Communication and Approval)
• The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.
IG 2020, Communication and Approval – the communication should include:
• The proposed assurance and consulting engagements.
• The reason for selecting each engagement.
• The objectives and scope of each engagement.
• The plan should be flexible.
Performance Standard 2060 (Reporting to Senior Management and the Board)
• The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards.
CAE Duty to Report
• The CAE periodically reviews the charter and presents it for approval.
• The CAE annually confirms organizational independence to the board.
• Impairments of independence must be disclosed to the board.
• Senior management and the board determine the responses to significant issues.
• The CAE may share and discuss the report with senior management before presenting it to the board.
• The CAE reports on the overall effectiveness of the organization’s internal control and risk management processes to senior management and the board.
Unit 5 – Engagement Planning
5.1. Engagement Planning and Risk Assessment
Engagement
• “Specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.” (The IIA Glossary)
Performance Standard 2200 (Engagement Planning)
• Internal auditors must develop and document a plan for each engagement.
• The plan includes the engagement’s objectives, scope, timing, and resource allocations.
• The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.
Performance Standard 2201 (Planning Considerations)
• The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance
• The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level
• The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model
• The opportunities for making significant improvements to the activity’s governance, risk management, and control processes
IG 2200 (Engagement Planning)
• The internal auditor should understand significant changes within the organization.
• Understand the entity’s strategy and objectives.
• Understand the risks associated with achieving the strategy and objectives.
• Resources required for the engagement.
• Documents required, their type and format, and retention considerations.
• Logistical concerns.
• Form of the final communication of results.
Preliminary Survey
• Surveys
• Analytical procedures
• Questionnaires
• Interviews
• Observation
• Prior audit reports
• Process mapping
• Checklists
Risk Identification
• Internal auditors must identify key business risks and controls.
• The following methods could be used for identifying risks: brainstorming and the risk and control matrix.
Risk Assessment
• After identifying risks and controls, the internal auditors perform a preliminary risk assessment.
• Internal auditors may use a heat map to visually display assessed risks (likelihood vs. impact) and prioritize them.
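The risk modelling in 4.2 (scoring the audit universe by likelihood and impact, ranking it, and adapting the AICPA audit risk model) and the heat map mentioned above can be worked through end to end. The block below is an added example written for these notes; it is not from the handout, from Gleim or from the IIA. The 1–5 scales, the control-strength factor used to derive residual risk, the heat-map thresholds, the hour budget and the sample audit universe are all assumptions chosen for illustration.

```python
"""Risk modelling for a risk-based internal audit plan.

Added example for these notes, not IIA or Gleim material. Scales, thresholds,
the control-strength factor and the sample audit universe are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AuditableUnit:
    """One entry of the audit universe (a business unit, process or system)."""
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int              # 1 (insignificant) .. 5 (severe), assumed scale
    control_strength: float  # 0.0 (no effective key controls) .. 1.0 (fully effective)
    hours: int               # estimated engagement effort

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")
        if not 0.0 <= self.control_strength <= 1.0:
            raise ValueError(f"{self.name}: control_strength must be 0-1")

    @property
    def inherent_score(self) -> int:
        """Inherent risk = likelihood x impact (1..25)."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> float:
        """Residual risk after key controls: inherent x (1 - control_strength)."""
        return round(self.inherent_score * (1.0 - self.control_strength), 2)


def heat_map_band(score: float) -> str:
    """Bucket a score for a heat map; the thresholds are an assumed convention."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_audit_universe(units: List[AuditableUnit]) -> List[Tuple[str, float, str]]:
    """Rank by residual risk (ties: higher inherent risk first, then by name)."""
    ordered = sorted(units, key=lambda u: (-u.residual_score, -u.inherent_score, u.name))
    return [(u.name, u.residual_score, heat_map_band(u.residual_score)) for u in ordered]


def propose_plan(units: List[AuditableUnit], available_hours: int) -> Tuple[List[str], List[str]]:
    """Greedy fill of the plan in risk order. Units that do not fit are the
    coverage gaps the CAE reports to senior management and the board."""
    by_name = {u.name: u for u in units}
    included: List[str] = []
    deferred: List[str] = []
    remaining = available_hours
    for name, _score, _band in rank_audit_universe(units):
        unit = by_name[name]
        if unit.hours <= remaining:
            included.append(name)
            remaining -= unit.hours
        else:
            deferred.append(name)
    return included, deferred


def required_detection_risk(audit_risk: float, inherent_risk: float, control_risk: float) -> float:
    """AICPA model adapted: AR = IR x CR x DR, so DR = AR / (IR x CR).
    Higher IR or CR forces a lower DR, i.e. more substantive work."""
    for v in (audit_risk, inherent_risk, control_risk):
        if not 0.0 < v <= 1.0:
            raise ValueError("risks must be probabilities in (0, 1]")
    return round(min(audit_risk / (inherent_risk * control_risk), 1.0), 4)


# Constructed sample audit universe (illustrative, not real data).
SAMPLE_UNIVERSE = [
    AuditableUnit("Payroll", likelihood=3, impact=4, control_strength=0.5, hours=200),
    AuditableUnit("Treasury", likelihood=4, impact=5, control_strength=0.2, hours=300),
    AuditableUnit("IT access management", likelihood=4, impact=4, control_strength=0.0, hours=250),
    AuditableUnit("Fixed assets", likelihood=2, impact=2, control_strength=0.5, hours=100),
    AuditableUnit("Procurement", likelihood=5, impact=3, control_strength=0.4, hours=220),
]

if __name__ == "__main__":
    for name, score, band in rank_audit_universe(SAMPLE_UNIVERSE):
        print(f"{name:<22} residual={score:>5}  band={band}")
    planned, gaps = propose_plan(SAMPLE_UNIVERSE, available_hours=800)
    print("planned:", planned, "| coverage gaps:", gaps)
    print("DR needed for AR=5%, IR=0.8, CR=0.5:", required_detection_risk(0.05, 0.8, 0.5))
```

Running it ranks Treasury and IT access management as high (both residual 16.0; Treasury first because its inherent score is higher), Procurement as medium, and Payroll and Fixed assets as low. With an 800-hour budget the greedy fill takes the top three and defers Payroll and Fixed assets, which is exactly the kind of resource-limitation impact Standard 2020 asks the CAE to communicate. Note that the greedy fill does not model the handout's point that low-risk areas still need periodic coverage; a rotation rule (e.g. every unit at least once in three years) would have to be layered on top.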
5.2. Engagement Objectives, Scope, and Criteria
Engagement Objectives
• After the preliminary survey and risk assessment are complete, internal auditors establish objectives.
• Objectives must be established for each engagement. (Performance Standard 2210)
• Objectives are “intended engagement accomplishments” (The IIA Glossary).
Engagement Scope
• After establishing risk-based objectives, internal auditors establish the engagement scope.
• The engagement scope “sets the boundaries within which the internal auditors will work.”
• The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties. (Implementation Standard 2220.A1)
Engagement Criteria
• Criteria are needed to evaluate the area or process under review.
• Sources of criteria: acceptable industry or professional standards, laws and government regulations, best practices, etc.
5.3. Engagement Staff and Resources
Resources at the Engagement Level
• Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives (Performance Standard 2230 - Engagement Resource Allocation)
• Resources include: number and experience of staff; knowledge, skill and competence; training requirements; whether any external resources are required.
Audit Staff Schedules
• Audit staff schedules should be prepared to fulfill tasks on time.
• All engagements should be under budgetary control.
• Audit teams are selected based on their knowledge, skills, and other competencies.
• Budget adjustments need to be justified and approved
5.4. Engagement Procedures
Engagement Procedures
• Physical examination
• Third party information
• Client information
• Original documents are more reliable than copies or altered documents
• Management assertions are required in order to design procedures that test validity.
• Income Statement and Cash Flow Statement - assertions about transactions or events: occurrence, completeness, accuracy, cutoff, classification
• Balance Sheet - assertions about account balances: existence, rights and obligations, completeness, valuation and allocation
• Notes to the Financial Statements - assertions about presentation and disclosure: occurrence, rights and obligations, completeness, classification, accuracy and valuation
• Internal audit should use IT tools: CAATs, audit software, analytical tools etc.
Audit Procedures
• Test of Controls (ToC) – checks the design of controls
• Substantive Test – checks whether the control existed over the period under review
Selection of Engagement Procedures
• Observing
• Interviewing; internal control questionnaire
• Examining; records, tangible assets, verifications
• Other; confirmations (positive and negative), tracing and vouching, re-performance, analytical procedures, scanning.
Maturity Model
• Capability Maturity Model: initial, repeatable, defined, managed, optimizing
• Capability Maturity Model Integration (CMMI) Development 2: incomplete, initial, repeatable, defined, managed, optimizing
Engagement Work Program
• Internal auditors must develop and document work programs (Performance Standard 2240 - Engagement Work Program)
• An engagement work program is a "document that lists the procedures (also referred to as methods) to be followed during an engagement".
• The engagement work program should be approved by the engagement supervisor.
• A pro forma or standardized work program is used for repeated engagements.
• The engagement work program shall include: scope, objectives, risk and control matrix, sample size, resources allocated etc.
Unit 6 – Information Gathering
6.1. Four Qualities of Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives (Performance Standard 2310, Identifying Information). The adequacy of the information is determined based on the auditors' experience and competence and the particular situation.
1. Sufficiency (factual, adequate, convincing) - The sufficiency criterion applies an objective standard. The conclusions reached should be those of a prudent, informed person.
2. Reliability (use of proper engagement techniques to attain the best information) - Information is reliable when it is obtained and documented so that a prudent, informed individual can produce the same results and draw the same conclusions.
3. Relevance (supports engagement observations and recommendations and is consistent with the objectives) - The definition of relevance emphasizes the need for work to be restricted to achieving objectives.
4. Usefulness (helps the organization meet its goals) - Information is useful when it helps the organization meet its objectives and create value for its owners.
6.2. Sources and Nature of Information
Sources of Information
• Internal information – e.g. payroll
• Internal-external information – e.g. cheques
• External-internal information – e.g. supplier invoices
• External information – e.g. balance confirmations
• Outsourced information – e.g. information received from an outsourcing partner
Nature of Information
• Direct evidence – e.g. testimony
• Circumstantial evidence – e.g. flat tire, broken safe
• Conclusive evidence – e.g. watch in the desert
• Corroborative evidence – e.g. the watchman's witness information may be provided
Forms of Evidence
• Physical information (auditors' direct observation) – e.g. review of property or documents
• Testimonial information (written or spoken statement) – e.g. witness statement
• Documentary information (physical) – e.g. accounting records
• Analytical information (shows interrelationships between data) – e.g. debtors ageing
Level of Persuasiveness of Evidence
• Physical examination – most persuasive
• Direct observation – next most persuasive
• Third party originated information – more persuasive
• Client provided information – somewhat persuasive
Incomplete Information
• If the client provides incomplete information, the auditor must do the following: carry out analysis, assess the effects and avoid providing an assertion regarding the information's reliability.
6.3. Questionnaires
Questionnaires are used to obtain an understanding of the client's controls. They have some disadvantages: they are difficult to prepare and time consuming, not all circumstances can be accounted for, and they are less effective than interviews.
6.4. Interviewing
Interviewing and other data-gathering activities obtain testimonial evidence from engagement clients. The main purpose of interviews is to gather facts related to the audit engagement.
Types of Interviews
• Preliminary Interview
• Fact-gathering Interview
• Follow-up Interview
• Exit Interview
6.5. Other Information Gathering Methods
• Observation – looking at a process or procedure being performed
• Internal Survey – mailing a questionnaire to eliminate interviewer bias
Unit 7 – Sampling and Statistical QC
7.1. Statistical Concepts
Population and Sampling
• Population – a population is an entire group of items.
• Sample – sampling involves selecting representative items from a population.
• Other forms of data collection: case study – identifies hypotheses; synthesis – multiple engagement observations are combined into one single engagement; modeling – simulates an existing fact.
Population Distribution
For auditors, each item in a population is associated with a variable of interest such as:
• Discrete variable (yes, no) – tested using attribute sampling
• Continuous variable (monetary value) – tested using variables sampling
Characteristics of a population – the distribution of values of the variable of interest; the most common is the "normal distribution".
Measures of Central Tendency
The shape, height, and width of a population's distribution curve are quantified through its measures of central tendency: mean – average; median – the central value; mode – the most common number.
• Normal Distribution – mean, median and mode all coincide (Graph 1)
• Asymmetric Frequency Distribution – the mean is greater than the median (positively skewed, tail towards the right) (Graph 2)
• Asymmetric Frequency Distribution – the median is greater than the mean (negatively skewed, tail towards the left) (Graph 3)
Standard Deviation and Confidence Level for Normal Distributions
A population's variability is the extent to which the values of items are spread about the mean (dispersion). It is measured by the standard deviation.
• Little dispersion: the standard deviation is small
• Highly dispersed: the standard deviation is large (flat bell curve)
Confidence Level and Confidence Interval
• Confidence Level – how sure we are (e.g. 90%, 95%, 99%) that the population parameter lies within the confidence interval.
• Confidence Interval – the range around a sample value that is expected to contain the true population value. The wider the interval, the higher the confidence; a larger sample size narrows the interval at a given confidence level.
[Figure: level of confidence – 90%, 95%, 99%; the more confident, the wider the interval]
Pilot Sampling and Standard Error
Standard Deviation – quantifies the variation within a set of measurements.
Standard Error – quantifies the variation in the means from multiple sets of measurements.
Coefficient of Variability (it describes consistency) – a coefficient is a constant number or value. The coefficient of variability measures the relative variability within the data and is calculated by dividing the standard deviation of the sample by the mean. A higher percentage means less consistency; a lower percentage means more consistency.
[Figure: standard error on both sides of the mean of the means]
7.2. Sampling Concepts
Nonstatistical (Judgmental) Sampling - based on the auditor's subjective judgment
• Advantages – less expensive, less time consuming, no special statistical knowledge needed, more autonomy
• Disadvantages – not quantitative, high reliance on the auditor's experience
Statistical Sampling – an objective method of sampling
• Advantages – quantitative measure, efficient sample, allows the auditor to quantify sampling risk.
• Disadvantages – expensive, time consuming, requires knowledge
Non-sampling vs. Sampling Risks
• Non-sampling Risk – not related to the sample; it is auditor failure due to inattention or fatigue.
• Sampling Risk – the risk that the sample is not representative of the population. It is inversely proportional to sample size.
Selecting the Sampling Approach
• Random sampling – every item in the population has an equal chance of selection.
• Interval sampling – divides the population by the sample size and selects every nth item.
• Block (cluster) sampling – randomly selects groups of items as the sampling units rather than individual items, e.g. selecting a month.
Basic Steps in a Statistical Plan
• Determine the objectives of the plan (ToCs or substantive testing)
• Define the population
• Determine the acceptable level of sampling risk
• Calculate the sample size
• Select the sampling approach (random, interval, block)
• Take the sample
• Evaluate the sample results and draw conclusions
• Document the sampling procedures
7.3. Attribute Sampling
Uses
• Attribute sampling is appropriate for discrete variables
• Attribute sampling is used for tests of controls, i.e., when two outcomes are possible (compliance or noncompliance).
Sample Size – depends on the following
• Confidence level – the greater the desired confidence level, the larger the sample size
• Population size – the larger the population size, the larger the sample size
• Expected deviation rate – the greater the expected population deviation rate, the larger the sample size
• Tolerable deviation rate – the lower the tolerable rate, the larger the sample size
Evaluation of Sample Results
The evaluation includes calculating the sample deviation rate and the achieved upper deviation limit.
• Sample deviation rate – number of deviations in the sample / sample size
• Upper deviation limit – auditors use a standard table to determine the UDL; the intersection of sample size and number of deviations indicates the achieved UDL.
Other Attribute Sampling Methods
• Discovery sampling – the sample size is not fixed; it is used when even a single deviation is critical. The sample size is calculated so that it will include at least one instance of a deviation if deviations occur in the population at a given rate.
• Stop-and-go sampling – the sample size is fixed; the auditor reduces the sample size when the auditor believes the deviation rate in the population is low.
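Added worked example (not from the handout): the sample sizes and upper deviation limits that the standard attribute sampling tables print can be reproduced from the binomial distribution, which also shows why a sample passes or fails against the tolerable rate. The expected and tolerable rates and the sample results below are constructed.

```python
"""Attribute sampling for a test of controls, worked with the binomial
distribution instead of the printed tables (added example; all figures
are constructed, not taken from the handout)."""
from math import ceil, comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) when X ~ Binomial(n, p): probability of at most k deviations
    in a sample of n items drawn from a population with deviation rate p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(expected_rate: float, tolerable_rate: float, confidence: float = 0.95) -> int:
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, observing no more than the expected number of deviations would be
    unlikely (probability <= 1 - confidence). This reproduces the standard
    tables, e.g. expected 1%, tolerable 5%, 95% confidence -> 93 items."""
    alpha = 1 - confidence
    for n in range(1, 10_000):
        expected_deviations = ceil(expected_rate * n - 1e-9)   # epsilon guards float noise
        if binom_cdf(expected_deviations, n, tolerable_rate) <= alpha:
            return n
    raise ValueError("no feasible sample size: expected rate too close to tolerable rate")


def upper_deviation_limit(n: int, deviations: int, confidence: float = 0.95) -> float:
    """Achieved upper deviation limit: the highest population deviation rate still
    consistent, at the confidence level, with seeing `deviations` in n items.
    Found by bisection on p, because binom_cdf falls as p rises."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):                     # 60 halvings: precision far below 1e-10
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid                        # this rate is still plausible; look higher
        else:
            hi = mid
    return hi


def evaluate_sample(n: int, deviations: int, tolerable_rate: float, confidence: float = 0.95) -> dict:
    """The evaluation step from the handout: sample deviation rate, achieved upper
    deviation limit, and whether the control can be relied upon (UDL <= tolerable)."""
    udl = upper_deviation_limit(n, deviations, confidence)
    return {
        "sample_deviation_rate": deviations / n,
        "upper_deviation_limit": udl,
        "control_effective": udl <= tolerable_rate,
    }


if __name__ == "__main__":
    # Planning: the auditor expects 1% deviations, tolerates 5%, wants 95% confidence.
    print("sample size:", sample_size(0.01, 0.05, 0.95))          # 93
    # Evaluation of constructed results from 100 items tested.
    print(evaluate_sample(100, 1, 0.05))   # UDL about 4.7%: within the 5% tolerable rate
    print(evaluate_sample(100, 2, 0.05))   # UDL about 6.2%: tolerable rate exceeded
```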
7.4. Variables Sampling
Uses
• Variables sampling is used for continuous variables, such as weights or monetary amounts
• It is useful for substantive tests
• In variables sampling, both the upper and lower limits are relevant (overstatement and understatement of the variable)
Sample Size
If the auditor needs a more precise estimate of the tested amount, (s)he must increase the confidence level and the sample size.
• Confidence level – the greater the confidence level, the greater the sample size
• Population size – the greater the population, the larger the sample
• Tolerable misstatement (precision) – the narrower the precision, the larger the sample size
• Standard deviation (variability) – an increase in SD increases the sample size
• Cost benefit – the greater the cost per observation, the smaller the sample size
Primary Methods (types) of Variables Sampling
Examples of the different variables sampling methods:
Mean per Unit (MPU) Estimation – uses the familiar statistical concept of the mean.
Difference Estimation – estimates the misstatement of an amount by calculating the difference between the observed (audited) and recorded amounts.
Ratio Estimation – estimates the population misstatement by multiplying the recorded amount of the population by the ratio of the total audited amount of the sample items to their total recorded amount.
Monetary Unit Sampling (MUS) – larger customer balances are more likely to be selected under MUS. It is typically used to detect overstatement.
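Added example, not from the handout, applying the four methods above to one constructed receivables sample; the population size, book total, balances and the MUS random start are all made up.

```python
"""Variables sampling estimators (mean-per-unit, difference, ratio) and a
monetary unit sampling selection, on constructed figures (added example)."""
from statistics import mean


def mpu_estimate(audited_sample, population_size):
    """Mean-per-unit: project the average audited value per sampled item
    across the whole population."""
    return mean(audited_sample) * population_size


def difference_estimate(recorded_sample, audited_sample, population_size, recorded_total):
    """Difference estimation: project the average (audited - recorded) difference
    per item across the population and add it to the recorded book total.
    Returns (projected_misstatement, estimated_audited_total)."""
    differences = [a - r for r, a in zip(recorded_sample, audited_sample)]
    projected_misstatement = mean(differences) * population_size
    return projected_misstatement, recorded_total + projected_misstatement


def ratio_estimate(recorded_sample, audited_sample, recorded_total):
    """Ratio estimation: scale the recorded population total by the ratio of the
    sample's total audited amount to its total recorded amount.
    Returns (projected_misstatement, estimated_audited_total)."""
    ratio = sum(audited_sample) / sum(recorded_sample)
    estimated_total = recorded_total * ratio
    return estimated_total - recorded_total, estimated_total


def mus_select(balances, sample_size, start):
    """Monetary unit sampling by fixed-interval selection. Every monetary unit has
    an equal chance, so an account's chance of selection is proportional to its
    balance; a balance larger than the interval is certain to be hit (possibly
    more than once). `start` is the random start within the first interval.
    Zero and negative balances are excluded from MUS and must be tested
    separately. Returns the indices of the selected items."""
    if any(b <= 0 for b in balances):
        raise ValueError("MUS requires positive balances; test others separately")
    interval = sum(balances) / sample_size
    if not 0 <= start < interval:
        raise ValueError("random start must lie within the first sampling interval")
    selected, cumulative, next_point = [], 0.0, start
    for idx, balance in enumerate(balances):
        cumulative += balance
        hit = False
        while next_point < cumulative:      # a selection point falls inside this balance
            hit = True
            next_point += interval
        if hit:
            selected.append(idx)
    return selected


if __name__ == "__main__":
    # Constructed population: 1,000 receivables with a recorded (book) total of 1,150,000.
    N, BOOK_TOTAL = 1000, 1_150_000
    recorded = [1000, 2000, 1500, 500, 1000]   # five sampled balances per the ledger
    audited = [950, 2000, 1400, 500, 1000]     # what the auditor confirmed
    print("MPU estimate of audited total:", mpu_estimate(audited, N))           # 1,170,000
    print("Difference estimation:", difference_estimate(recorded, audited, N, BOOK_TOTAL))  # (-30,000, 1,120,000)
    print("Ratio estimation:", ratio_estimate(recorded, audited, BOOK_TOTAL))   # (-28,750, 1,121,250)
    # MUS over five constructed balances, four selections, random start 2,500 (interval 5,000):
    # the 12,000 balance is hit twice, the 300 balance cannot be reached at all.
    print("MUS selected indices:", mus_select([5000, 300, 12000, 800, 1900], 4, 2500))  # [0, 2, 3]
```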
7.5. Statistical Quality Control
Uses
Statistical quality control determines whether a shipment or production run of units lies within acceptable limits.
Acceptance Sampling
This method determines the probability that the rate of defective items in a batch is less than a specified level.
Statistical Control Charts
Statistical control charts are graphic aids for monitoring the status of any process subject to acceptable or unacceptable variations during repeated operations.
1. Variations – Variations in a process parameter may have several causes, such as random (by chance), implementation (human or machine error), measurement (measurement error), model (fluctuation due to model error), prediction (error in forecasting data).
2. Benchmarks – Control limits are established based on benchmarks.
3. Cost Benefit Analysis – The control limits should be set so that the cost of an investigation is less than or equal to the benefits derived.
4. Pareto Diagrams – A Pareto diagram is a bar chart that assists managers in what is commonly called 80:20 analysis. The 80:20 rule states that 80% of all effects are the result of only 20% of all causes.
[Figure: Pareto diagram, effects against causes]
5. Histograms – A histogram displays a continuous frequency distribution of the independent variable: a diagram consisting of rectangles whose area is proportional to the frequency of a variable and whose width is equal to the class interval. Histograms are a type of bar graph where intervals are shown as bars that touch. The key word here is INTERVALS. If there are no intervals of data, then you would not use a histogram.
6. Fishbone Diagrams – The diagram looks just like a fish's skeleton, with the problem at its head and the causes of the problem feeding into the spine. The fishbone diagram or Ishikawa diagram is a cause-and-effect diagram that helps people track down the reasons for problems.
Unit 8 – Analysis, Evaluation, Documentation, And Supervision
8.1. Computerized Audit Tools
CAATs may be systems-based or transaction-based, or may provide automated methods for EXTRACTING and ANALYZING large amounts of data. The benefits of using IT include reduced audit risk, increased productivity and improved audit procedures.
1. Generalized Audit Software (GAS) – to perform analytical procedures (ACL, IDEA).
2. Test Data – auditor-created data is input into the client's programs to assess controls.
3. Parallel Simulation – to determine whether the application performs as the client claims.
4. Data Mining and Extraction – extracting client records to perform audit procedures.
5. Integrated Test Facility – the auditor creates a fictitious entity and observes system processing and results.
6. Embedded Audit Module – permits continuous monitoring of online, real-time systems.
7. Application Tracing and System Mapping – programmer tools that trace source code.
8. Spreadsheet Analysis – permits easy analysis of large amounts of client data (Excel).
9. Internet
8.2. ANALYTICAL APPROACHES AND PROCESS MAPPING
Use of Flowcharts
Flowcharting helps the internal auditor gain an understanding of the client's processes and controls, analyze a system, and identify the strengths and weaknesses of internal controls and the appropriate areas of audit emphasis. Flowcharts are graphical representations of the step-by-step progression of information through preparation, authorization, flow, storage, etc. The system depicted may be manual, computerized, or a combination of the two.
[Figure: flowchart symbols]
Types of Flowchart
• Horizontal – Depicts areas of responsibility
• Vertical – Depicts specific actions by a computer program; also known as program flowcharts.
• Data Flow Diagram – Depicts data flow to, from and within an information system with very few symbols.
• Process Mapping – Depicts a client process
Spaghetti Map
• A Spaghetti Diagram is a VISUAL representation of the PHYSICAL FLOW of MATERIALS, PAPERS and PEOPLE through the tasks (or) activities of a process. It details the flow, distance and waiting time of the transportation of items in the process.
• The goal is to identify the INEFFICIENCIES in a process.
RACI Diagram
A tool that identifies roles and responsibilities against tasks within a project, where R stands for Responsible, A for Accountable, C for Consulted and I for Informed.
8.3. Analytical Review Techniques
Analytical Procedures
• Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations (Performance Standard 2320).
• Benefit: useful in identifying errors, unexpected differences, fraud and exceptional transactions.
• Examples: ratio, trend and regression analysis, reasonableness tests, period-to-period comparison, forecasts, benchmarking.
• If discrepancies are found, the appropriate authorities within the organization should be consulted.
Ratio Analysis
• Financial statement analysis
• Liquidity ratio – current ratio; accounts receivable turnover ratio, inventory turnover ratio, total asset turnover; profitability ratios (gross profit margin, operating profit margin, net profit margin)
• Ratio comparison
• Trend analysis – changes in ratios over time
• Period to period – compares performance for similar time periods
• Industry analysis – compares the organization's ratios with those of competitors
Other Analytical Procedures
• Regression Analysis – relationship between two variables, e.g., sales and costs
• Variance Analysis – difference between actual and budgeted (favorable and unfavorable)
• Benchmarking – compares some aspect of the organization with best-in-class performance
• Benford's Law (First digit law) – Fraud examiners use Benford's Law tests on natural numbers, like payment amounts. This law can be used to detect patterns (or the lack of them) in naturally occurring datasets.
8.4. Workpapers – Purpose and Characteristics
Internal auditors must document SUFFICIENT, RELIABLE, RELEVANT, and USEFUL information to support the engagement results and conclusions (Performance Standard 2330).
• General Guidelines – aid in planning, performance, and review of engagements.
• Workpapers – purpose (planning to conclusion), uniformity, responsibility (CAE, SOP), content, review.
• Best Practices – clear, concise, and complete.
• Other Content – sampling method and tick marks.
• Indexing – cross referencing
• Summaries – orderly and logical flow of information for efficient supervisory review.
• Permanent Files – bylaws, minutes, SOPs, flowcharts, chart of accounts, DOA, previous engagements etc.
• Computerized Workpapers – security issues; benefits: searchable, auto indexing, backup, accessibility, uniformity
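The Benford's Law first-digit test listed under 8.3 (Other Analytical Procedures), as an added example rather than the handout's own material: it counts leading digits, compares them with the expected log10(1 + 1/d) shares using a chi-square statistic, and flags a dataset whose digits are spread evenly, as invented figures often are. Both datasets are constructed.

```python
"""Benford's Law first-digit test over two constructed datasets: one that
follows the law and one with evenly spread leading digits (added example)."""
from math import log10


def first_digit(amount: float) -> int:
    """Leading non-zero digit of an amount, sign and decimal point ignored
    (12.34 -> 1, 0.0523 -> 5). Raises for zero, which has no leading digit."""
    if amount == 0:
        raise ValueError("zero has no leading digit")
    return int(f"{abs(amount):e}"[0])      # scientific notation puts the leading digit first


def benford_expected() -> dict:
    """Expected proportion of each first digit d under Benford's Law: log10(1 + 1/d)."""
    return {d: log10(1 + 1 / d) for d in range(1, 10)}


def first_digit_test(amounts, critical_value: float = 15.507) -> dict:
    """Count first digits, compare with the Benford expectations using a chi-square
    goodness-of-fit statistic (8 degrees of freedom; 15.507 is the 5% critical
    value) and report whether the data conform. Zero amounts are skipped.
    Apply only to 'natural' numbers such as payment amounts, never to assigned
    numbers such as invoice or cheque numbers."""
    counts = {d: 0 for d in range(1, 10)}
    for amount in amounts:
        if amount != 0:
            counts[first_digit(amount)] += 1
    n = sum(counts.values())
    expected = benford_expected()
    chi_square = sum((counts[d] - n * expected[d]) ** 2 / (n * expected[d]) for d in counts)
    return {
        "n": n,
        "counts": counts,
        "observed_share": {d: counts[d] / n for d in counts},
        "chi_square": chi_square,
        "conforms": chi_square <= critical_value,
    }


# Constructed data. Amounts spread evenly on a log scale across three decades
# (10 up to about 9,772) follow Benford closely, like genuine payment populations.
NATURAL_AMOUNTS = [round(10 * 10 ** (k / 100), 2) for k in range(300)]
# Amounts whose leading digits 1..9 each appear equally often (33 of each):
# the flat pattern typical of invented figures.
FABRICATED_AMOUNTS = [d * 100 + k for d in range(1, 10) for k in range(33)]


if __name__ == "__main__":
    for label, data in (("natural", NATURAL_AMOUNTS), ("fabricated", FABRICATED_AMOUNTS)):
        result = first_digit_test(data)
        print(f"{label}: n={result['n']} chi-square={result['chi_square']:.2f} "
              f"conforms={result['conforms']} counts={result['counts']}")
```

A flagged dataset is a lead for further vouching, not proof of fraud; a large number of round-amount policy limits or minimum charges also distorts first digits.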
8.5. Workpapers – Review, Control and Retention
The chief audit executive must CONTROL access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate (Performance Standard 2330.A1).
• Review of working papers: review notes are kept as a record of questions raised, steps taken and results.
• Control of working papers: the chief audit executive must ensure that workpapers are kept secure.
• Access to engagement workpapers: may be granted to support the organization's pursuit of insurance claims, fraud cases, or lawsuits.
• Retention of working papers: the CAE must develop retention requirements for engagement records, consistent with organizational guidelines and regulatory and other requirements.
8.6. Drawing Conclusions
The internal auditor applies EXPERIENCE, LOGIC, and PROFESSIONAL SKEPTICISM to analyzing and evaluating the evidence obtained (findings) in order to draw conclusions.
• Internal auditors are encouraged to identify the root cause when audit procedures detect an unfavorable condition (noncompliance, fraud, opportunity loss, misstatement, etc.).
• Due professional care should be exercised by weighing the effort involved (cost benefit analysis).
• Internal audit staff must report the results of audit work to the auditor in charge, who coordinates the results of audit work and ensures that the work performed supports the conclusions and opinions.
8.7. Supervision
Engagements must be properly supervised to ensure OBJECTIVES are achieved, QUALITY is assured, and STAFF is developed (Performance Standard 2340).
• Supervision by the CAE is relevant to all phases of the engagement. The process includes: ensuring the auditors' proficiency and competence; determining that workpapers support observations, conclusions, and recommendations; and ensuring communications are accurate, objective, clear, concise, constructive, and timely.
• Partnering with management at all levels is one of the best ways for internal auditors to obtain information. To ensure complete cooperation, senior management is responsible for notifying other departments of the existence of the internal audit activity.
• The auditor-in-charge should coordinate work assignments among audit team members during the engagement.
• A written appraisal of each internal auditor's performance is required at least annually.
Unit 9 – Communicating Results & Monitoring Progress
9.1. Communicating with Clients
Engagement Communications
• Internal auditors should be skilled in ORAL and WRITTEN communications.
• The purpose of engagement communications is to INFORM, PERSUADE and get RESULTS.
• A WRITTEN engagement communication should be made even if all issues have been resolved.
Preliminary Communication
• The CAE generally NOTIFIES client management about the timing of the audit, the reasons for it, the preliminary scope, the procedures to be used, and the estimated client resources needed.
• BEFORE this communication, the internal audit activity gathers basic information about the client.
• If the results of a preliminary survey and limited testing reveal NO DEFICIENCIES, the auditor communicates the results (e.g. by memo) and cancels the engagement.
Interim Reports
The use of interim reports does not reduce or eliminate the need for a final report. Interim reports (oral or written), transmitted formally or informally, communicate:
1) Information needing IMMEDIATE ATTENTION
2) A CHANGE in the SCOPE of the engagement
3) The PROGRESS of a long-duration engagement
9.2. Observations & Conclusions
NOTE: The word "findings" is often used as a synonym for "observations" on the CIA exam.
• After identifying, analyzing, evaluating, and documenting engagement information, the internal auditor makes observations and forms CONCLUSIONS.
• FAVORABLE OBSERVATIONS should be short and simple; UNFAVORABLE OBSERVATIONS need further explanation.
• Observations and recommendations are based on the following attributes: CRITERIA, CONDITION, CAUSE and EFFECT.
• Following the above, the auditor makes a RECOMMENDATION, i.e., a call to action to improve or correct the existing condition, and mentions the CORRECTIVE ACTION TAKEN by management to fix the issue.
9.3. Communicating Engagement Results
Final Engagement Communications
Internal auditors must communicate the results of engagements (Performance Standard 2400). The following is guidance on the elements of the final communication:
1. Communications must include the engagement's OBJECTIVES, SCOPE, and RESULTS (Performance Standard 2410).
2. The final communication may include BACKGROUND INFORMATION.
3. A final communication contains observations. LESS CRITICAL OBSERVATIONS may be communicated informally.
4. The auditor may share the overall CONCLUSION and OPINION regarding conformance with the organization's objectives.
5. The overall OPINION on the engagement is NOT mandatory.
6. DISAGREEMENTS are fully disclosed, including both positions and the reasons.
7. A SIGNED report is issued at the end of the engagement.
9.4. Communication Qualities & Overall Opinion
Performance Standard 2420 - Qualities of Communication
• Communications must be ACCURATE (free from error), OBJECTIVE (impartial), CLEAR (logical), CONCISE (to the point), CONSTRUCTIVE (helpful), COMPLETE (relevant information) and TIMELY.
Other Characteristics of Effective Communication
• Good writing is (7 Cs): CORRECT, CLEAR, CONCISE, CONSTRUCTIVE, COMPLETE, Consistent, and Coherent (logically ordered)
• Active voice vs. passive voice
• To EMPHASIZE, use graphics, bullet points and audiovisual aids.
• To SELECT WORDS, be careful: use fact-based (neutral) words, and use strong words only for emphasis, e.g. "fraud" rather than "irregularities".
Performance Standard 2421 - Errors and Omissions
• 2421 - Errors and Omissions: If a final communication contains a significant error or omission, the chief audit executive must communicate (in writing) corrected information to relevant stakeholders.
• 2430 - Conformance: Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing".
• 2421 - Nonconformance: When nonconformance with the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the specific RULE or principle not complied with, the REASON and the IMPACT.
9.5. Exit Conference & Management Response
• Exit Conference: If a final communication contains a significant error or omission, the chief audit executive must communicate (in writing) corrected information to relevant stakeholders.
• Management Review and Response: The client should be given the opportunity to read what will be sent to their superiors. Moreover, seeing the draft report may cause clients to view the results differently.
• Client Satisfaction Survey: Responses by clients about internal auditors' actions should go to both management and the internal auditors to ensure the accountability of the internal audit activity.
9.6. Approve & Distribute Reports
Communication & Approval
• Performance Standard 2440 - The chief audit executive must communicate results to the appropriate parties.
• Organizational protocol also may dictate recipients. The Board receives a summary; executives and the person responsible (in charge) receive the final report for taking corrective action.
Communicating Sensitive Information
• Performance Standard 2440 - The chief audit executive must communicate results to the appropriate parties.
• If the CAE concludes that management is exposing the organization to unacceptable risk, the CAE presents that opinion to the Board.
• Auditors may consider communicating outside the organization, after assessing the risk and impact and taking legal advice.
9.7. Monitor Engagement Outcomes
• Performance Standard 2500 - The chief audit executive must establish and maintain a SYSTEM TO MONITOR the disposition of results communicated to management.
• The system should include recording (a) pertinent OBSERVATIONS, (b) CORRECTIVE ACTION, and (c) CURRENT STATUS.
• The chief audit executive must establish a FOLLOW-UP PROCESS to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.