Flashcards on Assurance Services for CIA Exam Review
Assurance Services
Evaluations conducted by internal auditors to help organizations establish trust and confidence in their governance, risk management, and control processes.
Purpose of Assurance Services
Strengthen the organization’s ability to create and maintain value by providing independent assessments.
Process Owner
The person or group responsible for the activity being assessed.
Operational Efficiency
Checking how well the organization’s processes work.
Reliability of Reporting
Ensuring that financial and operational reports are accurate and trustworthy.
Compliance
Verifying that the organization follows relevant laws and regulations.
Safeguarding Assets
Making sure that the organization’s resources are protected.
Ethical Culture
Assessing the organization’s commitment to ethical conduct.
Governance
The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.
Control Processes
The policies, procedures, and activities designed and operated to manage risks to be within the level of an organization’s risk tolerance.
Internal Control (COSO definition)
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Compliance Assurance
The review of controls intended to ensure organizational adherence to relevant laws and regulations, contractual arrangements, and internal policies.
Operational Assurance
The review of a function or process to appraise the efficiency and effectiveness of operations and whether those functions achieve their objectives.
IT Assurance
The review and testing of IT infrastructure to assure the integrity of information.
Control Self-Assessment (CSA)
A process that helps organizations evaluate their own risk management and control systems.
Benefits of CSA
Heightened awareness of risks, improvement in the effectiveness of controls, and greater accountability among team members.
How Internal Auditors Use CSA
A CSA program augments the traditional role of internal audit by assisting management in fulfilling its responsibilities to establish and maintain risk management and control processes and by evaluating the adequacy of that system.
Three Primary Approaches of CSA Programs
Workshop-facilitation, survey (questionnaire), and self-certification.
Objective-Based Format (Workshop Facilitation)
Focuses on the best way to accomplish a business objective by identifying controls and residual risks.
Risk-Based Format (Workshop Facilitation)
Focuses on risks to achieving an objective to determine significant residual risks.
Control-Based Format (Workshop Facilitation)
Focuses on how well the controls in place are working, producing an analysis of the gap between actual and expected control performance.
Process-Based Format (Workshop Facilitation)
Focuses on selected activities of a chain of processes to improve and streamline the whole process and its component activities.
Survey Approach (CSA)
Uses a questionnaire to ask simple questions that are understood by the target recipients when respondents are numerous or widely dispersed.
Self-Certification Approach (CSA)
Based on a management-produced analysis of selected business processes, risk management activities, and control procedures.
Audits of Third Parties and Contract Auditing
Internal auditors conduct audits of third parties and contracts to enhance risk management by identifying potential compliance issues, reputational risks, and operational inefficiencies related to external business relationships.
Examples of External Business Relationships (EBRs)
Service providers, supply-side partners, demand-side partners, strategic alliances and joint ventures, and intellectual property partners.
Benefits that EBR Partners may provide
Lower costs, better operational efficiency, special expertise, new technology, a known brand, and/or economies of scale.
Significant EBR Risks
Significant EBR risks may not be identified and therefore may not be managed, assessed, or monitored; EBRs may adversely affect the organization’s reputation; and service levels or products may be unsatisfactory.
Internal Audit Procedures for EBR
Evaluating compliance with the contract to determine whether monetary and nonmonetary obligations are met.
Value Added Through Auditing EBRs
Limiting fraud, increasing trust, fostering feedback, and improving relationships.
SOC 1 Report
A service auditor issues a report for the financial statement auditor of a client that uses the service provider, so that the auditor can understand and rely on the service provider’s controls.
SOC 2 Report
Used by customers and business partners interested in the controls that a service provider uses to provide services; includes an opinion on management’s description and suitability of the controls.
SOC 3 Report
A more generalized version of a SOC 2 report that is suitable for general use.
Contract Auditing
Auditor investigates whether the terms of the contract have been met by all parties.
Lump-Sum Contracts
Used when requirements are well-defined, uncertainties can be identified and costs estimated, and competition is adequate.
Cost-Plus Contracts
Set a price equal to cost plus a fixed amount, or cost plus a fixed percentage of cost.
Unit-Price Contracts
Often used when a convenient measure of work is available; the key issue is the accurate measurement of the work performed.
Source Code Escrow Clause
Requires the application source code to be held in escrow by a trusted third party.
Quality Auditing
Internal audit’s objective is to provide assurance that quality processes are operating so that quality standards are met. Covers all processes, from product design to materials acquisition and final inspection.
Total Quality Management (TQM)
Covers all processes, from product design to materials acquisition and final inspection. Can increase revenues and decrease costs significantly.
TQM definition
Continuous pursuit of quality in every aspect of organizational activities through a philosophy of doing it right the first time.
Basic Quality Management Objectives
Customer satisfaction, continuous improvement, and promotion of teamwork.
Security Auditing
The internal audit function evaluates the adequacy and effectiveness of controls designed and implemented by management in all areas of security.
Information Security Auditing
The internal audit function needs to assess risks, monitor the implementation of corrective action, and evaluate controls.
Board Responsibilities Regarding Privacy
Accountable for identification of principal risks, implementation of controls, and management of privacy risk.
Internal Audit Function Responsibilities Regarding Privacy
Evaluates the privacy framework, identifies significant risks, and makes recommendations.
Information Reliability and Integrity
Includes accuracy, completeness, and security; the internal audit function provides assurance that management is appropriately discharging this responsibility.
Privacy
May simply be the protection of the collection, storage, processing, dissemination, and destruction of personal information or, more fundamentally, a human right.
Principle 5: Maintain Confidentiality
Internal auditors use and protect information appropriately.
Performance Audits
Evaluate how effectively an organization measures and accomplishes its objectives.
Balanced Scorecard
Tool that relates critical success factors determined in a strategic analysis with financial and nonfinancial measures.
SWOT Analysis
Evaluates internal factors (strengths and weaknesses) and external factors (opportunities and threats) to identify critical success factors.
Organization's Greatest Strengths
The basis for its strategy and its ability to compete successfully.