What is reasonable assurance?
A level of assurance that is satisfactory but not absolute; it is what an internal audit function provides when it conforms with the Global Internal Audit Standards and exercises due professional care.
Performance Measurements
Are created by the CAE with senior management input and must be approved by the board audit committee.
Provide the criteria against which the internal audit function judges its performance in key areas.
Provide a gauge for how well the internal audit function is accomplishing its mission/goals
What is Domain 4?
Managing the Internal Audit Function
How many principles in Domain 4?
4 (9,10,11,12)
What is another name for IA purpose, authority, and responsibility?
Mandate
Mandate
empowers the internal audit function to enhance the organization’s success by providing senior management and the board with objective assurance and advice.
Charter
formal document that includes the internal audit function's mandate, organizational position, reporting relationships, scope of work, types of services, and other specifications.
What standard is the Mandate in?
6.1
Are the mandate and charter the same?
No
What standard is the Charter in?
6.2
Does the IA require a Charter?
Yes
What is the CAE responsible for?
Periodically assessing whether the IAF's purpose, authority and responsibility (mandate) defined in the charter continue to be adequate for the IAF to accomplish its objectives.
Communicating the results of such an assessment to management and the audit committee.
What does the IA Charter provide?
Formal criteria for review and understanding by management and the audit committee.
Facilitation of a periodic assessment of the adequacy of the internal audit function's purpose, authority and responsibility, which establishes the role of the internal audit function.
A formal, written agreement with management and the audit committee regarding the organization’s internal audit function
What is Principle 9?
Plan Strategically
What is standard 9.4?
Internal Audit Plan
What is the Internal Audit Plan?
The chief audit executive must create an internal audit plan that supports the achievement of the organization's objectives. This standard incorporates risk-based planning and auditing concepts, resulting in a prioritized plan of engagements that is updated at least annually.
What is Standard 9.5?
Coordination and Reliance
What is CARES?
SCOPE of IA: Compliance, Achievement, Reliability, Effectiveness, Safeguarding of Assets
Standard 9.2?
Internal Audit Strategy
What is Internal Audit Strategy?
The chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.
What is standard 9.3?
Methodologies
What are methodologies?
Guide the internal audit function in a systematic and disciplined manner to implement its strategy, develop its internal audit plan, and conform with the Standards. (New standard)
Policies and procedures should be…
Consistent with the size of the internal audit function.
Standard 9.5?
Coordination and Reliance: coordinate with internal and external providers of assurance services and consider relying upon their work. Coordination of services minimizes duplication of efforts, highlights gaps in coverage of key risks, and enhances the overall value added by providers.
What is Principle 10?
Manage Resources
Standards in Principle 10?
Standard 10.1 – Financial Resource Management
Standard 10.2 – Human Resources Management
Standard 10.3 – Technological Resources
Standard 8.2?
Resources: evaluate whether internal audit resources are sufficient to fulfill the internal audit mandate and achieve the internal audit plan. If not, the chief audit executive must develop a strategy to obtain sufficient resources and inform the board about the impact of insufficient resources and how any resource shortfalls will be addressed.
Financial Resource Management
manage the internal audit function’s financial resources; Develop a budget that enables the successful implementation of the internal audit strategy and achievement of the plan.
Human Resource Management
The chief audit executive must establish an approach to recruit, develop, and retain internal auditors who are qualified to successfully implement the internal audit strategy and achieve the internal audit plan.
Technological Resources
strive to ensure that the internal audit function has technology to support the internal audit process.
What three things come under managing resources?
Budget, Resources, Technology
Data analysis allows for…
100% testing that provides definitive results and conclusions, continuous auditing, and fraud detection or prevention.
Automated Monitoring
Automated Working Papers
Department Administration and Management
What is Principle 11?
Communicate Effectively
Building Relationships and Communicating with Stakeholders
build relationships and trust with key stakeholders, including the board, senior management, operational management, regulators, and internal and external assurance providers and other consultants
Effective Communications
The chief audit executive must establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete, and timely internal audit communications.
Communicating Results
The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate. The chief audit executive must understand the expectations of the board and senior management regarding the nature and timing of communications.
Communicating the Acceptance of Risks
When the chief audit executive concludes that management has accepted a level of risk that exceeds the organization's risk appetite, the CAE must communicate this to senior management and, if it is not resolved, to the board.
What does QAIP stand for?
Quality Assurance Improvement Program
What is the QAIP designed for?
Evaluate the internal audit function and its conformance with the Global Internal Audit Standards. It is also an evaluation of whether internal auditors apply ethics and professionalism to these activities.
Principle 12?
Enhance Quality
Standard 8.3?
Quality
Quality =
Conformance + Performance
QAIP Framework
ongoing monitoring, periodic self-assessment, and external assessment. The output of these three activities includes findings, observations, and recommendations.
• The QAIP Framework provides for embedding quality assurance and continuous improvement into an internal audit function.
• The framework considers three separate activities or sections within an internal audit activity: governance, professional practice, and communication.
• The QAIP Framework assumes that quality is built into (and not onto) the structure of the internal audit function.
Five Characteristics of a Successful QAIP
Policy
Methodology and process
People
Systems and information
Communication and reporting
Internet of Things
Network connection and transmission of information or data from physical devices, objects, or fixtures.
Cybersecurity refers to:
technologies, processes, and practices designed to protect an organization's information assets.
Cybersecurity vs. Information security
Cybersecurity = protection of networked systems and the data that travel over them.
Information security = broader; covers information in any form, whether held in a system or not.
Effective controls to address cybersecurity include:
Strong security frameworks
Identifying and controlling top risk to org. related to cyber
Cybersecurity awareness programs to all employees
Consideration of external and internal threats
Info security governance
Response protocol
IT Auditor
works extensively in the area of computerized info systems; should have deep IT risk, control, and audit expertise
True or false: It is virtually impossible in today’s business world for any internal audit function to provide value-adding services to its organization unless the function is highly proficient in its knowledge of IT risks and controls and has the capability to effectively apply technology-based audit techniques.
True
What is the IT Auditing Certification called?
Certified Information Systems Auditor (CISA)
Information Technology Governance
Leadership, organizational structures, and oversight processes that ensure the organization's IT supports its objectives and strategies.
What is the IT Governance Framework?
Pentagon shape with five components:
organization and governance structures,
strategic and operational planning,
IT organization and risk management,
service delivery and measurement,
executive leadership and support
COBIT 2019 definition
internationally accepted IT governance framework; the best-known control and governance framework that addresses information technology.
Selection risk
Selection of an IT solution that is misaligned with a strategic objective, which may preclude the execution of the IT-dependent strategy.
Development/acquisition and deployment risk
Problems encountered as the IT solution is being developed/acquired and deployed may cause unforeseen delays, cost overruns, or even abandonment of the project.
Availability risk
Unavailability of system when needed; may cause delays in decision-making, business interruptions, financial and regulatory reporting, lost revenue, customer dissatisfaction
Hardware/software risk
failure of hardware/software to perform properly may cause business interruptions, temporary or permanent damage to or destruction of data, and hardware/software repair or replacement costs.
Access risk
Unauthorized physical or logical access to the system may result in theft or misuse of hardware, malicious software modifications, and theft, misuse, or destruction of data.
Causes for Access risk:
Use of smartphones to access, modify, and store corporate data; open use of wireless networks that also carry guest access to business data; and lack of strong user access or authentication controls.
Confidentiality and privacy risk
Unauthorized disclosure of business partners' proprietary information or individuals' personal information may result in loss of business, lawsuits, negative press, and reputation impairment.
Causes of confidentiality and privacy risk:
unimpeded access to system networks, software, and databases.
System reliability and info integrity risk
Systematic errors or inconsistencies in processing may produce irrelevant, incomplete, inaccurate, and/or untimely information. In turn, the bad information produced by the system may adversely affect the decisions that are based on the information.
Causes of system reliability and info integrity risk:
Software programming errors, weak edit or data verification controls, and unauthorized changes to software.
Fraud and malicious acts risk
Theft of IT resources, intentional misuse of IT resources, or intentional distortion or destruction of information may result in financial losses and/or misstated information that decision-makers rely upon.
IT controls can be categorized as a:
top-down hierarchy of IT governance, management, and technical controls.
The top six layers of the IT control hierarchy represent what? The bottom layer represents what?
The top six layers represent IT general controls; the bottom layer represents application controls.
General Controls (ITGCs)
Apply to all computerized systems or applications; a mixture of software, hardware, and manual procedures that shape an overall control environment.
Application controls:
Specific controls that differ with each computerized application.
The objectives of IT general controls are
ensure the appropriate development and implementation of applications, as well as the integrity of program and data files and of computer operations.
Most common ITGCs
Logical access controls
Systems development life cycle (SDLC) controls
Program change management controls
Physical security controls
System and data backup and recovery controls
Logical access controls
Limit access to infrastructure, applications, and data to authorized users performing authorized functions.
Application controls
built into each application (payroll, accounts payable, inventory management, etc.) and are designed to ensure that only correct, authorized data enter the systems and that the data are processed and reported properly.
Application controls include:
Input, processing, and output controls
Most common types of application controls:
Source document controls
Batch input controls
Online (real-time) input controls
Processing controls
Output controls
Management trail controls
Batch input controls:
Financial totals, record counts, hash totals (the sum of a non-financial field such as vendor numbers; meaningless in itself, but it changes if a record is dropped, duplicated, or keyed with the wrong number), batch totals
Online (real-time) input controls:
Completeness check, field/format checks, sign check, pre-formatting, validity checks, check digits, limit (reasonableness) check, range check, sequence check, zero balance checks, input error correction
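The online input controls listed above, applied to a single vendor-invoice transaction as it is keyed. This is an added example, not code from the study set: the record layout (vendor_id, invoice_no, amount, qty, inv_date), the vendor master list, the amount limit, the quantity range and the processing date are all assumptions chosen so that each check has something to catch, and the check digit uses the Luhn (mod 10) algorithm, one common check-digit scheme.

```python
"""Online (real-time) input controls applied to one transaction as it is keyed.

Added example, not code from the study set. Record layout, vendor master,
thresholds and processing date are assumptions; the check digit is Luhn (mod 10).
"""
import re
from datetime import date

VALID_VENDORS = {"100016", "100024", "100032"}  # assumed vendor master (validity check)
AMOUNT_LIMIT = 50_000.00                        # assumed limit / reasonableness ceiling
QTY_RANGE = (1, 1000)                           # assumed acceptable quantity range
AS_OF = date(2024, 12, 31)                      # assumed processing date for the date check
REQUIRED = ("vendor_id", "invoice_no", "amount", "qty", "inv_date")


def luhn_valid(digits: str) -> bool:
    """Check digit: the last digit makes the Luhn (mod 10) sum divisible by 10."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate(rec: dict) -> list:
    """Apply the input controls to one record; return the failures (empty = accepted)."""
    errors = []

    # Completeness check: every required field present and non-blank.
    missing = [f for f in REQUIRED if not str(rec.get(f, "")).strip()]
    if missing:
        return [f"completeness: missing {missing}"]

    # Field/format check, then check digit, then validity against the master file.
    vendor = rec["vendor_id"]
    if not re.fullmatch(r"\d{6}", vendor):
        errors.append("format: vendor_id must be 6 digits")
    elif not luhn_valid(vendor):
        errors.append("check digit: vendor_id fails Luhn check")
    elif vendor not in VALID_VENDORS:
        errors.append("validity: vendor_id not in vendor master")

    if not re.fullmatch(r"[A-Z]{3}-\d{4}", rec["invoice_no"]):
        errors.append("format: invoice_no must look like AAA-9999")

    # Sign check and limit (reasonableness) check on the amount.
    try:
        amount = float(rec["amount"])
    except ValueError:
        errors.append("format: amount is not numeric")
    else:
        if amount <= 0:
            errors.append("sign: amount must be positive")
        elif amount > AMOUNT_LIMIT:
            errors.append(f"limit: amount exceeds {AMOUNT_LIMIT:.2f}")

    # Range check on the quantity.
    try:
        qty = int(rec["qty"])
    except ValueError:
        errors.append("format: qty is not an integer")
    else:
        if not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
            errors.append(f"range: qty outside {QTY_RANGE}")

    # Date check: a real calendar date that is not after the processing date.
    try:
        inv_date = date.fromisoformat(rec["inv_date"])
    except ValueError:
        errors.append("format: inv_date is not a valid YYYY-MM-DD date")
    else:
        if inv_date > AS_OF:
            errors.append("validity: inv_date is after the processing date")

    return errors


if __name__ == "__main__":
    good = {"vendor_id": "100016", "invoice_no": "INV-0001",
            "amount": "1250.00", "qty": "10", "inv_date": "2024-11-05"}
    bad = {"vendor_id": "100061", "invoice_no": "inv1",
           "amount": "-5", "qty": "5000", "inv_date": "2024-02-30"}
    print(validate(good))   # []
    print(validate(bad))    # one failure per check
```

The "bad" record has the two middle digits of a valid vendor number transposed (100016 keyed as 100061); the check digit catches that before the validity check ever consults the vendor master, which is the point of a check digit at the keying stage.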
Processing controls
Run-to-run control totals, error listing, concurrency controls
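The batch input controls (financial total, record count, hash total) and the run-to-run control totals from the processing controls above, worked through on a constructed batch of vendor invoices. This is an added example, not code from the study set; the batch, the field names and the two stand-in "processing runs" are assumptions made to show where each total is computed and compared.

```python
"""Batch input controls and run-to-run control totals.

Added example, not code from the study set. The batch is constructed and the
two 'runs' are stand-ins for the real edit and posting programs.
"""
from decimal import Decimal

# Constructed batch as keyed from the source documents: vendor number and amount.
BATCH = [
    {"vendor_id": 100016, "amount": Decimal("1250.00")},
    {"vendor_id": 100024, "amount": Decimal("310.50")},
    {"vendor_id": 100032, "amount": Decimal("4999.99")},
    {"vendor_id": 100016, "amount": Decimal("75.25")},
]


def control_totals(records):
    """The three totals a control clerk writes on the batch header slip.

    record_count    - number of documents in the batch
    financial_total - sum of a monetary field (amount)
    hash_total      - sum of a non-financial field (vendor number); meaningless
                      in itself, but it changes if a record is dropped,
                      duplicated or keyed with the wrong vendor number
    """
    return {
        "record_count": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["vendor_id"] for r in records),
    }


def out_of_balance(header, recomputed):
    """Names of the totals that disagree with the batch header (empty = balanced)."""
    return [k for k in header if header[k] != recomputed[k]]


def run_to_run(batch, runs):
    """Carry the control totals from one processing run to the next.

    Each run is a function that takes the previous run's output records and
    returns its own. After every run the totals are recomputed and compared
    with the totals carried forward, so a record lost or altered between
    programs is pinned to the run that lost it. Returns (run_number, broken)
    or (None, []) when every run balances.
    """
    carried = control_totals(batch)
    records = batch
    for n, run in enumerate(runs, start=1):
        records = run(records)
        recomputed = control_totals(records)
        broken = out_of_balance(carried, recomputed)
        if broken:
            return n, broken
        carried = recomputed
    return None, []


# Stand-in processing runs (assumed): a pass-through edit run and a posting run
# that silently drops the last record, the kind of fault run-to-run totals catch.
def edit_run(records):
    return [dict(r) for r in records]


def lossy_posting_run(records):
    return records[:-1]


if __name__ == "__main__":
    header = control_totals(BATCH)          # totals taken from the source documents
    keyed = [dict(r) for r in BATCH]
    keyed[1]["vendor_id"] = 100042          # two digits transposed in one vendor number
    print(out_of_balance(header, control_totals(keyed)))      # only the hash total moves
    print(run_to_run(BATCH, [edit_run, lossy_posting_run]))   # run 2 breaks all three
```

The transposed vendor number leaves the record count and the financial total intact, so only the hash total exposes it; a mis-keyed amount moves only the financial total; a dropped record moves all three. Comparing the totals after each run rather than only at the end tells you which program lost the record.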
Output controls
designed to ensure that application system outputs are valid, complete, and accurate and that security over outputs is properly maintained
Types of output controls:
Output review controls, distribution controls, end-user controls
What does GTAG stand for?
Global Technology Audit Guides: provide supplemental guidance
Fraud is defined as:
Any intentional act characterized by deceit, concealment, dishonesty, misappropriation of assets or information, forgery, or violation of trust perpetrated by individuals or organizations to secure unjust or illegal personal or business advantage.
Fraud risk is:
The possibility that fraud will occur and the potential effects on the organization.
What is the fraud certification:
Certified Fraud Examiner (CFE), the credential for fraud examination and forensic accounting.
Forensic auditing uses accounting and audit knowledge in matters of:
having civil or criminal legal implications
Root causes of fraud
Supply of motivated offenders
Availability of suitable targets
Absence of capable guardians
Means, motivation and opportunity
Excuses/Rationalization
The fraud triangle requires what three things to be present?
financial pressure, rationalization, opportunity
Types of fraud
corruption, asset misappropriation, and fraudulent financial statements
corruption
improper use of power, e.g., bribery. It often leaves little accounting evidence. (Extortion, bribes/kickbacks, conflicts of interest, illegal gratuities)
Asset misappropriation
Stealing cash or other assets (Kiting, lapping, skimming)
Financial statement misrepresentation
Overstates assets or revenues or understates liabilities and expenses
Lapping
A person with access to customer payments and accounts receivable records steals a customer's payment. The shortage in that customer's account is then covered by a subsequent payment from another customer.
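The lapping scheme just described, reconciled from data in the way the data-analysis and fraud-detection cards above suggest. This is an added example, not from the study set: both data sets are constructed. The remittance log is what the mailroom or lockbox recorded as received; the postings are what the AR clerk credited. In the sample the clerk keeps customer A's cheque, covers A with B's cheque and B with C's, so C's balance is the one left open. The field names and the two-day posting tolerance are assumptions.

```python
"""Reconciling a remittance log against AR postings to surface lapping.

Added example, not code from the study set. Both data sets are constructed;
field names and the posting tolerance are assumptions.
"""
from datetime import date

MAX_LAG_DAYS = 2   # assumed tolerance between receipt of a cheque and credit to the account

# Constructed remittance log: what was received, from whom, for how much, cheque number.
REMITTANCES = [
    {"received": date(2024, 3, 1), "customer": "A", "amount": 500, "cheque": "1001"},
    {"received": date(2024, 3, 4), "customer": "B", "amount": 500, "cheque": "2001"},
    {"received": date(2024, 3, 8), "customer": "C", "amount": 500, "cheque": "3001"},
    {"received": date(2024, 3, 9), "customer": "D", "amount": 200, "cheque": "4001"},
]

# Constructed AR postings: B's cheque credited to A, C's cheque credited to B, D posted honestly.
POSTINGS = [
    {"posted": date(2024, 3, 5), "account": "A", "amount": 500, "cheque": "2001"},
    {"posted": date(2024, 3, 9), "account": "B", "amount": 500, "cheque": "3001"},
    {"posted": date(2024, 3, 9), "account": "D", "amount": 200, "cheque": "4001"},
]


def lapping_indicators(remittances, postings):
    """Report three symptoms of lapping from the two data sets.

    misapplied : cheque credited to an account other than the remitting customer
    unposted   : cheques on the log that were never credited to any account
    lagging    : customers whose own payment was credited late (lag in days)
                 or not at all (None); the open balance rolls forward to the
                 next victim as the scheme continues
    """
    by_cheque = {r["cheque"]: r for r in remittances}

    misapplied = [
        (p["cheque"], by_cheque[p["cheque"]]["customer"], p["account"])
        for p in postings
        if p["cheque"] in by_cheque and by_cheque[p["cheque"]]["customer"] != p["account"]
    ]

    posted = {p["cheque"] for p in postings}
    unposted = [c for c in by_cheque if c not in posted]

    lagging = []
    for r in remittances:
        # First credit to this customer's account for the same amount on/after receipt.
        credits = [
            p["posted"] for p in postings
            if p["account"] == r["customer"] and p["amount"] == r["amount"]
            and p["posted"] >= r["received"]
        ]
        if not credits:
            lagging.append((r["customer"], None))
        else:
            lag = (min(credits) - r["received"]).days
            if lag > MAX_LAG_DAYS:
                lagging.append((r["customer"], lag))

    return {"misapplied": misapplied, "unposted": unposted, "lagging": lagging}


if __name__ == "__main__":
    for name, hits in lapping_indicators(REMITTANCES, POSTINGS).items():
        print(f"{name}: {hits}")
```

The cheque-number match only works when the clerk records the real cheque reference; the lag test does not depend on that, which is why both are run. An honest environment produces empty lists for all three; a lapping scheme produces a chain (A covered by B, B covered by C) with the last customer in the chain still unpaid.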
Essential elements in preventing fraud are:
Setting the correct tone at the top and instilling a strong ethical culture.
Safeguarding of assets:
Protects entities against unauthorized use and disposal of assets and intellectual property.
Fraud detection
Detective controls are those that are designed to identify occurrences of fraud or symptoms that may be indicative of fraud.
What is an essential element in detecting fraud?
Employee feedback, e.g., a whistleblower hotline.
no controls can provide…
absolute assurance
When conducting fraud risk assessment, it is important to:
involve individuals with varying knowledge, skills, and perspectives.
Responsibility for fraud controls:
Management is primarily responsible