
UNIT ONE

CIA Review Book 1

Mandatory auditing pronouncements of the IIA: International Standards for the Professional Practice of Internal Auditing (Standards)
o State basic principles of practice of internal auditing
o Provide framework for performing internal auditing
o Basis for internal audit performance
o Improve org. processes and operations

International Professional Practices Framework (IPPF)
o Mandatory guidance: Definition of internal auditing (purpose, nature, and scope of IA), Code of Ethics (behavior of individuals and organizations in IA), and International Standards (principle-focused framework)
   Standards: Attribute (1000s) and Performance (2000s) Assurance and Consulting
   Attribute: attributes of org and individuals providing IA
   Performance: nature and quality of IA
   Implementation (integrated with attribute and performance): attribute/performance standards that only apply to assurance (process owner, internal auditor, and user of assessment) and consulting (internal auditor and client)
o Strongly recommended guidance: Position paper (understand governance, risk, and control issues), practice advisories (apply definition of mandatory guidance), and practice guides (conducting internal audit activities)

Internal auditing: independent and objective, assurance and consulting, add value and improve operations, systematic, and evaluate risk mgmt. and governance.

Unit Two

Internal audit activity must be independent and objective
Internal auditors can provide consulting services they had previously provided but not audit services (can't do assurance and audit together either).

Unit Three

Vital processes that enable the org to meet its objectives: governance, risk mgmt., and control
Directive control - to cause or encourage the occurrence of desirable events
IA should evaluate and contribute to the improvement of governance, risk mgmt., and control processes

Unit 4

IAA evaluates the whole mgmt. process that extends work to all systems, processes, operations, functions, and activities.
IA more concerned over oversight Governance Risk mgmt. Control
IAA risks: audit failure, false assurance, and loss of reputation.
BCM - business continuity management

Control process: Establish standards, measuring performance, analyzing deviations, taking correcting actions, reviewing standards
COSO: Control environment, risk assessment, information and comm., monitoring, and existing control activities. Risks under 3 objectives: operations, financial reporting, and compliance
CoCo model: purpose, commitment, capability, and monitoring/learning
CoBiT focus areas: strategic alignment, value delivery, resource mgmt., risk mgmt., and performance measurement
CoBit - four characteristics: business-focused, process-oriented, controls-based, and measurement-driven
Soft controls - ethical values and mutual trust
Objectives of COSO - eff. Operations, compliance, and reliability of F/S
ERM categories of objectives: strategic, operational, reporting, and compliance
Components of ERM: internal environment, obj setting, event identification, risk assessment, risk response, control activities, info and comm., and monitoring

Unit five

Unit 6

Uncertainty: capacity, volatility, and complexity
5 components of org (Henry Mintzberg): Operating core, strategic apex, middle line, technostructure, and support staff
Three stages of Kurt Lewin's process model: unfreezing, change, and refreezing
Levels of comprehension: analysis, synthesis, and evaluation
SOD: authorization, recording, and custody
Sawyer means of control: organization, policies, procedures, personnel, accounting, budgeting, and reporting

Unit 7

External assessments must be conducted at least once every 5 years by independent reviewer
Review Standards - basic measurement of IA, basic principles, and improved org processes, not ethical standards
Residual risk - risk that is not managed (affect achievement of objectives)
If IA doesn't have the skills, hire a specialist (don't start)
IA must have an understanding of management principles
Audit payroll controls in the org, as well as the outsourced ESP
IAA's charter - source of authority, access to records, and scope (enhances independence)
Source of authority is granted by management and the board
CAE should have unrestricted access to senior management and board (dual relationship)
Scope limitations - communicate effects to the board
Senior mgmt. is responsible for maintaining an org culture
Corrective action not taken - discuss with personnel responsible
IA should provide assurance on the mgmt. of the risk
CAE determines IAA has access to resources to evaluate reliability of info
Policies and procedures - feed-forward control (anticipates/prevents problems)
Operations standards are vague - ask mgmt. criteria to be used to measure
ICQs are not required for every engagement
ERM not expected to provide reasonable assurance about strategic and operations
o ERM - negative impacts on org objectives
Treasurer has the check signature stamp for payroll (retain unclaimed checks)
Matrix form of org - report to multiple managers (dual lines of authority)
Mechanistic structure for mass production of automobiles (manufacturing)
Referent power - identification of subordinates with a superior
Selling leadership style - explains decisions and provides opportunity
Most essential for guiding internal audit staff - policies and procedures
Oversight of work of external auditors is the responsibility of CAE
Need permission to give external audit program to other auditors, but don't need permission for internal audit programs
Internal quality program assessments - report to CAE
Preliminary survey - become familiar with activities and identify areas for engagement emphasis

Greatest risk after merger - purchasing function
Assessment of work of external auditors - evaluation of the coordination between internal and external auditors
Scope of audit - defined by objectives
Code of conduct - comprehensiveness and compliance
Can't engage in social invitation by the external auditor
IA can't accept gift EVER
IA must be supervised, who is not proficient in the area of audit
IA should not withhold information even if there is no proof
Even if mgmt. is aware of the fraud/problem, report them
If fraud is present, expand activities to determine whether an investigation is warranted
Undiscovered materially adverse impact on F/S should be told to mgmt.
Engagement info relevant = consistent with engagement objectives
Engagement info reliable = objective and unbiased
Appraisal of each IA's performance every year
Physical evidence observation external evidence inquiry
CAE develops retention requirements for engagement records and legal counsel approves it
Records not protected by the attorney-client privilege are accessible in criminal proceedings.
For assurance engagements, recommendations aren't always required
Elements of engagement communication: scope, conclusion, and recommendation
Interim engagement communication: immediate action required, scope change, extend engagement
Exit meeting: commitment for appropriate managerial action
Operational engagement - efficiency, effectiveness, and cost savings
Assurance and consulting are not mutually exclusive - have to be 1 year apart
Independence not required for consulting
Due diligence is a review of F/S and disclosures
TQM focuses on customer satisfaction (team process improvement)
Internal auditor can't implement reengineered process (independence)
Automated controls need more control since there isn't human judgment
SDLC is not suited for unstructured projects
LAN - device that stores program and data files for users of the LAN
Primary record key - only one so vendor # in AP, not vendor # in PO
1 private key, 1 public key is RSA (Rivest, Shamir, and Adleman)
Mean > median - positively skewed
Median is not affected by greater losses
Pilot sample - estimate SD
Chi-square test can be applied to nominal data

Sample size directly relates to confidence level, and inversely relates to precision
Low risk if tolerable rate is further away from sample deviation rate
Tolerable misstatement decreases, sample size increases
Mean per unit = audited sample/sample size * population size
Attribute sampling technique - yes or no answers
