Author: The Institute of Internal Auditors (IIA)
Part 1: Essentials of Internal Auditing

Welcome to Part 1 of The IIA’s CIA Learning System®. The self-study text for the learning system includes the content addressed in The IIA’s CIA syllabus. (You can download the syllabus from the online Resource Center or from The IIA’s website.) However, in some cases, the content has been reorganized to facilitate instruction and understanding. Refer to the Table of Contents for an outline of the content.

To get the most out of the course materials, complete the course in this order:
1. Begin by accessing the course at www.learncia.com.
2. Read the overview and return to the menu. Select Part 1 from the menu.
3. Complete the pre-test and view the report to help focus your study efforts.
4. Read each section and follow the Next Steps directions included at the end of the section.
5. Complete Part 1 as outlined in the online overview.

Note that Part 1 of the CIA exam will consist of 125 multiple-choice questions and test takers are given 150 minutes to complete this portion of the exam. You can go to https://na.theiia.org/certification/CIA-Certification/Pages/CIA-Certification.aspx to register for the exam separately.

Study Support
The IIA’s CIA Learning System includes online tools to support your study. These tools may be accessed from the menu at any time.
• Glossary—Refer to the glossary for definitions of terms used in all three parts of The IIA’s CIA syllabus.
• Reports—Refer to the reports to review your most recent test scores and progress through the learning system.
• Resource Center—Refer to the Resource Center to access information about The IIA’s International Professional Practices Framework, updates, test-taking tips, printable flashcards, related links, and reference material and to provide feedback to The IIA regarding the learning system.
The IIA’s CIA Learning System® The IIA’s CIA Learning System® is based on the Certified Internal Auditor® (CIA®) syllabus developed by The IIA. However, program developers do not have access to the exam questions. Therefore, while the learning system is a good tool for study, reading the text does not guarantee a passing score on the CIA exam. Every effort has been made to ensure that all information is current and correct. However, laws and regulations change, and these materials are not intended to offer legal or professional services or advice. This material is consistent with the revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, effective in 2017. Copyright These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will limit the program’s usefulness. The IIA invests significant resources to create quality professional opportunities for its members. Please do not violate the copyright. Acknowledgments The IIA would like to thank the following dedicated subject matter experts who shared their time, experience, and insights during the development and subsequent updates of The IIA’s CIA Learning System. Pat Adams, CIA Terry Bingham, CIA, CISA, CCSA Raven Catlin, CIA, CPA, CFSA Patrick Copeland, CIA, CRMA, CISA, CPA Don Espersen, CIA Al Marcella, PhD, CISA, CCSA Markus Mayer, CIA Vicki A. McIntyre, CIA, CFSA, CRMA, CPA Gary Mitten, CIA, CCSA
Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE James D. Hallinan, CIA, CPA, CFSA, CBA Larry Hubbard, CIA, CCSA, CPA, CISA Jim Key, CIA David Mancina, CIA, CPA Lynn Morley, CIA, CGA Lyndon Remias, CIA James Roth, PhD, CIA, CCSA Brad Schwieger, CPA, DBA Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CITP
Part 1 Overview Internal auditing is a discipline that works on behalf of management, the board of directors, and other stakeholders of public and private entities to improve and add value to governance, risk management, and control procedures. This is in contrast to external auditing, which serves third parties who require reliable financial information based on reliable supporting records. Instead, internal auditors typically have a broader focus (based on their approved internal audit activity charter) that requires them to examine and appraise controls, financial performance, compliance with laws and regulations, and operational performance for their effectiveness. Rather than primarily focusing on historical events as external auditors do, internal auditors also help the board and management make current as well as future-oriented decisions. For example, internal auditors may be asked to assess whether planned operations have the proper controls in place to be likely to achieve organizational goals and objectives. Drawing further distinctions between internal and external auditors as well as other related review functions can help clarify what internal auditing is and what it is not. These distinctions are described below: • External auditors/financial auditors. These auditors provide an attestation solely based on the financial reports and statements generated by an organization. While these auditors focus on the accuracy of reported information, they also review the records supporting the statements and the related controls over the financial information. The work of external and financial auditors is historical in nature and is critical to allowing investors and other third parties to make informed decisions (e.g., investing, approving debt issuance) about an organization based on its financial statements when taken as a whole. 
In the U.S., audits of private companies are governed by the Generally Accepted Auditing Standards (GAAS) of the American Institute of Certified Public Accountants (AICPA) and audits of public
companies are governed by the Auditing Standards (AS) of the U.S. Public Company Accounting Oversight Board (PCAOB). The International Federation of Accountants (through its International Auditing and Assurance Standards Board) also promulgates International Auditing Standards (IAS), and these may be in use or adapted for use in various jurisdictions. For example, the U.K. uses a derivative of IAS. • Compliance. Compliance reviews typically serve to determine whether or not an organization is adhering to a specified law, regulation, standard, policy, or procedure, and the results are reported as such. Compliance audits do not necessarily consider the effectiveness and efficiency of business processes but rather primarily whether the process is—or is not—in compliance. Typically, specialized individuals, some with legal or compliance backgrounds, conduct these reviews. • Regulators. These auditors work for regulating bodies (in the U.S., for example, the Financial Industry Regulatory Authority [FINRA], the Securities and Exchange Commission [SEC], and the Office of the Comptroller of the Currency [OCC]), and they review compliance with specific regulations as well as the overall safety and soundness of the organizations being examined. These auditors perform compliance reviews of corporations or agencies that are regulated by the specified regulating body. • Government auditors. Government auditors typically work for departments, ministries, or agencies of a government and provide assurance regarding program requirements, performance audits, budget reviews, and management audits. A few more contrasting points between the internal and external auditing professions will round out this overview of internal auditing: • First, individuals employed in an internal audit activity are typically employees of an organization. However, there are alternative arrangements to staff an internal audit department through out-sourcing,
co-sourcing, and secondment arrangements. By contrast, external auditors are always independent contractors. • Second, internal auditors provide assurance, compliance, and consulting services and are also concerned with detecting patterns of errors, inefficiencies, and irregularities, including fraud, that impact an organization’s ability to accomplish its objectives, with limited regard for financial materiality. Internal auditors are primarily future-focused, and they play a strong role in helping management improve the organization’s control structure. External auditors are primarily concerned with preventing or detecting fraud when it may have a material effect on the financial statements, though they are still concerned with the potential indicators of fraud overall. • Third, internal auditors must be independent from the internal organizational functions that they audit, meaning that they exercise no management duties over the areas being audited. Internal audit activities also achieve organizational independence through their direct functional reporting to the board of directors (or a designated audit committee of the board). In general, they remain ready to respond to requests from the board and all management constituents. In contrast, external auditors are independent of both the board and management in fact and in mental attitude. Part 1 of The IIA’s CIA Learning System looks at a number of the essentials of internal auditing. • Section I covers the foundations of internal auditing—The IIA’s International Professional Practices Framework; the purpose, authority, and responsibility of the internal audit activity; the requirements of the audit charter; the difference between assurance and consulting services. • Section II looks at the concepts of independence and objectivity. • Section III looks at the concepts of proficiency and due professional care.
• Section IV describes aspects of a quality assurance and improvement program. • Section V covers organizational governance, risk, and controls and corporate social responsibility, and it looks at risk management within an audit activity charter. • Section VI focuses on fraud risks—the types of these risks, the potential for such risks occurring, and controls to prevent and detect fraud.
Section I: Foundations of Internal Auditing This section is designed to help you: • Identify and apply relevant ethical, practical, and legal standards to audit practice, including The IIA’s Code of Ethics, International Standards, and Practice Advisories and relevant laws. • Explain the International Professional Practices Framework categories of guidance. • Explain the Mission of Internal Audit. • List the Core Principles for the Professional Practice of Internal Auditing. • Define internal auditing. • Describe compliance with The IIA’s Code of Ethics. • Explain how the purpose, authority, and responsibility for an internal audit activity are documented, communicated, and approved. • Understand the importance of securing the board’s approval of the internal audit activity charter and audit plan. The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 15% of the total number of questions for Part 1. One of the topics is covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.) The other topics are covered at the “P—Proficient” level, meaning that you are responsible not only for comprehension and recall of information but also for higher-level mastery, including application, analysis, synthesis, and evaluation. Section Introduction The profession of auditing has a rich and storied past. The earliest accounts of auditing date back to Mesopotamia, where marks were used to record ship cargos and verify financial transactions. In ancient Rome, the Latin word auditus (the precursor to our term audit) referred to the
hearing of oral evidence as one official would verify records with those of another. Internal auditing has evolved through the years, gaining recognition from executives and organization leaders and altering the focus of audit efforts to respond to the changing needs of the global environment. Today, it focuses heavily on integrated audits, where auditors provide assurance related to any combination of the following engagement types: • Controls assurance. Providing assurance related to the design and operating effectiveness of key control activities; controls may be operations-, reporting-, or compliance-related. • Information technology (IT). Providing assurance related to the design and operating effectiveness of general IT or specific application control activities. • Compliance. Providing assurance related to the design and operating effectiveness of control activities and procedures in place to assure compliance with laws, regulations, policies, etc. • Operations. Providing assurance related to the effectiveness and efficiency of an organization’s operations, including performance and profitability goals and safeguarding resources against loss. • Financial assurance. Providing assurance related to the achievement of one or more financial statement assertions (also called management assertions): • Existence or occurrence • Completeness • Valuation and allocation • Rights and obligations • Presentation and disclosure Throughout the centuries, auditors have continued to pursue the truth,
control transactions, and prevent or detect fraudulent acts. Today, internal audits are independent, unbiased fact-finding exercises that provide verifiable information to a board of directors (especially its audit committee), management, or outside interests. Note that, according to The IIA, a board is: The highest level of governing body charged with the responsibility to direct and/or oversee the activities and management of the organization. Typically, this includes an independent group of directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the “board” may refer to the head of the organization. “Board” may refer to an audit committee to which the governing body has delegated certain functions (e.g., an audit committee).
Topic A: The IIA’s International Professional Practices Framework/Purpose, Authority, and Responsibility of the Internal Audit Activity (Level P) The Framework The Institute of Internal Auditors (The IIA) provides internal audit practitioners with an International Professional Practices Framework (IPPF). This framework contains many components, as described below, but one key component is referred to as “the Standards.” The IPPF exists to guide internal auditors’ professional practice and ensure the highest-quality internal audit results. In The IIA’s own words, “The purpose of the . . . IPPF is to organize The Institute of Internal Auditor’s . . . authoritative guidance in a manner that is readily accessible on a timely basis while strengthening the position of The IIA as the standard-setting body for the internal audit profession globally.” Furthermore, by reflecting the evolution of current practice, the framework aims “to assist practitioners and stakeholders throughout the world in being responsive to the expanding market for high quality internal auditing.” In general, a framework like the IPPF provides a structural blueprint of how a body of knowledge and its related guidance fit together. As a coherent system, a framework facilitates consistent development, interpretation, and application of concepts, methodologies, and techniques useful to a discipline or profession. Throughout the world, internal auditing is performed in diverse environments and within organizations that vary in purpose, size, and structure (e.g., publicly traded, privately owned, not-for-profit, governmental, etc.). In addition, the laws and customs of various
countries differ. These differences may affect the practice of internal auditing in each environment. The implementation of the IPPF, therefore, will be governed by the environment in which the internal audit activity carries out its assigned responsibilities. No information contained within the IPPF should be construed in a manner that conflicts with applicable laws or regulations. If a situation arises where information contained in the IPPF is in conflict with legislation or regulation, internal auditors are encouraged to contact The IIA or legal counsel for further guidance. The IPPF is the compass that provides internal auditors with direction to keep up with the rate of business change. The framework is regularly updated by the International Internal Auditing Standards Board and related IIA international committees. The current IPPF was introduced in July 2015 and became effective in 2017. The International Professional Practices Framework is shown in Exhibit I-1. Exhibit I-1: International Professional Practices Framework The IPPF consists of:
• The Mission of Internal Audit. • The Core Principles for the Professional Practice of Internal Auditing. • The Definition of Internal Auditing. • The Code of Ethics. • The International Standards for the Professional Practice of Internal Auditing (the Standards). • Implementation Guidance. • Supplemental Guidance. The Mission of Internal Audit, the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards are available to be read or downloaded from The IIA’s website (www.theiia.org), along with a great deal of other material relevant to internal auditors, whether or not they are IIA members. (Other materials that may be available to the public for reading or downloading from the website include the monthly newsletters, IIA Global SmartBrief and Tone at the Top, and the Internal Auditor magazine, all of which will be cited as authoritative sources in these study materials.) These materials enhance the knowledge and skills of internal auditors. The Implementation Guidance and the Supplemental Guidance are intended for the use of IIA members and are password-protected. The full International Professional Practices Framework is available, however, in printed and e-book versions, known familiarly, and for reasons obvious to those who have seen it, as the “Red Book.” It can be ordered online. While the book includes all aspects of the framework, it is not necessarily as up-to-date as the online version, which is subject to continuous review, revision, and addition. Internal auditors should be sure they are familiar with the most current version of the framework available at The IIA’s website. As the auditing environment evolves, so
will the recommended guidance materials and, at a more deliberate pace, the Standards. For example, the 2017 edition of the Standards includes two new standards, alignment of the Standards to the Core Principles, and updates to existing standards. Note that this learning system is consistent with the revision of the Standards effective January 1, 2017, which can be viewed at global.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx.

Authoritative Guidance in the IPPF

As shown above in Exhibit I-1, the authoritative guidance in the IPPF comprises two categories: mandatory and recommended. The Mission of Internal Audit, the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards make up the core of the IPPF, and abiding by them is mandatory for IIA members, practicing internal audit professionals, and Certified Internal Auditors. Mandatory guidance is denoted within the Standards by the use of the terms must and should. The IPPF Standards Glossary (in the IPPF “Red Book”) defines these words in the following manner:
• The word must specifies an unconditional requirement.
• The word should is used where conformance is expected unless, when applying professional judgment, circumstances justify deviation.

The introduction to the Standards goes on to clarify what is meant by mandatory guidance:

The Standards apply to individual internal auditors and internal audit activities. All internal auditors are accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, internal auditors are accountable for conforming with the Standards, which are relevant to the performance of their job responsibilities. Chief audit executives [CAEs] are accountable for overall conformance with the Standards.
(Note: Adherence to the Standards is required even for those who are not IIA members or CIAs if the statement “conformance with the standards” is used in their work.) The IPPF’s recommended forms of guidance support the mandatory components. Each standard, for example, is supported by a corresponding Implementation Guide. There are also links, in some cases, to the growing collection of Practice Guides, including the Global Technology Audit Guides (GTAGs) and other supplemental guidance documents. The Implementation Guidance and the Supplemental Guidance are optional, not mandatory. They are The IIA’s version of “best practices.” They provide detailed guidance for conducting internal audit activities, including topical areas, sector-specific issues, processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables. Recommended guidance is endorsed by The IIA and was developed using due process by an IIA international guidance committee and/or institute. Rather than providing definitive answers, supplemental guidance contains a wide range of possible solutions and methods of implementing the mandatory guidance. A description of each of the IPPF components is included next. Note, however, that The IIA’s Code of Ethics is not covered in this topic. It is covered later, in Topic D of this section. The Mission of Internal Audit The Mission of Internal Audit in the IIA’s International Professional Practices Framework articulates what internal audit aspires to accomplish in an organization: To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. Its place in the IPPF is deliberate, demonstrating how practitioners
should leverage the entire framework to facilitate their ability to achieve the mission. The Core Principles The IIA describes its Core Principles for the Professional Practice of Internal Auditing, which are included in the IPPF, as follows: The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission. The Core Principles include: • Demonstrates integrity. • Demonstrates competence and due professional care. • Is objective and free from undue influence (independent). • Aligns with the strategies, objectives, and risks of the organization. • Is appropriately positioned and adequately resourced. • Demonstrates quality and continuous improvement. • Communicates effectively. • Provides risk-based assurance. • Is insightful, proactive, and future-focused. • Promotes organizational improvement. The Definition of Internal Auditing According to The IIA’s Definition of Internal Auditing: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
As defined in the Standards Glossary, an internal audit activity is “a department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations.”

Internal auditing activities are often referred to in relation to the acronym GRC (governance, risk, and control) due to the value-adding services internal auditing provides in assurance and consulting engagements to evaluate and help improve GRC effectiveness. Internal auditing is performed by professionals with an in-depth understanding of the culture, systems, and processes of the business. Internal audit activities may be performed by people from within the organization and/or outside the organization (i.e., co-sourced or out-sourced).

Effective internal auditors serve as an organization’s corporate conscience and advisors for governance, risk, and control operational efficiency and effectiveness. They also educate and make recommendations to management and the board of directors (and/or other governance oversight bodies) to support the organization in meeting its goals and objectives. In fulfilling these responsibilities, internal auditors must demonstrate professionalism, objectivity, knowledge, integrity, and leadership.

Key Terms in the Definition

The following text defines and breaks down some key terms from the Definition of Internal Auditing.

Independent and Objective

The first part of the definition is that internal auditing is an “. . . independent, objective assurance and consulting activity . . .” Organizational independence and individual objectivity form the foundation of internal auditing; all stakeholder confidence in auditors’ work rests on this foundation.