Uploader: 高宏飞
Shared on 2025-12-13
Author: The Institute of Internal Auditor (IIA)

Publisher: The Institute of Internal Auditor (IIA)
Publish Year: 2023
Language: English
File Format: PDF
File Size: 9.6 MB
Text Preview (First 20 pages)
Part 3: Business Knowledge for Internal Auditing

Welcome to Part 3 of The IIA’s CIA Learning System®. The self-study text for the learning system includes the content addressed in The IIA’s CIA syllabus. (You can download the syllabus from the online Resource Center or from The IIA’s website.) However, in some cases, the content has been reorganized to facilitate instruction and understanding. Refer to the Table of Contents for an outline of the content.

To get the most out of the course materials, complete the course in this order:

1. Begin by accessing the course at www.learncia.com.
2. Read the overview and return to the menu. Select Part 3 from the menu.
3. Complete the pre-test and view the report to help focus your study efforts.
4. Read each section and follow the Next Steps directions included at the end of the section.
5. Complete Part 3 as outlined in the online overview.

Note that Part 3 of the CIA exam will consist of 100 multiple-choice questions and test takers are given 120 minutes to complete this portion of the exam. You can go to https://na.theiia.org/certification/CIA-Certification/Pages/CIA-Certification.aspx to register for the exam separately.

Study Support

The IIA’s CIA Learning System includes online tools to support your study. These tools may be accessed from the menu at any time.

• Glossary—Refer to the glossary for definitions of terms used in all three parts of The IIA’s CIA syllabus.
• Reports—Refer to the reports to review your most recent test scores and progress through the learning system.
• Resource Center—Refer to the Resource Center to access information about The IIA’s International Professional Practices Framework, updates, test-taking tips, printable flashcards, related links, and reference material and to provide feedback to The IIA regarding the learning system.

The IIA’s CIA Learning System®

The IIA’s CIA Learning System® is based on the Certified Internal Auditor® (CIA®) syllabus developed by The IIA. However, program developers do not have access to the exam questions. Therefore, while the learning system is a good tool for study, reading the text does not guarantee a passing score on the CIA exam.

Every effort has been made to ensure that all information is current and correct. However, laws and regulations change, and these materials are not intended to offer legal or professional services or advice.

This material is consistent with the revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, effective in 2017.

Copyright

These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will limit the program’s usefulness. The IIA invests significant resources to create quality professional opportunities for its members. Please do not violate the copyright.

Acknowledgments

The IIA would like to thank the following dedicated subject matter experts who shared their time, experience, and insights during the development and subsequent updates of The IIA’s CIA Learning System.

Pat Adams, CIA
Terry Bingham, CIA, CISA, CCSA
Raven Catlin, CIA, CPA, CFSA
Patrick Copeland, CIA, CRMA, CISA, CPA
Don Espersen, CIA
Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE
Al Marcella, PhD, CISA, CCSA
Markus Mayer, CIA
Vicki A. McIntyre, CIA, CFSA, CRMA, CPA
Gary Mitten, CIA, CCSA
Lynn Morley, CIA, CGA
Lyndon Remias, CIA
James D. Hallinan, CIA, CPA, CFSA, CBA
Larry Hubbard, CIA, CCSA, CPA, CISA
Jim Key, CIA
David Mancina, CIA, CPA
James Roth, PhD, CIA, CCSA
Brad Schwieger, CPA, DBA
Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CITP

Part 3 Overview

This part of The IIA’s CIA Learning System focuses on key areas of knowledge that can help internal auditors directly or indirectly with audit engagements. Some subjects will be directly applicable to any internal audit activity, such as effective management and leadership skills. Knowledge in subjects such as financial management or global business environments can also help the internal auditor to demonstrate to stakeholders that he or she has a firm understanding of the organization’s business practices and industry environment.

Internal auditors who are perceived as having business savvy and familiarity with the organization will be in a better position to deliver value and insight. Decision makers will place more weight on recommendations that demonstrate sensitivity to the organization’s strategy and the complexities of its global challenges. In this way, internal auditors can elevate their role in the organization to one that is perceived as adding value.

In brief, the sections in Part 3 are as follows:

• Section I: Business Acumen—organizational objectives, behaviors, and performance; organizational structure and business processes; data analytics
• Section II: Information Security—common physical security controls, various forms of user authentication and authorization controls, data privacy laws and their potential impact, emerging technology practices, existing and emerging cybersecurity risks, and security-related policies
• Section III: Information Technology—application and system software, information technology (IT) infrastructure, IT control frameworks, disaster recovery, and business continuity
• Section IV: Financial Management—financial accounting and finance and managerial accounting

References are made throughout Part 3 to specific external auditing or accounting standards (e.g., U.S. GAAP and IFRS). Your focus should be on the learning point rather than the specific language of the auditing or accounting standard.

Section I: Business Acumen

This section is designed to help you:

• Describe the strategic planning process and key activities.
• Define objective setting.
• Identify globalization and competitive considerations.
• Explain the process of aligning strategic planning to the organization’s mission and values.
• Examine common performance measures.
• Explain organizational behavior.
• Describe management’s effectiveness in leading, mentoring, and guiding people and in building organizational commitment.
• Describe management’s ability to demonstrate entrepreneurial skills.

The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 35% of the total number of questions for Part 3. Some topics are covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.) Other topics are covered at the “P—Proficient” level, meaning that you are responsible not only for comprehension and recall of information but also for higher-level mastery of the content, including application, analysis, synthesis, and evaluation.

Section Introduction

In a tightly competitive market, increased demand and cost savings have organizational ramifications beyond matching or surpassing competitors. Customers demand more for less and have access to multiple sources of quality goods and services at competitive prices. Organizations are examining every business process with an eye toward improving quality and performance in order to address these rising customer expectations. Proponents of quality also point out that a key long-term benefit of investing in quality is that organizations have a strong potential to improve their revenue/profit due to repeat business from loyal customers.

This section will examine a number of different techniques and concepts that organizations can use to help them analyze business process performance and be more competitive.

Chapter 1: Organizational Objectives, Behavior, and Performance

Chapter Introduction

Organizational behavior refers to the way individuals and groups behave in the organizational setting. The organization can be thought of as a system with interdependent parts. The culture and other factors influence the way individuals and groups respond. In turn, individual and group dynamics affect the dynamics of the organization. Organizations foster certain behaviors by their operational and motivational frameworks.

This chapter touches on factors that affect how motivated and empowered organizations, groups, and individuals feel. These factors include organizational structure, management style, exertion of power and influence, organizational culture, cultural differences, communication strategies, and employee recognition and reward systems.

Internal auditors need to understand organizational behavior because different controls work differently in the control environment and in different organizations. Also, the root cause of a control deficiency may lie in dysfunctional organizational behavior. Auditors will benefit from a broader, enterprise-wide view of organizational behavior. The auditing activities become a knowledge source in the organization.

Topic A: The Strategic Planning Process and Key Activities (Level B)

Objective Setting

An organization’s objectives define what the organization wants to achieve, and its ongoing success depends on the accomplishments of its objectives. For most organizations, a primary blanket objective is to enhance stakeholder value. Objectives also indicate what is expected from a governance, risk management, and internal control perspective.

At the highest level, these objectives are reflected in the organization’s mission and vision statements. To generate buy-in, a best practice is to get input from people at all levels of the organization when developing or updating these statements.

The mission statement is a broad expression of what the organization wants to achieve today. It needs to clearly indicate the organization’s purpose, including its reason for being and how it proposes to add value for its customers and other stakeholders. The mission statement serves as a day-to-day guide or charge to the individuals in the organization on how to achieve this purpose. It also serves as a bridge between the organization’s purpose and its vision statement.

The vision statement conveys what the organization aspires to achieve or become in the future. It represents the highest aspirational view and goals of an organization in the context of serving and adding value to its stakeholders.

Types of Objectives

Objectives may fall under several categories. Though these categories are distinct, there is often overlap. An objective may address more than one need or responsibility or may relate to different segments of the business or different individuals.

Strategic Objectives and Strategic Planning

Strategic objectives are goals set by management that specifically relate to stakeholder value enhancement, especially over the long term. They are reflected in the organization’s strategic plans, which are long-term plans for multiple years into the future. The strategic plan is an important source for many types of assurance and consulting engagements, because other plans and objectives need to align with and integrate into these top-level plans. Also, strategic plans are a valuable communications tool that can set the tone for proper governance.

Because strategic objectives and strategic planning are so critical to an organization’s success and growth, this is a key area to consider as part of the audit universe. Too often this area is overlooked and a strategic plan is simply used as an input to audit planning rather than being seen as an opportunity for adding value from a consulting perspective (such as improving the strategic planning process itself) or as an area for providing assurance coverage (such as ensuring effective communication of the plan). Ensuring that an organization has sound strategies and a strategic planning process is an important component of effective governance.

Operational Objectives

Operational objectives relate to the effectiveness and efficiency of operations. This includes but is not limited to operational and financial performance goals and safeguarding of assets.

Reporting Objectives

Reporting objectives relate to financial and nonfinancial reporting, both internal and external, and may include reliability, timeliness, transparency, completeness, or other terms as identified by the standards setters, regulators, or policies of the entity.

Compliance Objectives

Compliance objectives relate to the laws, regulations, policies, and procedures to which the entity is subject and the entity’s adherence to the same. Compliance objective subcategories could include contract compliance, compliance with industry standards and best practices, policy compliance, and so on.

Relationships Between Objectives

There is a direct relationship between the objectives that an entity strives to achieve. This includes the components that represent what is required to achieve the objectives and the entity’s overall structure, including operating units, legal entities, and other organizational structures and substructures. The relationship between these objectives can be illustrated in the form of a cube, as depicted in COSO’s Internal Control—Integrated Framework model and shown in Exhibit I-1.

Exhibit I-1: COSO’s Internal Control Framework

COSO is a U.S.–based framework that is used by organizations to evaluate internal controls. The purpose of a cube metaphor is to show that each side of the cube relates to and influences the other sides of the cube (i.e., the framework has multiple dimensions).

The rows represent the five components required for adequate governance, risk management, and internal control: the control environment, risk assessment, control activities, information and communication, and monitoring activities. Adherence to the last four of these components is highly dependent on the quality of the first, the control environment, especially the organization’s values, attitudes, and ethics.

The columns represent the three categories of objectives: operations, reporting, and compliance.

The entity structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions, including business processes such as sales, purchasing, production, and marketing and to which internal control relates, is depicted by the third dimension of the cube.

Globalization and Competitive Considerations

An organization sets a strategy to determine not only what type of organization it wants to be but also how such an organization will be likely to thrive in its environment, which is sometimes called an organizational ecosystem. It might, for example, want to be an agile organization that adapts well to changes or a large organization that can offer economies of scale and thus low prices. The organization’s success in its strategy depends not only on the successful execution of the strategy but also on the opportunities and risks that exist in the organization’s environment.

Globalization has expanded most organizations’ environments to include access to larger potential customer bases at relatively low costs (opportunities), but this also results in more potential competitors from all around the world (risks).

The organization will likely have some competitive advantages relative to its competition. A competitive advantage is a relative advantage one organization (or nation) has over its competitors. Here are some potential sources of competitive advantage:

• Labor market. Access to low-cost or high-skill labor, a wide labor pool.
• Suppliers and raw materials. Access to materials at favorable prices, good or long-term relationships with suppliers, some degree of ownership or control of (or independence from) suppliers, supplier proximity.
• Customer base. Established customer base/market share, loyal and satisfied customers.
• Process and methodology maturity. Risk, control, quality, change management, manufacturing, or other frameworks; their maturity level and difficulty in achieving that level of maturity.
• Supply chain and transportation. Relative cost and speed of supply chain, number of options for and level of convenience to customers.
• Competitor maturity and ease of market entry. Relative number of competitors, competitor sophistication, capital investment needed to become a viable competitor.
• Technology. Labor-saving or insight-generating technology, proprietary technology.
• Regional economy, politics, culture, legal, and regulatory environment. Regional economic prosperity, favorable politics and taxation, culture that promotes good values such as hard work or innovation, favorable laws and regulations.

Successful strategies leverage the organization’s competitive advantages relative to its competitors. However, competitors’ strategies will likely rely on their own competitive advantages due to their geographic location, size, access to capital, and so on. The organization’s strategy therefore works to find a way to leverage relative strengths and mitigate relative weaknesses in order to succeed in leveraging opportunities wherever they exist (e.g., in local markets, by expanding globally, by leveraging the online global marketplace) while minimizing the probability or impact of risks, including the threat of competitors taking market share.

Internal auditors may be in a position to help evaluate whether the organization is accurately assessing the current state of its strengths and weaknesses relative to changes in globalization and the competition. For example, this may include assessing whether the organization is altering its strategy in a timely enough fashion to continue surviving and thriving when such factors are changing quickly.

Mission and Value Alignment

Recall that the organization’s mission expresses what the organization wants to achieve today. Part of this mission will be to provide and add value to stakeholders; another part will be to state and live up to the organization’s values.

One way organizations align their mission with their organizational values and ethics is to create corporate social responsibility (CSR) or sustainability programs. The basic concept is that organizations are not responsible for just short-term financial results; they are also responsible to the communities in which they operate, to their workers, and to the environment that sustains all humankind.

As organizations implement formal sustainability programs and practices, they develop related performance measures. Internal auditors are starting to play a role in auditing sustainability programs and the design and reliability of the related measures. One way to do this is with a balanced scorecard, which is discussed in the next topic.

For more information on CSR, see the discussion in Part 1, Section V, of this learning system or review The IIA’s Practice Guide “Evaluating Corporate Social Responsibility/Sustainable Development.”

The CAE’s Role

The role of the chief audit executive (CAE) related to strategic objectives includes establishing a risk-based plan to determine the priorities of the internal audit activity, aligned with the organization’s goals. To ensure that the risk-based plan is aligned with these goals, the CAE must consult with the entity’s board and senior management and obtain an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. Additionally, the CAE must review and adjust the plan as necessary in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

Topic B: Common Performance Measures (Level P)

Internal auditors may need to assess the organization’s performance measurement system or the performance measurement system of an audit area and determine whether it is efficient, effective, and timely. Can it measure whether central organizational objectives are being achieved? Does it provide reliable information in a timely enough fashion to enable decision making and control?

The basic considerations in assessing performance are:

• Identifying related standards for performance.
• Assessing the reasonableness of performance standards in addressing organizational and audit area objectives.
• Comparing performance to the identified standards.
• Evaluating performance gaps (deviations or variances from the standards).

Required corrective actions should be specified and completed in a timely manner.

Ultimately, an effective performance management system is one that supports the achievement of organizational goals and objectives, audit area objectives, or, for personnel performance measures, individual and personal goals and objectives.

The most common weaknesses in performance measurement systems involve using the wrong key performance indicators or the wrong number of indicators. Key performance indicators (KPIs) focus on accomplishments or behaviors that are valued by the organization and are needed to successfully achieve the organization’s strategy and mission. They are valid indicators of performance if they measure the right things and are understandable to management (who use them to guide and improve performance).

An audit of a functional area, for example, may include review of its performance measurement system to ensure that its local or detail-level KPIs align with the organization’s strategic objectives and most recent risk assessment. The CAE may also review the entire organization’s KPIs for continued relevance. For example, take a manufacturer who sets a strategy to distinguish itself in its market through innovative products built on resource-intensive research and development (R&D) programs. In this case, the CAE may review the organization’s KPIs to ensure that they include measures related to R&D efficiency and/or effectiveness. This could be the number of R&D leads at a certain level of development or the number of ideas used in new products that generated a certain level of revenue. The internal audit activity can also audit for controls on the security of proprietary information.

The CAE should also consider whether the organization is meeting its goals, possible reasons for performance gaps, and the role internal auditing could play in addressing these gaps. For example, if a credit card company has not been able to lower customers’ default rates, the audit activity might evaluate the credit functional area’s KPIs around customer credit approval, timeliness of monitoring delinquent accounts, collection staff productivity, and so on.

In addition to determining whether the KPIs are supporting effectiveness toward reaching goals, another part of the assessment can focus on the efficiency of the KPIs in promoting goal achievement. Too few KPIs might mean a lack of incentive to pursue some of the organization’s objectives, such as managers not being assessed on whether they are supporting or promoting the sustainability policy. Too many KPIs is a more common occurrence, and this can also cause problems. The first word in the phrase is “key,” and, while the organization can have lots of performance indicators, only a small number should be designated as “key.” Too many KPIs can create a situation of information overload. This can confuse or delay decision making or lead to the wrong conclusions, such as allowing a minor criterion to have more weight than it deserves, with an unintended consequence of obscuring the more vital indicators.

Prior to discussing key performance indicators further, this topic first introduces two broad ways of assessing organizational performance.

Organizational Performance

Many of the themes discussed later in this course are examples of things that may affect an organization’s performance:

• Trends in the industry and marketplace
• Life cycle of the product and current demand
• Orientation and skills training for employees
• Cross-cultural communication
• Employee motivation and rewards
• Job design and work group design
• Management styles
• Team effectiveness
• Individual and team communication
• Organizational dynamics such as expectations, organizational structure, politics, workplace ethics, change, and diversity
• Advances in electronic communications technology
• Maturity level of an organization in its use of technologies, processes, frameworks (e.g., risk management), collaboration, or other areas

An organization’s ability to execute its goals and the results it achieves are prime indicators of its overall success in accomplishing its performance objectives. Performance objectives are the goals and activity-based targets related to the organization’s strategy. The performance success factors are indicators of success, which will look quite different from one organization to another. We’ll now discuss two important concepts in this regard—productivity and effectiveness.

Productivity

Productivity is the ability to produce a good or service. In an organization, it refers to the quantity of the outputs (products and services) in relation to the inputs (human and physical resources). Productivity is a way to achieve cost and quality advantages over the competition.

Quality refers to an organization’s standards of excellence related to product or service output. The meaning of quality will vary by the type of organization. Physical product quality factors include features, reliability, durability, serviceability, performance, and conformance. Service quality factors include responsiveness, trust and assurance, reliability, and perceptions of customer care. Performance measures related to quality may include things like the number of defects or rejects located by inspection, the number reported by customers, the response time for recovery (e.g., from customer errors), the degree to which the product or service is meeting customer needs, and so on.

Efficiency refers to minimizing the use of resources in a product or service process as compared to standard expectations. Various ratios generally measure the resources actually used against the resources that were planned to be used. Other measures of efficiency include turnover ratios, such as inventory turnover, or the number of times per year inventory is sold and replenished. Efficiency ratios, however, do not indicate the quality level of the outputs. The standards used for the assessments may also need to be reviewed to see if they are still accurate and realistic yet challenging.

Productivity is also linked to profitability, but it is only one factor. Profitability refers to making a profit, or achieving financial gain from an effort over and above the expenses that were required to generate that profit. Various profitability measures are generated by determining which expenses to include or exclude from the analysis, such as operating profit, which measures the earnings before interest and taxes (EBIT) and can help show whether core operations are efficient enough and management is competent enough to keep the organization viable. While productivity measures primarily relate to the short term, profitability can relate to both the shorter and the longer term and may take into account other internal and