acc 590 exam 1


value proposition

objectivity, assurance, insight

entity-level controls

• Controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.
• Examples:
  ▫ Code of Ethics
  ▫ Risk management policies and procedures
  ▫ Fraud prevention and detection program
  ▫ Human resources policies and procedures
  ▫ Management's control deficiency escalation process
  ▫ IT general controls

parties in governance process

• Oversight group - board and committees of the board
• Stewardship group - executive management, dual role of stewardship of resources allocated by board and accountability of results of operations
• Performance group - operating and support management and staff
• Assurance group - internal and external auditing functions

7 standards of quality assurance

• Quality Assurance and Improvement Program
• Quality Program Assessments
• Internal Assessments
• External Assessments
• Reporting on the Quality Program
• Use of "Conducted in Accordance with the Standards"
• Disclosure of Noncompliance

structure of IPPF standards

• Standard
• Interpretation
• Implementation Standard
• Glossary

IIA competency framework

professionalism, performance, environment, leadership & communication

insight =

Catalyst, Analyses, and Assessments

assurance =

Governance, risk, control

3rd line of defence

internal audit

5 components of internal control

1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information and Communication 5. Monitoring

What are four specific points that should be addressed in the internal audit charter? (There are more than four.)

1. The internal audit activity's position within the organization 2. Authorization for access to records, personnel, and physical properties relevant to the performance of the engagements 3. The scope of the internal auditing activities 4. Type of assurance and consulting activities 5. That the activity will conform to the Standards, Definition, Core Principles, and Code of Ethics of IA 6. Selection and removal process for CAE

5 components of ERM

1. risk, governance, culture 2. risk, strategy, and objective-setting 3. risk in execution 4. risk information, communicating, and reporting 5. monitoring enterprise risk management performance

core principles of IPPF

1. Integrity. 2. Competence and due professional care. 3. Objective and free from undue influence (independent). 4. Aligns with the strategies, objectives, and risks of the organization. 5. Appropriately positioned and adequately resourced. 6. Quality and continuous improvement. 7. Communicates effectively. 8. Provides risk-based assurance. 9. Is insightful, proactive, and future-focused. 10. Promotes organizational improvement.

code of ethics of IPPF

4 principles and 12 rules of conduct

audit universe approach

A risk-based audit approach starts with a risk universe as the basis for the audit plan. In a risk-based audit approach, the goal for the department is to address management's highest priority risks. ... All of the audits on the plan are designed to address those risks and provide insights back to senior management.

definition of consulting

Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training

definition of assurance

An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence audits.

attribute standards

Attributes of organizations and individuals performing internal audit services
• For Assurance, for Consulting and for Other activities
• Purpose, authority, responsibility
• Independence and objectivity
• Proficiency and due professional care
• Quality assurance and improvement program

fundamental problem of corporate governance

Balancing the interests of owners and managers (Principals and Agents)

business process approach

requires auditors to identify the key day-to-day risks faced by a business, to consider the impact these risks could have on the financial statements, and then to plan their audit procedures accordingly.

performance standards

Describe nature of IA service and provide quality criteria against which the performance of these services can be measured
• Managing Internal Auditing Activity
• Nature of Work
• Engagement Planning
• Performing the Engagement
• Communicating Results
• Monitoring Progress
• Communicating the Acceptance of Risks

management oversight controls

Entity-level controls established by management to mitigate risks threatening the business unit and to provide assurance that business unit objectives are achieved. These controls are generally consistent in nature among business units but may vary in their execution from one business unit to another.

governance controls

Established by the board and executive management to institute the organization's control culture and provide guidance that supports strategic objectives

standard-setting bodies

Internal audit standards board, IPPF oversight council

definition of internal audit

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

4 principles in code of ethics

Integrity Objectivity Confidentiality Competency

objectivity =

Integrity, Accountability, and Independence

persuasive evidence is

Relevant Reliable Sufficient

strategic approach

Strategic risk audits focus on risks that are the result of pursuing certain strategically important organizational goals.

COSO definition of ERM

The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

process of corporate (organizational) governance

The process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.

mission of internal audit

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Which of the following most likely constitutes a violation of the IIA's Code of Ethics?
a. Auditor A is content as an internal auditor and has come to look at it as a regular 9-to-5 job. Auditor A has not engaged in continuing professional education or other activities to improve effectiveness during the last 3 years. However, Auditor A feels performance of quality work is the same as before.
b. Auditor B discovered an internal financial fraud during the year. The books were adjusted to reflect properly the loss associated with the fraud. Auditor B discussed the fraud with the external auditor when the external auditor reviewed working papers detailing the incident.
c. Auditor C has accepted an assignment to perform an engagement at the electronics manufacturing division. However, Auditor C has recently joined the internal audit function coming from public accounting. Auditor C was senior auditor for the external audit of the division and has audited many electronics organizations during the past 2 years.
d. Auditor D has been promoted to associate auditor director and assigned to oversee auditing of the organization's Asian operations. In the past 3 years, Auditor D completed several large consulting engagements for the operations in China and Korea - including serving on the SAP implementation team as a representative of internal audit to do pre-implementation reviews of controls.
e. Auditor E has been assigned to perform an engagement at the warehousing function 6 months from now. Auditor E has no expertise in that area but accepted the assignment anyway. Auditor E has signed up for continuing professional education courses in warehousing that will be completed before the engagement begins.

a.

residual (net) risk

after risk response

macro risk assessment

areas of the organization to audit

micro risk assessment

areas within engagement

two types of internal audit activities

assurance and consulting

internal audit customers

auditee, audit committee, external auditors, vendors, financial management, suppliers, regulators, senior management

risk response choices

avoid, exploit, retain, reduce, transfer

10. In the IIA's International Professional Practice Framework (IPPF), which of the following are mandatory guidance? I. Practice Advisories II. The Code of Ethics III. Practice Guides IV. The Definition of Internal Auditing V. The International Standards for the Professional Practice of Internal Auditing. VI. Core Principles for the Professional Practice of Internal Auditing a. I, II, III, IV, V and VI. b. II, IV, V, and VI only. c. V and IV only. d. II and V only. e. I and III only.

b.

According to the COSO control framework, a precondition to risk assessment is: a. Establishing control procedures or activities. b. Establishing objectives or goals. c. Establishing an internal audit function. d. Establishing a monitoring mechanism. e. Establishing performance measures.

b.

inherent (gross) risk

before risk response

6. Which of the following is a requirement of The International Standards for the Professional Practice of Internal Auditing? a. To evaluate annually the effectiveness of the audit committee. b. To obtain an annual representation from management acknowledging management's responsibility for the design and implementation of internal controls to prevent illegal acts. c. To evaluate the effectiveness of the organization's ethics-related objectives, programs, and activities. d. To certify that all error or irregularities in the accounting records discovered within the fiscal year have been reported to the external auditors. e. To issue annually an overall opinion on the adequacy of internal controls in the organization.

c.

9. The critical characteristics that individuals, teams, and organizations must have to provide effective internal audit services are described in: a. The Definition of Internal Auditing b. The Code of Ethics c. The Attribute Standards d. The Implementation Standards e. The Performance Standards

c.

mandatory IPPF components

core principles, definitions, standards, code of ethics

8. Which of the following would typically be part of the agenda for an opening meeting? I. Discussion of business objectives, risks and key processes II. Review of the audit process and timeline III. Review of audit objectives and scope IV. Presentation by auditee of how they have addressed findings from the last audit. a. I and III only. b. II and IV only. c. II and III only d. I, II, and III only e. I, II, III, and IV.

d.

As part of a company-sponsored award program, an internal auditor was offered an award of significant monetary value by a division in recognition of the cost savings that resulted from the auditor's recommendations. According to the International Professional Practices Framework, what is the most appropriate action for the auditor to take? a. Accept the gift since the engagement is already concluded and the report issued. b. Accept the award under the condition that any proceeds go to charity. c. Accept the gift on condition it is spread across all the members of the audit team. d. Inform audit management and ask for direction on whether to accept the gift. e. Decline the gift and advise the division manager's superior.

d.

The policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives are part of which component of the COSO model? a. The third line of defense. b. Control environments. c. Risk assessments d. Control activities. e. Monitoring activities.

d.

5. Which of the following is the correct order of steps in the risk management process? 1. Identify risks. 2. Monitor risk responses. 3. Formulate risk responses. 4. Assess and prioritize risks. 5. Identify context. a. 1,4,3,2,5. b. 1,5,4,3,2. c. 2,5,1,4,3. d. 5,4,1,3,2. e. 5,1,4,3,2.

e.

3 processes of assessing risk

strategic approach, business process approach, audit universe approach

two aspects of governance

strategic direction and governance oversight

7. To be sufficient, audit evidence should be: a. Directly related to the engagement observation and include all of the elements of an engagement observation. b. Obtained from a random sample. c. Obtained from a credible source. d. Well-documented and cross-referenced in the workpapers. e. Convincing enough for a prudent person to reach the same conclusion as the auditor.

e.

what does operating management want from IA

effectiveness and efficiency of operations, achievement of organizational objectives (change agent)

types of risk

existing, new, emerging

2nd line of defence

financial control, security, risk management, quality, inspection, compliance

risk assessment: look at...

impact and likelihood

recommended IPPF components

implementation guidance, supplemental guidance

4 types of interview approaches

informal, conversational; interview guide approach; standardized open-ended approach; closed-quantitative

1st line of defence

management controls, internal control measures

internal audit process

plan, perform, report

categories of controls

preventative & detective; mandatory & discretionary

what does the audit committee/ board want from IA

safeguard assets, compliance w laws and regs, reliable data (quality of info)

The IIA Standards require an internal audit function to have an internal audit charter. What is the purpose of the internal audit charter?

· Formal document
· Defines internal audit's purpose, authority, responsibility, position within organization
· Should set out the nature of services that the internal audit will provide and how internal audit will help the organization to achieve its objectives
· Blueprint for how internal audit will operate

Who is responsible for developing the internal audit charter? Besides that responsible person, who else should be involved in determining the charter's content?

· The CAE
· Senior management and audit committee (board)

