Internal Audit Exam 1
Independence
(Organizationally Independent): freedom from conditions that threaten objectivity or appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels
Internal audits role in ERM
-evaluating risk, giving assurance and reporting are primary responsibilities -does not make any risk decisions or develop policy -ERM plays a key role in how audits are conducted
governance areas
-financial -compliance -operations -strategic
Key changes to IPPF
-from "strongly recommended" to "recommended" guidance -introduced a mission for internal audit that surrounds the framework -position papers were deleted -practice guides are now supplemental guidance -practice advisories are now implementation guidance -core principles were added as mandatory guidance
Governance
the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives
Risk Management
the process conducted by management to understand and deal with uncertainties that could affect the organization's ability to achieve its objectives
Control
any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved
Objectivity
(individually objective): on an individual basis; an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.
3 types of standards
-attribute -performance -implementation
types of risk response
-avoidance -reduction -sharing -acceptance
Parties involved in governance
-board and committees -management -risk owners
components of internal control
-control environment -risk assessment -control activities -information and communication -monitoring
types of stakeholders
-directly involved -interested -influence
Key components of definition of internal auditing
-helping the organization accomplish its objectives -evaluating and improving the effectiveness of risk management, control, and governance processes -assurance and consulting activity designed to add value and improve operations -independence and objectivity -a systematic and disciplined approach
Principles of IIA Code of Ethics
-integrity -objectivity -confidentiality -competency
components of ERM
-internal environment -objective setting -event identification -risk assessment -risk response -control activities -information and communication -monitoring
risk assessment
-likelihood and impact -costs and benefits
material weakness
-likelihood is more than remote and impact is at or above the financial statement materiality level -Reporting: all management, audit committee, external auditors; management must also disclose the material weakness in external reporting
significant deficiency
-likelihood is more than remote and impact is more than trivial (but below financial statement materiality) -Reporting: all management, audit committee, external auditors
insignificant deficiency
-likelihood is remote or the impact is trivial/insignificant -Reporting: management of the audited department, unless key controls are involved (then it must be reported to all management and the audit committee); shared with the external auditors if they ask
types of business processes
-operating processes -management and support processes -projects
COSO objectives for internal controls
-operations objectives -reporting objectives -compliance objectives
3 phases to internal audit engagement
-planning -performing -communicating
Strongly Recommended Guidance
-position papers -practice advisories -practice guides
purpose of the standards
-set out basic principles -provide a framework for performing and promoting internal audit services -establish a basis for evaluating internal audit performance -foster improved organizational processes and operations -the standards apply to assurance AND consulting engagements
COSO objectives for ERM
-strategic objectives -operations objectives -reporting objectives -compliance objectives
Mandatory Guidance
-the definition -the code of ethics -the standards
how to determine key objectives
-why does the process exist -how does the process support the organization's strategy and contribute to its success -how are people expected to act -what else does the process do that is important to management
Senior Management's key governance responsibilities
1. Ensuring the full scope of the board's direction and authority is understood appropriately 2. Identifying the processes and activities within the organization that are integral to executing the governance direction provided by the board 3. Evaluating what other business considerations or factors might justify delegating a lower tolerance level to risk owners 4. Ensuring that sufficient information is gathered from the risk owners to support its reporting requirements to the board
The internal audit function can best execute its governance responsibilities by
1. Ensuring it fully understands the board's governance direction and expectations 2. Supporting management's risk management program 3. Developing an internal audit plan that appropriately encompasses the governance assurance activities and allows for periodic communications to senior management and the board on the effectiveness of risk management activities
The Board can best execute its governance responsibilities by
1. Establishing a governance committee 2. Articulating requirements for reporting to the board 3. Reevaluating governance expectations periodically
Senior Management can best execute its governance responsibilities by
1. Establishing a risk committee 2. Articulating reporting requirements for risk owners 3. Reevaluating governance expectations periodically
Risk owners' key governance responsibilities
1. Evaluating whether the risk management activities are designed adequately to manage the related risks within the tolerance levels specified by senior management 2. Assessing the ongoing capabilities of the organization to execute risk management activities 3. Determining whether the risk management activities are currently operating as designed 4. Conducting day to day monitoring activities to identify, in a timely manner, whether anomalies or divergences from expected outcomes have occurred 5. Ensuring that the information needed by senior management and the board is accurate, readily available, and provided to them in a timely manner
The internal audit function's governance responsibilities may include
1. Evaluating whether the various risk management activities are designed adequately to manage the risks associated with unacceptable outcomes 2. Testing and evaluating whether the various risk management activities are operating as designed 3. Evaluating the design adequacy and operating effectiveness of the risk management program/system as a whole 4. Determining whether the assertions made by the risk owners to senior management regarding the effectiveness of the risk management activities accurately reflect the current state of the risk management effectiveness 5. Determining whether the assertions made by senior management to the board regarding the effectiveness of the risk management activities provide the board with the information it desires about the current state of the risk management effectiveness 6. Evaluating whether risk tolerance information is communicated timely and effectively from both the board to senior management and from senior management to risk owners 7. Assessing whether there are any other risk areas that are currently not included in the governance process, but should be
The boards key governance responsibilities
1. Identify key stakeholders 2. Understand the needs and expectations of key stakeholders 3. Identify the outcomes that would be unacceptable to key stakeholders 4. Establish tolerance levels based on unacceptable outcomes
Risk owners can best execute their governance responsibilities by
1. Presenting governance recommendations to the risk committee 2. Reevaluating risk management activities periodically
4 sections of attribute standards
1000-purpose, authority, responsibility 1100-independence and objectivity 1200-proficiency and due professional care 1300-quality assurance and improvement program
7 sections of performance standards
2000-managing the internal audit activity 2100-nature of work 2200-engagement planning 2300-performing the engagement 2400-communicating results 2500-monitoring progress 2600-communicating the acceptance of risks
big sections of SOX
302-corporate responsibility for financial reports (CEO/CFO certification) 404-management assessment of internal control over financial reporting 404(b)-external audit firm attests to management's assertions on internal control 806-protection for whistleblowers (employees who report fraud) against retaliation 906-criminal penalties for knowingly certifying false financial reports
Internal Auditing
An independent, objective assurance and consulting activity designed to add value and improve an organization's operations
3 components of value proposition
Assurance, Insight, Objectivity
Attribute Standards
address the characteristics that the internal audit function and individual internal auditors must possess to perform effective assurance and consulting activities
inherent risk
combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk that exists assuming there are no internal controls in place
Performance Standards
describe the nature of internal audit services and the criteria against which the performance of these services can be assessed
Internal audit charter
establishes purpose, authority, and responsibility
business processes
how organizations structure their activities to implement strategies and achieve their business objectives
heat map
maps various risks based on impact and likelihood
implementation standards
expand on the attribute and performance standards with more specific guidance for particular engagement types (assurance vs. consulting)
controllable risk
portion of inherent risk that management can reduce through day to day operations and management activities
residual risk
portion of inherent risk that remains after management executes its risk responses
Risk (COSO's Definition)
possibility that an event will occur and adversely affect the achievement of an objective
types of controls
-preventive: deters undesirable events before they occur -detective: detects undesirable events after they occur -corrective: fixes an error or omission once detected -directive: encourages desirable events
Rules of conduct
set out the behavioral norms that internal auditors should follow to put the principles of the Code of Ethics into practice