Internal Audit - Exam 1

What is the OECD's definition of corporate governance?

"Corporate governance involves a set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of obtaining those objectives and monitoring performance are determined."

What is The IIA's definition of governance?

"The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives."

How does COSO define strategy?

"The organization's plan to achieve its mission and vision and to apply its core values."

How does COSO define risk?

"The possibility that events will occur and affect the achievement of a strategy and objectives."

What is the relationship between auditing and accounting?

"The relationship of auditing to accounting is close, yet their natures are very different; they are business associates, not parent and child. Accounting includes the collection, classification, summarization, and communication of financial data; it involves the measurement and communication of business events and conditions as they affect and represent a given enterprise or other entity. The task of accounting is to reduce a tremendous mass of detailed information to manageable and understandable proportions. Auditing does none of these things. Auditing must consider business events and conditions too, but it does not have the task of measuring or communicating them. Its task is to review the measurements and communications of accounting for propriety. Auditing is analytical, not constructive; it is critical, investigative, concerned with the basis for accounting measurements and assertions. Auditing emphasizes proof, the support for financial statements and data. Thus auditing has its principal roots, not in accounting which it reviews, but in logic on which it leans heavily for ideas and methods.

How does COSO define business objectives?

"Those measurable steps the organization takes to achieve its strategy."

How does ISO define risk?

"effect of uncertainty on objectives."

How does COSO define risk appetite?

"the types and amount of risk, on a broad level, an organization is will- ing to accept in pursuit of value."

The ISO 31000 risk management framework includes five components, the first of which is "mandate and commitment." Explain what mandate and commitment means. Discuss why mandate and commitment is critical to risk management success

A "mandate" is an authoritative command. A "commitment" is an unwavering dedication to a cause. An ERM mandate and commitment from the board and senior management means that they are fully invested in successfully implementing ERM. The success of an ERM initiative, like any other major initiative, depends on solid support from the top of the organization. The board and senior management must ensure that the objectives of the ini- tiative are aligned with the organization's objectives and that everyone throughout the organization understands the objectives and is committed to achieving them. They also must ensure that sufficient resources are invested in the initiative and allocated appropriately. The top-down commitment from the board and senior management must be sustained throughout the project to ensure that it is com- pleted effectively, efficiently, and timely.

What is a combined assurance model?

A combined assurance model focuses on understanding the different types of assurance being provided so that, based on the level of risk being assessed and how strong the assurance is, a coordinated plan or calendar can be developed. This facilitates awareness of each assurance activity's assessments, when the assessments will occur, and how other assurance activities can rely on that work.

Which of the following would be considered a second line of defense in the Three Lines of Defense model?

A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training.

Which of the following would not be considered a first line of defense in the Three Lines of Defense model?

A divisional controller conducts a peer review of compliance with financial control standards.

Typically, what is a governing board's responsibility for internal controls?

A governing board is responsible for providing authority, direction, and oversight. Since ultimately a governing board is interested in determining how effectively the organization is achieving its business objectives, the board will need to understand what the risks are that could impair the achievement of those objectives. This requires, in turn, a high-level understanding of the system of internal controls that is designed to manage those risks. It is not necessary to have a detailed understanding of specific controls, but the board must obtain information to assess whether the risks are being managed to acceptable levels. This information will be obtained from management as well as independent assurance activities, such as the internal audit function.

What factors might influence the CAE's decision to postpone an assurance engagement?

A key factor in determining whether the internal audit function should postpone assurance engagements in areas of the company for which other service providers have already planned assurance activities is the nature of the activities performed by the other service providers.

An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function's risk model. It is currently on a two-year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement?

A new system was implemented during the year, which changed how the transactions are processed.

Define "value proposition." Explain why it is important for internal auditors to have a value proposition.

A value proposition is a statement of the value, or benefits, stakeholders can expect from the products and/or services they receive from the provider of the products and/or services. It is important for internal auditors to have a value proposition because an internal audit function, like any other function within an organization, must justify its existence to its key stakeholders. In other words, the stakeholders must value the services the internal audit function has to offer.

How does effective ERM help achieve strategy?

A well-defined strategy drives the efficient allocation of resources and effective decision-making, which in turn help provide the direction for the business objectives. When ERM is integrated with the process to establish strategy and business objectives, management better understands the potential barriers and opportunities related to achieving that strategy. Responses to risks will give management greater confidence when allocating resources and making decisions, and increase the likelihood that strategy will be achieved.

An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry. Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website?

Accuracy and reliability of the information.

Which of the following are components of the definition of internal auditing?

All of the above

Which of the following would be considered a first line of defense in the Three Lines of Defense model?

An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date

What are typical ERM responsibilities of the independent outside auditors?

An organization's independent outside auditors can provide both management and the board an informed, independent, and objective risk management perspective that can contribute to an organization's achievement of its external financial reporting and other objectives. Findings from their audits may relate to risk management deficiencies, analytical information, and other recom- mendations for improvement that can provide management with valuable information to enhance its risk management program.

Describe the three components of the internal audit value proposition set forth by The IIA.

Assurance- The internal audit function provides assurance on the organization's governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives. Insight- The internal audit function is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. Objectivity- The internal audit function, with commitment to integrity and accountability, provides value to the board and senior management as an objective source of independent advice.

Which of the following statements is not true about business objectives?

Business objectives are management's means of employing resources and assigning responsibilities.

Which of the following is the ultimate position of a career internal auditor?

CAE

Which of the following is the premier certification sponsored by The IIA?

Certified Internal Auditor.

Why might an organization choose to co-source its internal audit function?

Common situations in which an organization will co-source its internal audit function include circumstances in which the third-party vendor has specialized audit knowledge and skills that the organization does not have in-house and circumstances in which the organization has insufficient in-house internal audit resources to fully complete its planned engagements.

What are the character traits, known as the 5 Cs, that are required for success in the internal audit profession?

Competence, Credibility, Connectivity, Communication, and Courage.

Which of the following is one of the 5 Cs essential to success as an internal auditor?

Courage

What is the IPPF's mandatory guidance?

Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing

Which of the following risk management activities is out of sequence in terms of timing?

Determine key organizational objectives

While planning an internal audit, the internal auditor obtains knowledge about the auditee to, among other things:

Develop an understanding of the auditee's objectives and risks.

What are the three common ways individuals enter the internal audit profession?

Directly out of school Switch from other jobs in organization or public accounting Some organizations require prospective managers to spend time working in internal auditing as part of their management trainee program.

When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should:

Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee

Which of the following is not a role of the internal audit function in best practice governance activities?

Ensure the timely implementation of audit recommendations.

According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives?

Ensuring culture is clearly articulated by the board

In exhibit 3-4, the internal audit function is included in the assurance box. In light of this assurance role, discuss the pros and cons of the chief audit executive (CAE) reporting to the board of directors (or one of its committees) versus the chief financial officer (CFO). Relate your answer to the concepts described in Standard 1100: Independence and Objectivity.

Exhibit 3-4 shows the Assurance box with direct communication lines to the board. Since the board, frequently through its committees, must monitor whether management is carrying out its direction properly, having a direct reporting relationship between the board and the internal audit function provides the internal audit function with the organizational independence that it needs to fully comply with Standard 1100. While it is important for the chief audit executive (CAE) to have a strong relationship with the chief financial officer (CFO), a direct reporting relationship to the CFO may threaten that organizational independence, particularly since a large portion of the internal audit plan may be focused on the CFO's organization. In addition, since the CAE's compensation would be significantly influenced by the CFO, there may be perceptions that the individual objectivity of the CAE is impaired, which also is contrary to the requirements of Standard 1100.

What are typical ERM responsibilities of financial executives?

Finance and accounting executives and their staffs are responsible for activities that cut across the organization. These executives often are involved in developing organizationwide budgets and plans, and tracking and analyzing performance from operations, compliance, and reporting perspectives. They play an important role in preventing and detecting fraudulent reporting, and influence the design, implementation, and monitoring of the organization's internal control over financial reporting and the supporting systems.

Which of the following is not a potential value driver for implementing ERM?

Financial results will improve in the short run

What types of business events tend to drive new legislation and guidance?

Fraud or other corporate wrongdoing.

Discuss why it is important, from a governance perspective, to have independent outside directors on a board of directors

Governance is an oversight activity that is carried out for the benefit of outside stakeholders, in particular, shareholders. Since members of management receive direct compensation for their work (salaries and bonuses), the common perception is that they may make decisions that benefit themselves in the short run instead of shareholders in the long run. On the other hand, independent outside directors, who are elected by shareholders, do not receive direct compensation, receiving instead stipends and stock awards that tend to incent the board to focus on long-term interests that are more aligned with the shareholders' expectations. Therefore, having independent outside directors on a board enhances the ability of the board to carry out its governance oversight.

Which of the following are typically governance responsibilities of senior management? I. Delegating its tolerance levels to risk managers. II. Monitoring day-to-day performance of specific risk management activities. III. Establishing a governance committee of the board. IV. Ensuring that sufficient information is gathered to support reporting to the board.

I and IV.

Enterprise risk management:

Includes selection of best risk response for the organization.

ABC utility company sells electricity to residential customers and is a member of an industry association that provides guidance to electric utilities, lobbies on behalf of the industry, and facilitates sharing among its members. From ABC's perspective, what type of stakeholder is this industry association?

Influences the company.

Define inherent risk

Inherent risk is the level of risk (potential impact and corresponding likelihood) without giving con- sideration to the risk management activities, which include controls that are designed to manage the risk. Inherent risk is sometimes referred to as gross risk.

What is the difference between internal assurance services and internal consulting services?

Internal assurance services involve an objective examination of evidence for the purpose of providing an independent assessment on the effectiveness of governance, risk management, and control pro- cesses f or the organization. Internal consulting services are advisory and related services, the nature and scope of which are agreed to with the customer and that are intended to improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility.

Why is it imperative that internal auditors have integrity?

Internal auditors must have integrity because the users of their work products rely on the internal auditors' professional judgments to make important business decisions. These stakeholders must have confidence that internal auditors are trustworthy.

One of the challenges of ERM in an organization that has a centralized structure is that:

It may be difficult to raise awareness of the impact of work actions on other employees or work areas.

Who is responsible for implementing ERM?

Management throughout the organization.

What are the two categories of guidance included in the IPPF?

Mandatory Guidance and recommended guidance

The function of the chief risk officer is most effective when he or she:

Monitors risk as part of the ERM team

Do most people who work in internal auditing spend their entire careers there? Explain.

Most people who work in internal auditing do not spend their entire careers there. They instead use internal auditing as a stepping stone into financial or nonfinancial management positions, either in the organizations they have been working for or in other organizations.

Within the context of internal auditing, assurance services are best defined as:

Objective examinations of evidence for the purpose of providing independent assessments.

Describe the relationship between objectives and strategies. What is your foremost objective as a student in this course? Explain your strategy for achieving this objective.

Objectives define what an individual or organization wants to achieve. Strategies define how individuals or organizations plan to achieve their objectives. A common objective expressed by students is to achieve a good grade. Some students indicate that they want to learn. These responses open the door for the instructor to discuss the relationship between objectives and key performance indicators. If the instructor's grading criteria are aligned with his or her student learning objectives, the grades students earn in the course should reflect their levels of learning.

Which of the following represents the best governance structure?

Operating management is responsible for risk management, executive management is responsible for oversight, and internal auditors serve in the capacity of oversight and advisory roles.

What options does an individual have if he or she chooses to be a career internal auditor?

Options that an individual has if he or she chooses to be a career internal auditor include progressing upward through the ranks of a single organization's internal audit function into internal audit management, advancing up the ladder by moving from one organization to another, or moving upward through the various levels in a firm that provides internal assurance and consulting services to other organizations.

Why do some organizations use models like the combined assurance model?

Organizations use such models to combat "assurance fatigue." Assurance fatigue occurs as a result of different assurance activities failing to collaborate effectively. Failure to sufficiently coordinate activities results in redundant and unnecessary assurance work.

The internal audit function should not:

Oversee the organization's governance and risk management processes.

Companies in industries that are heavily regulated may be subject to audits by the regulator's auditors. While not specifically covered in the Three Lines of Defense model, such auditors would most likely be considered:

Part of the third line of defense.

Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success?

Political event

Internal auditors must have competent interpersonal skills. Which of the following does not represent an attribute of interpersonal skills?

Project management.

When assessing the risk associated with an activity, an internal auditor should:

Provide assurance on the management of the risk

Which of the following is not an appropriate governance role for an organization's board of directors?

Providing assurance directly to third parties that the organization's governance processes are effective.

Define residual risk

Residual risk is the remaining level of risk after such controls are executed. This is sometimes referred to as net risk.

What is residual risk?

Residual risk represents the level of risk after management's application of actions to alter its severity.

Ina Icandoit has an 8:00 a.m. class each day. The professor has instilled in the students the importance of getting to class on time, so Ina has made this one of her objectives for the semester. What risks threaten the achievement of Ina's objective? What controls can Ina implement to mitigate these risks?

Risks: Oversleeping, and missing the bus Controls: Getting to bed at reasonable time, setting an alarm clock; packing books and supplies before going to bed, planning in advance the activities that must be completed in the morning before leaving the house, allowing sufficient time to walk to the bus stop

What are some key U. S. regulations that have been written in response to adverse business events?

Securities Act of 1933, Securities Exchange Act of 1934, Foreign Corrupt Practices Act of 1977, Report of the National Commission on Fraudulent Financial Reporting (1987), Federal Deposit Insurance Corporation Improvement Act of 1991, U.S. Sarbanes-Oxley Act of 2002, U.S. Stock Exchange Listing Standards, and the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.

Which of the following is not an example of a risk-sharing strategy?

Selling a nonstrategic business unit.

Who is responsible for establishing the strategic objectives of an organization?

Senior management.

Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization's governance process?

Senior management.

AVF Company's new CFO has asked the company's CAE to meet with him to discuss the role of the internal audit function. The CAE should inform the CFO that the overall responsibility of internal audit is to:

Serve as an independent assurance and consulting activity designed to add value and improve the company's operations.

In exhibit 4-3, why are some of the balls representing risks clustered together while some are not?

Some risks occur individually and some may occur at the same time, or in aggregate. Such risks may be more significant in aggregate than when assessed individually.

Describe ways in which an organization's business model may affect its approach to governance oversight. Provide examples that contrast publicly held companies from privately held companies.

Stakeholders — Different business models may result in varying stakeholders with different expectations. For example, publicly traded companies will have stakeholders with profit and growth expectations, while nonprofit organizations may have stakeholders with expectations about achieving the purpose of the organization, for example, providing for the welfare of underprivileged children. The Board and its Committees — The organization, makeup, and focus of the board may vary. For example, publicly traded companies are likely to have primarily independent directors, formal committees such as an audit committee and a nominating committee, and a risk appetite that is consistent with the expectations of the external stakeholders. Privately held companies are more likely to have members of management serving as directors, few if any board committees, and a risk appetite that is based on the expectations of the primary owners and management. Risk Management — The roles of senior management and risk owners will be affected by the business model. For example, large, diverse organizations will need to rely on senior management providing direction and oversight to a variety of risk owners. However, in smaller, less complex organizations, senior management may own and have to manage many of the risks themselves. Assurance Activities — The internal auditors and independent outside auditors may have different approaches to carrying out their responsibilities. For example, in public companies, both sets of auditors may need to provide assurance on the effectiveness of internal controls over financial reporting, while in private companies, such assurance may not be necessary or as formal.

Which of the following is recommended guidance within the IPPF?

Supplemental guidance

Which of the following is a framework that can help individual internal auditors and internal audit functions assess their current competency levels and identify areas for improvement?

The Global Internal Auditor Competency Framework.

How is The IIA's leadership organization structured?

The IIA headquarters' executive leadership team is headed by the president and CEO. Hundreds of volunteers, including The IIA's Global Board of Directors, also provide IIA leadership. The 38-member Global Board of Directors oversees the affairs of The IIA. The board's Executive Committee comprises the chairman of the board, the senior vice chairman, five vice chairmen, a secretary, and the two most recent former chairmen of the board. The board also includes the North American Board, which holds specific authority and oversight of North American activities, directors-at-large, ex-officio directors, institute directors, and The IIA president as an ex-officio member.

What is the major objective of the Internal Audit Foundation?

The Internal Audit Foundation exists to help audit leaders, practitioners, students, and academics experience continuous growth in their careers to propel them to become respected as trusted advisers as well as thought leaders within the industry.

Why are there arrows flowing in both directions between the different elements of governance depicted in exhibit?

The arrows represent the flow of information throughout the governance structure. The board provides direction to senior management to guide them in carrying out the risk management activities. Senior management in turn provides direction to lower levels of management who are responsible for the internal control activities. However, lower-level managers are accountable to senior management with regard to the success of those internal control activities; senior management is accountable to provide the board assurances regarding the effectiveness of risk management activities. The arrows in the figure depict that flow of direction and accountability from one layer to the next.

Independent outside auditors provide financial reporting assurance services primarily for:

The benefit of third parties

Discuss how regulations help to improve governance. Explain how some regulations may have unintended consequences regarding governance.

The board and senior management govern on behalf of the organization's stakeholders who need sufficient appropriate information to evaluate the effectiveness of the organization's governance policies and procedures. Regulations help facilitate this by increasing the transparency of publicly available information and providing a means for determining whether organizations transact business and report business results consistently and fairly. Regulations commonly include criteria against which governance practices can be assessed, both internally by the board and senior management and externally by the organization's key constituents. Oftentimes regulations are promulgated to mitigate the undesirable outcomes of harmful events in the business world. The problem with this, in terms of unintended consequences, is that mitigating the undesirable outcomes associated with a particular type of event may cause other harmful events with undesirable outcomes to occur. For example, some organizations may find it cost prohibitive to adhere to a newly promulgated regulation. Also, some good-intentioned regulations may result in undue record-keeping or reporting that does not benefit the intended parties.

What are typical ERM responsibilities of the board of directors?

The board's ERM responsibilities are to provide oversight and direction to management. In par- ticular, the board in the Risk Governance and Culture component of ERM. The board also helps management establish the governance and operating models, define culture and desired behaviors, demonstrate commitment to integrity and ethics, and assign accountability and authority for risk management

What are typical ERM responsibilities of the chief risk officer?

The chief risk officer (CRO) typically operates in a staff function, working with other managers in establishing ERM in their areas of responsibility. The risk officer has the resources to help effect ERM across subsidiaries, businesses, departments, functions, and activities. This individual may have responsibility for monitoring risk management progress and assisting other managers in reporting relevant risk information up, down, and across the organization.

Which of the following is mandatory guidance within the IPPF?

The core principles.

How does COSO define vision?

The entity's aspirations for its future state or what the organization aims to achieve over time.

How does COSO define core values?

The entity's beliefs and ideals about what is good or bad, acceptable or unaccept- able, which influence the behavior of the organization.

How does COSO define mission?

The entity's core purpose, which establishes what it wants to accomplish and why it exists.

What is the difference between the two areas of governance depicted in exhibit 3-3?

The first broad area of governance is strategic direction. The board is responsible for providing strategic direction and oversight relative to the establishment of key business objectives, consistent with the organization's business model. Directors bring varied and diverse business experience to the board and, thus, are in a position to provide the strategic direction and oversight of that direction that will help the organization be successful. The board can also influence the organization's risk-taking philosophy and establish broad boundaries of conduct based on the organization's overall risk appetite and cultural values. Providing strategic direction, overseeing the objective-setting process, and monitoring progress toward meeting the goals and objectives of the organization are key reasons for the board's existence. The second broad area of governance is governance oversight. This area involves the board understanding the needs of stakeholders, providing direction and authority to senior managers, who in turn empower risk owners to carry out that direction, reporting of risk management effectiveness up from risk owners to senior management to the board, and internal and external activities, most notably the internal and external auditors, providing assurances to senior management and the board as to the effectiveness of governance activities.

What services might the internal audit function provide in lieu of performing an assurance engagement?

The internal audit function might perform consulting services in lieu of assurance services. One example of such services is to provide advice aimed at improving the governance, risk management, and internal control processes of the areas of the organization covered by the other service providers. The internal audit function also might consult with the other assurance providers on how they plan, conduct, document, and report on the assurance activities they perform.

The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function's independence and the objectivity of its internal auditors?

The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session

Which of the following statements regarding corporate governance is not correct?

The internal audit function of a company has more responsibility than the board for the company's corporate governance.

What are typical ERM responsibilities of internal audit function?

The internal audit function plays an important role in evaluating the effectiveness of—and recom- mending improvements to—ERM. The IIA's International Standards for the Professional Practice of Internal Auditing specify that the scope of the internal audit function should encompass gover- nance, risk management, and control systems. This includes evaluating the reliability of reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. In carrying out these responsibilities, the internal audit function assists management and the board by exam- ining, evaluating, reporting on, and recommending improvements to the adequacy and effective- ness of the organization's ERM.

In a combined assurance model, should the internal audit function postpone assurance engagements in areas of the company for which other assurance providers have already planned assurance activities?

The key purpose of implementing a combined assurance model is to coordinate the activities of the various assurance functions within the company in a manner that minimizes redundant and unnecessary assurance work, while at the same time ensuring that necessary assurance work is completed effectively and efficiently (i.e., there are no assurance gaps). Whether the internal audit function should postpone planned assurance engagements in areas of the company for which other assurance providers have already planned assurance activities cannot be answered without first considering the factors that might influence the decision.

What is the primary difference between internal and external financial reporting assurance services?

The primary difference between internal financial reporting assurance services and external financial reporting assurance services is the audience. Internal auditors provide financial reporting assurance services primarily for the benefit of management and the board of directors. Independent outside audi- tors provide financial reporting assurance services primarily for the benefit of third parties.

How does this definition relate to the figure in exhibit 3-3?

The strategic direction aspect of governance illustrated in exhibit 3-3 encompasses the information and direction the board provides to help ensure the organization is successful. The governance oversight aspect of governance illustrated in exhibit 3-3 focuses on the board's role in managing and monitoring the organization's operations.

Assurance, Insight, and Objectivity comprise

The value proposition

Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan?

To ensure that the internal audit plan supports the overall business objectives.

The Internal Audit Foundation exists to help audit leaders, practitioners, students, and academics experience continuous growth in their careers to propel them to become:

Trusted advisors.

Which risk, inherent or residual should have a greater impact on annual internal audit plan?

When developing an internal audit plan, internal auditors should be more concerned about inherent risk. To provide independent assurances about the effectiveness of risk management activities, internal auditors should not make any assumptions about the effectiveness of such activities until they are audited.

Describe risk-taking philosophy

a set of shared beliefs and attitudes characterizing how the entity con- siders risk in everything it does, from strategy development and implementation to its day-to-day activities. An organization's philosophy will range from risk averse to risk neutral to risk aggressive.

What are internal consulting services?

advisory and related services, the nature and scope of which are agreed to with the customer and that are intended to improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility.

How does The IIA define internal auditing?

an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes

What are the three components of the internal audit value proposition set forth by The IIA?

assurance, insight, and objectivity

In addition to the internal audit function, what other internal functions may provide independent assurance to the board or senior management?

environmental and safety function, quality assurance groups, and trading control activities.

What types of outcomes might a board need to consider to understand stakeholders' expectations?

financial, compliance, operations, or strategic outcomes.

What are some of the factors that have fueled the dramatic increase in demand for internal audit services over the past 30 years?

globalization, increasingly complex corporate structures, e-commerce and other techno- logical advances, and a global economic downturn.

What is the IPPF's recommended guidance?

includes implementation guidance and supplemental guidance.

What are the seven inherent personal qualities listed in the chapter that are common among successful internal auditors?

integrity, passion, work ethic, curiosity, creativity, initiative, and flexibility.

What is internal assurance services?

involve an objective examination of evidence for the purpose of providing an independent assessment on the effectiveness of governance, risk management, and control processes for the organization.

What are the definitions of governance?

is the process conducted by the board of directors to authorize, direct, and oversee management toward the achievement of the organization's objectives.

What is co-sourcing?

means that an organization is supplementing its in-house internal audit function to some extent via the services of third-party vendors.

What is objectivity?

objectivity is an impartial, unbiased mental attitude and involves avoiding conflicts of interest, which allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made.

How many core competencies are included in The IIA's Global Internal Auditor Competency Framework and for what general job levels are they recommended?

outlines 10 core competencies recommended for each broad job level, namely internal audit staff, internal audit management, and the CAE.

What are the three fundamental phases in the internal audit engagement process?

planning the engagement, performing the engagement, and communicating engagement outcomes.

What is independence?

refers to the organizational status of the internal audit function and reflects the freedom from conditions that threaten objectivity or the appearance of objectivity.

What is inherent risk?

represents the level of risk before management's application of direct or focused actions to alter its severity.

Describe acceptable variation in performance

sometimes called risk tolerance, represents the boundaries of acceptable outcomes related to achieving business objectives. Such variations typically will relate to specific outcomes, such as financial results, reputational impact, safety of individuals, etc.

What is the definition of control?

the process conducted by management to mitigate risks to acceptable levels.

What is the definition of risk management?

the process conducted by management to understand and deal with uncertainties (risks and opportunities) that could affect the organization's ability to achieve its objectives.

Describe Risk appetite

the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value. It is a guidepost in strategy setting. The risk appetite may be expressed in financial terms, such as impact on net income or earnings per share, or nonfinancial terms.

That are the key responsibilities for the senior management in accordance with governance?

• Ensuring that the full scope of direction and authority delegated by the board is properly understood. Senior management must understand the board's governance expectations, the amount of authority the board has delegated to management, its tolerance levels relative to unacceptable outcomes, and requirements for reporting to the board. • Identifying the processes and activities within the organization that are an integral part of executing the governance direction provided by the board. • Evaluating what other business considerations or factors might create a justification for delegating a lower tolerance level to risk owners than that delegated from the board. For example, the board may specify that management must maintain controls to ensure there are no control weaknesses beyond a certain level of severity. However, senior management, desiring to avoid the situation where multiple significant control deficiencies aggregate to an unacceptable level, may specify to risk owners that controls be maintained to ensure there are no control deficiencies exceeding a lower level of severity. • Ensuring that sufficient information is gathered from the risk owners to support its reporting requirements to the board.

That are the key responsibilities for the board of directors in accordance with governance?

• Establishing a governance committee. • Articulating requirements for reporting to the board. • Reevaluating governance expectations periodically (probably annually).

That are the key responsibilities for the risk owners in accordance with governance?

• Evaluating whether the risk management activities are designed adequately to manage the related risks within the tolerance levels specified by senior management. Although senior management may provide direction relative to the risk management activities, the risk owners typically will determine the specific tasks that are necessary to carry out those activities. • Assessing the ongoing capabilities of the organization to execute those risk management activities. This assessment should evaluate the maturity of the procedures in place, the competence and experience of the people performing those procedures, the sufficiency of any enabling technologies (for example, computer systems), and the availability of external and internal information to support decision-making. • Determining whether the risk management activities are currently operating as designed— that is, whether the people and systems are executing the processes consistently with the desired objectives. • Conducting day-to-day monitoring activities to identify, in a timely manner, whether anomalies or divergences from expected outcomes have occurred. • Ensuring that the information needed by senior management and the board is accurate and readily available, and is provided to senior management on a timely basis.

What role does the internal audit function play in governance?

• Evaluating whether the various risk management activities are designed adequately to manage the risks associated with unacceptable outcomes. • Testing and evaluating whether the various risk management activities are operating as designed. • Determining whether the assertions made by the risk owners to senior management regarding the effectiveness of the risk management activities accurately reflect the current state of risk management effectiveness. • Determining whether the assertions made by senior management to the board regarding the effectiveness of the risk management activities provide the board with the information it desires about the current state of risk management effectiveness. • Evaluating whether risk tolerance information is communicated timely and effectively from both the board to senior management and from senior management to the risk owners. • Assessing whether there are any other risk areas that are currently not included in the governance process, but should be (for example, a risk for which risk tolerance and reporting expectations have not been delegated to a specific risk owner).

IT governance has become a "hot topic" in recent years. Using the governance framework shown in exhibit 3-4, customize each of the components to describe how they might specifically relate to governing IT objectives and risks of an organization.

• Governance Umbrella — The board of directors has a responsibility to understand how IT 1) enables the achievement of business objectives and 2) poses a variety of inherent risks to an organization. The chief information officer (CIO) may not have a direct reporting relationship or direct access to the board or its committees and, therefore, the board's direction and authority may be delegated through another senior executive, such as the CFO. Good IT governance requires the CIO, or a similar officer, to understand the following: - Business objectives that depend on IT or IT-specific objectives that will help the CIO manage the overall IT operations. - The amount of risk the board and senior management can tolerate related to risk outcomes. - Key stakeholders and their expectations. While outside stakeholders may have some interest in how IT enables business objectives, the primary IT stakeholders may be internal customers, such as business and functional leaders. • Risk Management — The tactics for managing IT risks may vary somewhat from other business risks, but the overall process is the same. It is important for IT management to identify all IT- related risks, understand the potential impact and likelihood of those risks, and determine the appropriate strategies for managing those risks within the tolerance levels established by the board and senior management. Additionally, IT management must implement timely and effective monitoring activities to ensure IT risks are in fact being managed to acceptable levels. • Assurance — Internal audit functions typically devote a portion of their audit plan to address IT risks. Internal audit communications to senior management and the board will be similar to those described in the chapter. Assurances also may be obtained by other internal and external parties. For example, the CIO may hire specialist consultants to conduct penetration testing to help evaluate the security of the organization's firewalls and security capabilities.

What are the three different types of stakeholders that the board must understand? Give examples of each type.

• Stakeholders Directly Involved in the Operation of the Organization's Business — Examples include employees, customers, and vendors. • Stakeholders Interested in the Organization's Business — Examples include shareholders, investors, certain regulators, and financial institutions. • Stakeholders Influencing the Organization's Business — Examples include certain regulators, financial institutions, rating agencies, industry associations, and competitors.

Given that directors typically do not interface directly with key stakeholders, how might a board of directors obtain an understanding of key stakeholder expectations?

• Stakeholders Directly Involved in the Operation of the Organization's Business — Most director interactions are with senior management. However, it can be beneficial for directors to periodically meet with employees to gain a better understanding of the organization's culture and how it operates. Information about the expectations of customers and vendors also can be obtained by discussing such expectations with both senior management and other employees. • Stakeholders Interested in the Organization's Business — Needs and expectations of shareholders and investors may be communicated during annual shareholder meetings, calls to an organization's investor relations department, posted on blogs about the organizations, or indirectly from third-party sources. • Stakeholders Influencing the Organization's Business — Such stakeholders may provide information about their needs and expectations in reports they create about the organization or through information they provide on their own websites.

What are the three lines of defense in the Three Lines of Defense model?

• The first line of defense represents the internal control activities conducted by individuals and management. These activities are comprised of both the specific internal control activities, referred to as internal control measures in the model, and management controls, which are those that oversee and monitor the individual activities. • The second line of defense represents other assurance activities such as those listed in exhibit 3- 5. These activities are conducted by individuals reporting through different lines of management than those directly responsible for the internal control activities. • The third line of defense represents the assurance internal audit functions provide. Since internal audit functions typically report functionally to the board and have no other management responsibilities, they are in the best position to provide independent and objective assurance.

What are COSO's five categories of risk response?

■ Accept. ■ Avoid. ■ Pursue. ■ Reduce. ■ Share.

Additional knowledge, skills, and credentials in-charge internal auditors might be expected to possess.

■ An in-depth knowledge of the organization and its industry. ■ Specialized subject matter expertise in more than one area such as accounting, technology, emerging regulations, enterprise risk management, or control self-assessment. ■ Communicating effectively and building rapport with management. ■ Coaching subordinates and sharing expertise. ■ Making presentations to and facilitating meetings of management personnel. Credentials in-charge internal auditors are expected to possess include, for example: ■ Professional certification such as a CIA, Certified Public Accountant (CPA), Chartered Accountant (CA), or Certified Information Systems Auditor (CISA). ■ A developing track record of successfully leading engagements that is reflected in positive performance evaluations and complimentary feedback from service recipients.

What are the 11 risk management principles identified in ISO 31000?

■ Creates and protects value. ■ Is an integral part of all organizational processes. ■ Is part of decision-making. ■ Explicitly addresses uncertainty. ■ Is systematic, structured, and timely. ■ Is based on the best available information. ■ Is tailored. ■ Takes human and cultural factors into account. ■ Is transparent and inclusive. ■ Is dynamic, iterative, and responsive to change. ■ Facilitates continual improvement of the organization.

Additional knowledge, skills, and credentials CAEs might be expected to possess.

■ Deep expertise in governance, risk management, and control. ■ Commanding respect among senior executives. ■ Thinking strategically and stimulating change within the organization. ■ Building and sustaining an internal audit function that adds value to the organization. Credentials internal audit executives are expected to possess include, for example: ■ A history of successful professional advancement and leadership. ■ A reputation inside and outside the organization as a thought leader in governance, risk management, and control.

For an organization that has not implemented ERM, describe steps the internal audit function can take to initiate an ERM program without impairing the function's independence and/or objectivity.

■ Educate the board and management on the benefits of implementing ERM. ■ Perform or facilitate an enterprisewide risk assessment, the results of which could also support internal audit planning. ■ Determine the board's and/or management's risk tolerance levels against which audit findings are evaluated to facilitate communication of which issues should receive the greatest level of risk man- agement attention by management. ■ Report to the audit committee on the accuracy and completeness of management's risk communi- cations. ■ Outline key procedures that management should consider if they do decide to implement ERM.

In what forms might risk information be communicated?

■ Electronic messaging. ■ External/third-party materials. ■ Informal/verbal updates. ■ Training and seminars. ■ Written internal documents.

What five activities are included in the ISO 31000 risk management process?

■ Establish the context. ■ Assess the risks. ■ Treat the risks. ■ Monitor the risks. ■ Establish a communication and consultation process.

What are some ERM consulting activities the internal audit function may perform if appropriate safeguards are implemented?

■ Facilitating identification and evaluation of risks. ■ Coaching management in responding to risks. ■ Coordinating ERM activities. ■ Consolidating the reporting on risks. ■ Maintaining and developing the ERM framework. ■ Championing establishment of ERM. ■ Developing ERM strategy for board approval.

What are some ERM assurance activities the internal audit function may perform?

■ Giving assurance on the risk management processes. ■ Giving assurance that risks are correctly evaluated. ■ Evaluating risk management processes. ■ Evaluating the reporting of key risks. ■ Reviewing the management of key risks.

What types of procedures might an internal auditor use to test the design adequacy and operating effectiveness of governance, risk management, and control processes?

■ Inquiring of managers and employees. ■ Observing activities. ■ Inspecting resources and documents. ■ Reperforming control activities. ■ Performing trend and ratio analysis. ■ Performing data analysis using computer-assisted audit techniques. ■ Gathering corroborating information from independent third parties. ■ Performing direct tests of events and transactions.

The inherent personal qualities common among successful internal auditors.

■ Integrity. ■ Passion. ■ Work ethic. ■ Curiosity. ■ Creativity. ■ Initiative. ■ Flexibility. ■ Competitiveness. ■ Commitment to excellence. ■ Inquisitiveness. ■ Confidence. ■ Professionalism.

What are the three parts of the CIA exam?

■ Internal Audit Basics. ■ Internal Audit Practice. ■ Internal Audit Knowledge Elements.

The knowledge, skills, and credentials entry-level internal auditors are expected to possess

■ Knowledge of internal auditing and audit-related subjects such as accounting, management, and IT. ■ Understanding the concepts of business objectives, risks, and controls. ■ Hands-on working knowledge of audit-related software such as flowcharting software and generalized audit software. ■ Oral and written communication skills. ■ Analytical, problem-solving skills. ■ A good GPA. ■ Scholarships. ■ An internship or other relevant work experience. ■ Active involvement in a student organization such as an IIA student chapter or a business frater- nity. ■ Although not yet common, completion of one or more parts of the CIA exam by students before they graduate is rising. "

What are the five components of the ISO 31000 risk management framework?

■ Mandate and commitment. ■ Design of framework for managing risk. ■ Implementing the risk management framework and process. ■ Monitoring the framework. ■Continually improving the framework.

According to COSO, what are the fundamental concepts emphasized in its definition of enterprise risk management (ERM)?

■ Recognizing culture and capabilities, which are key aspects of ERM. ■ Applying practices, which are the procedures and tasks employed by the organization to ensure effective risk management. ■ Integrating with strategy-setting and its execution, which involves management considering the implications of each strategy to the organization's risk profile. ■ Managing risk to strategy and business objectives provides management and the board of direc- tors with a reasonable expectation that they can achieve the overall strategy and business objec- tives. ■ Linking to creating, preserving, and realizing value means that, ultimately, the success of risk management is determined by value.

What are the five COSO ERM components?

■ Risk Governance and Culture. ■ Risk, Strategy, and Objective-Setting. ■ Risk in Execution. ■ Risk Information, Communication, and Reporting. ■ Monitoring Enterprise Risk Management Performance.

What are the five fundamental points embedded in the COSO and ISO definitions of risk?

■ Risk begins with strategy formulation and setting of business objectives. ■ Risk involves uncertainty, which COSO refers to as "The state of not knowing how potential events may or may not manifest." ■ Risk does not represent a single point estimate (for example, the most likely outcome). Rather, it represents a range of possible outcomes. ■ Risks may relate to preventing bad things from happening (risk mitigation), or failing to ensure good things happen (that is, exploiting or pursuing opportunities). ■ Risks are inherent in all aspects of life—that is, wherever uncertainty exists, one or more risks exist.

One of your classmates, I. M. Motivated, consistently carries a very heavy class load. In addition to his already heavy class load, he is contemplating applying for an internal audit internship at a local company. Discuss the opportunities and risks that are relevant to his decision.

■ Résumé enhancement, which could make it easier to get a job interview. ■ Relevant experience may help the student determine whether internal auditing is the right career choice. ■ Such experience may also make it easier to get a job. ■ The student will likely receive compensation while working as an intern. ■ The student will expand his or her professional network, which could help during his or her career. Risks include: ■ Class performance may suffer due to demands on the student's time. ■ Poor performance while serving as in intern may hurt the student's chances of getting the desired job. ■ Health problems may result if the student feels excess stress or does not get adequate sleep. ■ Important relationships in the university environment may suffer.

What ERM activities should the internal audit function not perform?

■ Setting the risk appetite. ■ Imposing risk management processes. ■ Management assurance on risks. ■ Taking decisions on risk responses. ■ Implementing risk responses on management's behalf. ■ Accountability for risk management.

Risk assessment most commonly focuses on two criteria—impact and likelihood. As an organization's risk assessment process evolves, what other criteria might be valuable to consider and why?

■ Speed of onset—a risk that occurs quickly (a terrorist act) may be more difficult to react to than one for which advance planning may mitigate the impact (Y2K). ■ Controllability—some risks can be managed more effectively than others; for example, external risks tend to be less controllable than internal risks. ■ Speed of reaction—the slower an organization can react to a risk occurrence, the greater the impact may be. ■ Interdependencies with other risks—the impact of a given risk may be tolerable, but if a risk occur- rence triggers other risk outcomes, the aggregate impact may be intolerable. ■ Monitorability—some risks lend themselves to risk indicators that may allow for more timely reac- tion than others; for example, there is advance warning of a hurricane but a tornado may arise very unexpectedly. ■ Third-party impact—while the organization may be able to react to and manage certain risk occur- rences, key related third parties (such as customers, vendors, lenders, etc.) may not be as resilient, which could increase the impact of a risk occurrence.

What are the four categories of business objectives discussed in this chapter?

■ Strategic objectives, which pertain to the value creation choices management makes on behalf of the organization's stakeholders. ■ Operations objectives, which pertain to the effectiveness and efficiency of the organization's opera- tions, including performance and profitability goals and safeguarding resources against loss. ■ Reporting objectives, which pertain to the reliability of internal and external reporting of financial and nonfinancial information. ■ Compliance objectives, which pertain to adherence to applicable laws and regulations.

What are typical ERM responsibilities of management?

■ The CEO is ultimately responsible for the effectiveness and success of ERM. One of the most important aspects of this responsibility is ensuring that a positive and ethical tone is set. The CEO influences the composition and conduct of the board, provides leadership and direction to senior managers, and monitors the organization's overall risk activities in relation to its risk appetite. When evolving circumstances, emerging risks, strategy implementation, or anticipated actions indicate potential misalignment with risk criteria, the CEO takes the necessary actions to reestablish alignment. ■ Senior managers in charge of the various organizational units have responsibility for managing risks related to their specific units' objectives. They convert the organization's overall strategy into ongoing operations activities, identify potential risk events, assess the related risks, and implement actions to manage those risks. Managers guide the application of the organization's ERM components relative to and within their spheres of responsibility, ensuring the application of those components is consistent with the board's and management's levels of acceptable varia- tion in performance. They assign responsibility for specific ERM procedures to managers of the functional processes. As a result, these managers usually play a more active role in devising and executing particular risk procedures that address the unit's objectives, such as techniques for risk identification and assessment, and in determining specific risk management strategies, for example, developing policies and procedures for purchasing goods or accepting new customers. ■ Staff functions, such as accounting, human resources, compliance, or legal, also have import- ant supporting roles in designing and executing effective ERM practices. These functions may design and implement programs that help manage certain key risks across the entire organization.