
CIA Part 1

Essentials of Internal Auditing


HOCK international books are licensed only for individual use and may not be lent,
copied, sold, or otherwise distributed without permission directly from HOCK
international.

If you did not download this book directly from HOCK international, it is not a
genuine HOCK book. Using genuine HOCK books assures that you have complete,
accurate and up-to-date materials. Books from unauthorized sources are likely outdated and
will not include access to our online study materials or access to HOCK teachers.

Hard copy books purchased from HOCK international or from an authorized training center
should have an individually numbered orange hologram with the HOCK globe logo on a color
cover. If your book does not have a color cover or does not have this hologram, it is not a
genuine HOCK book.
2019 Edition

CIA
Preparatory Program

Part 1

Essentials of Internal Auditing

Brian Hock, CIA, CMA


and
Carl Burch, CIA, CMA
with
Kevin Hock and Kekoa Kaluhiokalani
HOCK international, LLC
P.O. Box 6553
Columbus, Ohio 43206

(866) 807-HOCK or (866) 807-4625


(281) 652-5768

www.hockinternational.com
[email protected]

Published January 2019

Acknowledgements

Acknowledgement is due to the Institute of Internal Auditors for permission to use
copyrighted questions and problems from the Certified Internal Auditor Examinations by The
Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, Florida 32701
USA. Reprinted with permission.

The authors would also like to thank the Institute of Certified Management Accountants for
permission to use questions and problems from past CMA Exams. The questions and
unofficial answers are copyrighted by the Institute of Certified Management Accountants
and have been used here with their permission.

The authors also wish to thank the IT Governance Institute for permission to make use of
concepts from the publication Control Objectives for Information and related Technology
(COBIT) 3rd Edition, © 2000, IT Governance Institute, www.itgi.org. Reproduction without
permission is not permitted.

© 2019 HOCK international, LLC

No part of this work may be used, transmitted, reproduced or sold in any form or by any
means without prior written permission from HOCK international, LLC.

ISBN: 978-1-934494-17-2
Thanks

The authors would like to thank the following people for their assistance in the production of
this material:

• Lynn Roden, CMA for her assistance in the technical elements of the material,
• All of the staff of HOCK Training and HOCK international for their patience in the
multiple revisions of the material,
• The students of HOCK Training in all of our classrooms and the students of HOCK
international in our Distance Learning Program who have made suggestions, comments
and recommendations for the material,
• Most importantly, to our families and spouses, for their patience in the long hours
and travel that have gone into these materials.

Editorial Notes

Throughout these materials, we have chosen particular language, spellings, structures and
grammar in order to be consistent and comprehensible for all readers. HOCK study
materials are used by candidates from countries throughout the world, and for many,
English is a second language. We are aware that our choices may not always adhere to
“formal” standards, but our efforts are focused on making the study process easy for all of
our candidates. Nonetheless, we continue to welcome your meaningful corrections and ideas
for creating better materials.

This material is designed exclusively to assist people in their exam preparation. No
information in the material should be construed as authoritative business, accounting or
consulting advice. Appropriate professionals should be consulted for such advice and
consulting.
Dear Future CIA:
Welcome to HOCK international! You have made a wonderful commitment to yourself and
your profession by choosing to pursue this prestigious credential. The process of certification
is an important one that demonstrates your skills, knowledge, and commitment to your
work.
We are honored that you have chosen HOCK as your partner in this process. We know that
this is a great responsibility, and it is our goal to make this process as efficient as possible
for you. To do so, HOCK has developed the following tools for your use:
• A Study Plan that guides you, week by week, through the study process. You can
also create a personalized study plan online to adapt the plan to fit your schedule.
Your personalized plan can also be emailed to you at the beginning of each week.
• The Textbook that you are currently reading. This is your main study source and
contains all of the information necessary to pass the exam. This textbook follows the
exam contents and provides all necessary background information so that you don’t
need to purchase or read other books.
• The Flash Cards include short summaries of main topics, key formulas and concepts.
You can use them to review whenever you have a few minutes, but don’t want
to take your textbook along.
• ExamSuccess contains original questions and questions from past exams that are
relevant to the current syllabus. Answer explanations for the correct and incorrect
answers are also included for each question.
• A Mock Exam enables you to make final preparations using questions that you have
not seen before.
• Teacher Support via our online student forum, e-mail, and telephone throughout
your studies to answer any questions that may arise.
• Videos using a multimedia learning platform that provide the same coverage as a
live-taught course, teaching all of the main topics on the exam syllabus.
We understand the commitment that you have made to the exams, and we will match that
commitment in our efforts to help you. Furthermore, we understand that your time is too
valuable to study for an exam twice, so we will do everything possible to make sure that
you pass the first time.
I wish you success in your studies, and if there is anything I can do to assist you, please
contact me directly at [email protected].
Sincerely,

Brian Hock, CIA, CMA


President and CEO

Table of Contents

Exam Introduction .......... 1
    Box Styles Used in This Book .......... 1

Section I – Foundations of Internal Auditing .......... 2
    A. The Purpose, Authority, and Responsibility of the IAA .......... 9
    B. The Internal Audit Charter .......... 9
    C. Assurance and Consulting Services .......... 12
    D. IIA Code of Ethics .......... 14

Section II – Independence and Objectivity .......... 17
    A. Organizational Independence and Individual Objectivity .......... 18
    B and C. Impairments to Independence or Objectivity .......... 22
    D. Policies That Promote Objectivity .......... 26

Section III – Proficiency and Due Professional Care .......... 27
    A and B. Proficiency (Standard 1210) .......... 27
    C. Due Professional Care (Standard 1220) .......... 33
    D. Competency Through Continuing Professional Development .......... 35

Section IV – Quality Assurance and Improvement Program .......... 36
    A. The Requirements of the QAIP .......... 37
    B. Reporting the Results of the QAIP .......... 42
    C. Disclosure of Conformance or Nonconformance .......... 43

Section V – Governance, Risk Management, and Controls .......... 45
    Three Lines of Defense Model .......... 45
    A. Organizational Governance .......... 47
        Cornerstones of Good Corporate Governance – The IIA Corporate Governance Model .......... 47
        The Board of Directors .......... 48
        Stakeholders and Corporate Governance .......... 49
        The Internal Auditor’s Role in Organizational Governance .......... 51
    B. Organizational Culture .......... 53
    C. Ethics .......... 55
        The Internal Auditor’s Role in Assessing Organizational Ethics .......... 55
        Ethics Advocates .......... 57
        Code of Conduct Policy .......... 58
    D. Corporate Social Responsibility .......... 59
    E. Concepts of Risk and Risk Management .......... 64
        Types of Risk .......... 66
        Risk Appetite, Risk Tolerance, and Risk Capacity .......... 67
    F. Globally Accepted Risk Management Frameworks .......... 82
        COSO Framework on Enterprise Risk Management .......... 84
        ISO 31000 Principles, Framework, and Process .......... 89
    G. Examining the Effectiveness of Risk Management .......... 93
    H. Appropriateness of IAA’s Role in the Risk Management Process .......... 96
    I. Interpret Internal Control Concepts and Types of Controls .......... 98
        Establishing the Control Process .......... 102
        Controls in the Accounting Transaction Cycles .......... 107
    J. Globally Accepted Internal Control Frameworks .......... 115
        The COSO Model .......... 115
        Alternative Control Frameworks .......... 121
    K. Examine the Effectiveness and Efficiency of Internal Controls .......... 123

Section VI – Fraud Risks .......... 126
    A. Fraud Risks and Types of Fraud .......... 126
    B. Evaluating Potential for Occurrence of Fraud .......... 129
    C. Recommend Controls to Prevent and Detect Fraud .......... 133
    D. Forensic Auditing .......... 135

Appendix A: Glossary .......... 137
Appendix B: Model Internal Audit Activity Charter .......... 140
Appendix C: Practice Advisories for QAIP .......... 144
Appendix D: Sample Code of Conduct .......... 152
Appendix E: 40 Common Forms of Fraud .......... 154

Exam Introduction
The CIA Part 1 exam, Essentials of Internal Auditing, is 150 minutes (2 hours and 30 minutes) long and
consists of 125 multiple-choice questions.

The CIA Part 1 syllabus has six sections:

• Section I: Foundations of Internal Auditing (15%)
• Section II: Independence and Objectivity (15%)
• Section III: Proficiency and Due Professional Care (18%)
• Section IV: Quality Assurance and Improvement Program (7%)
• Section V: Governance, Risk Management, and Control (35%)
• Section VI: Fraud Risks (10%)

Additionally, the IIA syllabus refers to proficient and basic cognitive levels:

• Proficient. Candidates must exhibit thorough understanding and ability to apply concepts,
processes, or procedures; analyze, evaluate, and make judgments based on criteria; and/or put
elements or material together to formulate conclusions and recommendations.

• Basic. Candidates must retrieve relevant knowledge from memory and/or demonstrate basic
comprehension of concepts or processes.

In preparing for the exam, candidates need to read the textbook and use the ExamSuccess software with
questions from past exams. Many of the exam topics are very large; therefore, by studying past exam
questions candidates can get a feeling for the manner and depth to which a topic is tested.

As a word of caution, you might notice that the terminology used in this book may be different than what
you are familiar with from your workplace. Because internal auditing is an internal activity, there are no
established or standardized terms that apply in every organization. Keep in mind that the terms used in
this book are the terms that appear on the exams, so you should become accustomed to them.

Box Styles Used in This Book

The following box styles used throughout this book indicate material quoted from various IIA sources. Minor
changes may have been made to the formatting, but no changes have been made to the content.

Content quoted from the IIA website¹ appears in light grey boxes with an orange border.

Content quoted from the Standards or Implementation Guides appears in yellow boxes.

Content quoted from Practice Advisories or Implementation Guides appears in orange boxes.

Note: Quotes may not include the entire section or may include non-sequential sections.

¹ The website is https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx#mandatory.


Section I – Foundations of Internal Auditing


The best place to start preparing for CIA Part 1 is by understanding the guidance for internal auditors and
a company’s internal audit activity (IAA). The IIA provides explanations and outlines of the different
categories of guidance, so when it is appropriate, the IIA explanation and description of the various sources
of guidance will be provided.

The main source of guidance is the International Professional Practices Framework (IPPF).

Within the IPPF there are the following sections:

• The Mission of Internal Audit

• Mandatory Guidance

• Recommended Guidance

As the names indicate, only mandatory guidance must be followed.

Standards & Guidance — International Professional Practices Framework (IPPF)®

The International Professional Practices Framework (IPPF) is the conceptual framework that organizes
authoritative guidance promulgated by The Institute of Internal Auditors. A trustworthy, global,
guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance
organized in the IPPF as mandatory guidance and recommended guidance.

Mandatory Guidance

Conformance with the principles set forth in mandatory guidance is required and essential for the
professional practice of internal auditing. Mandatory guidance is developed following an established due
diligence process, which includes a period of public exposure for stakeholder input. The mandatory
elements of the IPPF are:

• Core Principles for the Professional Practice of Internal Auditing

• Definition of Internal Auditing

• Code of Ethics

• International Standards for the Professional Practice of Internal Auditing (Standards)

Recommended Guidance

Recommended guidance is endorsed by The IIA through a formal approval process. It describes practices
for effective implementation of The IIA’s Core Principles, Definition of Internal Auditing, Code of Ethics,
and Standards. The recommended elements of the IPPF are:

• Implementation Guidance — assist internal auditors in applying the Standards.

• Supplemental Guidance (Practice Guides) — provide detailed processes and procedures for internal
audit practitioners.


This graphic from the IIA website provides a visual representation of the IPPF, the Mission, the Mandatory
Guidance, and the Recommended Guidance.

When you are presented with a question, look first in the Mandatory Guidance for an answer. If there is no
answer in the Mandatory Guidance, look in the Recommended Guidance.

The Mission of Internal Audit


The mission describes the goals of the internal audit activity within the organization and encompasses all
of the remaining elements of the IPPF.

The Mission of Internal Audit articulates what internal audit aspires to accomplish within an organization.
Its place in the New IPPF is deliberate, demonstrating how practitioners should leverage the entire
framework to facilitate their ability to achieve the Mission.

To enhance and protect organizational value by providing risk-based and objective assurance, advice,
and insight.

Exam Tip: Memorize the Mission of Internal Audit.


Mandatory Guidance
“Mandatory guidance” refers to standards and principles from the IIA that must be followed. “Mandatory”
means that it is a requirement, not a suggestion. The four sources of mandatory guidance are:

1) Core Principles for the Professional Practice of Internal Auditing

2) Definition of Internal Auditing

3) Code of Ethics

4) International Standards for the Professional Practice of Internal Auditing (Standards)

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit
activity to be considered effective, all Principles should be present and operating effectively. How an
internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles
may be quite different from organization to organization, but failure to achieve any of the Principles
would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s
mission.

The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal
auditing. The definition is:

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, con-
trol, and governance processes.

The Code of Ethics states the principles and expectations governing behavior of individuals and
organizations in the conduct of internal auditing. It describes the minimum requirements for conduct and
behavioral expectations rather than specific activities.

The Standards are principle-focused and provide a framework for performing and promoting internal
auditing. The Standards are mandatory requirements consisting of:

• Statements of basic requirements for the professional practice of internal auditing and for evaluating
the effectiveness of its performance. The requirements are internationally applicable for organiza-
tions and individuals.

• Interpretations, which clarify terms or concepts within the statements.

• Glossary Terms.

It is necessary to consider both Statements and Interpretations to understand and apply the Standards
correctly. The Standards employs terms that have been given specific meanings included in the Glossary.

Exam Tip: Memorize the Definition of Internal Auditing.


The Core Principles


There are ten Core Principles that provide guidance for the IAA:

1) Demonstrates integrity.

2) Demonstrates competence and due professional care.

3) Is objective and free from undue influence (independent).

4) Aligns with the strategies, objectives, and risks of the organization.

5) Is appropriately positioned and adequately resourced.

6) Demonstrates quality and continuous improvement.

7) Communicates effectively.

8) Provides risk-based assurance.

9) Is insightful, proactive, and future-focused.

10) Promotes organizational improvement.

Exam Tip: Memorize the ten core principles of internal auditing.

Introduction to the Standards


The Standards provide a guide for the practice of internal auditing. Most of the Standards are tested on the
CIA exam, but initially it is important just to understand the structure of the Standards. This text from the
IIA is an excellent outline of the Standards and its objectives.

Internal auditing is conducted in diverse legal and cultural environments; for organizations that vary in
purpose, size, complexity, and structure; and by persons within or outside the organization. While dif-
ferences may affect the practice of internal auditing in each environment, conformance with The IIA’s
International Standards for the Professional Practice of Internal Auditing (Standards) is essential in
meeting the responsibilities of internal auditors and the internal audit activity.

The purpose of the Standards is to:

1. Guide adherence with the mandatory elements of the International Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing
services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards are principles-focused, mandatory requirements consisting of:

• Statements of core requirements for the professional practice of internal auditing and for evaluating
the effectiveness of performance that are internationally applicable at organizational and individual
levels.
• Interpretations clarifying terms or concepts within the Standards.

The Standards, together with the Code of Ethics, encompass all mandatory elements of the International
Professional Practices Framework; therefore, conformance with the Code of Ethics and the Standards
demonstrates conformance with all mandatory elements of the International Professional Practices
Framework.

(continued)


The Standards employ terms as defined specifically in the Glossary. To understand and apply the
Standards correctly, it is necessary to consider the specific meanings from the Glossary. Furthermore, the
Standards use the word “must” to specify an unconditional requirement and the word “should” where
conformance is expected unless, when applying professional judgment, circumstances justify deviation.

The Standards comprise two main categories: Attribute and Performance Standards. Attribute
Standards address the attributes of organizations and individuals performing internal auditing. Performance
Standards describe the nature of internal auditing and provide quality criteria against which the
performance of these services can be measured. Attribute and Performance Standards apply to all internal
audit services.

Implementation Standards expand upon the Attribute and Performance Standards by providing the
requirements applicable to assurance (.A) or consulting (.C) services.

Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions
or conclusions regarding an entity, operation, function, process, system, or other subject matters. The
nature and scope of an assurance engagement are determined by the internal auditor. Generally, three
parties are participants in assurance services: (1) the person or group directly involved with the entity,
operation, function, process, system, or other subject matter—the process owner, (2) the person or
group making the assessment—the internal auditor, and (3) the person or group using the assessment—
the user.

Consulting services are advisory in nature and are generally performed at the specific request of an
engagement client. The nature and scope of the consulting engagement are subject to agreement with
the engagement client. Consulting services generally involve two parties: (1) the person or group
offering the advice—the internal auditor, and (2) the person or group seeking and receiving the advice—the
engagement client. When performing consulting services the internal auditor should maintain objectivity
and not assume management responsibility.

The Standards apply to individual internal auditors and the internal audit activity. All internal auditors
are accountable for conforming with the standards related to individual objectivity, proficiency, and due
professional care and the standards relevant to the performance of their job responsibilities. Chief audit
executives are additionally accountable for the internal audit activity’s overall conformance with the
Standards.

If internal auditors or the internal audit activity is prohibited by law or regulation from conformance with
certain parts of the Standards, conformance with all other parts of the Standards and appropriate
disclosures are needed.

If the Standards are used in conjunction with requirements issued by other authoritative bodies, internal
audit communications may also cite the use of other requirements, as appropriate. In such a case, if the
internal audit activity indicates conformance with the Standards and inconsistencies exist between the
Standards and other requirements, internal auditors and the internal audit activity must conform with
the Standards and may conform with the other requirements if such requirements are more restrictive.

The review and development of the Standards is an ongoing process. The International Internal Audit
Standards Board engages in extensive consultation and discussion before issuing the Standards. This
includes worldwide solicitation for public comment through the exposure draft process. All exposure
drafts are posted on The IIA’s website as well as being distributed to all IIA institutes.

Note: The IIA’s Standards Glossary is presented in Appendix A.

Note: Being familiar with the Standards is one of the best ways to prepare for the exam. The original
text of the Standards is presented in the textbook where it is relevant.


Types of Standards

1) Attribute Standards
Attribute Standards (1000–1300) are concerned with the characteristics of the organization and the parties
performing the auditing activities. The primary components of the Attribute Standards are:

• Purpose, Authority, and Responsibility (1000). The purpose, authority, and responsibility of
the IAA should be formally defined in the internal audit charter, consistent with the Standards, and
approved by the board.

• Independence and Objectivity (1100). The IAA must be independent and the internal auditors
must be objective in performing their work.

• Proficiency and Due Professional Care (1200). The engagement must be performed with
proficiency and due professional care.

• Quality Assurance and Improvement Program (1300). The Chief Audit Executive (CAE, the
head of the IAA) must develop and maintain a quality assurance and improvement program that
covers all aspects of the internal audit activity and continuously monitors its effectiveness. This
program includes periodic internal and external quality assessments and ongoing internal
monitoring. Each part of the program must be designed to help the internal auditing activity add value
and improve the organization’s operations. Furthermore, the program must provide assurance that
the internal audit activity conforms to the Definition of Internal Auditing, the Standards, and
the Code of Ethics.

2) Performance Standards
Performance Standards (2000–2600) describe the internal audit activities and criteria against which the
performance of these services can be evaluated. The primary components of the Performance Standards
are:

• Managing the Internal Audit Activity (2000). The CAE must effectively manage the internal
audit activity to ensure that it adds value to the organization.

• Nature of Work (2100). The internal audit activity must evaluate and contribute to the
improvement of risk management, control, and governance processes using a systematic and disciplined
approach.

• Engagement Planning (2200). Internal auditors must develop and record a plan for each
engagement, including the scope, objectives, timing, and resource allocations.

• Performing the Engagement (2300). Internal auditors must identify, analyze, evaluate, and
record sufficient information to achieve the engagement’s objectives.

• Communicating Results (2400). Internal auditors must communicate the engagement results.

• Monitoring Progress (2500). The CAE must establish and maintain a system to monitor the
disposition of results communicated to management.

• Resolution of Management’s Acceptance of Risks (2600). When the CAE believes that senior
management has accepted a level of residual risk that may be unacceptable to the organization,
the CAE must discuss the matter with senior management. If the decision regarding residual risk
is not resolved, the CAE and senior management must report the matter to the board for resolution.


3) Implementation Standards
Implementation Standards apply to the two specific types of engagements: assurance (.A) or consulting
(.C). For example, Standard 1000 (Purpose, Authority, and Responsibility) consists of implementation
standards 1000.A1 or 1000.C1, which are for assurance and consulting, respectively.

1) Assurance services involve the internal auditor’s objective assessment of evidence to provide an
independent opinion or conclusions. The internal auditor determines the nature and scope of the
assurance engagement. There are generally three parties involved in assurance services:

• The process owner, or the person or group directly involved with the process, system, or
other subject matter.

• The internal auditor, or the person or group making the assessment.

• The user, or the person or group using the assessment.

2) Consulting services are advisory in nature and are generally performed at the specific request
of an engagement client. The nature and scope of the consulting engagement are subject to
agreement with the engagement client. Consulting services generally involve two parties:

• The internal auditor, or the person or group offering the advice.

• The engagement client, or the person or group seeking and receiving the advice.

Note: The internal auditor should maintain objectivity and not assume management responsibility when
performing consulting services.

Recommended Guidance

1) Implementation Guidance

Implementation Guides assist internal auditors in applying the Standards. They collectively address
internal auditing’s approach, methodologies, and considerations, but do not detail processes or procedures.

2) Supplemental Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include
topical areas, sector-specific issues, as well as processes and procedures, tools and techniques,
programs, step-by-step approaches, and examples of deliverables.

Note: Previously, there was a category of recommended guidance called Practice Advisories (PAs). The
PAs provided detailed guidance for the application of the Standards and were the best practices endorsed
by the IIA for applying the Definition, Code of Ethics, and Standards. While the PAs are no longer included
in the Recommended Guidance, they are included here where appropriate. The PAs tend to be longer
and more detailed than the Implementation Guides and therefore make an excellent tool when preparing
for the exam.


A. The Purpose, Authority, and Responsibility of the IAA


The purpose, authority, and responsibility of the internal audit activity is the foundation on which the IAA
is built as it performs its work. The text of Standard 1000, as well as its Interpretations and Implementation
Standards, are shown here:

Standard 1000 – Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an
internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework (the Core Principles for the Professional Practice of In-
ternal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief
audit executive must periodically review the internal audit charter and present it to senior management
and the board for approval.

Interpretation:

The internal audit charter is a formal document that defines the internal audit activity’s purpose, author-
ity, and responsibility. The internal audit charter establishes the internal audit activity’s position within
the organization, including the nature of the chief audit executive’s functional reporting relationship with
the board; authorizes access to records, personnel, and physical properties relevant to the performance
of engagements; and defines the scope of internal audit activities. Final approval of the internal audit
charter resides with the board.

Implementation Standards:

1000.A1 – The nature of assurance services provided to the organization must be defined in the internal
audit charter. If assurances are to be provided to parties outside the organization, the nature of these
assurances must also be defined in the internal audit charter.

1000.C1 – The nature of consulting services must be defined in the internal audit charter.

The purpose, authority, and responsibility of the IAA need to be stated in the Internal Audit Charter, which
is covered in detail next.

B. The Internal Audit Charter


The internal audit charter (“the Charter”) provides the internal audit activity with a formal mandate to do
its work. The Charter is:

1) Written by the Chief Audit Executive (CAE).

2) Approved by the senior management and the board or audit committee.

3) Communicated to engagement clients.

4) Reviewed periodically by the CAE to make certain it is still relevant and appropriate.

Note: The Model Charter from the IIA is in Appendix B. We strongly recommend that you read through
the entire Charter as you begin your studies and also as a final review before you take the exam.

The Charter should:

• Establish the internal audit activity’s position within the organization, including the nature of the
CAE’s functional reporting relationship with the board.

• Authorize access to records, personnel, and physical properties relevant to the performance of
engagements.

• Define the scope of internal audit activities.


Sections of the Charter


There are seven sections in the Model Charter.

1) Purpose and Mission. Includes both the Mission of Internal Auditing and the Definition of Internal
Auditing.

From the Charter: The purpose of Company X’s internal audit activity is to provide independ-
ent, objective assurance and consulting services designed to add value and improve Company
X’s operations. The mission of internal audit is to enhance and protect organizational value by
providing risk-based and objective assurance, advice, and insight. The internal audit activity
helps Company X accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of governance, risk management, and control pro-
cesses.

2) Standards for the Professional Practice of Internal Auditing. Establishes that the IAA will
follow all of the mandatory elements of the IPPF. Additionally, the CAE must report periodically to
the board about the IAA’s conformance to the Standards and Code of Ethics.

From the Charter: The internal audit activity will govern itself by adherence to the mandatory
elements of The Institute of Internal Auditors' International Professional Practices Framework,
including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics,
the International Standards for the Professional Practice of Internal Auditing, and the Definition
of Internal Auditing. The chief audit executive will report periodically to senior management and
the board regarding the internal audit activity’s conformance to the Code of Ethics and the
Standards.

This requirement to follow the Standards is also set out in Standard 1010:

Standard 1010 – Recognizing Mandatory Guidance in the Internal Audit Charter

Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the
Internal Audit Charter

The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing,
the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in
the internal audit charter. The chief audit executive should discuss the Mission of Internal Audit
and the mandatory elements of the International Professional Practices Framework with senior
management and the board.

3) Authority. Establishes the dual reporting process for the IAA and:

• What the board will do to make certain that the IAA has sufficient authority to fulfill its duties.

• What the board authorizes the IAA to do. This includes the board providing the IAA with full,
free, and complete access to all functions, records, property, and personnel that is needed for
the IAA to fulfill its duties.

The Charter should specify the dual reporting process for the IAA.

From the Charter: The chief audit executive will report functionally to the board and adminis-
tratively (i.e., day-to-day operations) to the chief executive officer.


4) Independence and Objectivity. Specifies that the IAA must have organizational independence
and that internal auditors maintain objectivity. The first two paragraphs of this section are:

From the Charter: The chief audit executive will ensure that the internal audit activity remains
free from all conditions that threaten the ability of internal auditors to carry out their responsi-
bilities in an unbiased manner, including matters of audit selection, scope, procedures,
frequency, timing, and report content. If the chief audit executive determines that independence
or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed
to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engage-
ments objectively and in such a manner that they believe in their work product, that no quality
compromises are made, and that they do not subordinate their judgment on audit matters to
others.


5) Scope of Internal Audit Activities. The potential scope of work for the IAA is vast. The main
type of engagement is assurance, but it is also possible that the IAA will perform consulting en-
gagements. However, if the IAA performs consulting engagements, that authorization must be
specifically stated in the Charter.

From the Charter: The scope of internal audit activities encompasses, but is not limited to,
objective examinations of evidence for the purpose of providing independent assessments to
the board, management, and outside parties on the adequacy and effectiveness of governance,
risk management, and control processes for Company X.

The chief audit executive also coordinates activities, where possible, and considers relying upon
the work of other internal and external assurance and consulting service providers as needed.
The internal audit activity may perform advisory and related client service activities, the nature
and scope of which will be agreed with the client, provided the internal audit activity does not
assume management responsibility.

Opportunities for improving the efficiency of governance, risk management, and control pro-
cesses may be identified during engagements. These opportunities will be communicated to the
appropriate level of management.

6) Responsibility. Outlines the specific responsibilities of the CAE.

From the Charter: The chief audit executive has the responsibility to:

• Submit, at least annually, to senior management and the board a risk-based internal audit plan
for review and approval.

• Communicate to senior management and the board the impact of resource limitations on the
internal audit plan.

• Review and adjust the internal audit plan, as necessary, in response to changes in Company X’s
business, risks, operations, programs, systems, and controls.

• Communicate to senior management and the board any significant interim changes to the in-
ternal audit plan.

• Ensure each engagement of the internal audit plan is executed, including the establishment of
objectives and scope, the assignment of appropriate and adequately supervised resources, the
documentation of work programs and testing results, and the communication of engagement
results with applicable conclusions and recommendations to appropriate parties.

• Follow up on engagement findings and corrective actions, and report periodically to senior man-
agement and the board any corrective actions not effectively implemented.

• Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and
upheld.

• Ensure the internal audit activity collectively possesses or obtains the knowledge, skills, and
other competencies needed to meet the requirements of the internal audit charter.

• Ensure trends and emerging issues that could impact Company X are considered and commu-
nicated to senior management and the board as appropriate.

• Ensure emerging trends and successful practices in internal auditing are considered.

• Establish and ensure adherence to policies and procedures designed to guide the internal audit
activity.

• Ensure adherence to Company X’s relevant policies and procedures, unless such policies and
procedures conflict with the internal audit charter. Any such conflicts will be resolved or other-
wise communicated to senior management and the board.


7) Quality Assurance and Improvement Program: States that the IAA must perform engage-
ments at the expected level of quality. The QAIP is one of the ways that the IAA assesses and
ensures the proper level of quality and adherence to all of the Standards.

From the Charter: The internal audit activity will maintain a quality assurance and improve-
ment program that covers all aspects of the internal audit activity. The program will include an
evaluation of the internal audit activity’s conformance with the Standards and an evaluation of
whether internal auditors apply The IIA’s Code of Ethics. The program will also assess the effi-
ciency and effectiveness of the internal audit activity and identify opportunities for
improvement.

The chief audit executive will communicate to senior management and the board on the internal
audit activity’s quality assurance and improvement program, including results of internal as-
sessments (both ongoing and periodic) and external assessments conducted at least once every
five years by a qualified, independent assessor or assessment team from outside Company X.

C. Assurance and Consulting Services


The two main categories of services that the internal audit activity may provide are assurance and consult-
ing services.

The Standards Glossary defines assurance services as:

An objective examination of evidence for the purpose of providing an independent assess-
ment on governance, risk management, and control processes for the organization.
Examples may include financial, performance, compliance, system security, and due dili-
gence engagements.

The Standards Glossary defines consulting services as:

Advisory and related client services, the nature and scope of which are agreed upon with
the client and which are intended to add value and improve an organization’s operations.
Examples include counsel, advice, facilitation, process design and training.

The Standards state that internal auditors can only perform consulting services specifically defined in the
internal audit charter.


Comparing Assurance and Consulting Engagements


In an assurance engagement, the auditor provides an assessment and states an opinion about whether
or not something within the company is operating or performing correctly. The auditor should be objective
in the investigation and independent in the decision. Examples of assurance engagements include:

• Assessing if controls are properly designed and implemented.

• Whether production standards are being met.

• The accuracy of recorded financial transactions.

In a consulting engagement, the auditor provides advice or makes a suggestion. The auditor does not
need to be independent in a consulting engagement. Consulting engagements are often forward-
looking rather than an analysis of past events.

Types of Assurance Engagements


Some of the more common categories of assurance engagements include:

• Risk and control assessments

• Audits of third parties and contract compliance

• Security and privacy audits

• Performance and quality audits

• Key performance indicator audits

• Operational audits

• Financial audits

• Regulatory compliance audits

Types of Consulting Engagements


The Charter must specifically state that the IAA may provide consulting services before any such engage-
ments are started. Some of the more common categories of consulting engagements include:

• Training

• System design

• System development

• Due diligence

• Privacy

• Benchmarking

• Internal control assessments

• Process mapping

Note: More specific and detailed information about the types of assurance and consulting engagements
is covered in CIA Part 2.


Standards for Consulting Engagements


The Practice Advisories list twelve principles to guide internal auditors during consulting engagements. This
Practice Advisory, formerly PA 1000.C1-1, is no longer current, but the principles it outlined can still serve
as a useful guide for internal auditors. The following list is a condensed version of these twelve principles:

• Value is added by the IAA when it performs both assurance and consulting services. In
fact, the IAA is in a strong position to provide consulting services because of its professional stand-
ards and its knowledge of the company and its operations.

• Included in the internal audit charter is the provision that the IAA provide consulting
and other appropriate services. Additionally, any rules or standards applicable to the consulting
services must also be stated in the charter.

• The IAA may also provide other services besides assurance and consulting, such as in-
vestigating fraud and conducting due diligence.

• Consulting services do not impair the objectivity of either the internal auditor or the IAA.
However, the auditor’s first duty is as an auditor, and so all actions need to be governed by the
applicable internal audit guidelines and standards. Objectivity is not impaired as long as the inter-
nal auditor provides advice and does not take ownership of a specific process.

If an IAA is performing consulting engagements, it is imperative that the company’s internal auditors take
extra precautions to determine that senior management and the board all understand and agree with the
concept, operating guidelines, and communications required for performing consulting engagements. In-
dependence and objectivity issues connected to both consulting and assurance engagements are covered
in Section II.

D. IIA Code of Ethics


The Code of Ethics is an ethical guide for internal auditors. It does not provide specific guidance or pre-
scribe defined actions, because an auditor faces many different types of ethical situations.

The four principles in the Code are:

1) Integrity. Auditors should behave in a way that reflects positively on the auditor and the profes-
sion.

2) Objectivity. Auditors should make decisions based on facts and information and not on their
personal preferences or feelings.

3) Confidentiality. Auditors will learn many things that should be kept confidential. When in doubt,
auditors should err on the side of not sharing information.

4) Competency. Internal auditors should have the necessary skills, knowledge, and experience to
perform their work.

We strongly recommend that you memorize the Code of Ethics so that you can identify key words
that may be in a question or answer choice. The full text of the Code of Ethics follows.


The Code of Ethics states the principles and expectations governing the behavior of individuals and
organizations in the conduct of internal auditing. It describes the minimum requirements for conduct,
[sic] and behavioral expectations rather than specific activities.

Introduction to the Code of Ethics

The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal
auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, con-
trol, and governance processes.

A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on
the trust placed in its objective assurance about governance, risk management, and control.

The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components:

• Principles that are relevant to the profession and practice of internal auditing.

• Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid
to interpreting the Principles into practical applications and are intended to guide the ethical conduct
of internal auditors.

“Internal auditors” refers to Institute members, recipients of or candidates for IIA professional certifica-
tions, and those who perform internal audit services within the Definition of Internal Auditing.

Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code
of Ethics will be evaluated and administered according to The Institute’s Bylaws and Administrative Di-
rectives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it
from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate
can be liable for disciplinary action.

Principles

Internal auditors are expected to apply and uphold the following principles:

1. Integrity

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judg-
ment.

2. Objectivity

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and com-
municating information about the activity or process being examined. Internal auditors make a balanced
assessment of all the relevant circumstances and are not unduly influenced by their own interests or by
others in forming judgments.

3. Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose infor-
mation without appropriate authority unless there is a legal or professional obligation to do so.

4. Competency

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal
auditing services.


Rules of Conduct

1) Integrity

Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to
the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2) Objectivity

Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationships that may be in conflict
with the interests of the organization.

2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
activities under review.

3) Confidentiality

Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2. Shall not use information for any personal gain or in any manner that would be contrary to the
law or detrimental to the legitimate and ethical objectives of the organization.

4) Competency

Internal auditors:

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and
experience.

4.2. Shall perform internal auditing services in accordance with the International Standards for the
Professional Practice of Internal Auditing.

4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.


Section II – Independence and Objectivity


Independence and objectivity are defined in Standard 1100.

Standard 1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing
their work.

Interpretation:

Independence is the freedom from conditions that threaten the ability of the internal audit
activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree
of independence necessary to effectively carry out the responsibilities of the internal audit activity, the
chief audit executive has direct and unrestricted access to senior management and the board.
This can be achieved through a dual-reporting relationship. Threats to independence must be managed
at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no quality
compromises are made. Objectivity requires that internal auditors do not subordinate their judgment
on audit matters to others. Threats to objectivity must be managed at the individual auditor,
engagement, functional, and organizational levels.

The model Charter also includes a statement about independence and objectivity.

From the Charter: The chief audit executive will ensure that the internal audit activity remains free
from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an
unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report
content. If the chief audit executive determines that independence or objectivity may be impaired in fact
or appearance, the details of impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements
objectively and in such a manner that they believe in their work product, that no quality compromises
are made, and that they do not subordinate their judgment on audit matters to others.


Independence and objectivity are also addressed in four other Standards:

1) Standard 1110 – Organizational Independence

2) Standard 1112 – Chief Audit Executive Roles Beyond Internal Auditing

3) Standard 1120 – Individual Objectivity

4) Standard 1130 – Impairment to Independence or Objectivity

The discussion of independence and objectivity is broken down into the following areas:

• Organizational independence and the reporting lines of the IAA.

• Impairments to the independence of the IAA or the objectivity of an individual auditor.

• Policies that promote independence and objectivity.


A. Organizational Independence and Individual Objectivity


Organizational independence is achieved largely through the status of the IAA and the authority that the
board gives to it. If the IAA is perceived to be important and reports to the board of directors, it will be
more independent because of the support it receives from the highest levels of the organization. If, on
the other hand, the IAA reports only to the chief accountant and there is a perception within the organization
that it does not add value to the organization (or it is not respected by the board), the IAA will have less
independence and its work will be less useful to the organization.

Note: It is vital for the IAA to have the support of senior management and of the board so that it can
work freely and without interference.

From the Charter: To establish, maintain, and assure that Company X’s internal audit activity has
sufficient authority to fulfill its duties, the board will:

• Approve the internal audit activity’s charter.

• Approve the risk-based internal audit plan.

• Approve the internal audit activity’s budget and resource plan.

• Receive communications from the chief audit executive on the internal audit activity’s performance
relative to its plan and other matters.

• Approve decisions regarding the appointment and removal of the chief audit executive.

• Approve the remuneration of the chief audit executive.

• Make appropriate inquiries of management and the chief audit executive to determine whether there
is inappropriate scope or resource limitations.

The chief audit executive will have unrestricted access to, and communicate and interact directly with,
the board, including in private meetings without management present.

The board authorizes the internal audit activity to:

• Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent
to carrying out any engagement, subject to accountability for confidentiality and safeguarding of
records and information.

• Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques re-
quired to accomplish audit objectives, and issue reports.

• Obtain assistance from the necessary personnel of Company X, as well as other specialized services
from within or outside Company X, in order to complete the engagement.



Dual Reporting Lines for the Internal Audit Activity


The ideal reporting situation is for the CAE to have two separate reporting structures:

1) Functional Reporting is connected to the engagements and their results. Proper functional re-
porting is the source of independence and authority for the IAA. The CAE reports functionally to
the board.

2) Administrative Reporting is the reporting relationship within the organization’s management
structure that facilitates the day-to-day operations of the IAA. The CAE reports administratively
to upper management.

Note: When there is an audit committee, functional reporting will often be done to an audit committee,
rather than to the board.

This dual reporting structure is shown below. Because the CEO reports to the board, both the administrative
and functional reporting lines end with the board of directors.

[Figure: Dual reporting lines. The Board of Directors is at the top. The Internal Audit Activity (CAE) reports
administratively to Senior Management (CEO) and functionally to the Audit Committee; both lines lead up
to the Board of Directors.]


Functional Reporting

Standard 1110 addresses organizational independence, and its Interpretation provides a list of examples of
functional reporting.

Standard 1110 – Organizational Independence

The chief audit executive must report to a level within the organization that allows the
internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the
board, at least annually, the organizational independence of the internal audit activity.

Interpretation:

Organizational independence is effectively achieved when the chief audit executive reports functionally
to the board. Examples of functional reporting to the board involve the board:

• Approving the internal audit charter;

• Approving the risk-based internal audit plan;

• Approving the internal audit budget and resource plan;

• Receiving communications from the chief audit executive on the internal audit activity’s performance
relative to its plan and other matters;

• Approving decisions regarding the appointment and removal of the chief audit executive;

• Approving the remuneration of the chief audit executive; and

• Making appropriate inquiries of management and the chief audit executive to determine whether
there are inappropriate scope or resource limitations.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal
auditing, performing work, and communicating results. The chief audit executive must disclose such
interference to the board and discuss the implications.

Practice Advisory 1110-1 provides more guidance about the role of the CAE in promoting organizational
independence.

Practice Advisory 1110-1

1. Support from senior management and the board assists the internal audit activity in gaining the
cooperation of engagement clients and performing their work free from interference.

2. The chief audit executive (CAE), reporting functionally to the board and administratively to
the organization’s chief executive officer, facilitates organizational independence. At a minimum
the CAE needs to report to an individual in the organization with sufficient authority to promote
independence and to ensure broad audit coverage, adequate consideration of engagement
communications, and appropriate action on engagement recommendations.

Administrative Reporting
PA 1110-1 provides a list of what administrative reporting typically includes.

4. Administrative reporting is the reporting relationship within the organization’s management
structure that facilitates the day-to-day operations of the internal audit activity. Administrative
reporting typically includes:

• Budgeting and management accounting.
• Human resource administration, including personnel evaluations and compensation.
• Internal communications and information flows.
• Administration of the internal audit activity’s policies and procedures.

20 © 2019 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.
Section II Section II – Independence and Objectivity

Individual Objectivity
Being objective means that the auditor must make conclusions based on facts without being influenced by
feelings, emotions, relationships, bribes, or any other outside influence. Individual objectivity is covered in
Standard 1120.

Standard 1120 – Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Further guidance is found in the Practice Advisory.

Practice Advisory 1120-1

1) Individual objectivity means the internal auditors perform engagements in such a manner that they
have an honest belief in their work product and that no significant quality compromises are made.
Internal auditors are not to be placed in situations that could impair their ability to make objective
professional judgments.

Maintaining Independence and Objectivity


Auditors should not be managers, not even temporary managers, in other departments and they should
not make operational decisions in any part of the company. The Model Charter provides a list of activities
that internal auditors should not do.

From the Charter: Internal auditors will have no direct operational responsibility or authority over any
of the activities audited. Accordingly, internal auditors will not implement internal controls, develop
procedures, install systems, prepare records, or engage in any other activity that may impair their
judgment, including:

• Assessing specific operations for which they had responsibility within the previous year.
• Performing any operational duties for Company X or its affiliates.
• Initiating or approving transactions external to the internal audit department.
• Directing the activities of any Company X employee not employed by the internal audit activity,
except to the extent that such employees have been appropriately assigned to auditing teams or to
otherwise assist internal auditors.

Internal auditors will:

• Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
• Exhibit professional objectivity in gathering, evaluating, and communicating information about the
activity or process being examined.
• Make balanced assessments of all available and relevant facts and circumstances.
• Take necessary precautions to avoid being unduly influenced by their own interests or by others in
forming judgments.



B and C. Impairments to Independence or Objectivity


Standard 1130 requires the disclosure of any impairment to the independence or objectivity of an auditor
or the IAA.

Standard 1130 – Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must
be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

An impairment is anything that might cause the auditor to be less than completely objective in an
engagement. As listed in the Interpretation to Standard 1130, common impairments include:

1) A personal conflict of interest.

2) A scope limitation, including a restriction of access to records, personnel, or properties.

3) Resource limitation, which includes funding limitations.

4) Situations where the auditor is assessing operations for which they were previously responsible.

5) Assurance engagements for functions over which the CAE has previously had responsibility.

6) Consulting engagements in areas where assurance engagements are also performed.

If an auditor believes that independence or objectivity has been impaired, the auditor must disclose the
nature of the impairment to the CAE or appropriate parties. If an impairment arises during an engagement,
it must be reported immediately to the manager of the engagement so that the situation can be addressed
or eliminated.

1) Conflicts of Interest
Conflict of interest is defined in the Interpretation to Standard 1120.

Standard 1120 – Interpretation

Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a
competing professional or personal interest. Such competing interests can make it difficult to fulfill his
or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A
conflict of interest can create an appearance of impropriety that can undermine confidence in the
internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an
individual’s ability to perform his or her duties and responsibilities objectively.

An auditor with a conflict of interest in an assurance engagement should be removed. The auditor can be
reassigned back to the engagement if the conflict is resolved.

Any conflicts of interest in a consulting engagement should be disclosed to the client. If the client has no
objections, then the auditor may remain on the consulting engagement.


2) Scope Limitations, Including Restriction of Access to Records, Personnel, or Property


A scope limitation is a restriction on the engagement that prevents accomplishing the objectives and
plans. Scope limitations are discussed in PA 1130-1.

2. A scope limitation is a restriction placed on the internal audit activity that precludes the activity from
accomplishing its objectives and plans. Among other things, a scope limitation may restrict the:

• Scope defined in the internal audit charter.
• Internal audit activity’s access to records, personnel, and physical properties relevant to the
performance of engagements.
• Approved engagement work schedule.
• Performance of necessary engagement procedures.
• Approved staffing plan and financial budget.

3. A scope limitation, along with its potential effect, needs to be communicated, preferably in writing,
to the board. The CAE needs to consider whether it is appropriate to inform the board regarding
scope limitations that were previously communicated to and accepted by the board. This may be
necessary particularly when there have been organization, board, senior management, or other
changes.


3) Resource Limitations
Without sufficient resources and funding, the IAA may not be able to operate independently and objectively.
For example, inadequate staffing, insufficient training, or outdated technology might invite compromises or
shortcuts that would impair the IAA’s position in the organization.

4) Assessing Operations for Which Internal Auditors Were Previously Responsible


Objectivity is assumed to be impaired if an auditor performs an assurance review of any activity over
which he or she recently had responsibility. Individuals who are assigned to or transferred to the IAA should
not audit areas where they worked until a reasonable period of time has elapsed, usually at least one
year. If an individual is assigned to an engagement where he or she worked in the past year, objectivity is
presumed to be impaired and such facts should be clearly stated when communicating the results relating
to the audited area.

Note: Objectivity is also impaired when auditors are auditing an area for which they will have future
responsibility within one year after the engagement.

5) CAE’s Previous Responsibility for Non-audit Functions


It is possible that management could ask an internal auditor to assume responsibility for a part of operations
that could be subject to periodic internal auditing assessments. Internal auditors should not accept such
assignments, but it is possible that management may insist.

If the IAA accepts responsibility and the operation is part of the audit plan, the CAE could minimize the
impairment to objectivity by using a third party to complete the audit (for example, an external auditor or
third-party contractor). In addition, the CAE should confirm that the individuals who have operational
responsibility will not participate in any internal audits of the operation.

Practice Advisory 1130.A2-1 Internal Audit’s Responsibility for Other (Non-audit) Functions provides
guidance for such situations.


Practice Advisory 1130.A2-1: Internal Audit’s Responsibility for Other (Non-audit) Functions

Primary Related Standard 1130.A2 – Assurance engagements for functions over which the chief audit
executive has responsibility must be overseen by a party outside the internal audit activity.

1. Internal auditors are not to accept responsibility for non-audit functions or duties that are
subject to periodic internal audit assessments. If they have this responsibility, then they are
not functioning as internal auditors.

2. When the internal audit activity, chief audit executive (CAE), or individual internal auditor is
responsible for, or management is considering assigning, an operational responsibility that the
internal audit activity might audit, the internal auditor’s independence and objectivity may be
impaired. At a minimum, the CAE needs to consider the following factors in assessing the impact
on independence and objectivity:

• Requirements of the Code of Ethics and the Standards.

• Expectations of stakeholders that may include the shareholders, board of directors, management,
legislative bodies, public entities, regulatory bodies, and public interest groups.

• Allowances and/or restrictions contained in the internal audit charter.

• Disclosures required by the Standards.

• Audit coverage of the activities or responsibilities undertaken by the internal auditor.

• Significance of the operational function to the organization (in terms of revenue, expenses,
reputation, and influence).

• Length or duration of the assignment and scope of responsibility.

• Adequacy of separation of duties.

• Whether there is any history or other evidence that the internal auditor’s objectivity may be at risk.

3. If the internal audit charter contains specific restrictions or limiting language regarding the
assignment of non-audit functions to the internal auditor, then disclosure and discussion with
management of such restrictions is necessary. If management insists on such an assignment, then
disclosure and discussion of this matter with the board is necessary. If the internal audit charter is
silent on this matter, the guidance noted in the points below are to be considered. All the points
noted below are subordinate to the language of the internal audit charter.

4. When the internal audit activity accepts operational responsibilities and that operation is part of the
internal audit plan, the CAE needs to:

• Minimize the impairment to objectivity by using a contracted, third-party entity or external auditors
to complete audits of those areas reporting to the CAE.

• Confirm that individuals with operational responsibility for those areas reporting to the CAE do not
participate in internal audits of the operation.

• Ensure that internal auditors conducting the assurance engagement of those areas reporting to the
CAE are supervised by, and report the results of the assessment, to senior management and the
board.

• Disclose the operational responsibilities of the internal auditor for the function, the significance of
the operation to the organization (in terms of revenue, expenses, or other pertinent information),
and the relationship of those who audited the function.

5. The auditor’s operational responsibilities need to be disclosed in the related audit report of those
areas reporting to the CAE and in the internal auditor’s standard communication to the board. Results
of the internal audit may also be discussed with management and/or other appropriate stakeholders.
Impairment disclosure does not negate the requirement that assurance engagements for functions
over which the CAE has responsibility need to be overseen by a party outside the internal audit
activity.


6) Consulting Services

Providing Assurance Service in Areas of Previous Consulting Engagements (1130.A3)

Standard 1130.A3 – The internal audit activity may provide assurance services where it had previously
performed consulting services, provided the nature of the consulting did not impair objectivity and
provided individual objectivity is managed when assigning resources to the engagement.

Internal Audit Responsibility for Consulting Engagements (1130.C1 and C2)


Internal auditors may provide consulting services to areas over which they had previous responsibility, but
they must act independently and objectively. Any potential impairment to their independence or objectivity
must be disclosed to the client before the engagement is accepted.

Standard 1130.C1 – Internal auditors may provide consulting services relating to operations for which
they had previous responsibilities.

Standard 1130.C2 – If internal auditors have potential impairments to independence or objectivity
relating to proposed consulting services, disclosure must be made to the engagement client prior to
accepting the engagement.

Perceived Impairment of Objectivity


Objectivity must exist in both fact and appearance, which means that internal auditors must avoid even
the appearance of impairment. Accepting small promotional items such as pens, calendars, or other
insignificant items is generally not considered to impair professional judgment. However, any gifts of
larger value should be immediately reported to a supervisor.

Note: An internal auditor can make recommendations to a department as part of a consulting
engagement and still be objective in a future financial audit of that same department.

CAE Disclosure to the Board Connected to Independence and Objectivity


The Charter sets out two responsibilities that the CAE has in reporting independence- and objectivity-related
issues to the board:

1) The CAE will confirm at least annually to the board that the IAA is organizationally independent.
The CAE will need to make certain that the IAA maintains its organizational independence at all
times.

2) The CAE will disclose to the board any interference with the IAA determining the scope of work,
performing the work, or communicating the results.

From the Charter: The chief audit executive will confirm to the board, at least annually, the
organizational independence of the internal audit activity.

The chief audit executive will disclose to the board any interference and related implications in
determining the scope of internal auditing, performing work, and/or communicating results.



D. Policies That Promote Objectivity


There are a number of procedures that the CAE can follow in order to maintain objectivity within the IAA:

• Job assignments should minimize potential conflicts of interest. For example, an auditor should
not audit an area where his or her spouse works.

• Jobs should be periodically rotated so that relationships do not develop between the auditor and
the auditee that might impair the auditor’s judgment.

• A strong QAIP will help ensure that organizational independence and objectivity are part of the
culture of the IAA.

PA 1120-1 provides a list of things that can be done to maintain and promote objectivity.

2) Individual objectivity involves the chief audit executive (CAE) organizing staff assignments that
prevent potential and actual conflict of interest and bias, periodically obtaining information from the
internal audit staff concerning potential conflict of interest and bias, and, when practicable, rotating
internal audit staff assignments periodically.

3) Review of internal audit work results before the related engagement communications are released
assists in providing reasonable assurance that the work was performed objectively.


Section III – Proficiency and Due Professional Care


Section III discusses Standard 1200, which covers the auditor’s obligations for proficiency and due
professional care.

Standard 1200 – Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care.

PA 1200-1 provides additional guidance for both proficiency and due professional care.

Practice Advisory 1200-1: Proficiency and Due Professional Care

Proficiency and due professional care are the responsibility of the chief audit executive (CAE) and
each internal auditor. As such, the CAE ensures that persons assigned to each engagement collectively
possess the necessary knowledge, skills, and other competencies to conduct the engagement
appropriately.

Due professional care includes conforming with the Code of Ethics and, as appropriate, the organization’s
code of conduct as well as the codes of conduct for other professional designations the internal auditors
may hold. The Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components:

• Principles that are relevant to the profession and practice of internal auditing: integrity, objectivity,
confidentiality, and competency.

• Rules of conduct that describe behavioral norms expected of internal auditors. These rules are an
aid to interpreting the principles into practical applications and are intended to guide the ethical
conduct of internal auditors.

A and B. Proficiency (Standard 1210)


Standard 1210 details the expectations for auditors with respect to proficiency.2

Standard 1210 – Proficiency

Internal auditors must possess the knowledge, skills, and other competencies needed to per-
form their individual responsibilities. The internal audit activity collectively must possess or
obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Interpretation:

Proficiency is a collective term that refers to the knowledge, skills, and other competencies required of
internal auditors to effectively carry out their professional responsibilities. It encompasses consideration
of current activities, trends, and emerging issues, to enable relevant advice and recommendations.
Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional
certifications and qualifications, such as the Certified Internal Auditor designation and other designations
offered by The Institute of Internal Auditors and other appropriate professional organizations.

1210.A1 – The chief audit executive must obtain competent advice and assistance if the in-
ternal auditors lack the knowledge, skills, or other competencies needed to perform all or part
of the engagement.

1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the
manner in which it is managed by the organization, but are not expected to have the expertise of a
person whose primary responsibility is detecting and investigating fraud.

2 Bolded phrases are added for emphasis by HOCK.

1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks
and controls and available technology-based audit techniques to perform their assigned work. However,
not all internal auditors are expected to have the expertise of an internal auditor whose primary
responsibility is information technology auditing.

1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent
advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to
perform all or part of the engagement.

Some key points to keep in mind regarding proficiency are:

• Proficiency is a quality that is engagement-specific and auditor-specific. In other words,
there is no one way to be proficient. Necessary skills and knowledge are different for each auditor
and each specialty, and a single auditor can be proficient in a number of areas.

• Regardless of their individual specialty, every auditor must be able to evaluate the risk of fraud
and identify key IT risks and controls.

• Developing and maintaining proficiency is an ongoing effort. Internal auditors are expected
to maintain and update their skills through continuing professional education (CPE). In addition,
CPE is mandatory for CIAs to maintain their certification.

Note: In addition to being technically competent, internal auditors must also be proficient in
communication, critical thinking, persuasion, and negotiation.


The IIA Competency Framework


In The IIA’s Global Internal Audit Competency Framework (2013), also known as “the Competency
Framework,” the IIA lists ten “core competencies” (that is, professional skills) that it considers essential for
all internal auditors to possess. Here is the list, quoted in full:3

1) Professional ethics: Promotes and applies professional ethics

2) Internal audit management: Develops and manages the internal audit function

3) IPPF: Applies the International Professional Practices Framework (IPPF)

4) Governance, risk and control: Applies a thorough understanding of governance, risk and control
appropriate to the organization

5) Business acumen: Maintains expertise of the business environment, industry practices and
specific organizational factors

6) Communication: Communicates with impact

7) Persuasion and collaboration: Persuades and motivates others through collaboration and
cooperation

8) Critical thinking: Applies process analysis, business intelligence and problem solving techniques

9) Internal audit delivery: Delivers internal audit engagements

10) Improvement and innovation: Embraces change and drives improvement and innovation

The Competency Framework illustrates the relationship of these competencies in a diagram: 4

[Diagram, rendered here as text; layers are listed from top to bottom as they appear in the original]

IMPROVEMENT AND INNOVATION (#10)
INTERNAL AUDIT DELIVERY (#9)
PERSONAL SKILLS: Communication (#6) | Persuasion and Collaboration (#7) | Critical Thinking (#8)
TECHNICAL EXPERTISE: IPPF (#3) | Governance, Risk, and Control (#4) | Business Acumen (#5)
INTERNAL AUDITING MANAGEMENT (#2)
PROFESSIONAL ETHICS (#1)

This chart should be read from bottom to top, the green section forming the “foundation,” the blue con-
taining the requisite skill-set, and the orange showing expected outcomes. Individually, these sections
represent discrete areas of professional activity and qualities; collectively, they express the desired traits
for a fully competent internal auditor.

At the base of the diagram sit “Professional Ethics” and “Internal Audit Management.” This placement
supports the IIA’s belief that all auditing activity must be grounded in “high ethical standards.” Furthermore,
the “resources and activities” of the audit activity must be appropriately coordinated to maximize efficiency
and output. Although the auditor may not specifically be in charge of the audit activity, he or she should
take responsibility for its success and actively engage in helping it function smoothly.

3 Institute of Internal Auditors, The. The IIA Global Internal Audit Competency Framework. Altamonte Springs, Florida:
The Institute of Internal Auditors, 2013. p. 2. Note: The original text uses Roman numerals, which have been modified
here for formatting consistency.
4 Ibid., p. 3. Adapted from the original.

Next, grouped together under the heading “Technical Expertise” are “IPPF,” “Governance, Risk and Control,”
and “Business Acumen.” As this set demonstrates, all internal auditors should be familiar with IPPF
principles along with the key auditing actions of recognizing and analyzing risks and controls. The Competency
Framework describes “Business Acumen” as the “understanding of the client organization, its culture, the
way it works, the sector it operates in and the local and global factors that act upon it.” 5 In other words,
the auditor must become well acquainted with the business’s internal structure, how it is situated in relation
to its industry and competitors, and the local and global forces that impact its operations.

“Communication,” “Persuasion and Collaboration,” and “Critical Thinking” are listed under the heading
“Personal Skills.” These topics are not necessarily part of formal internal-auditing training; however, as the
diagram indicates, they complement and thus build on the auditor’s “technical expertise.” For the most
part, internal auditors must interact with other people, whether as team members or with company
employees. A person who communicates respectfully, speaks persuasively, and works collaboratively
accomplishes more than someone lacking these traits. Regarding “Critical Thinking,” a competent internal
auditor is one who focuses on facts and logic rather than assumptions and prejudices.

The top of the chart highlights “Internal Audit Delivery” and “Improvement and Innovation,” two features
that might be considered the “crowning achievements” of professional competency. The culmination of
“competent” internal auditing is the delivery of an ethical, efficiently managed, and expertly executed
report. However, the IIA has placed “Improvement and Innovation” above “Delivery,” suggesting that
competency extends beyond just doing a good job. That is, a truly competent internal auditor contributes
to the advancement of the profession regardless of the scope, whether it is local, national, or international.

Proficiency, Understanding, and Appreciation


In Practice Advisory 1210-1, there are three levels of competence listed as well as areas in which the
internal auditor should have this level of competence.

Practice Advisory 1210-1: Proficiency

1. The knowledge, skills, and other competencies referred to in the standard include:

• Proficiency in applying internal audit standards, procedures, and techniques in performing
engagements. Proficiency means the ability to apply knowledge to situations likely to be encountered
and to deal with them appropriately without extensive recourse to technical research and assistance.

• Proficiency in accounting principles and techniques if internal auditors work extensively with
financial records and reports.

• An understanding of management principles to recognize and evaluate the materiality and
significance of deviations from good business practices. An understanding means the ability to apply
broad knowledge to situations likely to be encountered, to recognize significant deviations, and to
be able to carry out the research necessary to arrive at reasonable solutions.

• An appreciation of the fundamentals of business subjects such as accounting, economics,
commercial law, taxation, finance, quantitative methods, information technology, risk management,
and fraud. An appreciation means the ability to recognize the existence of problems or potential
problems and to identify the additional research to be undertaken or the assistance to be obtained.

5 Ibid. p. 3.
It is important to understand the difference between proficiency, understanding, and appreciation.

Example: A company has a receivable turnover rate of 4 and days in receivable of 90. The industry
average is 5 and 72 days. Having an appreciation is being aware that it is taking too long to collect
receivables. Understanding is being able to figure out the impact on operations such as the cash cycle,
profit and loss, and so forth. Proficiency means being able to offer solutions to the problem.

Knowledge and Skills


PA 1210-1 lists the knowledge and skills that an internal auditor should have.

Auditors should know:

• The indicators of fraud.

• Key information-technology risks and controls.

• Available technology-based audit techniques.

Auditors must possess or develop the following skills:

• Working well with others.

• Understanding human relations.

• Maintaining satisfactory relationships with engagement clients.

• Clear and effective communication techniques (both in oral and written form) to convey such
matters as engagement objectives, evaluations, conclusions, and recommendations.

Proficiency is the Responsibility of CAE


The CAE is responsible for ensuring that each internal auditor and the IAA collectively have the necessary
proficiencies to perform the engagements.

The CAE determines the appropriate levels of education and experience required for an internal audit
position. The CAE must also have confidence that the IAA staff collectively possesses the knowledge and
skills necessary to perform their duties.

If the CAE determines that the needed skills and competencies do not exist within the IAA, they must go
outside the IAA to get them.

Assessment of Proficiency
The CAE must be certain that the IAA has the necessary proficiency to perform engagements. An
assessment of proficiency should be done at least annually, and more often in a dynamic, quickly changing
environment. From PA 1210-1:

2. Suitable criteria of education and experience for filling internal audit positions is established by the
chief audit executive (CAE) who gives due consideration to the scope of work and level of
responsibility and obtains reasonable assurance as to each prospective auditor’s qualifications and
proficiency.

3. The internal audit activity needs to collectively possess the knowledge, skills, and other competencies
essential to the practice of the profession within the organization. Performing an annual analysis of
an internal audit activity’s knowledge, skills, and other competencies helps identify areas of
opportunity that can be addressed by continuing professional development, recruiting, or co-
sourcing.

© 2019 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. 31
Section III – Proficiency and Due Professional Care CIA Part 1

Using External Specialists


If the IAA does not have the skills and competencies for an engagement, the CAE must either decline the engagement or go outside the IAA or organization to get those skills. External auditors, specialists, or other service providers (such as actuaries, appraisers, environmental specialists, fraud investigators, statisticians, and lawyers) can supplement the proficiency of the IAA to complete an engagement.

Paragraph 3 of PA 1210.A1-1 lists some of the types of engagements for which outside service providers
may be needed:

• Engagements that require specialist knowledge (such as tax questions, foreign languages, or IT)

• Valuations of assets (both tangible and intangible)


• Determination of physical amounts (for example, oil reserves)

• Fraud

• Interpretations of legal or tax matters

• Mergers and acquisitions

The CAE needs to evaluate the skills and reputation of the hired person or company, even if the CAE did
not directly hire them. If the potential hire does not meet the proficiency requirement, the CAE should
communicate these reservations to the board and to whomever engaged the third party.

Paragraph 5 of PA 1210.A1-1 lists some considerations for the assessment of an external party:

• The relevant professional certifications and/or membership in a professional organization.

• Experience and education in similar situations and the area in which they will be engaged.

• Reputation.

• Knowledge of the business and industry.

When assessing an external party, the CAE must be aware of any potential impairments to independence
and objectivity. A lack of independence or objectivity may not prevent the hiring, but the CAE will be
particularly interested if the third party has any financial or other affiliations with the organization or anyone
inside the organization.

For example, the CAE is supervising an audit of the accounts payable system and needs to hire an IT
specialist. In this case, it would probably not be an impairment if the IT expert’s sister is an assembly line
worker in the factory being audited because there is little overlap between the assembly line and accounts
payable. However, it probably would be an impairment if the IT expert’s sister is on the company’s audit
committee because the presence of relatives on the committee would not appear objective.

Note: The external auditor should not serve as a third-party expert on any engagement connected to
the financial statement audit, otherwise the external auditor’s independence is impaired.

The CAE must review all tasks performed by an outside expert to assess whether or not the conclusions
are reasonable, unbiased, and address all the relevant issues. If the CAE does not have sufficient experience
and understanding to perform the assessment, it will be necessary to have someone else perform the
review.


C. Due Professional Care (Standard 1220)


As stated in the Standards, due professional care requires that internal auditors apply the skill and
care expected of a reasonably prudent and competent internal auditor. Standard 1220 addresses
the need for due professional care in both assurance and consulting engagements. The Standard does not
require that the auditor never make a mistake, but it does demand that the auditor perform his or her
duties as diligently as possible.

The auditor must exercise due professional care at all levels, including these following activities:

• Deciding the amount of work needed to achieve an objective.

• Decisions about materiality.

• Deciding which procedures to apply.

• Assessing risk and adequacy of risk management.

• Assessing errors.

• Writing conclusions.

Standard 1220 – Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal
auditor. Due professional care does not imply infallibility.

1220.A1 – Internal auditors must exercise due professional care by considering the

• Extent of work needed to achieve the engagement’s objectives;

• Relative complexity, materiality, or significance of matters to which assurance procedures are applied;

• Adequacy and effectiveness of governance, risk management, and control processes;

• Probability of significant errors, fraud, or noncompliance; and

• Cost of assurance in relation to potential benefits.

1220.A2 – In exercising due professional care internal auditors must consider the use of technology-
based audit and other data analysis techniques.

1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1 – Internal auditors must exercise due professional care during a consulting engagement by considering the

• Needs and expectations of clients, including the nature, timing, and communication of engagement results;

• Relative complexity and extent of work needed to achieve the engagement’s objectives; and

• Cost of the consulting engagement in relation to potential benefits.

Internal auditors are not expected to perform a detailed review of every statement or document they receive, but they are expected to examine and verify the documents to a level appropriate for their materiality. This means that more material items will be examined and tested in more detail than immaterial items.

As part of assessing documents and information, internal auditors should always consider the possibility of
fraud, inefficiencies, waste, and conflicts of interest.


In the quest to exercise due professional care, the internal auditor must be aware that there might be
significant risks inherent in the audit. Assurance procedures help the auditor reduce risk in the audit but do
not guarantee that significant risks will be identified or eliminated.

Practice Advisory 1220-1 provides additional information about due professional care.

Practice Advisory 1220-1

1. Due professional care calls for the application of the care and skill expected of a reasonably
prudent and competent internal auditor in the same or similar circumstances. Due
professional care is therefore appropriate to the complexities of the engagement being performed.
Exercising due professional care involves internal auditors being alert to the possibility of fraud,
intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of
interest, as well as being alert to those conditions and activities where irregularities are most likely
to occur. This also involves internal auditors identifying inadequate controls and recommending
improvements to promote conformance with acceptable procedures and practices.

2. Due professional care implies reasonable care and competence, not infallibility or
extraordinary performance. As such, due professional care requires the internal auditor to
conduct examinations and verifications to a reasonable extent. Accordingly, internal auditors
cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the
possibility of material irregularities or noncompliance needs to be considered whenever an internal
auditor undertakes an internal audit assignment.


D. Competency Through Continuing Professional Development


Standard 1230 – Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

Continuing professional development, also known as Continuing Professional Education (CPE), includes:

• Maintaining proficiency through continuing education.

• Staying informed about improvements and current developments in the internal audit standards,
procedures, and techniques.

Practicing CIAs must complete and report 40 hours of CPE every year through professional organizations
(such as the IIA), attending training courses, or formal education classes. Internal auditors who work in
specialized audit and consulting areas such as IT, tax, or systems design may get their CPE in specialized
classes in their area of specialized work.

Internal auditors should always be working to enhance their skills, knowledge, and other competencies so
that they are better able to complete their internal audit work, prepare for new tasks, and prepare for new
jobs that might lead to a promotion. Internal auditors need continuing professional development regardless
of whether or not they hold a professional certification.

Note: New CIAs are awarded 80 CPE hours for passing the exam. Half of these CPE hours (40) are for
the year in which the exam is passed and the other 40 hours for the subsequent year.

CPE is also addressed in PA 1230-1.

Practice Advisory 1230-1

1. Internal auditors are responsible for continuing their education to enhance and maintain their
proficiency. Internal auditors need to stay informed about improvements and current
developments in internal audit standards, procedures, and techniques, including The IIA’s
International Professional Practices Framework guidance. Continuing professional education
(CPE) may be obtained through membership, participation, and volunteering in professional
organizations such as The IIA; attendance at conferences, seminars, and in-house training programs;
completion of college and self-study courses; and involvement in research projects.

2. Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certification, such as the Certified Internal Auditor designation, other designations offered by The IIA, and additional designations related to internal auditing.

3. Internal auditors are encouraged to pursue CPE (related to their organization’s activities and
industry) to maintain their proficiency with regard to the governance, risk, and control processes of
their unique organization.

4. Internal auditors who perform specialized audit and consulting work—such as information
technology, tax, actuarial, or systems design—may undertake specialized CPE to allow them to
perform their internal audit work with proficiency.

5. Internal auditors with professional certifications are responsible for obtaining sufficient CPE to satisfy
requirements related to the professional certification held.

6. Internal auditors not presently holding appropriate certifications are encouraged to pursue an
educational program and/or individual study to obtain professional certification.


Section IV – Quality Assurance and Improvement Program


From the Charter: The internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the
internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors
apply The IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of the
internal audit activity and identify opportunities for improvement.

The chief audit executive will communicate to senior management and the board on the internal audit
activity’s quality assurance and improvement program, including results of internal assessments (both
ongoing and periodic) and external assessments conducted at least once every five years by a qualified,
independent assessor or assessment team from outside Company X.

There are a number of Standards that address the Quality Assurance and Improvement Program
(QAIP):

• Standard 1300: Quality Assurance and Improvement Program

• Standard 1310: Requirements of the Quality Assurance and Improvement Program

• Standard 1311: Internal Assessments

• Standard 1312: External Assessments

• Standard 1320: Reporting on the Quality Assurance and Improvement Program

• Standard 1321: Use of “Conforms with the International Standards for the Professional Practice of
Internal Auditing”

• Standard 1322: Disclosure of Nonconformance

Note: Because of the very large Practice Advisories for this topic, the full texts are presented in Appendix
C. Excerpts from the Standards and Practice Advisories are included in the text as needed.

Goal of the QAIP


The QAIP is designed to evaluate whether or not the work of the IAA conforms with the definition of internal
auditing, the Standards, and the Code of Ethics. The QAIP also provides an assessment of the efficiency
and effectiveness of the IAA. Standard 1300 describes what a well-developed QAIP does for the IAA.

Standard 1300 – Quality Assurance and Improvement Program

The chief audit executive must develop and maintain a quality assurance and improvement program that
covers all aspects of the internal audit activity.

Interpretation:

A quality assurance and improvement program is designed to enable an evaluation of the internal audit
activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code
of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and
identifies opportunities for improvement. The chief audit executive should encourage board oversight in
the quality assurance and improvement program.

Implementation Guide:

A well-developed QAIP ensures that the concept of quality is embedded in the internal audit activity and
all of its operations. The internal audit activity should not need to assess whether each individual engagement conforms with the Standards. Rather, engagements should be undertaken in accordance with
an established methodology that promotes quality and, by default, conformance with the Standards.
Additionally, the methodology generally promotes continuous improvement of the internal audit activity.


A. The Requirements of the QAIP


Standard 1310 – Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and external assessments.

These internal and external assessments reassure the company stakeholders about the competency of the
IAA and also provide a way for the CAE to identify opportunities for improving the IAA’s effectiveness and
efficiency. QAIP assessments should include evaluations of:

• Compliance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, including timely corrective actions to remedy any significant instances of noncompliance.

• Adequacy of the IAA’s charter, goals, objectives, policies, and procedures.

• Contribution to the organization’s governance, risk management, and control processes.

• Compliance with applicable laws, regulations, and other governmental or industry standards.

• Effectiveness of continuous improvement activities and adoption of best practices.

• The extent to which the internal auditing activity adds value and improves the organization’s operations.

The assessments are provided to stakeholders, and the CAE should provide the assessments to senior
management and board at least annually.

1. Internal Assessments (Standard 1311)


There are two kinds of internal assessments:

1) Ongoing internal assessments of the internal audit activity. Ongoing assessments are performed on individual engagements.

2) Periodic internal assessments through self-assessment or by an independent person within the organization. Periodic assessments look at the IAA as a whole rather than individual engagements.

Note: Although an internal review usually costs less than an external review, it will suffer from an inherent lack of independence.

Standard 1311 – Internal Assessments

Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity.

• Periodic self-assessments or assessments by other persons within the organization with sufficient
knowledge of internal audit practices.

Interpretation:

Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics, and the Standards.

Periodic assessments are conducted to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the
International Professional Practices Framework.


Practice Advisory 1311-1 provides guidance for internal assessments.

Ongoing internal assessments include the conclusions reached and the follow-up actions taken to ensure that improvements are implemented. Ongoing monitoring also helps the CAE assess the quality of the IAA’s engagements.

Ongoing reviews may be conducted through:

• Supervision of the internal auditor’s work during the course of the audit engagement.

• Checklists showing that processes adopted by the audit activity are being followed.

• Peer review of workpapers by auditors not involved in the engagement.

• Feedback from audit customers and other stakeholders.

• Analyses of performance metrics (for example, cycle time and recommendations accepted).

• Project budgets, timekeeping systems, audit plan completion, and cost recoveries.

Periodic self-assessments should assess compliance with the activity’s charter, the Definition of Internal
Auditing, the Code of Ethics, and the Standards. This periodic self-assessment will evaluate:

• The quality and supervision of the work performed.

• The adequacy of the internal audit policies and procedures.

• The ways in which the IAA adds value to the organization.

• The progress towards achieving key performance indicators.

• The degree to which stakeholder expectations have been met.

Periodic internal self-assessment may:

• Include more in-depth interviews and surveys of stakeholder groups.

• Be performed by members of the IAA (that is, self-assessment).

• Be performed by CIAs or other competent audit professionals currently assigned elsewhere in the
organization.

• Include self-assessment and preparation of materials subsequently reviewed by CIAs or other competent audit professionals from elsewhere in the organization.

• Include benchmarking of the IAA practices and performance metrics against relevant best practices
of the internal audit profession.

Note: Internal assessments do not eliminate the need for independent external assessments.


2. External Assessments (Standard 1312)


External reviews provide an independent opinion about the quality of the audit activity for the CAE and other stakeholders. It is recommended that a qualified, independent person or team from outside the organization conduct an external review at least once every five years.

1312 – External Assessments

External assessments must be conducted at least once every five years by a qualified, independent
assessor or assessment team from outside the organization. The chief audit executive must dis-
cuss with the board:

• The form and frequency of external assessment.

• The qualifications and independence of the external assessor or assessment team, including any
potential conflict of interest.

Interpretation:

External assessments may be accomplished through a full external assessment, or a self-assessment with independent external validation. The external assessor must conclude as to conformance with the Code of Ethics and the Standards; the external assessment may also include operational or strategic comments.

A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified.

An independent assessor or assessment team means not having either an actual or a perceived conflict
of interest and not being a part of, or under the control of, the organization to which the internal audit
activity belongs. The chief audit executive should encourage board oversight in the external assessment
to reduce perceived or potential conflicts of interest. 


When the assessment is conducted by an outside party, it is more independent than an internal assessment.
However, the CAE should carefully decide if there is enough of a benefit for the additional cost of an external
assessment.

During the review, an external assessor will tend to focus on:


• The adequacy of the internal audit charter.

• The goals, objectives, policies, and procedures of the IAA.

• Whether or not the IAA’s work is in accordance with the charter.

• Whether or not the work conforms with the Definition of Internal Auditing, the Code of Ethics, and
the Standards.

• The contribution of the IAA to the organization’s risk management, governance, and internal controls.

• The IAA’s methods and work programs.

• The skills and work performed by the individuals in the IAA.

• Whether or not the IAA adds value and improves the operations of the organization.


Practice Advisory 1312-1: External Assessments lays out two approaches for conducting an external assessment:

1) Having a full external assessment conducted by an external assessor or review team.

2) Having an independent assessor or review team conduct an independent validation of the internal
self-assessment and the corresponding report completed by the internal audit activity.

While a full external review is usually preferred, it may not always be practical. Practice Advisory 1312-2:
External Assessments: Self-assessment with Independent Validation gives some instances where a full
external review might not be appropriate or necessary. For example:

• The IAA may be in a business or industry that is subject to strict regulations and supervision.

• The IAA may be otherwise subject to extensive external oversight and direction relating to governance and internal controls.

• The IAA may have been recently subjected to an external review or consulting services in which
there was extensive benchmarking with best practices.

• The CAE may determine that the benefits of self-assessment and the strength of the QAIP outweigh
the benefits of an external assessment.

Full External Assessments (PA 1312-1)


According to PA 1312-1 Paragraph 10, an external assessment has a broad scope:

• Conformance with the Definition of Internal Auditing, the Standards, the Code of Ethics, the charter, plans, policies, procedures, and practices.

• Board and senior management expectations of the IAA.

• The integration of the IAA into the organization’s governance process, including relationships between key groups.

• The skills and experience of the staff.

• Determining if the IAA adds value to the organization.

The preliminary results of the assessment are discussed with the CAE and final results are communicated
to the board and management. The communication includes:

• An opinion on the IAA’s conformance with the Definition of Internal Auditing, the Code of Ethics,
and the Standards.

• An assessment and evaluation of the use of best practices.

• Recommendations for improvement.

• Response from the CAE that includes an action plan and implementation dates.

The CAE must communicate the results of external quality assessments, including details of the action plan for any needed improvements, to senior management, the board, and the external auditor. Follow-up reporting should be done when items on the action plan are completed.


Self-Assessment with Independent Validation (PA 1312-2)


After the self-assessment has been completed under the direction of the CAE, a draft report is prepared that includes the CAE’s assessment of the IAA’s conformance with the Standards. The external assessor then performs sufficient tests of the self-assessment to validate the results and express an opinion on the level of the IAA’s conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

As part of the independent validation, the external assessor reviews the draft report and attempts to reconcile unresolved issues, if any. After completing the review, the assessor can:

• Agree with the evaluation and include additional wording as needed, concurring with the self-assessment process and opinion as well as the report’s findings, conclusions, and recommendations.

• Disagree with the evaluation and add dissenting wording, specifying the points of disagreement
and the significant findings, conclusions, recommendations, and opinions in the report.

• Prepare a separate independent validation report (either concurring or expressing disagreement) to accompany the self-assessment report.

The final report of the self-assessment, validated by an external assessor, will be signed by the self-
assessment team and external assessor and issued to senior management and the board.

Note: The individuals who perform the external assessment must be free from any conflicts of interest.
It is the responsibility of the CAE to ensure that the individuals performing the external assessment are
both qualified and independent.

QAIP Comparison Table

Types of assessments
Internal Quality Assessment: 1) Ongoing monitoring of the performance of the internal audit activity. 2) Periodic self-assessments.
External Quality Assessment: 1) External assessments. 2) Self-assessment with independent validation.

Form of report
Internal Quality Assessment: At least annually, results of the internal assessments, necessary action plans, and their successful implementation are reported to senior management and the board.
External Quality Assessment: Preliminary results discussed with the CAE. Final report sent to senior management and the board. The CAE must provide a plan to address deficiencies.

Performed by
Internal Quality Assessment: Members of the IAA, supervised by the CAE.
External Quality Assessment: Qualified and independent professionals, or reviewers from outside the organization.

How often performed
Internal Quality Assessment: Ongoing assessments performed throughout the year. Periodic assessments performed as needed.
External Quality Assessment: At least once every 5 years.

Note: An external assessment might not produce all the cost/benefit analyses necessary to determine
if the IAA is “profitable” because the external assessor may not have access to all the relevant financial
information to make such a conclusion.


B. Reporting the Results of the QAIP

Standard 1320: Reporting on the Quality Assurance and Improvement Program


Standard 1320 – Reporting on the Quality Assurance and Improvement Program

The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

Disclosure should include:

• The scope and frequency of both the internal and external assessments.

• The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest.

• Conclusions of assessors.

• Corrective action plans.

Interpretation:

The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers
the responsibilities of the internal audit activity and chief audit executive as contained in the internal
audit charter. To demonstrate conformance with the Code of Ethics, and the Standards, the results of
external and periodic internal assessments are communicated upon completion of such assessments and
the results of ongoing monitoring are communicated at least annually. The results include the assessor’s
or assessment team’s evaluation with respect to the degree of conformance.

The Quality Assurance and Improvement Program (QAIP) analyzes the work of the IAA and makes recommendations for improvement, if appropriate. Because the CAE is in charge of the IAA, the CAE has the most
to gain from the information contained in the assessment reports. Therefore, it is the CAE’s responsibility
to develop and maintain the QAIP for both external and internal assessments. Specific report functions are
discussed below.

External assessments. Upon completing the external assessment, the assessor will send a formal communication to senior management and the board presenting the assessment’s findings. However,
preliminary results of the assessment should be discussed with the CAE. The final results are communicated
to the CAE with copies sent directly to senior management and the board. Based on the report, the CAE
will then need to communicate specific planned actions concerning significant issues.

Internal assessments. Internal assessments are carried out to assure the CAE that the auditors are
complying with the Standards and other applicable criteria. It is the CAE’s responsibility to ensure that, at
least annually, results of the internal assessments, necessary action plans, and their successful implementation are reported to senior management and the board.

Note: In a case where the CAE is grossly incompetent or has been strongly criticized in the report, a
copy must also be provided to the audit committee or the board. In most cases, however, the report is
provided to the CAE.

When the board is not directly copied on the report, the CAE should forward the report to the board
along with the CAE’s opinion as to whether or not the activities of the IAA are in compliance with the
appropriate standards. If the CAE believes that the IAA’s activities do comply with the Standards, he or
she must demonstrate this compliance.

Similarly, the follow-up on the contents of the report, especially when it is an external assessment, is
the responsibility of the CAE.

42 © 2019 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.

Implementation Guide 1320 provides an example of a rating system that identifies the different levels of
conformance.

Implementation Guide 1320

External assessment reports include the expression of an opinion or conclusion on the results of the
external assessment. In addition to concluding on the internal audit activity’s overall degree of conform-
ance with the Standards, the report may include an assessment for each standard and/or standard
series. The CAE should explain the rating conclusion(s) to senior management and the board, as well as
the impact from the results. An example of a rating scale that may be used to show the degree of
conformance is:

• Generally conforms – This is the top rating, which means that an internal audit activity has a
charter, policies, and processes, and the execution and results of these are judged to be in conform-
ance with the Standards.

• Partially conforms – Deficiencies in practice are judged to deviate from the Standards, but these
deficiencies did not preclude the internal audit activity from performing its responsibilities.

• Does not conform – Deficiencies in practice are judged to be so significant that they seriously
impair or preclude the internal audit activity from performing adequately in all or in significant areas
of its responsibilities.

C. Disclosure of Conformance or Nonconformance

Standard 1321: Conforming to the Standards of Internal Auditing


The CAE wants to state that the IAA conforms to the International Standards for the Professional Practice
of Internal Auditing, but can only do so with the support of proper assessments. Both internal and external
assessments have to conclude that the IAA conforms to the Definition of Internal Auditing, the Code of
Ethics, and the Standards. Any instances of non-conformance must be corrected before the CAE can issue
a conformance statement.

Standard 1321 – Use of “Conforms with the International Standards for the Professional Prac-
tice of Internal Auditing”

Indicating that the internal audit activity conforms with the International Standards for the Professional
Practice of Internal Auditing is appropriate only if supported by the results of the quality assurance and
improvement program.


Interpretation:

The internal audit activity conforms with the Code of Ethics and the Standards when it achieves the
outcomes described therein. The results of the quality assurance and improvement program include the
results of both internal and external assessments. All internal audit activities will have the results of
internal assessments. Internal audit activities in existence for at least five years will also have the results
of external assessments.


Note: There are only two phrases that communicate compliance: “in conformance with the Standards”
or “in conformity to the Standards.”


Standard 1322: Disclosure of Noncompliance


There may be cases where full conformance is not possible. If the nonconformance impacts the overall scope or operation of the internal audit activity, the CAE must disclose the nonconformance and its impact to senior management and the board.

1322 – Disclosure of Nonconformance

When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards
impacts the overall scope or operation of the internal audit activity, the chief audit executive must dis-
close the nonconformance and the impact to senior management and the board.

Implementation Guide 1322 lists examples of nonconformance and guidance for the CAE in such situations.

Implementation Guide 1322

If an internal audit activity fails to undergo an external assessment at least once every five years, for
example, it would be unable to state that it conforms with the Standards (see Implementation Guide
1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Au-
diting”). In such a case, the CAE would evaluate the impact of this nonconformance.

Other common examples of nonconformance may include, but are not limited to, situations in which:

• An internal auditor was assigned to an audit engagement, but did not meet individual objectivity
requirements (see Standard 1120 – Individual Objectivity).

• An internal audit activity undertook an engagement without having the collective knowledge, skills,
and experience needed to perform its responsibilities (see Standard 1210 – Proficiency).

• The CAE failed to consider risk when preparing the internal audit plan (see Standard 2010 – Plan-
ning).

In such cases, the CAE would need to evaluate the nonconformance and determine whether it impacts
the overall scope or operation of the internal audit activity. It is also important for the CAE to consider
whether, and how much, a nonconformance situation may affect the internal audit activity’s ability to
fulfill its professional responsibilities and/or the expectations of stakeholders. Such responsibilities may
include the ability to provide reliable assurance on specific areas within the organization, to complete
the audit plan, and to address high-risk areas.

After such consideration, the CAE will disclose the nonconformance, as well as the impact of the non-
conformance, to senior management and the board. Often, disclosures of this nature involve a discussion
with senior management and communication to the board during a board meeting. The CAE may also
discuss nonconformance during private sessions with the board, one-on-one meetings with the board
chair, or by other appropriate methods.


Section V – Governance, Risk Management, and Controls


Three Lines of Defense Model
The IIA’s Position Paper The Three Lines of Defense in Effective Risk Management and Control presents the
Three Lines of Defense Model that “provides a simple and effective way to enhance communications on
risk management and control by clarifying essential roles and duties.” Adequate coordination and commu-
nication are essential so that everyone understands their role in risk management and operates in unison
to avoid inefficient overlapping controls or ineffective gaps in controls. The board and senior management
set the tone for the priority of controls and risk management throughout the organization.

Note: Although the Three Lines of Defense are not specifically on the syllabus, students have reported
that questions about this model have appeared on the exam.

First Line of Defense: Operational Management


Operational managers are responsible for identifying risks and taking corrective actions to address any
control deficiencies on a day-to-day basis.

Second Line of Defense: Risk Management and Compliance Functions


The second line of defense is a separate risk management function that monitors the first line of defense (i.e., operational management) and may intervene as necessary to modify or develop the internal controls. Compliance with laws and regulations also falls under the second line of defense.

Common responsibilities for the second line of defense include:6

• Supporting management policies, defining roles and responsibilities, and setting goals for imple-
mentation.

• Providing risk management frameworks.

• Identifying known and emerging issues.

• Identifying shifts in the organization’s implicit risk appetite.

• Assisting management in developing processes and controls to manage risks and issues.

• Providing guidance and training on risk management processes.

• Facilitating and monitoring implementation of effective risk management practices by operational
management.

• Alerting operational management to emerging issues and changing regulatory and risk scenarios.

• Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of re-
porting, compliance with laws and regulations, and timely remediation of deficiencies.

6 IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control. 2013. p. 4-5.


Third Line of Defense: Internal Audit


The third line of defense is internal audit, which provides the highest possible level of independence and
objectivity within the organization. Internal auditors are responsible for auditing risks and controls across
the entire organization and therefore provide an important layer of additional oversight over the controls
in the first line of defense. The internal auditors will usually work closely with the second line of defense
and can usually rely on—with verification—the work of the second line of defense. Any observed deficiencies
should be reported to senior management and the board.

Common third line of defense activities include:

• Auditing controls.

• Tracking any control deficiencies or security events for proper remediation.

• Ongoing risk assessment of outside parties, in conjunction with first and second lines of defense.

In addition to remaining objective and independent, the IAA should follow best practices, which include: 7

• Acting in accordance with recognized international standards for the practice of internal auditing.

• Reporting to a sufficiently high level in the organization to be able to perform its duties inde-
pendently.

• Having an active and effective reporting line to the governing body.

Recommended Practices
Here are recommended practices from the Position Paper: 8

• Risk and control processes should be structured in accordance with the Three Lines of Defense
model.

• Each line of defense should be supported by appropriate policies and role definitions.

• There should be proper coordination among the separate lines of defense to foster efficiency and
effectiveness.

• Risk and control functions operating at the different lines should appropriately share knowledge
and information to assist all functions in better accomplishing their roles in an efficient manner.

• Lines of defense should not be combined or coordinated in a manner that compromises their ef-
fectiveness.

• In situations where functions at different lines are combined, the governing body should be advised
of the structure and its impact. For organizations that have not established an internal audit activ-
ity, management and/or the governing body should be required to explain and disclose to their
stakeholders that they have considered how adequate assurance on the effectiveness of the or-
ganization’s governance, risk management, and control structure will be obtained.

7 Ibid., p. 6.
8 Ibid., p. 7.


A. Organizational Governance
Organizational Governance: Definitions
The IIA Standards Glossary defines organizational governance as the “combination of processes and
structures implemented by the board to inform, direct, manage, and monitor the achievement of its objec-
tives.” In essence, governance is a way of thinking about how the board and company management
understand their objectives and the means of achieving them. The implicit expectation is that a well-gov-
erned company is in the optimal position to succeed.

There are no set criteria for organizational governance that apply to every business-related context, or as
Sawyer succinctly puts it, “most guidance on governance is principles-based and not rules-based.”9 For
instance, governance principles must take into account such diverse factors as the company’s size, its age,
the disposition of the board, the personality of the CEO, the legal or regulatory environment, and even
cultural considerations.

Regardless of the definition used, the board is the focal point of governance10 and because the board
is “the link between the stakeholders and the organization’s executive management,”11 it is primarily re-
sponsible for setting out the goals and intended means of reaching them.

Cornerstones of Good Corporate Governance – The IIA Corporate Governance Model


The four cornerstones of good corporate governance are the board of directors, executive manage-
ment, external auditors, and internal auditors. Governance processes are strengthened when there is
synergy among these four groups, enabling them to work well and productively with each other.

[Figure: the four cornerstones, Board, Management, Internal Audit, and External Audit, surrounding Effective Governance]

In addition to these four cornerstones, companies have to make sure that inappropriate and unethical
behavior is not tolerated. Successful companies foster a culture of integrity, which depends on the so-
called “tone at the top,” an environment put in place by the board, top management, and the
audit committee.

9 Institute of Internal Auditors Research Foundation, The. Sawyer’s Guide for Internal Auditors. 6th ed. Vol 3. “Governance, Risk Management, and Compliance Essentials.” Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 2012, p. 62.
10 “What distinguishes the approach in the Standards is the specific emphasis on the board and its governance activities.” Practice Guide Assessing Organizational Governance in the Private Sector, p. 3.
11 IPPF Practice Guide Assessing Organizational Governance in the Private Sector. p. 3.


The Board of Directors


At the top of the hierarchy of the organization, the board of directors plays a crucial role in the governance
process. The board of directors should understand that its purpose is to promote and protect the interests
of the corporation’s stockholders while considering the interests of other external and internal stakeholders,
such as creditors and employees.

The board’s major areas of responsibility should be monitoring the CEO and other senior executives, overseeing the corporation’s strategy and processes for managing the enterprise (including succession planning), and monitoring the corporation’s risks and internal controls, including the ethical tone. Directors should employ healthy skepticism12 in meeting these responsibilities.

A majority of the directors should be independent in both fact and appearance. An independent director
has no current or prior professional or personal ties to the corporation or its management other than service
as a director. Independent directors must be able and willing to be objective in their judgments.

The directors should possess relevant business, industry, company, and governance expertise. The direc-
tors should reflect a mix of backgrounds and perspectives and have unblemished records of integrity. All
directors should receive detailed orientation and continuing education to assure they achieve and maintain
the necessary level of expertise.

Because the board is tasked with overseeing the CEO, the roles of board chair and CEO should be
separate. If the roles are not separate, then the independent directors should appoint an independent lead
director. The lead director and committee chairs should provide leadership for agenda setting, meetings,
and executive sessions.

The audit, compensation, and governance committees of the board should have charters, authorized by the
board, which outline how each will be organized, their duties and responsibilities, and how they report to
the board. Each of these committees should be composed of independent directors only and each committee
should have access to independent outside advisors who report directly to the committee.

The board should have procedures in place to evaluate on an annual basis the CEO, the board committees,
the board as a whole, and individual directors. The evaluation process should be a catalyst for change in
the best interests of the shareholders.

Note: If a company has an audit committee, it is a sub-committee of the board of directors that is
made up of members of the board. One of the roles of the audit committee is to oversee the work of
both the internal and external auditors. Therefore, if there is an audit committee, the reporting that is
done by the CAE to the board may, in many cases, be done to the audit committee instead of the board.

12 “Healthy skepticism” means having an attitude of doubt but not carrying it so far as to suspect wrongdoing everywhere. It means asking questions, gathering information, and making individual decisions. In this context, directors should not just accept without question the information they are given by management but should “dig a little deeper” and find out the facts, because management may have overlooked, either deliberately or accidentally, relevant facts.


Stakeholders and Corporate Governance


A stakeholder is an individual or entity who has a material interest in a company’s achievements, validated
through some form of investment, and who thereby expects a benefit in return. The specific benefit that a
stakeholder aims to receive varies depending on the nature of the interest and investment. That said, any
significant investment confers a certain degree of power or influence upon the stakeholder, and that
leverage can be used to exert pressure on decisions that a company might make. Management of these
stakeholders and their differing interests in the company is part of the governance process.

Generally speaking, stakeholders can be divided into two categories: internal stakeholders and external
stakeholders.

Internal stakeholders include people who work for the company, directly invest capital in it, or are otherwise connected to its daily operations. Examples of internal stakeholders include the following:

• Directors invest time and talents and expect personal advancement, remuneration, and status.

• Senior management invests time and talent and expects personal advancement, remuneration,
and status.

• Employees invest labor and talents and expect pay and, where applicable, benefits.

• Trade unions or staff associations invest time and resources and expect to negotiate benefits
and concessions from the company on behalf of their members.

• Shareholders invest capital and expect to receive a return on their investment.

External stakeholders, although not directly employed by or investing in the company, nevertheless have
significant interests in the company’s performance. Examples of external stakeholders include the following:

• Customers “invest” money by way of purchasing goods and services; they expect to have use
and satisfactory enjoyment from the products and services they acquire.

• Suppliers invest their goods and services and expect to be paid and, under certain circumstances,
to develop a working relationship with the company.

• Contractors and subcontractors invest resources to create specialized services and expect to
be compensated.

• Distribution networks invest money in transportation infrastructure or other delivery systems
and expect to be compensated.

• Communities invest their social, economic, and environmental interests and expect employment
and economic prosperity from the company.

• The general public and government invest public resources and, in certain instances, create
laws, regulations, and incentives (such as tax abatements or special rezoning) in exchange for
employment and economic prosperity.

In the course of exercising prudent corporate governance, management must oversee the varying and
sometimes incongruous expectations of internal and external stakeholders. For instance, there are occa-
sions where the desires of company directors may openly conflict with the desires of shareholders, and
such opposing objectives must be mediated. One way of managing these competing expectations is the
enlightened shareholder view (or stakeholder theory), which is a corporate governance strategy
whereby the board of directors governs the company in the interest of shareholders but at the same time
recognizes the interest of the other stakeholder groups.


Managing Stakeholders
An organization’s stakeholder relationships must be managed in accordance with their bargaining strength,
influence, power, and degree of interest. Business organizations should manage their stakeholders, partic-
ularly those with the greatest influence. Mendelow’s stakeholder map classifies stakeholders on a matrix
by showing the level of interest and the amount of power they have over the organization’s activities.
These factors will help define the type of relationship the organization should seek with its stakeholders.

In Mendelow’s power/interest matrix, shown below, interest is horizontal, and power is vertical.
The four quadrants are ignore, keep informed, keep satisfied, and key players.

Mendelow’s Power/Interest Matrix

                  Low Interest       High Interest
  Weak Power      Ignore             Keep Informed
  Strong Power    Keep Satisfied     Key Players

• Ignore. The interests of these stakeholders can be passed over without serious consequences for
the company. This quadrant includes the government, some smaller shareholders, or employees
with minimal power or interest. However, the “ignore” strategy does not take into account any
moral or ethical considerations in respect to the stakeholders. It is simply the stance to take with
certain stakeholders if strategic positioning is the most important objective.

• Keep Informed. Most shareholders fall into this quadrant. They deserve to be informed of im-
portant company-related events, usually through an annual report; however, individually they do
not exert much power. That said, stakeholders in this quadrant can increase their overall influence
by forming coalitions with other stakeholders to exert greater pressure.

• Keep Satisfied. Stakeholders in this quadrant do not have much interest but retain power over
the company. All these stakeholders need to do to become influential is re-awaken their interest
at key moments, which would transform them into “key players.” It is often in the best interests
of management to keep these stakeholders in the “keep satisfied” quadrant rather than
create another key player in the stakeholder mix.

• Key players. Key players have the greatest influence on the company. If there is only one key
player, decision-making should be easy and relatively free of conflict. However, if there are several
key players, decision-making may be more complicated and there may be ambiguity over the
company’s strategic direction.


The Internal Auditor’s Role in Organizational Governance


Standard 2110 spells out the internal audit activity’s role in assessing and improving organizational governance.

Standard 2110 – Governance

The internal audit activity must assess and make appropriate recommendations to improve the organi-
zation’s governance processes for:

• Making strategic and operational decisions.

• Overseeing risk management and control.

• Promoting appropriate ethics and values within the organization.

• Ensuring effective organizational performance management and accountability.

• Communicating risk and control information to appropriate areas of the organization.

• Coordinating the activities of, and communicating information among, the board, external and inter-
nal auditors, other assurance providers, and management.

The internal auditor plays a crucial role in helping a company assess and improve its governance structures.
Because there is no fixed definition of organizational governance that applies to every context, the internal
auditor must prepare some groundwork before auditing a company’s governance practices and structures.

1) Understand the general principles and models of organizational governance. Before the
auditor engages the client, he or she should become familiar with “typical governance processes,”13 especially those that relate to the industry of the company under review.
(Implementation Guide 2110 suggests COSO or ISO 31000 as appropriate starting points.) Furthermore, the auditor should take into account circumstances that might influence
governance, such as the size of the company or the composition of its board.

2) Review existing governance-related documentation. It is likely that a company will have a
charter or similar document that contains a mission statement or other explanation of the company’s goals. The CAE should review these files and related information, such as minutes from
board meetings. In addition, the auditor could interview people with “key governance roles” and
“review any governance concerns identified by regulators.”14

3) Develop a preliminary audit plan. Based on the initial research, the CAE can craft a general
overview of the path that the audit will take. A well-developed plan “encompasses the organiza-
tion’s governance processes” and “addresses their associated risks,” with special attention given
to areas of “higher-risk governance processes.”15 Standard 2110 gives the overarching points that
the audit should cover, but the auditor should use sensible judgment to custom-design a plan that
best suits the needs of the company.

4) Meet with decision-makers (i.e., the board). The CAE should meet with the board in an
official context to gain a clear understanding of members’ objectives as well as their understanding
of effective governance. Furthermore, the auditor can highlight areas of concern that arose in the
review of governance-related documentation (above). In this meeting, board members may suggest adjustments to the audit plan. Implementation Guide 2100 notes that this meeting would also
be an opportunity for the auditor to highlight the requirements of Standard 2110 and reinforce
the relevance of the audit activity. At the conclusion of this meeting, the board should officially
sign off on the audit.

5) Execute the approved plan. A degree of flexibility for unexpected developments or discoveries
should be allowed.

13 IPPF Implementation Guides. p. 105.
14 Ibid., p. 106.
15 Ibid., p. 107.


6) If necessary, consult legal counsel. Under certain circumstances, it may be appropriate for the
auditor to work closely with or have access to legal counsel. For instance, certain highly regulated
industries require strict adherence to local or national laws, so the auditor must make sure that
the audit addresses issues of legal compliance.

7) Complete the process. Once the work is done and the final report is complete, the internal auditor must “demonstrate conformance”; in other words, present conclusions either through a series
of small reports or one larger comprehensive report. In addition, the Implementation Guide suggests two further steps to make sure that the appropriate authorities receive the information:

• Formal presentation to the board. The minutes of such a meeting could be included with
the final documentation.

• Key decision-makers sign a “statement of acknowledgement.” Board members and the
management team signify their acceptance of the governance audit in writing.

With respect to this particular audit, and depending on need and circumstances, the IAA can continue in a
purely assessment-level role or it could expand to consulting or assurance to address issues raised in the
final report.

Any engagements connected to corporate governance should be based on risk assessments. Results from
prior engagements and non-governance engagements may also provide guidance to the CAE about the
nature and types of engagements that should be provided. Additionally, the board or executive manage-
ment may have specific direction for engagements based on their specific needs.

The scope of the engagement may be either the macro aspects (that is, the entire governance framework)
or the micro aspects (that is, specific risks, processes, or activities) of corporate governance.

Note: When there are corporate governance issues or if the corporate governance process is not yet
fully developed, the CAE may consider consulting-type engagements instead of assessments in order to
raise the quality of the governance.

The Governance Process Relationship with Risk and Control


Practice Advisory 2110-2 discusses the relationship of risk and control within the governance process, and
how the chief audit executive (CAE) should consider these relationships when planning an assessment of
an organization’s governance processes.

PA 2110-2: Governance: Relationship with Risk and Control – Paragraph 6

The chief audit executive should consider these relationships in planning assessments of governance
processes:

• An audit should address those controls in governance processes that are designed to prevent or
detect events that could have a negative impact on the achievement of organizational strategies,
goals, and objectives; operational efficiency and effectiveness; financial reporting; or compliance
with applicable laws and regulations.

• Controls within governance processes are often significant in managing multiple risks across the
organization. For example, controls around the code of conduct may be relied upon to manage
compliance risks, fraud risks, etc. This aggregation effect should be considered when developing the
scope of an audit of governance processes.

• If other audits assess controls in governance processes (e.g., audits of controls over financial
reporting, risk management processes, or compliance), the auditor should consider relying on the
results of those audits.



B. Organizational Culture
Organizational Culture: Relevant Concepts
It is helpful to understand the interrelationship between organizational culture and all aspects of a com-
pany’s control as an overlap of two independent but important influences:

1) Internal. The specific norms and practices that exist within a given company, which can be de-
scribed as a kind of distinct culture. Examples: rituals, customs, jargon, dress and grooming
standards.

2) External. The behavioral demands, reinforced by custom and law, that a company must conform
to in order to operate and conduct legitimate business. Examples: controls, risk management,
regulatory compliance issues.

What distinguishes “organizational culture” from “organizational governance” is that culture and its related
practices are not written down or codified. Organizational culture can be rooted in the distinct personalities
of company leadership or more generally in the ethnic, religious, or political context in which the business
operates. Culture-based behaviors develop gradually over time and can be extremely difficult to change,
particularly if the behaviors and values are longstanding or otherwise associated with the company’s core
identity.

Because culture is so closely associated with individual and group identity, efforts to modify or change
cultural behaviors (that is, internal practices) can be met with resistance, especially if the calls for change
come from outside the company (that is, from external sources). Regardless of how well-intentioned or
rationally-based the criticism of organizational culture might be, even the suggestion of scrutiny can be
met with resistance.

It is therefore not surprising that a company’s organizational culture will influence the way it understands
the control environment and approaches individual engagement risks and controls. In the middle of this
confluence of internal and external pressures is the IAA, who must satisfy the imperatives of the audit while
also taking into account the prevailing attitudes that the organization might have toward such oversight.
By balancing these two imperatives, the internal auditor can help the board and management gain a clear
vision of the risks they face and appropriate means to control them.

Organizational Culture and the Control Environment


The IIA Standards Glossary defines control environment as “[t]he attitude and actions of the board and management regarding the importance of control within the organization.” Furthermore, it “provides the discipline and structure for the achievement of the primary objectives of the system of internal control.” In essence, the control environment is a reflection of how management feels about controls in general (positive or negative).

The Standards Glossary lists six control environment elements, which are listed below with commentary
about the influence that organizational culture might have on them.

1) Integrity and ethical values. Through its official policies but also by the example leadership sets
(that is, the “tone from the top”), a company projects its attitudes about integrity and ethics
throughout company ranks.

2) Management’s philosophy and operating style. The dominant philosophy serves as a set of guidelines for decision-making priorities; for example: profit or environment? Short-term gain or long-term gain? The operating style is the philosophy in action.

3) Organizational structure. A highly structured, hierarchical culture suggests an emphasis on conformity, whereas decentralized lines of authority might communicate a willingness to adjust and respond to feedback.


4) Assignment of authority and responsibility. How power and responsibility are distributed between management and employees reveals attitudes about governance.

5) Human resource policies and practices. The human resources (HR) department takes care of employee needs; therefore, a well-run HR department sends a clear message that worker wellbeing is a priority, whereas a poorly run or nonexistent HR department indicates the opposite.

6) Competence of personnel. The degree to which management values worker competence can be seen in its hiring, promotion, and incentive practices. Employees get the message when an incompetent manager receives a raise or when nepotism plays a part in a job offer.

The internal auditor should become familiar with, and make appropriate adjustments for, the ways in which corporate culture affects these elements. The auditor should not compromise the integrity of the audit function for the sake of accommodating a moody board member or in deference to a deep-seated reluctance to keep written records. Rather, the IAA should find ways of bridging any perceived divides (for instance, acknowledging concerns or rewording certain statements to be less confrontational) to give maximum allowance for cultural concerns while still satisfying the audit requirements.

Organizational Culture and Individual Engagement Risks and Controls


A similar relationship exists between organizational culture and controls. Organizational culture may
exert pressure, for better or worse, on the efficiency and effectiveness of controls. For example, a relaxed
corporate culture may resist the specificity and careful documentation required of controls. Conversely, a
corporate culture with a longstanding recordkeeping policy might not welcome additional layers of controls
that are perceived as unnecessary.

The overarching principle to keep in mind is that the internal auditor should cultivate a comprehensive
understanding of the organizational culture before setting out to design an audit activity so that they can
ascertain the effect that the culture may have on the controls and therefore engagement risk.


C. Ethics
Organizational Ethics: Relevant Concepts
The field of ethics covers a range of beliefs and practices that are considered “desirable” and that are
developed through “a consensus of what is deemed acceptable behavior.”16 This definition highlights two
key assumptions:

1) That which is “desirable” is by definition “good.” It is an important but very fine distinction
to separate the notion of “good” from “successful,” as ethical actions do not by definition lead to
success. That said, it is assumed that “goodness” is a desirable trait because it can enhance a
company’s public profile and raise employee morale.

2) Ethics are a reflection of communal values. In other words, ethics are principles that are
rooted in culture, law, longstanding practice, and social conditions. As a result, ethical
standards will vary from context to context and may evolve over time. Therefore, having a clear
command of ethics requires the auditor to have a well-defined understanding of cultural norms
along with legal considerations.

Before conducting an ethics audit, the IAA should gain a comprehensive understanding of the company’s ethical ecosystem, meaning the method by which its ethical standards are established and circulated. Under most circumstances, the top-level decision-makers (in most cases the board or other oversight group) set the ethical priorities through documentation (such as a code of ethics) and also by example, i.e., the “tone at the top.” Senior management reflects the attitudes set by the board, which in turn should be adopted by employees. There may also be a Chief Ethics Officer or ethics committee charged with promoting and overseeing the company’s ethics environment.

The company’s ethical standards may extend to “third-party service providers, suppliers, [and] agents.”17 To a certain degree, these entities represent or act on behalf of the organization, and thus the company could be held liable for ethical improprieties that third parties might commit. For this reason, it is not uncommon for contracts with outside vendors to stipulate adherence to the company’s ethics protocols. Furthermore, customers may also be required to follow company-mandated ethical guidelines, often listed in end-user license agreements, with respect to goods and services they purchase from the company.

The Internal Auditor’s Role in Assessing Organizational Ethics


Standard 2110.A1 spells out the internal auditor’s obligation in assessing organizational ethics:

Standard 2110.A1 – Governance

The internal audit activity must assess the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

Foremost, the internal auditor must be a model of the highest ethical standards, avoiding even the appearance of impropriety. The IIA’s Code of Ethics asserts that the IAA is “expected to apply and uphold” the four principles of integrity, objectivity, confidentiality, and competency. Furthermore, “Compliance with the Code of Ethics is mandatory.”18 It is presumed that every Certified Internal Auditor is familiar with the International Standards for the Professional Practice of Internal Auditing.

Because there is no set method of executing an ethics audit, the IAA should carefully formulate the most efficient and thorough process by taking into consideration the appropriate scope, time frame, and use of resources. In addition, demonstrative support from company officials (“management’s buy-in”) is an indispensable component of the audit’s success.

16 IPPF Practice Guide. Evaluating Ethics-related Programs and Activities. July 2012. p. 3.
17 Ibid., p. 5.
18 Ibid., p. 2. The statement adds: “Noncompliance can result in disciplinary actions, including expulsion from The IIA and withdrawal of the Certified Internal Auditor (CIA) designation.”

According to The IIA’s Practice Guide Evaluating Ethics-Related Programs and Activities, an ethics audit
should focus on the following areas:

1) Policies. The internal auditor might review the company’s ethics documentation such as codes of conduct, statements of values, and mission statements for clarity, comprehensiveness, and consistency. The audit may also assess how available these documents are for employees to access, understand, and acknowledge.

In addition, the auditor should analyze the policy for reporting ethics violations, in particular:

• It must have a clearly defined and verifiable pathway for an employee to file a complaint.

• It must protect both the rights of the individual reporting an alleged violation and the
rights of the person accused of wrongdoing.

Reporting violations of ethical standards is especially tricky when those in positions of authority stand accused, especially by their subordinates. Without clearly defined safeguards and assurances, employees may prefer to avoid reporting alleged violations by superiors out of fear of retaliation.

2) Procedures. The review must assess how well ethics policies are put into practice. Therefore, the
design of the ethics procedures and the method of their implementation should come under
scrutiny. Auditors should compare the organization’s ethics structures to the most up-to-date “best
practices” models or consult benchmark equivalents in the respective industry for examples.

3) Effectiveness. Measuring the effectiveness of the ethical climate is a difficult aspect to determine
in an ethics audit because “effectiveness” is a qualitative rather than quantitative feature. Self-
assessment surveys, conducted anonymously, are usually the best gauge of the effectiveness
of ethics initiatives.

“Self-assessment” does not mean that employees rate their own ethical behavior, because there is little incentive to admit to unethical behavior. Rather, employees are invited to review the ethical behaviors that they perceive in others or the ethics climate overall as they understand it. The expectation is that an aggregated composite of these observations will yield an accurate assessment of the company’s ethical environment.

4) Dispositions. The audit must analyze the fairness and completeness of the dispositions (or enforcement) process, for example:

• Appropriately scaled penalties. For example, first offenses of mild violations might receive
verbal warnings, whereas repeat offenses or serious violations could receive written reprimands
or even termination.

• Consistent application. Penalties should apply equally to all employees, regardless of their
position in the company.

• Documentation. It is advisable that violations and dispositions are recorded and preserved.

5) Compliance. In some jurisdictions, a company’s ethics guidelines may have to conform to legal
requirements, which suggests that certain ethics violations may also have legal ramifications. PA
2400-1: Legal Considerations in Communicating Results is a useful resource that can help auditors
clearly understand the proper series of actions to take to make sure that the company’s ethical
structures meet all legal obligations.


PA 2400-1: Legal Considerations in Communicating Results

2. The internal auditor gathers evidence, makes analytical judgments, reports results, and determines
whether management has taken appropriate corrective action. The internal auditor’s need to prepare
engagement records may conflict with legal counsel’s desire to not leave discoverable evidence that
could harm the organization’s position in legal matters. For example, even if an internal auditor gathers
and evaluates information properly, the facts and analyses disclosed may negatively impact the
organization from a legal perspective. Proper planning and policy making — including role definition and
methods of communication — are essential so that a sudden revelation does not place the internal auditor
and legal counsel at odds with one another. Both parties need to foster an ethical and preventive
perspective throughout the organization by sensitizing and educating management about the established policies.

Once the ethics audit is complete, the IAA should make a formal presentation to the board to outline the
findings, report shortcomings, and recommend remedies. It is also possible for the auditor to transition
from a reporting role to consultation and assurance.

Ethics Advocates
A company’s corporate culture is shaped by the behavior and actions of management, which spread
throughout the company’s structure and influence the way employees do business, interact with each other,
and engage with customers. The corporate culture sets the company’s ethical climate, which is the prevailing sense of morality and transparency. Ideally, a company’s ethical climate should be consistent with the highest and most praiseworthy professional standards.

In order to promote these ideals, management should provide a detailed code of conduct, specific ethical
codes, and statements of vision and policy. Such documents are important declarations of the organization’s
values and goals, the behavior expected of its people, and the strategies for maintaining a culture that
aligns with its legal, ethical, and societal responsibilities.

In addition, management must act as ethics advocates, visible models of appropriate behavior who encourage and support the code of conduct at all times and at all levels of activity. Certain organizations have designated a Chief Ethics Officer to serve as a counselor to executives, managers, and others, and as a champion within the organization for moral and ethical behavior. Having such a position—and placing it at a high level in the governance structure—sends a clear message to internal and external stakeholders that management places a strong emphasis on ethical standards.

Shared Responsibility for the Organization’s Ethical Culture


Under most circumstances, management has the primary responsibility for setting an ethical corporate
culture. However, all individuals should be encouraged to be ethics advocates, whether formally
(such as serving on an ethics committee) or informally (such as through consistent promotion of ethical
behaviors). By instilling a sense of shared responsibility, management signals its belief that ethical conduct
cannot be “handed off” or “handed over” to someone else, nor should unethical conduct be ignored or go
unreported. Thus, the underlying assumption is that the success of an organization’s ethical culture results
from the collective effort of many rather than at the urging of a few.

Internal Audit Activity as Ethics Advocate


As noted in Standard 2110.A1, the IAA can serve as the “eyes and ears” of management, the audit committee, and external auditors; that is, it can provide critical oversight in many areas. Therefore, internal auditors and the IAA should take an active role to support the organization’s ethical culture. Auditors possess a high level of trust and integrity and they have the skills to be effective advocates of ethical conduct. They can appeal to the enterprise’s leaders, managers, and other employees to comply with the legal, ethical, and social responsibilities.


The IAA may assume one of several different roles as an ethics advocate, including Chief Ethics Officer
(ombudsman, compliance officer, management ethics counselor, or ethics expert), member of an internal
ethics council, or assessor of the organization’s ethical climate. In some circumstances, however, the role
of Chief Ethics Officer might conflict with the independence attribute of the internal audit activity.

Note: The IIA Code of Ethics states that internal auditors should be an example of the ethical behavior that employees should practice.

Code of Conduct Policy


A Code of Conduct, or Business Conduct Policy, should outline the specific behaviors that are required of or prohibited for all employees. The Code of Conduct should be written in clear, concise language that eliminates ambiguity or contradictory interpretation. This guide becomes even more critical in larger organizations, where not all employees are in regular, direct contact with management. The Code of Conduct is applicable to all people in the organization, regardless of position, department, or length of employment.

What is in the Code of Conduct


In addition to outlining expected behaviors for employees, the Code of Conduct should include guidance on
the following topics:

• Conflicts of interest. In general, any conflicts of interest must be disclosed so that the company
can determine the appropriate steps to take in order to protect itself.

• Confidentiality of information. Clear guidelines must be set so that employees understand the
importance of preserving confidential information.

• Acceptance of gifts. Certain codes of conduct forbid employees from accepting any gifts from
interested parties. Others may set a dollar-amount limit.

• Compliance with all applicable laws, rules, and regulations. In this section, the code makes
explicit what is generally accepted to be true: employees must not break the law and they must
follow industry regulations.

• Penalties. The Code must clearly detail the consequences for any violations.

Note: A Code of Conduct does not automatically guarantee a higher standard of ethical behavior, nor
should it replace the need for an audit of ethical behavior. The establishment of ethics monitoring should
complement specific ethical codes or protocols.

The Code of Conduct needs to be periodically assessed by the IAA to ensure that it is relevant and that it reflects the company’s needs. Compliance with the Code of Conduct should also be tested periodically and may even be included as part of every engagement.

A sample Code of Conduct is shown in Appendix D.


D. Corporate Social Responsibility


Corporate Social Responsibility (CSR) arose out of concern over long-term sustainability related to non-economic factors such as the environment, labor practices, and charitable giving. CSR affects customers, employees, shareholders, suppliers, partners, and the public, creating many different groups of stakeholders who all have different expectations of the organization.

The IIA’s Practice Guide Evaluating Corporate Social Responsibility/Sustainable Development defines CSR
as:

The way firms integrate social, environmental, and economic concerns into their values,
culture, decision-making, strategy and operations in a transparent and accountable manner
and thereby establish better practices within the firm, create wealth, and improve society.

In other words, CSR is a process by which a business integrates all of the non-financial issues that concern stakeholders and reports on how the company is operating in a socially responsible way.

Note: CSR may also be referred to as social responsibility, sustainable development, or corporate citizenship.

Responsibility for CSR exists at every level within the organization:

• The board has overall responsibility for CSR.

• Management is responsible for executing CSR and ensuring that there are clear objectives, performance measurement, and reporting.

• Employees must integrate CSR into their everyday activities.

• The internal auditors should understand the risks and controls related to CSR and may be responsible for auditing CSR.

Note: CSR is similar to the concept of triple bottom line, which suggests that a business is sustainable
in the long-term only with economic, social, and environmental success.

Risks Related to CSR


Companies face a multitude of risks related to CSR:19

• Reputation. The company’s reputation may be harmed by operating in ways that violate regulations or ignore social concerns.

• Compliance. Regulations and laws over issues such as the environment, health and safety, employment, governance, and fraud will vary by country and can impose heavy fines and penalties.

• Liability and Lawsuits. The company may be open to legal action from alleged or perceived harm
to stakeholders.

• Operational. Failure to thoughtfully implement CSR measures may adversely affect operations.

• Company Stock Valuation. Investors may be less inclined to put their money into a company
that is not aligned with their social values.

• Employment Market. Job candidates may choose not to work for a company that does not meet their expectations for social responsibility.

• Consumer Sales. Customers may either prefer or shun a company based on its CSR policies.

• External Business Relationships. The company may be exposed to risk through suppliers or
business partners who do not uphold the same CSR values.

19 Adapted from The IIA’s Practice Guide: Evaluating Corporate Social Responsibility/Sustainable Development.


CSR Frameworks
There are three commonly-used CSR frameworks that a company can refer to for guidance:

ISO 26000
ISO 26000: Guidance on social responsibility (2010) provides a framework for sustainable development by promoting a common global understanding of social responsibility. The seven core subjects addressed in ISO 26000 are:

1) Organizational governance

2) Human rights

3) Labor practices

4) The environment

5) Fair operating practices

6) Consumer issues

7) Community involvement and development

Note: ISO 26000 does not provide a standard for certification and explicitly forbids its use as a standard for certification.

According to ISO 26000, there are five main aspects of CSR:

1) A company should operate ethically and with integrity.

2) A company should treat its employees fairly and with respect.

3) A company should demonstrate respect for human rights.

4) A company should be a responsible citizen in its community.

5) A company should do what it can to sustain the environment for future generations. For example, a company might do any one or more of the following:

• Reduce pollution of the air, land, rivers, and seas.

• Develop a sustainable business whereby all the resources used by the company are replenished.

• Reduce reliance on non-renewable, polluting energy (such as fossil fuels) and increase the use of renewable energy (such as water or wind).

• Recycle waste materials.

Global Reporting Initiative


The Global Reporting Initiative (GRI) provides a framework for reporting sustainability issues so that
companies can easily compare their results against other companies that also use GRI. The GRI standards
were last updated in October 2016 and are available free from the GRI website.20

20 https://www.globalreporting.org/


The Pyramid of Social Responsibility


In Corporate Social Responsibility: Evolution of Definitional Construct (1999), Archie B. Carroll describes four ascending levels of social responsibility that he illustrates as a pyramid. The bottom of the pyramid represents the basic reasons for engaging in economic activity and each upward section reflects a more outward and altruistic perspective. The underlying assumption is that, because companies operate within a social context, there are implied obligations that the corporation should be aware of, consider, and incorporate into its practices. Carroll clarifies that the lower levels should generally be addressed first, although true responsibility can only be demonstrated through achievement of all four levels.

His influential ideas are illustrated in the following chart with additional explanation and commentary below.

The Pyramid of Social Responsibility (chart; the four levels are listed here from the top of the pyramid down to its base)

• Philanthropic. Be a good corporate citizen. Contribute resources to the community; improve quality of life.

• Ethical. Be ethical. Obligation to do what is right, just, and fair. Avoid harm.

• Legal. Obey the law. Law is society’s codification of right and wrong. Play by the rules of the game.

• Economic. Be profitable. The foundation upon which all others rest.

1) Philanthropic responsibilities: Charitable donations and contributions to local community projects are examples of desirable, as opposed to mandatory, requirements.

2) Ethical responsibilities: Apart from compliance with legal requirements, companies should act in a fair and just way, even if the law does not compel them to do so.

3) Legal responsibilities: Companies have an obligation to respect prevailing moral views as expressed in legislative codes. Obeying these laws must be the foundation of an organization’s compliance with social responsibilities.

4) Economic responsibilities: Companies have economic responsibilities to shareholders (who require a good return on their investment), to employees (who want fair employment conditions and reasonable wages), to customers (who want value for money), and to suppliers (who should be paid on time).


CSR Process
The IPPF Practice Guide Evaluating Corporate Social Responsibility/Sustainable Development provides a list of the steps in the CSR process:

1) Set priorities and policies for areas such as ethics, labor, the environment, charity, and any other relevant CSR areas. Management might use a CSR framework as guidance.

2) Set specific objectives and strategies to achieve the policies set by management. Examples of specific objectives include reducing waste by a certain percentage, donating a percent of profits to charity, increasing employee outreach in the community, achieving compliance with laws and regulations, and so forth.

3) Communicate and embed CSR into controls and decision making. CSR risks should be considered in every project and throughout every product life cycle.

4) Track the activities related to CSR so that the results of the CSR policies and objectives can be measured, analyzed, and benchmarked.

5) Engage stakeholders to resolve any complaints and receive feedback on the CSR issues affecting them.

6) Audit results including controls related to CSR and any public disclosures.

7) Report results. Some of the considerations of CSR reporting are covered next.

CSR Reporting
One of the biggest challenges with CSR is deciding what information to report because, unlike financial reporting, there are no standards for CSR reporting. Federal or local laws may require reporting on specific activities such as environmental impact, but otherwise the contents of the CSR report are up to the organization to decide. The report should also include both positive and negative results; otherwise the report will appear one-sided and may not be trusted.

Companies can issue their CSR reports standalone or as part of the annual report. The stakeholders then
use the report to make decisions about the extent of their involvement with the organization. Depending
on the organization and the demands of the stakeholders, it may be necessary to have the report verified
or audited so that the report can be trusted and not just seen as marketing propaganda.

Role of Internal Audit in CSR


The CAE should include CSR risks during risk assessment and audit planning to determine what, if any,
portion of the CSR process should be included in the audit plan. The board or management may also provide
direction to the CAE regarding issues that need the auditor’s attention. CSR audits are usually long-term
engagements so that the auditor can thoroughly observe and analyze the elements of the CSR across the
entire company. Outside expertise might be needed to audit elements of the CSR with specific technical
competencies such as the environment, health and safety, human rights, or labor rights.

Approaches to Auditing CSR


There are many different approaches to auditing CSR discussed in Evaluating Corporate Social Responsibility/Sustainable Development, which all involve separating the CSR controls in different ways:

• By element. (Discussed in more detail below.)

• By stakeholder or stakeholder group. (Discussed in more detail below.)

• By subject. For example, by workplace, marketplace, environment, and community.

• By department/function. Audit CSR separately for each department within the organization.

• By third party. Audit third parties for compliance with CSR terms and conditions.


Auditing by Element
In auditing by element, the auditor breaks down the CSR controls into elements of compliance with laws,
regulations, and other contractual obligations. The following is a list of typical elements and the appropriate
issues associated with them:

• Governance. Are the board members fulfilling their roles and duties? Are budgets appropriately
set to achieve CSR objectives? Is the board reporting reliable information to stakeholders?

• Ethics. Are there policies and reporting mechanisms covering corruption, conflicts of interest, and
other ethical dilemmas? Are there protections in place for those who raise concerns?

• Environment. Are environmental impact assessments performed as necessary? Do environmental emergency plans exist? Do suppliers and vendors have responsible environmental policies?

• Transparency. Is personal information adequately protected and kept private? Does the company
follow accounting standards? Is there a crisis-management plan?

• Health, Safety, and Security. Is health and safety considered in the product development cycle? Are incidents reported and resolved in a timely manner? Are product recalls made when necessary?

• Human Rights and Work Conditions. Are employees paid a fair and living wage? Are there
policies for the prevention and management of discrimination? Are labor standards enforced?

Auditing by Stakeholder Group
In auditing by stakeholder group, the auditor uses a similar approach to auditing by element but breaks
down the analysis differently. The groups and some examples of questions that the auditor should ask are:

• Employees and Their Families. Are employees paid a fair wage, on time, and with job advancement
opportunities? Is there freedom of religion in the workplace? Are there adequate policies
addressing discrimination and harassment?

• Environmental Organizations. Which environmental agencies or interest groups have or should
have input? What are the best ways of addressing or engaging with concerns that these entities
raise with respect to specific business practices?

• Customers. Is there a customer complaint resolution process? Are company advertisements honest?
Is customer information kept private and protected?

• Suppliers. Are suppliers paid on time and in full? Are local suppliers used where available? Do the
suppliers share similar CSR policies?

• Communities. Does the company support the local economy? Does the company engage in
philanthropy in the community such as charity and volunteering? Are indigenous people respected?

• Shareholders. Are accounting standards followed? Is there an appropriate anti-corruption policy
and resolution process? Are strategic decisions made with long-term objectives in mind?


E. Concepts of Risk and Risk Management
The IIA defines risk in the Standards Glossary as:

The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.

Enterprise Risk Management: Frameworks, Elements and Integration (SMA:ERMF), published by the Institute
of Management Accountants (IMA) as part of their Statements on Management Accounting series, adds
actions to their definition of risk: 21

Any event or action that can keep an organization from achieving its objectives.

Risk is not the same as uncertainty. Uncertainty means that there is an unknown event or outcome,
which may be positive or negative. On the other hand, risk is an uncertainty with a negative outcome that
might harm the business.

Companies want to minimize the risks that they face, either by reducing the likelihood of a risk occurring
or by reducing the impact of the event if it were to happen. Risk management is the process of identifying
and mitigating risks to reduce the possibly negative impact that risks can have on the company.

In the Standards Glossary, the IIA defines risk management as:

A process to identify, assess, manage, and control potential events or situations to provide
reasonable assurance regarding the achievement of the organization’s objectives.

SMA:ERMF defines enterprise risk management as:

A structured and disciplined approach: It aligns strategy, processes, technology, and
knowledge with the purpose of evaluating and managing the uncertainties the enterprise
faces as it creates value. . . It is a truly holistic, integrated, forward-looking, and
process-oriented approach to managing all key business risks and opportunities—not just
financial ones—with the intent of maximizing shareholder value as a whole.22

Note: Enterprise risk management is discussed in Topic F with risk management frameworks.

The Casualty Actuarial Society (CAS) broadens its definition of risk management even further to include
stakeholders:

[Enterprise risk management] is the discipline by which an organization in any industry
assesses, controls, exploits, finances, and monitors risk from all sources for the purpose of
increasing the organization’s short- and long-term value to its stakeholders.23

21 Walker, Paul and William G. Shenkir, Enterprise Risk Management: Frameworks, Elements, and Integration,
Statement on Management Accounting. Montvale, NJ: Institute of Management Accountants, 2018. p. 31.
22 Ibid., p. 5, quoting J. W. DeLoach, Enterprise-wide Risk Management: Strategies for Linking Risk and
Opportunity, Financial Times. London: Financial Times, 2000. p. 4.
23 Overview of Enterprise Risk Management. Casualty Actuarial Society Committee on ERM, 2003. p. 8.


The role of the IAA in risk management is set forth in Standard 2120.

Standard 2120 – Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk
management processes.

Interpretation: Determining whether risk management processes are effective is a judgment resulting
from the internal auditor’s assessment that:

• Organizational objectives support and align with the organization’s mission.

• Significant risks are identified and assessed.

• Appropriate risk responses are selected that align risks with the organization’s risk appetite.

• Relevant risk information is captured and communicated in a timely manner across the organization,
enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple
engagements. The results of these engagements, when viewed together, provide an understanding of the
organization’s risk management processes and their effectiveness. Risk management processes are
monitored through ongoing management activities, separate evaluations, or both.

2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems regarding the:

• Achievement of the organization’s strategic objectives.

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations and programs.

• Safeguarding of assets.

• Compliance with laws, regulations, policies, procedures, and contracts.

2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how
the organization manages fraud risk.

2120.C1 – During consulting engagements, internal auditors must address risk consistent with the
engagement’s objectives and be alert to the existence of other significant risks.

2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements
into their evaluation of the organization’s risk management processes.

2120.C3 – When assisting management in establishing or improving risk management processes,
internal auditors must refrain from assuming any management responsibility by actually managing risks.

Standard 2120 states that the IAA is responsible for evaluating and improving the organization’s risk
management process. In order for the IAA to evaluate risk and risk management, it is necessary to
understand risk, including the different types of risks, and the risk management process.


Types of Risk
The following is a list of common risk classifications.

• Strategic risks affect the whole organization. Examples of strategic risks include the economy,
global market conditions, reputation risk, brand risk (patent and trademark protection), leadership
risk, political risk, and the risk of changing customer needs. Entity-level risks also include actions
of competitors and changes in regulations.

Because strategic risks can be global in nature, it is difficult for management to directly or actively
manage or reduce them. Furthermore, the number of things that could possibly go wrong on a
global scale is vast; therefore, it is financially impractical to forecast, plan for, or influence all
contingencies. At best, management and the board of directors should identify and monitor
potentially troubling events.

• Operational risks result from inadequate or failed internal processes, people, or systems.
Operational risks can affect the supply chain, process execution, human resources, technology,
business continuity, customer satisfaction, and product or service failure.

In addition, two specific subsets of operational risks are:

a. Legal risk arises from uncertainty related to legal actions or the applicability or interpretation
of contracts, laws, or regulations.

b. Compliance risk is the current or future risk to profits or to the company’s assets as a result
of violations of, or nonconformance with, laws, rules, regulations, required practices, internal
policies and procedures, or ethical standards.

Operational risks are more directly under the influence of management, who can proactively
mitigate them.

• Financial risks are associated with the financial health of the company. Capital availability
is one of the most important financial risks. Financial risk can also arise from volatility of foreign
currencies, interest rates, or commodity prices. Further financial risks can result from
concentration of customers and receivables, lack of liquidity, and trading activities. The need to
comply with accounting standards, financial reporting requirements, regulatory reporting requirements,
and tax regulations introduces important financial risks as well.

Borrowing money creates financial risk for the following reasons:

a. Lack of cash may prevent the firm from paying its interest and other obligations when they
are due. As the proportion of fixed cost (that is, debt) financing to total financing increases,
fixed cash outflows for interest expense also increase. When cash outflows for interest expense
increase, the possibility of insolvency also increases.

b. The payment of interest creates increased variability in earnings per share because the fixed
interest costs increase the volatility of a firm’s earnings before taxes (EBT).

• Hazard risks are events that can be insured against, such as natural disasters (with property
insurance), death of a key employee (with key person life insurance), or personal injury on the
business premises (with liability insurance).

Volatility and time are two features that also impact risk.

• Volatility refers to inconsistency of results. For example, if sales fluctuate wildly from day to
day, sales are extremely volatile. Volatility increases the possibility of poor future results.

• Time can also be a crucial element in risk. A project that covers a longer period of time is riskier
than a project covering a shorter period of time.


Internal and External Risk
Risks can also be classified as internal or external.

Examples of internal risks include:

1) Infrastructure risk events, such as changes to the organization or its policies. For example,
over-expanding can lead to the production of excess unsold goods.

2) Process-related risk events, such as changes to manufacturing process. For example, a poorly-
designed factory layout may increase costs.

3) Internal technological risk events, such as introducing new software. For example, choosing
software that does not meet the needs of employees can cripple productivity.


Examples of external risks include:

• Competition

• Regulations

• Supply chain disruptions

• Political risk

Risk Appetite, Risk Tolerance, and Risk Capacity
In order to manage risks, the company must understand the amount of risk it can take on and how much
risk it is willing to take on. Risk management is based on an analysis of risk capacity, risk appetite,
and risk tolerance.

Risk capacity is the maximum amount of risk that an organization can tolerate without irreparably
damaging the company.

Example: A construction company sets its risk capacity at $250,000. Thus, management is willing to
bear any risk exposure less than $250,000, but any risk larger than that will need to be avoided or
transferred.

Therefore, if a potential project demands a penalty payment of $400,000 for any delays, the company
might renegotiate the penalty clause to $250,000 or less, purchase insurance for the amount of the
penalty in excess of $250,000, or reject the project.

Risk appetite is defined in the IIA glossary as “the level of risk that an organization is willing to accept.”
Risk appetite is shaped by the expectations of stakeholders, regulatory and contractual requirements, and
the influence of technology, capital, and human resources. Furthermore, market opportunities—or lack
thereof—may increase or decrease the appetite for risk taking.

Risk tolerance is the amount of variance in the returns from an activity that a company is willing to
tolerate. The higher the risk tolerance, the greater the range of outcomes a company is willing to
accept. Conversely, a company that is less tolerant of risk will identify more specific risks that need to be
managed. Operating within established risk tolerance parameters assures management that the company
is remaining within its risk appetite and provides a degree of assurance that the company is on the right
track to achieve its objectives.

Example: According to a company’s appetite for marketable securities risk, it does not accept risks
that are likely to result in a significant loss.

The company’s risk tolerance policy does not allow the company to make investments that are likely to
result in a loss of greater than 20% in any given year no matter how high the potential gains are.


The relationship between risk capacity, appetite, and tolerance is shown in the following diagram
(reproduced here as an indented list, from the broadest limit down to the individual risk categories):

Risk Capacity: The limit of risk that can be taken by the organization.
    Risk Appetite: The risk that is deemed acceptable in the pursuit of overall operational and
    financial goals.
        Risk Tolerance: The amount of risk a company is actually prepared to bear, given a specific
        risk factor.
            Risk Categories: These categories are tailored for each business unit.
                Business Risk | Credit Risk | Market Risk | Operational Risk | Other Risks

For all the identified risks, the company needs to make certain that the total amount of assumed risk does
not exceed its risk appetite, which in turn should not exceed its risk capacity.


Influences on a Company’s Risk Appetite
The following is a list of factors that can influence risk appetite:

• The company’s position in the business-development life cycle. A company in the start-up
phase often needs a high risk appetite. If it survives to the growth stage, the company might
need tighter controls to manage risk. Companies in this stage might establish an internal control
function to oversee risk processes. In the maturity stage, sales generally level off, which means
that the focus switches to controlling costs.

• The viewpoints of the major stakeholders. Stakeholders, such as major shareholders,
bondholders, lenders, and analysts, might have different opinions about the risk the company should
take on. Conservative stakeholders (such as banks) may press for a lower risk appetite while more
adventurous stakeholders (such as shareholders) might encourage a more aggressive stance.
Regardless of the positions taken, the stakeholder whose view prevails is the one that has the most
influence or power over the decision-making process. (Mendelow’s power/interest matrix
could apply in this context.)

Example: When a bank lends a company money, it becomes a stakeholder because the bank’s
managers prioritize a return on its investment, which requires the company to stay in business.
If the bank feels that the company is taking unnecessary risks, it could raise concerns with
management and the board. The level of concern the bank expresses is directly proportional to
the amount of money it has invested (that is, more investment, more concern). In addition, the
likelihood that the bank’s concerns will influence company policy also rises in proportion to its
level of investment (that is, more investment means more influence).

• Accounting factors. Risk appetite can adjust depending on a variety of accounting issues, such
as the volume of transactions, the complexity of the accounting system, and changing rules and
regulations, and so forth.

• The opportunity for fraud. In an environment where the likelihood of fraud is high, under most
circumstances a company’s risk appetite will decrease, whereas a low likelihood of fraud might
increase risk appetite.

• Entity-level factors. Risk appetite can be influenced by the quantity and quality of hired
personnel, the quantity and quality of training courses, disruptions in information system
processing, changes in the organization’s structure, and changes in key personnel.

• External factors. Changes in the economy, the industry, and technology can alter a company’s
risk appetite.

Example: A company has a conservative bad-debt policy with respect to its customers and
creditors (i.e., low risk appetite). However, an economic recession might convince management
to accept a larger bad-debt provision (i.e., higher risk appetite) to address the possibility of
consumers defaulting on their payments.

• Governmental restrictions. Depending on various circumstances, governments can legislate the
level of risk a company is legally able to take on. Industries such as insurance and banking are
generally more regulated and more restricted because they are responsible for the public’s money.


Formalizing Risk Appetite
If a company has not made a formal statement about its risk appetite, then it has a potential control
problem. Managers could be running the company with insufficient guidance on the levels of risk that they
are permitted to take, or they may not be seizing important opportunities due to a perception that taking
on additional risk is discouraged.

Formalizing risk appetite means putting it in writing so that there is little confusion about the board and
management’s attitude toward risk. Indeed, formalizing risk appetite improves communication between all
those who oversee risk management. Generally speaking, the larger and more complex an organization is,
the more formalized its policies and procedures should be regarding risk appetite. For example, large
financial services companies can be expected to have highly detailed risk-appetite statements, whereas a
small or mid-sized company might have a risk-appetite statement no more than a sentence or two.

Example: A short risk-appetite statement may be “no project investment should be greater than 20%
of the company’s net assets” or “IFRS earnings should not be negatively affected by more than 50% of
its forecasted earnings.”

Risk appetite can be expressed either quantitatively (numerically) or qualitatively. The following are
examples of quantitatively expressing risk appetite:

• Solvency. A company does not want to lose more than a defined amount of its capital so that it
can remain a going concern following an extreme-loss event or a combination of extreme-loss
events.

• Capital coverage. A company requires that its capital is sufficient to cover a multiple of the
amount of capital needed to absorb a loss of a certain magnitude (for example, a 1-in-100-year
event).

• Earnings. A company does not want to lose more than a defined percent or multiple of annual net
income.

• Company value. A company wants to assume the amount and kinds of risks that maximizes
company value (that is, the risk-adjusted present value of future cash flows).

There may be aspects of risk that cannot be measured quantitatively, but regardless of the measurement
limitations, risk still has to be identified. In such cases, “risk preferences” can be used to determine and
establish risk appetite. Risk preferences define certain risks that the company does not want to accept,
such as avoiding investment in subprime mortgages or taking out variable-annuity loans.

Once a company understands its risk appetite, it can start developing its risk management process.


The Risk Management Process
The following list represents a general approach to the risk management process. However, it is important
to bear in mind that the risk management process can be organized in a number of different ways. Steps
may be added or altered in response to specific situations. Furthermore, enterprise risk management
(covered next) introduces the importance of integrating strategy setting and performance with risk
management.

The basic steps in risk management are:

1) Risk identification

2) Risk assessment

3) Risk prioritization

4) Response planning

5) Risk monitoring

Step 1: Risk Identification
Management, with oversight from the board of directors, analyzes the company’s internal business, external
environment, business processes, existing controls, and any other areas of potential risk to identify all
possible risk events that might adversely impact or otherwise prevent the company from
achieving its objectives.

The risk identification process should take place at all levels of the organization. Within each business unit,
key employees in areas such as operations, finance and accounting, IT, and unit management should be
tapped to take part in the identification of risks in their respective areas. When properly executed, the
process of risk identification identifies risks that have a reasonable probability of occurring and impacting
operations within a foreseeable period of time.

Internal Events
• Capital investments made to support strong customer demand, improve customer satisfaction,
reduce downtime, and so forth.

• Technological change creating the need for new processes and changed processes.

• Personnel events such as work stoppages, employee fraud, or the loss of key employees.

External Events
• Economic events, both domestic and international, such as a recession or international trade
events leading to currency and other price fluctuations.

• Natural disasters such as fires, floods, hurricanes, earthquakes, or volcanoes.

• Political events such as new regulations, changes in tax laws, and results of elections.

• Social factors such as changing demographics.

• Technological change creating opportunities for new products or services to offer.


Event Identification Techniques
Management needs to establish formal processes to review potentially significant risks in order to decide
which events need further attention.

The IMA’s Statement on Management Accounting, Enterprise Risk Management: Tools and Techniques for
Effective Implementation (SMA:ERMT) lists the following techniques for identifying risks: 24

• Brainstorming sessions. These are meetings where employees, management, or staff members
are invited to discuss the risks they encounter in their particular fields and to develop solutions
through dialogue and idea sharing. Brainstorming can be limited to selected organization units; in
addition, the results of the brainstorming work can be used by other units to identify their own
risks.
• Event inventories and loss event data. Event inventories are detailed listings of potential
events common to companies within a particular industry or to a particular process or activity
common across industries. Loss event data could be a database on actual loss events that have
taken place for a specific industry or an archive of actual events experienced by the company that
only the longer-tenured management can recall. An archive of actual events that have occurred
can serve as a resource of “lessons learned.”
• Interviews and self-assessment. Each unit assesses its risk management capability and
submits a self-assessment to the risk management coordinator, who could be the chief financial officer,
the controller, the chief operating officer, or the chief risk officer. The coordinator follows up with
interviews to clarify issues. After the information has been completed, a cross-functional team
might participate in a facilitated workshop to discuss it.
• Facilitated workshops. A facilitator leads a discussion about events that may affect the
achievement of the entity’s objectives, in order to identify the most critical risks. Alternatively, the
workshop might focus on just one unit and on identifying that unit’s most critical risks. Workshops
can be limited to management or they can include employees, customers, suppliers, or other
stakeholders in order to draw on the accumulated knowledge and experience of management,
staff, and other stakeholders through structured discussions. For example, a financial controller
might conduct a workshop with the accounting team to identify events that could have an impact
on the entity’s external financial reporting objectives. By combining the knowledge and experience
of team members, important events are identified that otherwise might be missed.
• SWOT analysis. “SWOT” stands for strengths, weaknesses, opportunities, and threats.
“Strengths and weaknesses” are internal and include the company’s culture, structure, financial
resources, and human resources. “Opportunities and threats” are external and are usually not
under the control of management in the short run. They include political, societal, environmental,
and industry risks. Serious consideration of the organization’s weaknesses and threats can lead to
explicit identification of risks.
• Risk questionnaires and risk surveys. These and similar sources of information identify
potential risks by providing a list of questions related to specific risks, both internal and external.
Information might also come from customer satisfaction surveys, customer comments, or from
exit interviews with departing employees. This data should be reviewed to identify risks. A risk
survey may be used instead of a questionnaire.
• Scenario analysis. Managers consider various scenarios that could occur and imagine how they
would impact the business.
• Technology. Companies with a network can encourage managers to post their risk management
practices such as checklists on the network for use by others. Technology can be used externally
to scan the Internet for risks related to the company’s products, services, and reputation.

24 Walker, Paul L. and William G. Shenkir. Enterprise Risk Management: Tools and Techniques for Effective
Implementation, Statement on Management Accounting. Montvale, NJ: Institute of Management Accountants,
2018. p. 7-13.


Step 2: Risk Assessment
Risk assessment is the process of analyzing and quantifying identified risks from three perspectives: the
likelihood of the risk occurring, the potential impact or the relative significance of the event if it does
occur, and the interrelationship of the risks on a unit-by-unit or total organization basis.

Risk assessment focuses on two kinds of risk:

• Inherent risk. SMA:ERMF defines inherent risk as “the level of risk that resides with an event or
process prior to management taking a mitigation action.” 25 The U.S. Office of Management and
Budget (OMB) defines inherent risk as “the potential for waste, loss, unauthorized use, or
misappropriation due to the nature of the activity itself.” In other words, inherent risk is related to
the very nature of the activities the company undertakes in the normal course of business.
Management cannot do anything about the existence of inherent risk; however, it can take steps to
address and, where appropriate, mitigate its effects.

Example: Inherent risk can be the result of a company’s size. A very large company might face
government regulation because of the scope of the organization’s influence, or its complex
management structure could be the source of all kinds of communication breakdowns. The
company’s size is an essential part of its nature, and yet this inherent quality is the source of
all kinds of risks.

• Residual risk. SMA:ERMF defines residual risk as: “The level of risk that remains after
management has taken action to mitigate the risk.”26 In other words, after all prudent measures have
been taken, some risk will always remain.

Example: Most insurance policies include a deductible clause, meaning that in any loss situation
the insured party will still have to pay some portion of the repair or replacement. The deductible
amount is the residual risk.

Residual risk is expressed as follows:

Inherent risk
− Activities of management to mitigate / address the risk
= Residual risk

Exposure to risk is assessed according to loss frequency (or probability) and loss severity, which
involves estimating potential financial loss and any nonfinancial impacts of risks, such as potential damage
to the company’s image, or loss of shareholder confidence.

• Loss frequency or probability measures how often the loss occurs (on average) and is expressed
in relation to a time period. For example, a loss frequency of 0.25 per year means the probability
is 25% that a loss will occur in any given year, and on average a loss occurs once every four years.

• Loss severity measures the seriousness of a loss in terms of cost at the time it occurs. Loss
severity is determined in terms of the company’s experience with a given type of loss. For example,
historically when a company has sustained a particular type of loss such as a fire or a burglary,
the average cost is $50,000. That $50,000 average loss is assigned to future events of a similar
nature.

25 Walker, Paul and William G. Shenkir, Enterprise Risk Management: Frameworks, Elements, and Integration,
Statement on Management Accounting. Montvale, NJ: Institute of Management Accountants, 2018. p. 31.
26 Ibid.


Qualitative Risk Assessment Tools
Qualitative risk can be assessed with a risk map or risk heat map, which is a visual depiction of relative
risks. For each identified risk, the probability of the event happening is plotted on a scale of 1 to 8 along
the x-axis. Next, the estimated monetary impact of the loss is plotted on a scale of 1 to 8 along the y-axis.
Once it is fully plotted, a risk map will clearly show which risks have high probability and high loss potential
(located in the upper right-hand corner) and which risks have low probability and low loss potential (located
in the lower left-hand corner). If a particular risk involves quantitative factors, such as a monetary loss,
the potential quantitative loss is included as well in the assessment.

In addition to helping management pinpoint important risks, a risk map such as the one following provides
a portfolio view of risks, showing the combination of risks an organization faces.

Note: Portfolio theory in respect to enterprise risk management will be discussed in Topic F.

Risk Map (figure). Axes: Frequency/Probability, scale 1 to 8, horizontally; Monetary Impact, scale 1 to 8,
vertically. Risks plotted at impact 8: B and H; impact 7: D and G; impact 5: F; impact 3: C and E;
impact 1: A and I.

When plotting risks on a risk map, management can present the risks based on the level of risk in each
event before any mitigation action is taken. Alternatively, the risks can be presented according to their
residual risk, or the level of risk remaining after management has taken mitigation action.27

Qualitative risk assessment can also be done without calculating a specific amount of loss but rather by
ranking different risk events according to the amount at risk from most to least.

27 Ibid., p. 18.


Quantitative Risk Assessment Tools


An array of tools can assist management in assessing risk from a quantitative standpoint, including the
following:

1) Value at Risk (VaR) measures the potential loss in value of a risky asset as the result of a specific
risk event over a defined period for a given confidence interval. VaR is based on the assumption
that the possible outcome of the event is represented by a normal distribution or bell curve. In a
normal distribution, 95% of results lie within 1.96 standard deviations of the mean and 99% of
the results lie within 2.57 standard deviations of the mean. This information can help predict the
range of results with a measured level of confidence.

Example: If the VaR on an asset is $100 million at a one-week, 95% confidence level, there is
only a 5% chance that the value of the asset will drop more than $100 million over any given
week.

2) Cash Flow at Risk is similar to VaR but measures the likelihood that cash flows will drop by more than a certain amount over a given period of time. Expected cash flows are tested for their sensitivity to certain risks. Cash Flow at Risk uses the measures of a normal distribution.

3) Earnings at Risk measures the confidence interval for a fall in earnings during a specific period
by examining how earnings vary around expected earnings. Variables are examined to determine
their effect on earnings, such as the effect that a 1% movement in interest rates would have on
earnings.

4) Earnings Distributions is a graphical representation of the probability distribution of various potential levels of return.

5) Earnings Per Share Distributions is a graphical representation of the probability distribution of various potential amounts of earnings per share (EPS).

6) Benchmarking compares the company’s risk profile and the impact of potential risks with those
of similar companies.
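Parametric VaR as the text defines it, written here as an added example that is not from the HOCK text: it uses the 1.96 and 2.57 multipliers quoted above, recovers the weekly volatility implied by the $100 million one-week 95% VaR on a constructed $1 billion asset, and restates that figure at 99% and over four weeks (the square-root-of-time rescaling is an assumption the text does not make).

```python
from math import sqrt

# Multipliers quoted in the text: 95% of outcomes lie within 1.96 standard
# deviations of the mean and 99% within 2.57. These are two-sided bounds; a
# one-sided loss tail at the same confidence uses a smaller multiplier (about
# 1.645 and 2.326), so the text's figures are the more conservative choice.
Z_BY_CONFIDENCE = {0.95: 1.96, 0.99: 2.57}


def value_at_risk(asset_value, period_stdev, confidence):
    """Parametric VaR: the loss that will not be exceeded with the given
    confidence over one period, assuming normally distributed changes in value
    with a mean change of zero and period_stdev given as a fraction of the
    asset's value per period."""
    return Z_BY_CONFIDENCE[confidence] * period_stdev * asset_value


def implied_stdev(var, asset_value, confidence):
    """Invert the VaR formula: the per-period standard deviation (as a fraction
    of asset value) that is consistent with a quoted VaR figure."""
    return var / (Z_BY_CONFIDENCE[confidence] * asset_value)


def rescale_var(var, from_confidence, to_confidence, from_periods=1, to_periods=1):
    """Restate a VaR figure at another confidence level and/or holding period.
    The holding-period scaling is the square-root-of-time rule, which holds
    only if period-to-period changes are independent and identically
    distributed (an assumption of this example, not a statement of the text)."""
    z_ratio = Z_BY_CONFIDENCE[to_confidence] / Z_BY_CONFIDENCE[from_confidence]
    return var * z_ratio * sqrt(to_periods / from_periods)


if __name__ == "__main__":
    # Constructed figures: the text's $100 million one-week 95% VaR, applied to
    # a constructed $1 billion asset.
    asset = 1_000_000_000
    var_95 = 100_000_000
    sigma = implied_stdev(var_95, asset, 0.95)
    print(f"Implied weekly standard deviation: {sigma:.4%} of asset value")
    print(f"99% one-week VaR:  ${rescale_var(var_95, 0.95, 0.99):,.0f}")
    print(f"95% four-week VaR: ${rescale_var(var_95, 0.95, 0.95, 1, 4):,.0f}")
```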

Step 3: Risk Prioritization (Ranking)


After risks have been identified and assessed, management must decide which risks rank the highest in
priority and thus should be addressed first. This decision combines quantitative and qualitative analysis.

Four terms are used to express the measurement of potential loss that could occur from a specific risk:

1) Expected Loss (given a set of probabilities)

2) Unexpected Loss

3) Maximum Probable Loss

4) Maximum Possible Loss (also called Extreme or Catastrophic Loss)


1) Expected Loss
An expected loss is an amount that management expects to lose to a given risk per year on average
over a period of several years. Because the loss is expected, it should be included in the budget.

The expected loss can be calculated in two ways.

First, for a specific loss event that has multiple possible loss amounts, the expected loss can be calculated
as the weighted average of all the possible loss amounts, using the probabilities of the possible loss
amounts as the weights. Over the long term, the expected loss is the average amount of that loss event
the company expects to incur during any given period such as a year.

Example: A company has determined that a particular loss event has the following probabilities of loss
during a one-year period (note that the probabilities must add up to 100%):

Probability    Amount of Loss
   10%           $100,000
   20%           $120,000
   30%           $160,000
   35%           $180,000
    5%           $500,000

The expected loss is calculated by multiplying each possible loss amount by its probability (percentage
chance) of occurring and summing the results, as follows:

10% × $100,000 = $ 10,000
20% × $120,000 = $ 24,000
30% × $160,000 = $ 48,000
35% × $180,000 = $ 63,000
 5% × $500,000 = $ 25,000
Expected loss     $170,000

Even though $170,000 is not one of the possible outcomes, it is the expected loss, a weighted average
of all the possible losses given their probabilities.

Obviously, this process is greatly influenced by the possible outcomes used and the probability assigned
to each outcome. For example, if the $500,000 loss had been given a 10% chance of occurring and the
probability of the $100,000 loss had been decreased to 5%, the expected loss would have been higher.

Second, expected loss can be calculated for events that may or may not happen. For example, suppose
management estimates the chance that a particular loss event will occur is 40%. Therefore, the chance the
event will not occur must be 60% (100% − 40%). Loss quantified in this manner involves only two probabilities: the probability that the loss event will occur (and a single estimated loss amount if it does occur)
and the probability that the loss event will not occur (and a loss amount of zero).

The expected loss from each event is calculated as a weighted average of each of the possible loss amounts
multiplied by its probability of occurring, and then the products are summed. However, since there are only
two possible amounts—the loss amount if the loss occurs and zero if the loss does not occur—calculation
of the weighted average is very simple. Since anything multiplied by zero is zero, multiplying the probability
that the event will not occur by zero is unnecessary. The expected loss from each event is the estimated
amount of the loss multiplied by the probability that the event will occur.

The resulting expected loss amounts enable companies to better identify which risks are most important to
them.


Example: A company has identified four risks. Below is the probability of occurrence for each risk during
a one-year period and the estimated amount of each loss if the loss event occurs.

          Probability   Amount of Loss
Risk A       10%          $1,000,000
Risk B       25%          $  600,000
Risk C       40%          $  400,000
Risk D       90%          $  200,000

Note that the probabilities above do not sum to 100%. There is no reason that they should sum to 100%
because each one represents the probability that a different event will occur. That is, each is independent

of all the others. For each risk, the probability that it will not occur is 100% minus the probability that
it will occur. Therefore, the probabilities of each risk’s occurring or not occurring sum to 100%, and
each risk carries its own expected value.

The above table does not present the probability of each risk not occurring. For example, the probability
that Risk A will occur is 10%. Therefore, the probability that Risk A will not occur is 90%, and the
probabilities for Risk A sum to 100% (10% + 90%). If Risk A does occur, the loss will be $1,000,000. If
it does not occur, the loss will be zero. The expected loss for Risk A is actually (0.10 × $1,000,000) +
(0.90 × $0). However, since anything multiplied by zero is zero, the second part of the calculation is
unnecessary. Multiply 0.10 by $1,000,000 to find the expected loss for Risk A: $100,000.

A $100,000 expected loss for Risk A does not mean the annual loss from Risk A is $100,000. Rather, it
means that in 9 out of 10 years, Risk A will not occur. However, in 1 out of 10 years, Risk A will
occur and the loss will be $1,000,000. But when that one-time $1,000,000 loss is averaged over a
period of 10 years, the average expected loss per year is $100,000 ($1,000,000 ÷ 10).

The expected value of each loss is calculated by multiplying the amount of each loss by its probability of
occurring:

Risk      Probability     Amount of Loss     Expected Loss
Risk A       10%      ×     $1,000,000    =     $100,000
Risk B       25%      ×     $  600,000    =     $150,000
Risk C       40%      ×     $  400,000    =     $160,000
Risk D       90%      ×     $  200,000    =     $180,000

The expected value of each loss can help determine the most critical potential loss event. In this example,
the risk item that has the lowest monetary loss, Risk D at $200,000, is probably the most critical to the
company because of the high likelihood that it will occur (90%). Its high probability of occurring causes
its expected loss ($180,000) to be the highest of the four identified risks.

Here are the risks ranked according to their expected losses:


Rank   Risk      Probability     Amount of Loss     Expected Loss
#1     Risk D       90%      ×     $  200,000    =     $180,000
#2     Risk C       40%      ×     $  400,000    =     $160,000
#3     Risk B       25%      ×     $  600,000    =     $150,000
#4     Risk A       10%      ×     $1,000,000    =     $100,000
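The two expected-loss calculations above, worked in code as an added example that is not from the HOCK text: it uses the text's own five-outcome loss table (including the sensitivity variant with the $500,000 outcome at 10%) and its four-risk register, and keeps probabilities as exact fractions so the results match the text to the dollar.

```python
from fractions import Fraction


def pct(n):
    """A probability given as a whole-number percentage, kept exact."""
    return Fraction(n, 100)


def expected_loss_from_distribution(outcomes):
    """Expected loss for one loss event that has several possible loss amounts:
    the weighted average of the amounts, using their probabilities as weights.
    outcomes is a sequence of (probability, loss amount) pairs whose
    probabilities must sum to 100%, as the text notes."""
    total = sum(p for p, _ in outcomes)
    if total != 1:
        raise ValueError(f"probabilities sum to {float(total):.0%}, not 100%")
    return sum(p * loss for p, loss in outcomes)


def expected_loss_of_event(probability, loss_if_it_occurs):
    """Expected loss for an event that either occurs, with one estimated loss
    amount, or does not occur, with a loss of zero. The zero branch contributes
    nothing, so the result is simply probability × loss."""
    return probability * loss_if_it_occurs


def rank_risks(register):
    """Rank independent risk events by expected loss, largest first.
    register maps a risk name to (probability of occurring, loss if it occurs).
    The probabilities need not sum to 100%: each risk is a separate event, and
    its own 'does not occur' probability is 100% minus its entry."""
    scored = [(name, expected_loss_of_event(p, loss))
              for name, (p, loss) in register.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def average_annual_loss(loss_amount, years_between_losses):
    """Long-run average loss per year when a loss of loss_amount occurs once
    every years_between_losses years (the text's $1,000,000 once in 10 years)."""
    return Fraction(loss_amount, years_between_losses)


# Sample data taken from the text's two examples.
LOSS_DISTRIBUTION = [
    (pct(10), 100_000),
    (pct(20), 120_000),
    (pct(30), 160_000),
    (pct(35), 180_000),
    (pct(5), 500_000),
]

# The text's sensitivity remark: the $500,000 outcome raised to 10% and the
# $100,000 outcome lowered to 5% (the other outcomes unchanged).
SHIFTED_DISTRIBUTION = [
    (pct(5), 100_000),
    (pct(20), 120_000),
    (pct(30), 160_000),
    (pct(35), 180_000),
    (pct(10), 500_000),
]

RISK_REGISTER = {
    "Risk A": (pct(10), 1_000_000),
    "Risk B": (pct(25), 600_000),
    "Risk C": (pct(40), 400_000),
    "Risk D": (pct(90), 200_000),
}

if __name__ == "__main__":
    print("Expected loss (text's table):", expected_loss_from_distribution(LOSS_DISTRIBUTION))
    print("Expected loss (shifted table):", expected_loss_from_distribution(SHIFTED_DISTRIBUTION))
    for rank, (name, loss) in enumerate(rank_risks(RISK_REGISTER), start=1):
        print(f"#{rank} {name}: ${int(loss):,}")
```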


2) Unexpected Loss
An unexpected loss is the amount that could likely be lost to the risk event in a very bad year, in
excess of the amount budgeted for the expected loss, up to the maximum probable loss (discussed
in the next topic). The business should reserve the unexpected loss amount as capital.

3) Maximum Probable Loss


The maximum probable loss, also known as the probable maximum loss or PML, is the largest loss that
can occur under foreseeable circumstances. Damage greater than the maximum probable loss could
occur, but in the judgment of management it is very unlikely to occur.

If the risk is to real property, the estimated maximum probable loss should take the property’s physical
characteristics into consideration. The maximum probable loss to real property is inversely related to the
size of the building and to the effectiveness of protections in place. Thus, the larger the building’s size, the
lower is the probability of its being entirely destroyed. The better the fire protection (for example, sprinklers,
alarm systems, distance from the closest fire station, and so forth), the more likely it is that a fire would
be brought under control and extinguished completely before the whole building is destroyed. The building’s
state of occupancy also influences the amount of damage that could occur. A vacant building is more
vulnerable to complete or even to partial destruction than one that is occupied because occupants would
be aware of what was happening and would intervene. Furthermore, a vacant building is more vulnerable
to vandalism.

4) Maximum Possible (or Catastrophic) Loss


The maximum possible (or catastrophic) loss is the worst-case scenario. It represents the greatest possible loss from a specific risk or event. For example, the maximum possible loss for a building is its total destruction and the loss of all its contents.

Cost-Benefit Analysis in Risk Management


Every business venture requires management to accept a certain degree of risk with potential for losses.
In the best of circumstances, a company could mitigate every risk and eliminate all losses, but unfortunately
such ideal conditions do not exist. Furthermore, nearly all risk mitigation responses have costs, either
directly (such as an upfront payment) or indirectly (such as time or other opportunity costs).

The costs of the risk response and the amount of potential loss from a particular risk event are often difficult to calculate or assess. However, a cost-benefit analysis must be conducted for all potentially reducible risks. Once management has determined an expected value for the potential loss and the cost of the risk response, they can then decide the best course of action.

Sometimes management might decide that the best course of action is to do nothing, especially if the cost
of responding to the risk is greater than the amount that might be lost should the risk event occur.

Example: A company would probably decide not to buy an insurance policy with a premium of $2,000
to cover an expected loss of $1,000.

Furthermore, some risks may be negatively correlated with one another, thereby acting as natural hedges
for each other, and thus they would not need to be mitigated at all.


Step 4: Response Planning


Once management has identified, assessed, and ranked risks, they will need to determine the appropriate
responses. In doing so, management will consider the risk of loss, the amount of loss, and the costs and
benefits of the various risk responses.

A company can choose among the following five different responses for each specific risk.

• Avoiding or eliminating the risk. Avoiding or eliminating the risk might be the best course of
action when the probability of loss is determined to be high and the expected loss amount is also
high. Avoiding or eliminating the risk might entail selling or otherwise disposing of a business unit
or product line. Drastic actions might need to be taken, such as leaving a specific geographic area.
At times, the activity under consideration might be profitable and therefore avoiding or eliminating
it involves difficult decisions about profitability versus risk.

• Reducing or mitigating the risk. Management accepts that risk exists but looks for ways to
reduce it. For example, management might expand an existing product line, split an IT function
into two geographically separate areas, or diversify in other ways.

• Transferring or sharing the risk. Management moves the risk of loss either partially or wholly
to another entity. The primary example of transferred risk is the purchase of insurance. In doing
so, the company transfers the risk to the insurance company. Transferring the risk may also be
done through terms of a contract or by hedging with derivatives.

Note: Transferring a risk does not mean preventing the risk event. For example, buying flood
insurance does not prevent floods. The company transfers the risk of flood-related loss to the
insurance company.

• Retained risk or risk retention. Retained risk is the portion of a risk not covered by insurance,
such as a deductible. Management might believe that the cost to insure against a given risk is
greater than the expected cost of the event, and so it may elect to accept the risk either by
choosing an insurance policy with a high deductible or by self-insuring. “Self-insuring” means not
purchasing insurance at all and bearing any loss that occurs.

• Exploiting or accepting a risk. A company may deliberately expose itself to risk to generate
profits. Many companies have achieved success by exploiting or accepting risk, or more specifically
by being able to discern which risks to exploit. The best measure of effective risk exploitation or
acceptance is the degree to which the value of the company has increased as a consequence of
the risk taking.


A risk map can help determine the appropriate response to each specific risk. The risk map includes a suggested response for each combination of impact and probability according to where each risk falls on the map.

Risk Map (figure): monetary impact on the y-axis (scale 1 to 8) against frequency/probability on the x-axis (scale 1 to 8), with a suggested response for each band of the map, from the top down: Avoid (highest impact, around levels 7 to 8), Reduce or Prevent (around levels 5 to 6), Transfer (around levels 3 to 4), and Retain (lowest impact, around levels 1 to 2).

After the risk management process has been completed, some residual risk may remain, which should be
reported to the appropriate management level for a final decision either to accept or reduce it further.
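The cost-benefit decision from the previous topic and the residual-risk reporting described here, as an added example that is not from the HOCK text: each candidate response carries an annual cost and the expected loss that remains once it is applied, the response with the largest net benefit is chosen, and the risk is retained whenever no response beats doing nothing. The text's $2,000 premium against a $1,000 expected loss is reproduced; the candidate responses for Risk D are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """A candidate risk response: what it costs per year and the expected loss
    that remains once it is in place (the residual expected loss)."""
    name: str
    annual_cost: float
    residual_expected_loss: float


def net_benefit(inherent_expected_loss, response):
    """Expected loss avoided by the response minus its cost. A negative value
    means the response costs more than the loss it prevents."""
    avoided = inherent_expected_loss - response.residual_expected_loss
    return avoided - response.annual_cost


def choose_response(inherent_expected_loss, candidates):
    """Pick the candidate with the largest net benefit. When no candidate beats
    doing nothing, the risk is retained, which is the text's 'do nothing'
    decision (for example, a $2,000 premium against a $1,000 expected loss)."""
    retain = Response("retain", 0.0, inherent_expected_loss)
    best = max(candidates, key=lambda r: net_benefit(inherent_expected_loss, r),
               default=retain)
    return best if net_benefit(inherent_expected_loss, best) > 0 else retain


def residual_risk_report(register, candidates_by_risk):
    """For each risk, the chosen response and the residual expected loss left
    over, to be reported to management for the final accept-or-reduce decision.
    register maps a risk name to its inherent (pre-response) expected loss."""
    report = {}
    for name, inherent in register.items():
        chosen = choose_response(inherent, candidates_by_risk.get(name, []))
        report[name] = (chosen.name, chosen.residual_expected_loss)
    return report


# Constructed candidate responses for the text's Risk D (90% probability of a
# $200,000 loss, expected loss $180,000). The cost figures are illustrative.
RISK_D_OPTIONS = [
    # Transfer: insurance with a $20,000 deductible; the retained portion is
    # 90% × $20,000 = $18,000 of expected loss.
    Response("insure with deductible", annual_cost=60_000, residual_expected_loss=18_000),
    # Reduce: a control that cuts the probability to 30% (0.30 × $200,000).
    Response("preventive control", annual_cost=50_000, residual_expected_loss=60_000),
]

# The text's insurance example: a $2,000 premium to cover a $1,000 expected loss.
SMALL_RISK_OPTIONS = [Response("insure", annual_cost=2_000, residual_expected_loss=0.0)]

if __name__ == "__main__":
    register = {"Risk D": 180_000, "Small risk": 1_000}
    options = {"Risk D": RISK_D_OPTIONS, "Small risk": SMALL_RISK_OPTIONS}
    for risk, (response, residual) in residual_risk_report(register, options).items():
        print(f"{risk}: {response}, residual expected loss ${residual:,.0f}")
```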

Step 5: Risk Monitoring


Conditions can change, new risks may appear, or an identified risk may become an even greater threat.
Those responsible for a given risk area must conduct routine follow-up and regularly report a current risk
assessment to management. In addition, internal auditors can review the status of identified risk areas as
part of their internal audits.


Managing Operational Risk


Operational risks are connected to day-to-day operations and are usually best managed at a lower level in
the organization by people who are working with operational issues on a daily basis. The primary way of
managing operational risk is to have properly developed, implemented, and maintained internal controls.

Managing Financial Risk


A variety of financial instruments can create economic value for a company by managing exposure to
financial risk, especially credit and market risk:

• Maintaining commitments, such as lines of credit from financial institutions for financing needs.

• Derivative instruments, such as forward or futures contracts, options, and swaps to hedge the
risk of foreign currency value fluctuations, fair value fluctuations, or changes in interest rates.

• Specific policies for investments.

Benefits of Risk Management


Risk management provides the following benefits:

• Increasing shareholder value through minimizing losses and maximizing opportunities.

• Fewer disruptions to operations.

• Better utilization of resources.

• Fewer shocks and unwelcome surprises.

• Employees, other stakeholders, and relevant governing and regulatory bodies are more confident
in the organization.

• More effective strategic planning.

• Better cost control.

• Timelier assessment of and grasp of new opportunities.

• Better and more complete contingency planning.

• Improved ability to meet objectives and take advantage of opportunities.


F. Globally Accepted Risk Management Frameworks


This topic covers the COSO model for Enterprise Risk Management and ISO 31000, which are the leading globally-accepted risk management frameworks and provide the foundation for many companies’ risk management processes.

Enterprise Risk Management (ERM)


Risk management involves individual departments and divisions making risk assessments and managing
risks. However, unless risk is managed from the perspective of the organization as a whole, the result can
be overlaps, redundancies, and blind spots. It is possible that a risk event that might affect the entire
company is overlooked because the individual risk assessment protocols focus on single departments and
not on the company overall.

Enterprise risk management differs from traditional risk management because ERM is a process for developing a top-down view of the key risks facing the organization. Enterprise risk management is designed to coordinate risk identification, assessment, and management throughout the entire organization and in each department in order to maximize coverage and reduce the possibility of overlooked risks.

ERM and a Portfolio View of Risk


Enterprise risk management is rooted in modern portfolio theory used in investing, which argues for the
construction of an optimal portfolio of securities according to risk and return. In portfolio theory, a particular
security should not be evaluated as a standalone investment; rather, each individual security should be
evaluated according to how its market value is expected to vary in relation to the market values of other
securities in the portfolio.

Managing risks separately and in isolation, also known as the silo approach,28 is short-sighted and counterproductive because it fails to consider the interrelationships between and among risks. Not only can risks that are negatively correlated reduce overall risk, but risks that are positively correlated can multiply the damage. ERM endorses evaluating risks as a portfolio of events. This “portfolio view” helps companies determine the ways in which several risks are correlated, either positively or negatively, and thereby gives the company the best information to respond to risk.

Example: Consider how a multinational corporation might evaluate the risks associated with a domestic currency that begins to decline in value. On the one hand, the cost of raw materials purchased internationally would increase, making production more expensive. On the other hand, the multinational’s export business increases, improving sales and profits.

Absent a portfolio view of risk, the multinational’s various divisions and departments would have differing
objectives in their risk assessment strategies, with the potential for conflicting goals and outcomes. The
purchasing department might choose to hedge against the falling currency with currency options, while
at the same time the treasury function would hedge against the same event with currency futures.
Without the kind of coordination that a portfolio view of risk provides, it is likely that these departments
would waste company resources and squander profitable opportunities.

With a portfolio view of risk, however, management would be able to take the macroscopic view, assess the overall needs of the company, and execute a coordinated response to the currency decline. It may be that the effect of the currency decline on purchasing and its effect on sales and profits would offset each other, creating a natural hedge, so that no purchase of derivatives is even warranted.

28 Silos are tall, narrow agricultural storage facilities used on farms to store farm produce, usually grain. The produce stored in a silo is secure and protected but it has no interaction with the produce in any nearby silos.


The risk map from Topic E is shown again here and visually illustrates the concept of portfolio view of
risk:

Risk Map (figure): monetary impact on the y-axis (scale 1 to 8) against frequency/probability on the x-axis (scale 1 to 8). Risks B and H are plotted at the top of the map (impact level 8), Risks D and G at level 7, Risk F at level 5, Risks C and E at level 3, and Risks A and I at the bottom (level 1).

The map shows a variety of risks, mapped out according to frequency and degree of monetary impact. At first glance, the risk map appears to show a collection of individual risks, each one capable of being individually addressed and resolved by one department or another. Furthermore, management might consider pouring most of its resources into addressing Risks G and H because those are the high visibility targets in the map’s “red zone” in the upper right-hand corner.

However, ERM and a portfolio view of risk suggest a different approach. Although preparing for high frequency/high impact risks (such as Risks G and H) is important, it is not sufficient. Management must also be aware of low frequency/high impact risks (such as Risks B and D) that could devastate the organization. In addition, management must recognize that certain threats, if not properly addressed, can create a cascade of numerous interdependent events that can turn into a catastrophe. Risk management resources need to be deployed to identify, assess, and mitigate not only the initial risk event but also the impact of the whole process. In other words, a portfolio view of risk helps a company view risks as interrelated and interconnected, and thus the company can be well positioned to handle multiple risk events.

To prepare for multiple risk events, an organization can use scenario planning and statistical modeling.

With scenario planning, a group of senior executives and technical experts consider a range of alterna-
tives that enable an organization to respond quickly to future unpredictable events. The group generally
has a wide range of perspectives that enable it to consider possible scenarios other than the usual and the
expected.

Statistical models are formulations or data analyses that can be used to make assumptions or verify
assumptions about the data. Linear regression is an example of statistical modeling that helps develop a
forecast from historical data. (Regression analysis is covered in Part 2.)


Corporate Governance and ERM


A key role for corporate governance is the guidance it brings to the way that management assesses and
handles risk. The board must ensure that management has processes to identify, prioritize, manage, and
monitor its most critical risks and, when necessary, a clearly defined process to alert the board. The board
must also make sure that these processes are continuously reviewed and improved in response to changes
in the business environment.

In order to perform their risk oversight and monitoring activities, boards of directors are increasingly establishing risk management committees to oversee and monitor overall enterprise risk management activities, including reviewing policies, procedures, and practices associated with business, market, and operational risk. Furthermore, many corporate boards have appointed a chief risk officer (CRO) whose activities are supervised by the risk management committee of the board of directors. Risk management committees are not required or defined by the SEC at present, so there are no formal requirements for risk management committee members. However, it is best that members of the risk management committee be nonemployee directors (that is, not members of company management), and at least one should have demonstrated risk management qualifications.

Enterprise risk management enhances the function of corporate governance and, by extension, risk management. It can provide essential assistance for the board of directors, the risk management committee, and the CRO because its focus is aimed squarely at the entity level, meaning that it examines the company as a whole. ERM can help a company identify corporate objectives that are at risk and the means to address even minor problems before they can escalate to company-wide catastrophes.

COSO Framework on Enterprise Risk Management


In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published Enterprise Risk Management—Integrated Framework to assist organizations in managing risk. In 2017, COSO published an update to the 2004 publication, Enterprise Risk Management—Integrating with Strategy and Performance, to address the increased complexity of risk and new risks that had emerged since 2004. COSO defines enterprise risk management (ERM) in Enterprise Risk Management—Integrating with Strategy and Performance:

[Enterprise risk management] is the culture, capabilities, and practices that organizations
integrate with strategy-setting and apply when they carry out that strategy, with a
purpose of managing risk in creating, preserving, and realizing value.29

According to the COSO 2017 publication, the process of enterprise risk management is inseparable from
strategic planning. Thus, enterprise risk management is deployed as part of the process of selecting
and refining strategies in order to understand the impact of risk on performance. Integrating enterprise
risk management practices throughout an entity helps to enhance growth and performance.30

29 Enterprise Risk Management—Integrating with Strategy and Performance, Executive Summary, p. 3, © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). Bolded phrases added by HOCK for emphasis.
30 Ibid., p. 1.


Review of Strategic Planning


A strategy is a set of actions that managers take to increase the company’s performance, and strategy-setting includes both strategy formulation (the process of selecting strategies) and strategy implementation (the process of putting the selected strategies into action). Strategy involves:

• Designing, delivering, and supporting products.

• Improving efficiency and effectiveness of operations.

• Designing the organization structure, control systems, and culture.

A strategic plan aims for the long term, usually covering a period of five years or more. The strategic plan
is used along with tactical and operational planning to develop the budget for the coming year and thus it
is used to determine resource allocation.

Integrating Risk Management with Strategy Selection


According to COSO’s Enterprise Risk Management—Integrating with Strategy and Performance (Executive
Summary), many firms evaluate risk in terms of its potential effect on the viability of an already-determined
strategy. However, two additional strategy-related risks can also have an impact on a company’s value: 31

• Strategy may not align with the organization’s mission, vision, and core values. When the choice of business strategy undermines the company’s “core values,” this strategy/mission misalignment could cause an identity crisis within the company. In addition, potential customers may be confused due to inconsistent messages or experiences.

• Strategies introduce their own set of risks (or implications). The choice of business strategy
introduces its own risk profile, so the board of directors and management must consider these
possibilities as they consider adopting a strategy that best suits their needs.

The Executive Summary claims that these two strategy-related risks are “the most significant cause of value destruction”32 and that enterprise risk management is the process best suited to recognize and manage the harmful “implications” that might arise.

31 Ibid., p. 4.
32 Ibid., p. 5.


The COSO 2017 ERM Framework


The 2017 COSO ERM framework is a set of five components and twenty interrelated principles. The five
components are: 33

1) Governance and Culture. Governance sets the organization’s tone. It reinforces the importance
of and establishes oversight responsibilities for enterprise risk management. Culture relates to
ethical values, desired behaviors, and understanding of risk in the entity. The board of directors,
through its oversight role, is responsible for supporting the creation of value in an entity and
preventing its decline. The oversight role of the board includes enterprise risk management. The
board’s risk oversight role includes but is not limited to reviewing, challenging, and concurring with
management on proposed strategies, its risk appetite, the alignment of strategy and objectives
with the entity’s stated mission, vision, and core values, significant business decisions, responses
to significant fluctuations in performance and deviations from core values, management incentives
and compensation, and investor and stakeholder relations.

2) Strategy and Objective-Setting. Enterprise risk management, strategy, and objective-setting are all part of the strategic-planning process. The company determines its risk appetite and aligns
strategy with it. The objectives developed put strategy into practice and serve as a basis for iden-
tifying, assessing, and responding to risk. Three aspects of risk need to be considered as part of
the strategic planning process: (1) risks to the chosen strategy; (2) the possibility of a given
strategy not aligning with the entity’s mission, vision, and core values; and (3) the implications of
the strategy chosen.

3) Performance. Risks that may impact the achievement of the firm’s strategy and business objectives need to be identified and assessed. Risks should be prioritized according to severity within the context of the firm’s risk appetite. Management takes a portfolio view of the amount of risk it has assumed and selects risk responses. The results of this process are reported to key risk stakeholders.

4) Review and Revision. As part of its review of the entity’s performance, management should
consider how well the components of its enterprise risk management are functioning over time. If
substantial changes occur, management should consider what revisions are needed.

5) Information, Communication, and Reporting. Enterprise risk management involves a continual process of obtaining and sharing necessary information received from both internal and external sources. The communication should flow up, down, and across the organization.

The five components are supported by a set of principles that describes practices that can be used by
various types of organizations. These principles can provide the board and management with a reasonable
assurance that the organization understands the risks associated with its strategy and objectives and that
it is striving to manage those risks.

33 Ibid., p. 6.


The Five Components and the Twenty Principles of Enterprise Risk Management34

Governance and Culture

1) Exercises board risk oversight. The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving its strategy and business objectives.

2) Establishes operating structures. The organization establishes operating structures in the pursuit of strategy and business objectives.

3) Defines desired culture. The organization defines the desired behaviors that characterize the entity’s desired culture.

4) Demonstrates commitment to core values. The organization demonstrates a commitment to the entity’s core values.

5) Attracts, develops, and retains capable individuals. The organization is committed to building human capital in alignment with the strategy and business objectives.

Strategy and Objective-Setting

6) Analyzes business context. The organization considers potential effects of business context on risk profile.

7) Defines risk appetite. The organization defines risk appetite in the context of creating, preserving, and realizing value.

8) Evaluates alternative strategies. The organization evaluates alternative strategies and potential impact on risk profile.

9) Formulates business objectives. The organization considers risk while establishing the business objectives at various levels that align with and support strategy.

Performance

10) Identifies risk. The organization identifies risks and risk events that can impact the performance of strategy and business objectives.

11) Assesses severity of risk. The organization assesses the severity of risk.

12) Prioritizes risks. The organization prioritizes risks as a basis for selecting responses to risks.

13) Implements risk responses. The organization identifies and selects risk responses.

14) Develops portfolio view. The organization develops and evaluates a portfolio view of risk.

Review and Revision

15) Assesses substantial change. The organization identifies and assesses changes that may substantially affect strategy and business objectives.

16) Reviews risk and performance. The organization reviews entity performance and considers risk.

17) Pursues improvement in enterprise risk management. The organization pursues improvement of enterprise risk management.

Information, Communication, and Reporting

18) Leverages information systems. The organization leverages the entity’s information and technology systems to support enterprise risk management.

19) Communicates risk information. The organization uses communication channels to support enterprise risk management.

20) Reports on risk, culture, and performance. The organization reports on risk, culture, and performance at multiple levels and across the entity.

34 Ibid., p. 10. Formatting has been changed by HOCK.


Benefits of Enterprise Risk Management


The benefits of a well-developed and well-implemented ERM system are numerous, and they will vary from business to business. Some of the more common benefits according to the COSO framework are:35

• The organization’s range of opportunities is increased. By considering all possibilities, both positive
and negative aspects of risk, management can identify new opportunities and unique challenges
associated with current opportunities.
• Risks are identified and managed across the enterprise. Management can identify and manage
multiple and entity-wide risks to sustain and improve performance.
• Positive outcomes are increased while negative surprises are reduced. Enterprise risk management
enables entities to improve their ability to identify risks and establish appropriate responses,
thereby reducing surprises and related costs or losses, and to act on opportunities that present
themselves, thus profiting from advantageous developments.
• Performance variability can be reduced. Even positive performance variability can cause challenges: performing ahead of schedule can cause as much concern as performing short of schedule. Enterprise risk management enables organizations to anticipate the risks that would affect performance and to minimize disruption and maximize opportunity.
• Resource deployment—capital and company resources—is improved. Every risk can be considered
a request for resources. Obtaining good information on risks allows management to assess overall
resource needs, prioritize resource deployment, and enhance resource allocation.
• Enterprise resilience is enhanced. An organization’s medium- and long-term viability is dependent on its ability to anticipate and respond to change. Effective enterprise risk management can enhance the firm’s resilience, its ability to anticipate and respond to change.
• Management will gain a better understanding of how the explicit consideration of risk may impact
the choice of strategy. As a result, the firm’s corporate strategy will be better aligned with its risk
appetite.
• Enterprise risk management adds perspective to the strengths and weaknesses of a strategy as
conditions change and to how well the strategy fits with the organization’s mission and vision.
• Management can feel more confident that it has examined alternative strategies and considered
input from those in the organization who will be charged with implementing the selected strategy.
• Once the strategy is set, enterprise risk management provides an effective way for management
to fulfill its role, knowing the organization is attuned to risks that can impact the strategy and is
managing them well.
• Applying enterprise risk management helps create trust and instills confidence in stakeholders.
• Enterprise risk management helps organizations identify factors that represent change as well as
risk and how that change could impact performance and necessitate a change in strategy.

Limitations of Enterprise Risk Management


Enterprise risk management also has a very important limitation. Implementing ERM does not mean that the entity will anticipate every risk that could result in loss. In the ERM process, known risks are identified and some previously unknown risks may become known. However, some unknown risks will not be identified. The company must maintain a business continuity plan that is ready to be executed if an unknown risk materializes and affects the organization negatively.

35 Ibid., pp. 1-4.


ISO 31000 Principles, Framework, and Process


ISO 31000:2018 (second edition) is a family of standards that provides a set of principles and guidelines
for risk management and is divided into three areas:

1) Principles. The interrelated values that are foundational to the risk-management process.

2) Framework. The ways in which the risk-management plan should be integrated into “significant
activities and functions.”

3) Process. A step-by-step list of procedures to design and execute risk management.

According to ISO 31000, a company that adopts and integrates these procedures is in a strong position to
have a risk-management program that is efficient, effective, and consistent.

About Risk
First, ISO 31000 defines risk as the “effect of uncertainty on [company] objectives.”36 The uncertainty
associated with risk is neither good nor bad; it is an integral part of and a motivating factor for commercial
activity. It is best to assume that, in the routine course of business activity, risk can be mitigated but not
entirely eliminated.

Second, ISO 31000 defines risk management as the “coordinated activities to direct and control an organization with regard to risk.”37 There is no set way to manage risk that applies to all contexts. Rather, decision makers (such as the board) set the company’s risk appetite or the level of acceptable risk, and management strives to achieve the company’s objectives with the least amount of uncertainty.

Third, the intended beneficiaries of all the risk taking and risk management are the stakeholders, which
ISO 31000 defines as a “person or organization that can affect, be affected by, or perceive themselves to
be affected by a decision or activity.”38 Thus, risks are managed on behalf of stakeholders, who might have
financial, economic, or even emotional “investments” in the company’s success.

Principles of Risk Management


The following is a list of eight principles that ISO 31000 states should guide risk-management procedures.39

1) Integrated. Risk management should be an integral part of business functions.

2) Structured and Comprehensive. Risk management should be orderly and a part of all levels of
the business.

3) Customized. There is no “one size fits all” approach to risk management. The process must be
designed to fit the specific needs of the organization.

4) Inclusive. It is presumed that all stakeholders are involved at some level with risk management.

5) Dynamic. The commercial environment changes; thus, the risk-management process should be
adaptable and change when necessary.

6) Best Available Information. Risk management must be run according to the most current information and with the understanding that situations can change.

7) Human and Cultural Factors. Those who manage risk must be sensitive to the cultural context
of business operations and the assumptions about acceptable risk.

8) Continual Improvement. Risk management is an ongoing, iterative process.

36 ISO 31000: Risk Management Guidelines. 2nd ed. Switzerland: ISO, 2018. p. 1.
37 Ibid. Emphasis in original.
38 Ibid.
39 Ibid., pp. 3-4.


Framework of Risk Management


A properly functioning framework, according to ISO 31000, requires leadership and commitment; that is, upper management must signal to employees and stakeholders that risk management is a non-negotiable priority. The ISO 31000 framework describes the theoretical superstructure of the risk-management process with the following qualities:40

1) Integration. For risk assessment to succeed, it must become a part of the business’s structure
from top to bottom. Risk management is everyone’s responsibility.

2) Design. The design of a risk-management system should reflect and respond to the company’s specific needs and capacities, including its management structure, available resources, and “external and internal context” (that is, the internal and external forces that influence decision-making).

3) Implementation. The risk-management plan should be introduced in an orderly, well-communicated, and transparent way. Stakeholders must be kept updated and consulted when necessary.

4) Evaluation. An ideal risk-management plan incorporates opportunities for periodic and robust
reviews to make sure that the process smoothly adapts to change.

5) Improvement. If the evaluation procedure highlights failures or oversights, then the plan should
be improved and updated.

Process of Risk Management


ISO 31000 is careful to point out that “although the risk management process is often presented as sequential, in practice it is iterative.”41 In other words, although each step of the risk-management procedure is essential and irreplaceable, stages can repeat or occur out of order. As long as the overall objective of risk management is achieved—that is, risks are identified and controlled—then the precise order of events is flexible.

1. Communication and Consultation


According to ISO 31000, “Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making.”42 Thus, during this stage the risk management team establishes lines of communication and then solicits input from stakeholders—primarily the board and management, but they are encouraged to widen the scope of inquiry as broadly as they see fit.

2. Scope, Context, and Criteria


In this phase, the risk-management team sets the groundwork and the ground rules for the risk-analysis procedure. The main objective at this point is to “customize the risk management process” so that it addresses all the features unique to the company and its needs.

• Defining the scope. The team sets the boundaries: wide or narrow, comprehensive or selective.
Deadlines, budgets, and human resources are set. It is important that the risk management scope
aligns with the company goals and values.

• External and internal context. It is essential that the risk-management team shape the parameters of the process to take into account external influences (such as culture, law, market forces, stakeholder priorities) and internal influences (such as organizational governance, values, and commitments).

40 Ibid., pp. 5-8.
41 Ibid., p. 9.
42 Ibid.


3. Risk Assessment
The three stages of risk assessment are risk identification, risk analysis, and risk evaluation.43

• Risk identification. This is a fairly involved process that requires a careful analysis of all the risks,
internal and external, tangible and intangible, quantitative and qualitative, that a company faces.
Collectively, all the relevant risk factors create a risk profile.

• Risk analysis. Once risks have been catalogued, they need to be analyzed according to such
factors as severity, likelihood of occurring, and complexity. To a certain degree, risk analysis is a
subjective undertaking; therefore, it is best to solicit multiple perspectives.

• Risk evaluation. After being properly identified and analyzed, risks must be prioritized and decision-makers need to assign appropriate responses. Possible responses cover the range from no action to modest changes to intensive intervention.

4. Risk Treatment
Following the comprehensive risk-assessment process, the plans must be put into action. ISO 31000 refers to risk treatment as an “iterative” activity, which means that it should be recursive and repeatable.44 In general, this phase should involve careful planning and self-evaluation. Also, any residual risk (that is, risk factors that remain after “treatment”) should be analyzed to determine if it is acceptable or if more work has to be done.

• Selection of risk treatment options. A skillful risk management team should have an array of tools and resources to “treat” or otherwise address the individual risks. For example, the source of risk could be removed, insurance could be purchased, or in some cases the desired option is to increase existing risk. Economic considerations should not be the only factors in deciding risk treatment: “the organization should take into account all of the organization’s obligations, voluntary commitments and stakeholder views.”45

• Preparing and implementing risk treatment plans. At this point, the plan is put into action.
ISO 31000 recommends that a formal treatment plan be drawn up that shows the order of
events, the required resources, the chain of command, the lines of communication, and deadlines.

5. Monitoring and Review


An essential part of risk treatment is a feedback system “to assure and improve the quality and effectiveness of process design, implementation and outcomes.”46 Team members are encouraged to check the process for any flaws or oversights and proactively correct as needed. It can also serve to trace any breakdowns in the system or the risk management process.

6. Recording and Reporting


According to ISO 31000, “the risk management process and its outcomes should be documented and reported.”47 Documentation serves the practical function of providing a step-by-step accounting of risk discovery, planning, decision making, resource allocation, and execution. In addition, it can be the basis of the reporting submitted to stakeholders.

43 Ibid., p. 11.
44 Ibid., p. 13.
45 Ibid.
46 Ibid., p. 14.
47 Ibid.


Summary of ISO 31000


The anchor points of ISO 31000 can be narrowed down in this way:

• The risk-management process must be integrated at all levels of the company to maximize its
effectiveness. It must be taken seriously and upper management must set the appropriate tone.

• The risk-management process must be adapted to the needs of the company. Each company
has different needs, different objectives, and different contexts, so the plan must conform to these
specific requirements.

• The end result of the risk-management process must be clarity. Regardless of the magnitude and prevalence of risk, as long as the decision-makers have a clear understanding of the uncertainties they face, then the risk-management team has done its job.

• Stakeholders must be involved and informed throughout the risk-management process.

Exam Note: In the exam, if a question is specifically about ISO 31000, answer with the terminology
specific to ISO 31000. If a question does not specifically mention ISO 31000 but includes ISO 31000
terminology, use the ISO 31000 terminology to answer the question.


G. Examining the Effectiveness of Risk Management


Standard 2120 and PA 2120-1 address the role of internal audit in assessing the risk management process. Internal auditors can examine, evaluate, and report on the adequacy and effectiveness of the risk management process. In addition, they may also make recommendations to improve the risk management process.

Standard 2120 – Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk
management processes.

Interpretation: Determining whether risk management processes are effective is a judgment resulting
from the internal auditor’s assessment that:

• Organizational objectives support and align with the organization’s mission.

• Significant risks are identified and assessed.

• Appropriate risk responses are selected that align risks with the organization’s risk appetite.

• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evalua-
tions, or both.

2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:

• Achievement of the organization’s strategic objectives.

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations and programs.

• Safeguarding of assets.

• Compliance with laws, regulations, policies, procedures, and contracts.

2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how
the organization manages fraud risk.

Practice Advisory 2120-1: Assessing the Adequacy of Risk Management Processes

1. Risk management is a key responsibility of senior management and the board. To achieve its business
objectives, management ensures that sound risk management processes are in place and
functioning. Boards have an oversight role to determine that appropriate risk management processes
are in place and that these processes are adequate and effective. In this role, they may direct the
internal audit activity to assist them by examining, evaluating, reporting, and/or recommending
improvements to the adequacy and effectiveness of management’s risk processes.


Every organization will have its own particular methodology to implement the risk management process.
PA 2120-1 includes information about the different processes that an organization may have.

PA 2120-1: Assessing the Adequacy of Risk Management Processes

6. The techniques used by various organizations for their risk management practices can vary
significantly. Depending on the size and complexity of the organization’s business activities, risk
management processes can be:

• Formal or informal.

• Quantitative or subjective.

• Embedded in the business units or centralized at a corporate level.

7. The organization designs processes based on its culture, management style, and business objectives.
For example, the use of derivatives or other sophisticated capital markets products by the
organization could require the use of quantitative risk management tools. Smaller, less complex
organizations could use an informal risk committee to discuss the organization’s risk profile and to
initiate periodic actions. The internal auditor determines that the methodology chosen is sufficiently
comprehensive and appropriate for the nature of the organization’s activities.

The internal auditor must determine whether or not the risk management process is effective and if the methodology is clearly understood by the key groups, including the board and audit committee. The internal auditor must be satisfied that the organization’s risk management processes address these five key objectives:

• Risks that arise from business strategies and activities are identified and prioritized.

• Management and the board set the level of risk acceptable to the organization (assess risk appetite).

• Risk mitigation or reduction activities are designed and implemented to reduce or otherwise manage risk at acceptable levels.

• Risks are periodically reassessed on an ongoing basis.

• Reports are given periodically to the board and management on the results of the risk assessment
process.

Note: Internal auditors should address any risk exposures that they encounter in any engagement and
evaluate them further as necessary, even if it is not part of the immediate engagement.


Gathering Evidence for Assessment


When gathering evidence for assessing the risk management process, procedures that the internal auditor
should follow are described in Paragraph 8 of PA 2120-1.

PA 2120-1: Assessing the Adequacy of Risk Management Processes

8. Internal auditors need to obtain sufficient and appropriate evidence to determine that the key
objectives of the risk management processes are being met to form an opinion on the adequacy of
risk management processes. In gathering such evidence, the internal auditor might consider the
following audit procedures: 

• Research and review current developments, trends, industry information related to the business
conducted by the organization, and other appropriate sources of information to determine risks and
exposures that may affect the organization and related control procedures used to address, monitor,
and reassess those risks.
• Review corporate policies and board minutes to determine the organization’s business strategies,
risk management philosophy and methodology, appetite for risk, and acceptance of risks.
• Review previous risk evaluation reports issued by management, internal auditors, external auditors,
and any other sources.
• Conduct interviews with line and senior management to determine business unit objectives, related
risks, and management’s risk mitigation and control monitoring activities.
• Assimilate information to independently evaluate the effectiveness of risk mitigation, monitoring,
and communication of risks and associated control activities.
• Assess the appropriateness of reporting lines for risk monitoring activities.
• Review the adequacy and timeliness of reporting on risk management results.
• Review the completeness of management’s risk analysis and actions taken to remedy issues raised by risk management processes, and suggest improvements.
• Determine the effectiveness of management’s self-assessment processes through observations, direct tests of control and monitoring procedures, testing the accuracy of information used in monitoring activities, and other appropriate techniques.
• Review risk-related issues that may indicate weakness in risk management practices and, as
appropriate, discuss with senior management and the board. If the auditor believes that
management has accepted a level of risk that is inconsistent with the organization’s risk management
strategy and policies, or that is deemed unacceptable to the organization, refer to Standard 2600
and related guidance for additional direction.

Evidence to support the risk assessment is usually obtained from engagements throughout the year. Because there is no formula to follow, the successful assessment of risk often rests with the professional judgment and experience of the internal auditors and the CAE.

When No Risk Management Process Exists


If an organization does not have a risk management process, the CAE must convince the board and senior management to establish one, even if it is just an informal set of procedures.

PA 2120-1: Assessing the Adequacy of Risk Management Processes

5. In situations where the organization does not have formal risk management processes, the chief
audit executive (CAE) formally discusses with management and the board their obligations to
understand, manage, and monitor risks within the organization and the need to satisfy themselves
that there are processes operating within the organization, even if informal, that provide the
appropriate level of visibility into the key risks and how they are being managed and monitored.


Assessing the Adequacy of Risk Management Processes for Formal Consulting Services
Standard 2120 addresses risk management in the context of a consulting engagement.

Standard 2120 – Risk Management

2120.C1 – During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.

2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements
into their evaluation of the organization’s risk management processes.

2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

If auditors identify significant risk exposure or control weaknesses during a consulting engagement, management must be alerted. In some cases, particularly where there are significant risk exposures, it might be necessary for the internal auditor to communicate directly with the board or audit committee.

As with any assessment engagement, the internal auditor should use professional judgment to:

• Determine the significance of exposures or weaknesses and the actions taken or contemplated to mitigate them.

• Ascertain the expectations of management, the audit committee, and board in having these
matters reported.

Note: Internal auditors need to avoid managing risks during a consulting engagement because doing so
might result in a negative outcome, which could be perceived as an internal audit failure and damage
the reputation of the IAA.

H. Appropriateness of IAA’s Role in the Risk Management Process


The assessment and reporting of an organization’s risk management processes are normally a high audit
priority, and the Charter should clearly outline management and the board’s expectations for the IAA. The
IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management indicates that the
IAA’s role is to provide assurance to the board on the effectiveness of risk management. Assurance should
be provided in three areas:

1) The design and implementation of the risk management processes.

2) Identification of key risks and the effectiveness of their controls.

3) Assessment and reporting of risk and controls.

The IAA can provide a wide range of risk-management services, but there are activities that the IAA should
refuse. The two most important questions to ask when considering whether an activity is appropriate are:

1) Will the activity have a negative impact on the IAA’s independence and objectivity? If the
answer is yes, the IAA should not accept the engagement.

2) Will the activity improve the organization’s governance, controls, and risk management?
If the answer is no, the IAA should not accept the engagement.

Note: The IAA’s role in the risk management process is not static and will change over time.


The Role of Internal Auditing in Enterprise-wide Risk Management divides possible consulting engagements into three categories:48

Core internal audit roles in regard to ERM (Assurance) (shown in green)

• Giving assurance on the risk management process
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks

Legitimate internal audit roles with safeguards (Consulting) (shown in yellow)

• Facilitating identification and evaluating risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidated reporting on risks
• Maintaining and developing the ERM framework
• Championing the establishment of ERM
• Developing the RM strategy for board approval

Roles internal auditors should not undertake (shown in red)

• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Taking decisions on risk responses
• Implementing responses on management’s behalf
• Accountability for risk management

The chart is color coded as follows:

• Green. The IAA should do these activities.

• Yellow. The IAA can do these activities, with safeguards.

• Red. The IAA should not do these activities.

Assurance Roles
The assurance activities listed above are all squarely within the IAA’s domain, and the IAA should provide
some or all of these services. The degree of assurance that the IAA provides will depend on how embedded
risk management is in the organization’s everyday operations. In the early stages of implementing ERM,
the IAA may need to be an advocate for ERM’s benefits. In the later stages, when most of the core audit
roles (the items in green) have been fulfilled, the IAA will usually shift to consulting.

Consulting Roles
The IAA can provide consulting services only if permitted in the Charter and there is no assumption of
management responsibility. Most consulting engagements should have a strategy and time frame for mi-
grating responsibility from the IAA to management.

Safeguards prevent consulting engagements from transitioning into activities that the IAA should not
undertake, either accidentally or due to pressure from management. Therefore, the IAA should not:

• Manage risk.

• Make risk management decisions.

• Give assurance on any part of the ERM framework that it developed.

• Deviate from the Standards related to consulting engagements.

Note: There must be sufficient safeguards in place to ensure the objectivity and independence
of the internal auditors in ERM consulting roles.

48 Reformatted from IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management. p. 4.


I. Interpret Internal Control Concepts and Types of Controls


Defining Control
The IIA Glossary defines control as:

Any action taken by management, the board, and other parties to manage risk and increase
the likelihood that established objectives and goals will be achieved. Management plans,
organizes, and directs the performance of sufficient actions to provide reasonable assurance
that objectives and goals will be achieved.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) states that in-
ternal controls “provide reasonable assurance regarding the achievement of objectives” in three categories:

• Effectiveness and efficiency of operation

• Reliability of financial reporting

• Compliance with applicable laws and regulations

Classifying Controls
Control classification helps a given organization understand the relationships and hierarchies governing its
related controls. There are three primary ways of classifying controls:

1) Organizational-level Controls
• Corporate-level (entity-level) controls. They include general policy statements, values, and
overall monitoring procedures, such as the audit committee and risk management committee.

• Operational-level controls. They include both manual and automated controls. Operational-level
controls encompass planning and performance monitoring, the system of accountability to superi-
ors, and risk evaluation.

• Transaction-level controls. They are mostly automated, consisting of specific control procedures
and controls to ensure that financial information is accurate and complete.

2) Manual Versus Automated Controls


• Manual controls operate through human intervention.

  Examples of manual controls include a supervisor signing a purchase requisition or a manager
  physically reviewing actual versus budgeted information. Manual controls are more prone to error
  than automated controls.

• Automated controls operate through and within a company’s information technology system.

  Examples of automated controls include automated balancing and reconciliations, systems access
  controls, automated flags that identify possible invalid or duplicate entries or data, and any check
  made automatically by a computer system.

Automated controls are typically more reliable and more efficient than manual controls, and thus they can
provide more valuable, timely, and reliable information. That said, there are instances where manual con-
trols are critical, especially in complex and dynamic processes or in places where human judgment is
required. A review of manual processes may reveal opportunities for automated improvement.


3) Type of Controls

Each type of control is listed below with its definition and examples.

Directive. To cause or encourage a desirable event to occur.

• Policies and procedures put in place by executive management.
• Management directives, such as directing all internal auditors to be CIAs.
• Making sure employees have job descriptions.

Preventive. To avoid the occurrence of an unwanted event. These are key controls for events that would
be very harmful to the company if they occur. Preventive controls are measures to deter noncompliance
with policies and procedures, such as:

• Segregation of duties.
• Suitable authorization of transactions.
• Checking creditworthiness of customers before goods are shipped.
• Physical controls to safeguard assets such as equipment, inventories, securities, cash, and so forth.
• These may also be “yes/no” controls that check if a certain condition exists or not.

Detective. To detect undesirable events that have occurred. Can be used to detect events that could
harm the company if not corrected.

• Bank reconciliations.
• Checking for missing document numbers in pre-numbered documents.
• Performance reporting with variances.

Corrective. To correct undesirable events that have already occurred.

• Procedures put in place to remedy problems discovered by detective controls, such as steps taken to
  identify the cause of the problem and to modify the processing system to minimize future occurrences
  of the problem.

Compensating. To compensate for weaknesses in the control system. These reduce risk when other
controls are not effective, but are not sufficient by themselves to control risks.

• Bank reconciliation (also a detective control).
• Additional independent oversight.
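The detective control “checking for missing document numbers in pre-numbered documents” listed above is simple enough to show as code. The Python below is an added example written for this section (it is not code from the IIA or HOCK materials): it runs a gap, duplicate and out-of-range check over a constructed batch of invoice numbers. The `Document` record, its voided flag and the sample numbers are assumptions made for the example; a voided form is treated as accounted for rather than missing, and a number used twice is reported separately because a duplicate pre-numbered form is itself a finding to follow up.

```python
"""Detective control: gap and duplicate check over pre-numbered documents.

Added example (not code from the HOCK text). The invoice numbers below are
constructed sample data; a voided number is treated as accounted for rather
than missing, and numbers outside the expected block are reported separately.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    number: int           # pre-printed sequence number on the form
    voided: bool = False  # a voided form is still accounted for


def check_sequence(docs, first, last):
    """Check that every number in first..last is accounted for exactly once.

    Returns a dict with:
      missing      - numbers in the range that never appear (lost or unrecorded forms)
      duplicates   - numbers used more than once (re-used or copied forms)
      out_of_range - numbers outside the expected block
      voided       - numbers recorded as voided (accounted for, but worth review)
    """
    counts = {}
    for d in docs:
        counts[d.number] = counts.get(d.number, 0) + 1
    return {
        "missing": [n for n in range(first, last + 1) if n not in counts],
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if n < first or n > last),
        "voided": sorted(d.number for d in docs if d.voided),
    }


# Constructed sample: one batch of sales invoices expected to run 1001..1008.
SAMPLE_DOCS = [
    Document(1001), Document(1002), Document(1003, voided=True),
    Document(1005), Document(1006), Document(1006), Document(1008),
    Document(1010),
]


def sample_result():
    """Run the check over the constructed batch."""
    return check_sequence(SAMPLE_DOCS, first=1001, last=1008)


if __name__ == "__main__":
    for key, value in sample_result().items():
        print(f"{key:13}: {value}")
```

Run over the sample batch the check reports 1004 and 1007 as missing, 1006 as duplicated, 1010 as outside the block and 1003 as voided; each of those is a follow-up item for the auditor, not a conclusion on its own.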


Timing of the Controls


Under ideal conditions, controls should prevent mistakes before they occur because it is less expensive to
prevent a mistake than to fix one. There are three types of controls:

1) Feedforward controls identify a problem before it occurs and attempt to prevent it from occur-
ring. An example of feedforward controls is preventive maintenance on a machine to avoid a
breakdown. Policies and procedures are other examples of feedforward controls.

2) Concurrent controls operate at the same time as the process they monitor and make adjust-
ments based upon immediate feedback from the system.

3) Feedback controls identify a problem after it has occurred. Although this may be the most com-
mon form of control, it is the least effective and least efficient because time and money have been
wasted before detection.

In terms of efficiency, feedforward controls are the best, followed by concurrent controls, and then feedback
controls.

Note: Controls may be either quantitative or qualitative. A quantitative control relates to the number
of units produced, hours worked, defects found, or something similar (such as budgets, schedules, quo-
tas, and charts). A qualitative control relates to characteristics or requirements of job performance or
the finished unit (such as job instructions, quality-control standards, or employment criteria).

Planning and Controlling


Planning is the process of setting goals and objectives. Through controlling, a company monitors its
progress towards those goals and objectives. Planning and control can sometimes be combined for greater
efficiency. A budget is an example of a control tool that combines both planning and controlling.

Characteristics of Effective Controls


An effective control system should have the following characteristics:

• Economical. There must be a positive cost/benefit ratio, meaning that the organization saves
more than the cost of the control.

• Meaningful. Only significant, material items need controls.

• Appropriate. The control system should relate to an objective or goal of the company.

• Congruent. The result of the system should be useful and in line with what it is measuring.

• Timely. Information must be available in enough time to act upon it.

• Simple. The control must be understandable to the people using it.

• Operational. The control should provide benefit to operations and not simply be interesting.


Benefits of Strong Internal Control


Controls help an organization achieve its goals and objectives while minimizing risk. Without strong con-
trols, a company puts itself at risk for employee theft, loss of control over information, and other damaging
inefficiencies. A company with strong internal control can enjoy the following benefits:

• More reliable information for the decision-making process.
• Better control over the assets of the company.
• Reduced chance of fraud.
• Lower external audit costs.
• Better compliance with laws and regulations.
• Increased investor confidence through more reliable financial reporting.

Limitations of Internal Controls


Even the best internal control system has limitations. For example:

• Internal controls can provide only reasonable assurance that objectives can be achieved. Inter-
nal controls should never be promoted as a guarantee.
• Human error, faulty judgement, collusion, and fraud can all limit the effectiveness of controls.
• Excess or unreasonable controls can increase bureaucracy and reduce productivity. Controls must
be evaluated in terms of their cost and benefit to avoid wasting resources.

Who Benefits from Having a Strong Internal Control System?


The presence of strong internal controls benefits more than just the top levels of the corporation.

• For a public company, investors are interested in effective internal controls to evaluate manage-
ment’s performance of its stewardship responsibilities as well as the reliability of the company’s
financial statements.
• External auditors can efficiently audit a company with an effective internal control system.
• Organizations with large numbers of employees are easier to manage with strong internal
controls by defining and directing employees’ authority across complicated infrastructures.
• Customers have an indirect interest in internal controls because a strong internal control system
may reduce costs of production and thereby lower prices.

Who is Responsible for Internal Control?


Many different parties are responsible for internal controls:

• The board of directors is primarily responsible for overseeing the internal control sys-
tem, providing governance, guidance, and insight.
• The CEO is responsible for the “tone at the top.” The CEO should provide leadership and
direction to the senior managers and review the way that they are controlling the business.
• Senior managers delegate responsibility for establishing specific internal control policies and
procedures to personnel responsible for each unit’s functions.
• Financial and accounting officers, as well as staff, are central to the exercise of control because
their activities permeate the organization. However, all management personnel are involved, es-
pecially in controlling their own units’ activities.
• External parties such as independent auditors often provide information useful to effective
internal control.


Establishing the Control Process


Every control process has three main elements:

1) Setting the objectives.

2) Measuring performance against a standard.

3) Evaluating the results then correcting or regulating the performance.

Note: The control process is an ongoing effort.

These elements can be broken down into the following ten steps:

1) Set the standards.

2) Select the times or control points at which to collect information.

3) Observe the process or collect the samples.

4) Record information.

5) Compare and measure performance against the standard.

6) Evaluate the performance.

7) Report any significant deviations or problems to the appropriate level of management.

8) Implement corrections.

9) Follow up to ensure that the corrections are effective.

10) Review and revise the standards of performance as necessary.

The following commentary provides greater detail on some of the steps, but does not cover the entire list.

Steps 1 and 2. Setting Standards and Selecting Control Points


The process of developing standards and measurements should include the people involved in the process
being controlled. An appropriate standard should be set along with the times (or control points) in the
process to measure performance. By being included in setting the standards, employees will feel more
ownership of the process and should be more motivated to achieve an objective that they helped create.

If a standard is too difficult to achieve, employees may become discouraged. On the other hand, if the
standard is too easily achieved, then there is no motivation to work hard. Standards should be reviewed
on an ongoing basis and revised or even eliminated for any changes in the circumstances or processes.

If the item is measured too early in a process, the deviations or problems may have not yet developed.
However, if results are measured too late, the company may have incurred too many unnecessary costs
between the occurrence of any problems and their detection.

If a product is destroyed as a result of the testing process, it may be impossible to set measurable standards
for every unit produced.49 In circumstances where testing each item is impractical, statistical sampling
is appropriate where a sample of the total population is tested to draw a conclusion about the entire popu-
lation.

Step 5. Comparing and Measuring Performance against the Standards


Every product, service, or process can be measured against a standard for performance. Decisions about
appropriate measurement depend on management’s goals and priorities. For example, if management
wants to increase production levels, then measuring efficiency of materials usage may not be the best
metric because it would be counterproductive to the goal of the company.

49 An example of this inefficient method of measurement would be to determine if a given light bulb will last for 10,000
hours by keeping all produced lightbulbs lit for 10,000 hours.

In some instances, measurement comes down to a choice between long-term and short-term objectives.
For example, the company could either aim for future growth or make as much money as possible now.

Another important part of the measuring process is determining who performs the measurement. Self-
measurement is preferable because it builds employee morale and empowerment and it is less expensive,
but there is a risk that people will not report all deviations. Second-party measurement is more expen-
sive than self-measurement, but it may lead to better and more useful results.

Steps 6 and 8. Evaluation and Implementation of Correction


It is essential to compare like items to like items. For example, comparing results from different plants
is not a useful exercise if each plant uses different production methods. Similarly, if there is a significant
change in the process or technology from one year to the next, it is not accurate or effective to compare
current practices to prior periods.

Some evaluations are measured using subjective rather than objective criteria. For example, the quality of
an individual’s work output can only be determined by the tastes or opinions of a given evaluator. With
these trait-based decisions, more care must be taken in the evaluation of the results. Indeed, it may be
best to have more than one person involved in the decision-making process because trait-based decisions
can be more easily influenced by emotions.

Note: If evaluation is used as a motivational tool, the item that is measured needs to be under the direct
control of the person being evaluated. This motivation tool also needs to be in line with the goals and
objectives of the company.

Step 10. Review and Revise the Standards of Performance as Necessary


Constant monitoring is essential for keeping a control system current. Furthermore, even the most sophis-
ticated control systems can be compromised by a persistent hacker or an unethical member of upper
management. Yet for all these potential pitfalls, a business is in a much safer position with a functioning,
updated, monitored control system than without one.

Note: Exogenous variables are factors outside the control of the decision-maker, such as technological
changes, weather, competitors, and wars. Because they are outside the control of the company, planning
for them can be difficult under the best of circumstances.


Application Controls in an Automated Control System


Computer-based information systems have application controls for data processing. Application controls
are broken down into three main categories: input, processing, and output controls.

Input controls
Input controls help to ensure that only valid, authorized information is entered into the system. There are
five categories of input controls:

1) Edit checks confirm the validity and accuracy of input data, such as verifying that each field has
the proper numeric, alphabetic, or alphanumeric format and that the information in the transaction
is reasonable.

2) Key verification is the requirement of inputting information again and comparing the two inputs.
For example, entering a new password twice before it is saved.

3) Redundancy checks send additional sets of data to confirm the accuracy and validity of the
original data.

4) Echo checks send data back to the sender to compare it with what was originally sent.

5) Completeness checks (for transmission of data) determine whether all necessary information
has been sent.

Processing controls
Processing controls ensure that the data and transmission are valid and also include physical security of
the equipment. The primary processing controls are:

1) Posting checks compare the contents of the record before and after updating.

2) Cross-footing compares the sum of the individual components to the total figure.

3) Zero balance checks are used when a total sum should be 0.

4) Run-to-run control totals provide verification of the data values during the different stages of
processing and help ensure the completeness of all transactions.

5) Internal header and trailer labels ensure that the correct files are processed.

6) Concurrency controls manage two or more programs trying to access the same information at
the same time.

7) Key integrity checks make sure that the keys (characteristics of records that allow them to be
sorted) are not changed during data processing.
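The input and processing controls above are mostly arithmetic on a batch of records, so they are easy to show as code. The Python below is an added example written for this section (not code from the HOCK text): it applies edit checks (format and reasonableness) to individual input lines, then cross-foots a journal batch, applies a zero balance check, and carries run-to-run control totals (record count, amount total and a hash total of account codes) across processing stages. The record layout, the field rules, the document and account formats, and the sample batch are all constructed for the example.

```python
"""Input edit checks and processing controls over a batch of journal lines.

Added example, not code from the HOCK text. The record layout (doc, account,
amount, side), the field rules and the sample batch are constructed for
illustration; the controls follow the categories in the text: edit checks,
cross-footing, zero balance checks and run-to-run control totals.
"""
import re
from decimal import Decimal, InvalidOperation

DOC_RE = re.compile(r"^JE-[0-9]{6}$")    # alphanumeric format for the document id
ACCOUNT_RE = re.compile(r"^[0-9]{4}$")   # numeric format for the account code
MAX_REASONABLE = Decimal("1000000.00")   # reasonableness limit for one line


def edit_check(line):
    """Input control: return the list of format/reasonableness failures for one line."""
    errors = []
    if not DOC_RE.match(line.get("doc", "")):
        errors.append("doc: invalid format")
    if not ACCOUNT_RE.match(line.get("account", "")):
        errors.append("account: not a 4-digit numeric code")
    if line.get("side") not in ("D", "C"):
        errors.append("side: must be D or C")
    try:
        amount = Decimal(line.get("amount", ""))
    except InvalidOperation:
        errors.append("amount: not numeric")
        return errors
    if amount <= 0 or amount > MAX_REASONABLE:
        errors.append("amount: fails reasonableness test")
    return errors


def cross_foot(batch):
    """Processing control: total the debit and credit columns separately and
    return (debits, credits, difference) so the columns can be checked against
    each other and against the batch total."""
    debits = sum((Decimal(l["amount"]) for l in batch if l["side"] == "D"), Decimal("0"))
    credits = sum((Decimal(l["amount"]) for l in batch if l["side"] == "C"), Decimal("0"))
    return debits, credits, debits - credits


def zero_balance_check(batch):
    """Processing control: a journal batch must net to zero."""
    return cross_foot(batch)[2] == 0


def control_totals(records):
    """Run-to-run totals: record count, amount total and a hash total of the
    account codes (the hash total has no business meaning; it only has to match)."""
    count = len(records)
    amount_total = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    hash_total = sum(int(r["account"]) for r in records)
    return count, amount_total, hash_total


def run_to_run(stages):
    """stages is a list of (stage_name, records). Every stage must carry the
    same control totals as the first; return the names of the stages that do not."""
    expected = control_totals(stages[0][1])
    return [name for name, records in stages[1:] if control_totals(records) != expected]


# Constructed sample batch: two balanced journal entries, plus one bad input line.
SAMPLE_BATCH = [
    {"doc": "JE-000101", "account": "1000", "amount": "500.00", "side": "D"},
    {"doc": "JE-000101", "account": "2000", "amount": "500.00", "side": "C"},
    {"doc": "JE-000102", "account": "1100", "amount": "250.00", "side": "D"},
    {"doc": "JE-000102", "account": "3000", "amount": "250.00", "side": "C"},
]
BAD_LINE = {"doc": "JE-1", "account": "10A0", "amount": "x", "side": "D"}

if __name__ == "__main__":
    print("bad line:", edit_check(BAD_LINE))
    print("cross-foot:", cross_foot(SAMPLE_BATCH))
    print("zero balance:", zero_balance_check(SAMPLE_BATCH))
    # A record lost between validation and posting shows up as a run-to-run break.
    print("run-to-run breaks:", run_to_run([("input", SAMPLE_BATCH),
                                            ("validated", SAMPLE_BATCH),
                                            ("posted", SAMPLE_BATCH[:3])]))
```

The run-to-run check is the one that catches a record silently dropped between stages: the posted stage in the sample has three records instead of four, so its count, amount total and hash total all disagree with the input stage and the stage is reported.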


Output controls
Output controls provide reasonable assurance that input and processing create complete and accurate out-
put, and that the output is distributed appropriately. The following is a list of basic output controls:

1) Output distribution controls ensure that distribution is made in accordance with pre-authorized
automated or manual parameters.

2) Output retention controls ensure that output is retained in accordance with organizational pol-
icies, which should consider statutory and legal requirements.

3) Forms controls make sure that there is proper control over checks, bonds, and stock certificates.
These items need to be protected by physical and logical controls.

4) Error logs are listings of processing errors. These error logs need to be reviewed to ensure that
data is still being correctly processed.

Segregation of Duties
It is often the case that fraud occurs because a single employee has oversight authority over several oper-
ations, resulting in numerous opportunities to evade controls, conceal questionable activity, and alter
documentation. The objective of segregation of duties is to make it more difficult for any one individual
to steal company assets or commit other types of fraud because under this system no single employee
is in a position to both perpetrate and conceal irregularities.

Under proper segregation of duties, different people must perform each of the following functions:

1) Authorize the transaction.

2) Record the transaction, prepare source documents, and maintain journals (i.e., keeping track of
how much of the asset the company should have).

3) Keep physical custody of the related asset (i.e., protecting the assets that the company actually
has).

4) Periodically reconcile physical assets (point 3) to recorded amounts (point 2).

Note: For an exam question about an effective or ineffective internal control, keep in mind that these
are the four actions that must be done by different people. Once you identify the four separate
functions, you will be able to answer the question correctly.

Example: Within the inventory acquisition cycle, different people should be responsible for:

1) Authorizing the purchase of inventory.

2) Recording the purchase of inventory in the accounting records.

3) Receiving the inventory and maintaining the physical custody of the units of inventory.

4) Reconciling the amount of inventory recorded (point 2) and the amount of inventory held in the
warehouse (point 3).

If one person both receives and records the inventory, that person is in a position to steal items but
report that they were never received.

Segregation of duties should also apply to transferring inventory from the warehouse to the production
line. One person should authorize the transfer, one person should record how much inventory was re-
quested, a third person should have custody of the inventory, and a fourth person should periodically
reconcile the two amounts.


Note: One employee may have both authorization and record-keeping duties as long as they are in
different transaction cycles. For example, the person who is responsible for authorizing inventory
purchases may also be responsible for recording fixed assets.

Other examples of segregation of duties include:

• One person has custody of cash receipts and a different person authorizes account write-offs.

Without segregation, one person could authorize a false write-off while diverting the collection on
the account.

• One person authorizes issuance of purchase orders and a different person is responsible for re-
cording receipt of inventory.

Without such segregation, one person could issue a purchase order to a fictitious company and
prepare a fictitious receiving record, resulting in the company paying for something it never or-
dered or received.

• One person has authority to adjust accounts receivable and a different person posts payments on
customers’ accounts.

Without this segregation, one person could divert cash receipts and then falsify the account bal-
ances of the customers who paid the cash in order to conceal the diversion.

• One person is responsible for preparing the bank deposit and a different person reconciles the
checking account.

Without segregation, one person could divert cash receipts and cover the theft by creating recon-
ciling entries.

Note: One of the inherent limitations of segregation of duties is collusion, which is when two or more
employees work together to get around controls. Job rotation can reduce the risk of collusion.
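The rule in this section, that the four functions (authorize, record, custody, reconcile) must be held by different people within one transaction cycle while the same person may hold two of them in different cycles, can be checked mechanically against a list of role assignments. The Python below is an added example written for this section (not code from the HOCK text): it reports every employee who holds two or more of the four functions in the same cycle, and separately lists cycles where a function has nobody assigned, which is the situation where compensating controls are needed. The cycle names, employee names and assignments are constructed for the example.

```python
"""Segregation-of-duties conflict check over role assignments.

Added example, not code from the HOCK text. The cycle names, employee names
and assignments are constructed; FUNCTIONS are the four duties the text says
must be performed by different people within one transaction cycle.
"""
from collections import defaultdict

FUNCTIONS = ("authorize", "record", "custody", "reconcile")

# Constructed sample: (employee, transaction cycle, function held).
ASSIGNMENTS = [
    ("alice", "inventory", "authorize"),
    ("bob",   "inventory", "record"),
    ("carol", "inventory", "custody"),
    ("dave",  "inventory", "reconcile"),
    ("alice", "fixed_assets", "record"),      # allowed: a different cycle
    ("erin",  "cash_receipts", "custody"),    # has custody of cash receipts ...
    ("erin",  "cash_receipts", "authorize"),  # ... and can authorize write-offs
    ("frank", "cash_receipts", "record"),     # prepares the bank deposit ...
    ("frank", "cash_receipts", "reconcile"),  # ... and reconciles the checking account
]


def find_conflicts(assignments):
    """Return sorted (employee, cycle, functions) tuples where one person holds
    two or more of the four functions inside the same cycle."""
    held = defaultdict(set)
    for employee, cycle, function in assignments:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function: {function!r}")
        held[(employee, cycle)].add(function)
    return sorted(
        (employee, cycle, tuple(sorted(functions)))
        for (employee, cycle), functions in held.items()
        if len(functions) > 1
    )


def uncovered_functions(assignments):
    """Return {cycle: [functions nobody holds]}. An uncovered function is not a
    conflict, but the cycle then depends on compensating controls."""
    covered = defaultdict(set)
    for _, cycle, function in assignments:
        covered[cycle].add(function)
    return {
        cycle: sorted(set(FUNCTIONS) - functions)
        for cycle, functions in covered.items()
        if set(FUNCTIONS) - functions
    }


if __name__ == "__main__":
    for employee, cycle, functions in find_conflicts(ASSIGNMENTS):
        print(f"conflict: {employee} holds {' + '.join(functions)} in {cycle}")
    for cycle, missing in uncovered_functions(ASSIGNMENTS).items():
        print(f"gap: nobody assigned to {missing} in {cycle}")
```

The two conflicts the sample produces are the first and last bullets from the list above (custody of cash receipts combined with write-off authority, and preparing the deposit combined with reconciling the account); alice holding authorization in inventory and record-keeping in fixed assets is correctly not reported, matching the note on different transaction cycles.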


Controls in the Accounting Transaction Cycles


Accounting transaction cycles have controls and segregation of duties embedded in them to reduce the
likelihood of fraud. The following pages cover five transaction cycles, providing examples of segregation of
duties and tables detailing the departments involved, their activities, the risks, and related control proce-
dures.

You do not need to memorize these tables. What is important is to be able to think through each cycle and
identify related activities with their controls and segregation of duties.

Note: Some small- and medium-sized companies may not have enough employees for complete segre-
gation of duties, in which case internal auditors must assess whether or not there are sufficient
compensating controls. Otherwise, there is a much higher opportunity for employees to commit fraud.

Note: Flowchart versions of the transaction cycles are available to download from the CIA Part 1 Text-
book page in “My Studies” on the HOCK web site.

Revenue-Receivable Cycle
Through the revenue-receivable cycle, a company can make sure that only qualified customers can obtain
credit, that the goods or services they obtain are at the right time and at the right price, and that recorded
sales are promptly and accurately recorded.

Example Segregation of Duties in the Revenue-Receivable Cycle

Approval for Credit Sales: A credit officer from the credit department approves credit sales.

Custody of Assets: Custody of handling merchandise lies with the warehouse department, which pulls
it and sends it to the shipping department, which then sends it to the customer. Personnel in these
departments do not approve the order, record the sales, or reconcile records.

Recording: The accounting department (or the billing department) matches the sales documents from
shipping and records the order as a sale.

Reconciliation: There should be reconciliation between the accounts receivable ledger and the general
ledger. An independent person should do the reconciliation.


The table below is presented by department, giving for each the narrative of activities, followed by the
risks and the related control procedures.

Sales Department

Narrative of Activities: The sales department receives orders and then checks to see if the inventory is in
stock. If this is a credit sale, the sales department sends a credit application to the credit department for
approval. If the application is approved, the sales department makes the sale and sends the approved
sales order to the warehouse and the shipping department.

Risks and Control Procedures:

• Risk: Unauthorized rates or prices are misquoted to customers. Control: Prices or rates have to be
  verified to an authorized price list before the order is processed.

• Risk: An invalid or fictitious customer order is received and processed. Control: Customers are
  checked against an approved customer list.

• Risk: There is incorrect inventory stocking information that leads to stockouts. The customer does not
  receive goods in time, causing customer ill will. Control: Goods must be verified to be in stock before
  a sales order is processed. There should be regular inventory counts so that inventory information is
  up to date.

• Risk: A sales representative authorizes a credit sale that creates excessive bad debts. Control: The
  sales department cannot approve credit for customers. The function has to be segregated.

Credit Department

Narrative of Activities: The credit application is received from the sales department. A credit check is
run. If the customer is deemed creditworthy, the application is approved. Notice of the approval is sent to
sales, warehouse, shipping, and accounting.

Risks and Control Procedures:

• Risk: The customer’s credit application is not received and processed on a timely basis, leading to a
  lost sale. Control: Credit applications have to be processed in a timely manner. Procedures are
  designed to reduce the occurrence of bad debts and to make sure that creditworthy customers are
  not rejected in error.

• Risk: The approved credit exceeds the customer’s credit limit, leading to excessive bad debts.
  Control: Procedures need to be in place to make sure that customers’ credit limits have not been
  exceeded.

Warehouse

Narrative of Activities: The warehouse receives the approved sales order and pulls goods. Goods are
checked for quality and sent to the shipping department.

Risks and Control Procedures:

• Risk: Goods are released from inventory to shipping without authorization. Control: Goods cannot be
  released from inventory to the shipping department until the inventory department receives a copy
  of a properly authorized sales order. This control is designed to prevent the unauthorized removal of
  inventory from the store.

Shipping Department

Narrative of Activities: The shipping department receives the goods from inventory. The shipping
department prepares goods for shipping, the bill of lading, and the packing slip; data is entered for goods
shipped.

Risks and Control Procedures:

• Risk: Defective or spoiled goods are sent to the customer. Control: The customer’s goods are verified
  for quality.

• Risk: Items that are shipped are not the items that were ordered. Control: Customer order
  information is checked against the approved customer sales order.

• Risk: Shipping documents may not have the most up to date information about the customer, causing
  delays in payment. Control: Shipping clerks compare goods received from inventory with approved
  sales orders.

General Accounting

Narrative of Activities: Accounting updates inventory and sales accounts and posts information to the
general ledger account.

Risks and Control Procedures:

• Risk: Invoices may not be posted to customer accounts. Control: Accounting matches the inventory
  and sales order information.

• Risk: Invoices may be posted to the wrong customer accounts. Control: Accounting reconciles the
  general ledger and accounts receivable master file.

• Risk: The general ledger account is not properly updated. Control: Accounts receivable prepares a
  summary of all invoices for the day and forwards it to accounting so the general ledger can be
  updated.

Accounts Receivable

Narrative of Activities: A copy of the sales order is received and matched with the shipping department’s
copy of the sales order and bill of lading. A pre-numbered multi-copy sales invoice is also prepared. The
customer is invoiced. The accounts receivable master file is updated.

Risks and Control Procedures:

• Risks: Duplicate billings may be made. Sales invoices may be incorrectly priced. Some shipments may
  not be billed at all or not billed in time. Control: Sales invoices are compared with shipping documents
  and approved customer orders before invoices are mailed.

• Risk: The accounts receivable master file may not be updated in a timely manner. Control: The
  accounts receivable master file is regularly updated and is reconciled with the general ledger.


Purchases-Payable Cycle
The objective of the purchases-payable cycle is to make sure that only authorized orders are received and
inventoried.

Example Segregation of Duties in the Purchases-Payable Cycle

Approval of Purchase: The purchasing manager should review the purchase requisition and approve
or reject the purchase of goods.

Custody of Goods: Custody of goods lies with receiving (which receives the goods) and warehouse
(which stores the goods).

Recording: An accounts payable clerk records the transaction to the accounts payable journal. An accounting clerk records the transaction to the general ledger.

Reconciliation: There needs to be reconciliation between the general ledger and accounts payable file.
There also needs to be reconciliation between the general ledger and inventory records. Independent
persons should do reconciliations.

Warehouse
Narrative of Activities: When inventory needs to be restocked, a purchase requisition is submitted to the purchasing department. The warehouse accepts goods from the receiving department. Goods received are matched with the receiving report. Periodic inventory counts are conducted. Shortages are investigated.
Risks: The warehouse does not maintain adequate stock. The warehouse submits a purchase requisition for items that are not needed.
Control Procedures: Inventory is maintained at predetermined levels. If levels fall below a certain point, a purchase requisition is triggered. Purchase requisitions are checked against inventory level.

Purchasing
Narrative of Activities: A purchase order is prepared for the vendor. The vendor is verified to be on the approved vendor list. When approved, the purchase order is sent to the vendor, receiving, accounts payable, and warehousing departments.
Risks: Goods are purchased at inflated prices (not including the agreed-upon discount). Inferior quality goods are purchased. Purchasing agents receive kickbacks from vendors.
Control Procedures: Goods can be purchased only from preapproved vendors. Purchased goods meet quality and price standards. The staff understands conditions for which discounts are given. A Code of Conduct states that receiving kickbacks is against company policy and violators will be punished. A hotline is available for employees to anonymously report Code violations.


Receiving
Narrative of Activities: Goods are received from the vendor. The quality of received goods is verified to meet standards. A receiving report is prepared and sent to the warehouse and accounts payable. Checked-in goods are sent to the warehouse department.
Risks: Goods that were not ordered are accepted. Packaging slips are not properly matched against purchase orders, or goods received are miscounted, leading to erroneous reporting. Goods are damaged or do not meet quality standards. Goods are stolen while in the receiving area.
Control Procedures: Packaging slips are matched with purchase orders, ensuring that only goods that were ordered are accepted. Independent verification checks goods sent with packaging slips. Discrepancies are investigated. Received goods are checked for damage. Damaged goods are sent back to the vendor. Goods are verified to meet quality standards. Goods are kept in a secured area.

Accounts Payable
Narrative of Activities: Goods received are posted to the accounts payable file. Payment vouchers are prepared and approved, which are then sent to the treasurer and accounting.
Risks: Invoice errors are not detected. Goods are paid for twice. Goods not received are paid for. Available cash discounts are not used.
Control Procedures: The vendor invoice is matched with the purchase order and the receiving report. Terms of payment must be verified, including any cash discounts.

Treasurer
Narrative of Activities: The treasurer prepares, signs, and sends checks or electronic funds payments to vendors.
Risks: Payment vouchers are improperly reviewed; thus, goods are paid for twice. Goods received are not paid for in a timely manner, resulting in the loss of cash discounts.
Control Procedures: Documents must be matched to prevent double payment. Check schedules should be verified. All possible discounts should be taken.

Accounting
Narrative of Activities: Copies of checks are received from the treasurer and payment vouchers from accounts payable. Transactions are posted to the general ledger.
Risks: Transactions are not posted properly.
Control Procedures: Posting must be done daily. The general ledger and accounts payable files must be reconciled. The general ledger file and inventory records must be reconciled.


Payroll Cycle
The objective of the payroll cycle is to make sure that only legitimate employees are paid and only for the
hours they have worked.

Example Segregation of Duties in the Payroll Cycle

Approval of Timesheets: Departmental managers approve timesheets.

Custody of Cash or Checks for Wages: Checks are prepared by payroll, but they have to be signed
by someone outside of payroll (for example, the treasurer). Either the treasurer or the human resources
department distributes payroll checks.

Recording: A payroll department clerk records payroll information in the payroll journal. A clerk in
accounting records payroll information to the general ledger.

Reconciliation: An independent person reconciles the accounting general ledger and the payroll journal.

Timekeeping/Human Resources (HR)
Narrative of Activities: All pertinent information concerning employees is maintained. Additions and terminations of employees are authorized. HR records and stores information about days and hours that employees work.
Risks: There may be discrepancies between timesheet and payroll records that could indicate fictitious employees. There may be unauthorized amendments to employees’ payment details.
Control Procedures: Only authorized personnel are on timesheets. Timesheets have to be authorized by a department manager. The HR department sends a list of authorized employees, pay rates, and deductions to payroll.

Department Manager
Narrative of Activities: The manager keeps reliable information on the activity of each employee, and such activity will be used to calculate the remuneration of employees.
Risks: There may be unapproved absences on full pay. Hours, productivity, and activity can be overstated.
Control Procedures: The manager should check and authorize time cards and the schedule of activity.

Payroll/Accounting
Narrative of Activities: Employee wages are calculated, including deductions for income tax, social security, pensions, and other considerations. Salary checks are prepared, which the treasurer has to sign. Information is constantly updated in the accounting system.
Risks: Due to poor or fraudulent record-keeping, fictitious employees may appear in the records. Payroll can be misallocated to the wrong departments.
Control Procedures: Authorized change documents need to be matched with approved timesheets. Clear instructions should be given to ensure correct allocations. An independent person should check allocations.

Treasurer
Narrative of Activities: The treasurer receives prepared payroll checks to be signed and distributes them to employees. Undistributed checks are held until the employee picks them up or they are mailed.
Risks: The general ledger is not updated in a timely manner, causing financial reports to be misstated.
Control Procedures: Individual payroll checks are matched with the check listing. Undistributed checks need to be held in a secure area.


Cash Receipts Cycle


The cash receipts cycle makes sure that there is proper control over cash receipts.

Example Segregation of Duties in the Cash Receipts Cycle

Authorization: Only authorized personnel should open and endorse the checks.

Custody of Cash: The cashier, treasurer, or other designated person must deposit checks at the bank.

Recording: The accounts receivable department makes adjustments to the client’s account receivable
balance.

Reconciliation: Someone other than the cashier or someone in the accounts receivable department has
to reconcile the bank statement with the general ledger. Additionally, there has to be a reconciliation
between the general ledger and accounts receivable ledger and between the accounts receivable journal
and cash receipts journal.

Mailroom
Narrative of Activities: Customer checks with remittance advice are sent to the company. The mailroom receives checks and immediately endorses them “For Deposit Only.” Checks are separated from the remittance advice. The remittance advice is a stub from the invoice statement that is sent to the customer and then sent back to the company (also known as a “turnaround document”). If the stub is received with the check, it can speed up the time the payment is processed.
Risks: Checks received might be lost or stolen. A check could be fraudulently altered.
Control Procedures: The mailroom should immediately endorse incoming checks to prevent them from being misappropriated. Remittance advices should immediately be separated from checks to accelerate deposits and reduce opportunities to divert the cash and undertake lapping. Two clerks should be present at all times to verify that checks are endorsed “For Deposit Only.”

Cashier/Treasurer
Narrative of Activities: The cashier or treasurer prepares the bank deposit slips. Checks are deposited daily. The cash receipts file is updated.
Risks: Checks might not be deposited daily, or deposits might be netted (that is, cash is taken out for petty cash).
Control Procedures: Without exception, checks have to be deposited daily. Deposits should never be netted.

Accounts Receivable
Narrative of Activities: Individual remittance advices are received and reconciled against the remittance list. The accounts receivable file is updated. Monthly accounts receivable statements are sent to the client.
Risks: Information on the statement is not correct, leading to client complaints and ill will.
Control Procedures: The accounts receivable journal must be reconciled with the general ledger.

Accounting
Narrative of Activities: The general ledger file is updated.
Risks: The general ledger file is improperly updated.
Control Procedures: The general ledger file needs to be reconciled with the accounts receivable journal.


Cash Disbursement Cycle


The cash disbursement cycle makes sure that payments are made only for goods and services ordered and
received.

Example Segregation of Duties in the Cash Disbursements Cycle

Authorization: Authorization for payment comes from accounts payable.

Custody of Cash: The treasurer oversees the cash disbursement.

Recording: A clerk in general accounting posts checks to the general ledger. A clerk in accounts payable
posts checks to the accounts payable file. A clerk for the treasurer posts checks to the cash disbursement
journal.

Reconciliation: There needs to be reconciliation between the general ledger, the cash disbursement journal, and the accounts payable file. There must also be an independent verification.

Receiving
Narrative of Activities: Purchase orders and reports are sent to accounts payable.
Risks: Errors may not be detected.
Control Procedures: Mathematical accuracy should be checked.

Accounts Payable
Narrative of Activities: The vendor’s invoice statement is received along with a remittance advice, which will be sent to the vendor with the company’s check. The department has to verify the invoice and approve payment. It creates an accounts payable voucher so that vendors can be paid. Accounts payable files are updated.
Risks: Invoice mistakes may not be detected. Payment for goods might not be received.
Control Procedures: Mathematical accuracy should be checked. Invoice quantities should be compared to quantities reported by receiving and inventory control. Tight budgetary controls can be implemented.

Treasurer
Narrative of Activities: The treasurer makes payments to the vendor, either by check or electronic transfer. The cash disbursement journal is updated.
Risks: Available discounts are not taken. An invoice can accidentally be paid twice.
Control Procedures: The treasurer files and tracks invoices by due date. Cash flow budgets are prepared. Invoices are approved only with a complete voucher package (that is, all supporting documents). Only original invoices are paid.

General Accounting
Narrative of Activities: The general ledger file is updated.
Risks: The general ledger file is improperly updated.
Control Procedures: An independent reviewer examines general ledger filings.


J: Globally Accepted Internal Control Frameworks


Control frameworks help management understand the effectiveness of control systems. This topic discusses
three globally-accepted control models:

• The Internal Control–Integrated Framework model (the COSO model)

• The COCO Model

• The Turnbull Report

Note: Each model stresses that internal control can provide only reasonable assurance, not a guarantee of objectivity. Ultimately, the effectiveness of any control system depends on the competency and dependability of the people in the organization.

Note: This topic is tested at proficiency level, so you should understand these frameworks and their components.

The COSO Model


In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)50 issued the
Internal Control–Integrated Framework. The COSO report changed the concept of internal controls from
narrow, technical terms of financial reporting to include all aspects of business operations and compliance,
and it established a standard against which all organizations could measure their internal control systems.

The COSO model includes the following five interrelated components:51

Control Environment: The control environment sets the tone for the organization, influencing the control consciousness of its people. The control environment is the foundation for all of the other components of internal control.

Risk Assessment: Risk assessment is the identification and analysis of relevant risks to the achievement of objectives and forms a basis for how risks should be managed.

Control Activities: Control activities ensure that management directives are carried out. These policies and procedures also outline the necessary steps to address risks to the organization’s objectives.

Information and Communication: These are the systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

Monitoring: These are processes used to assess the quality of internal control performance over time. This objective is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

50 COSO is composed of five private organizations: American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Institute of Internal Auditors (IIA), Institute of Management Accountants (IMA), and Financial Executives International (FEI).
51 Internal Control—Integrated Framework, COSO.


Components and Principles of the COSO Framework52

Components and Principles


The Framework sets out seventeen principles representing the fundamental concepts associated with
each component. Because these principles are drawn directly from the components, an entity can achieve
effective internal control by applying all principles. All principles apply to operations, reporting, and
compliance objectives. The principles supporting the components of internal control are listed below.
Control Environment
1) The organization demonstrates a commitment to integrity and ethical values.
2) The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3) Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4) The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
1) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2) The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3) The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4) The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
1) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
2) The organization selects and develops general control activities over technology to support the achievement of objectives.
3) The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
1) The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
2) The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
3) The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
1) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
2) The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

52 Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework Executive Summary. Durham, NC: COSO, 2013. pp. 6-7.


Note: It is strongly recommended to read the entire COSO Executive Summary, which is available from
the IIA website: https://na.theiia.org/standards-guidance/topics/documents/executive_summary.pdf

The COSO control framework can be visualized as a cube: the rows show the five components of internal
control, the slices are the three objectives of control, and the columns represent the activities or units of
the entity.

[Figure: COSO Internal Control Framework cube53, with Objectives, Components, and Entity as its three dimensions]

1) The Control Environment


The control environment provides the foundation for all the other components and includes:

• The integrity, ethical values, and competence of employees.

• Management’s commitment to competence.

• Human resource policies and procedures.

• The way management assigns authority and responsibility, and how it organizes and develops
its people.

• Management’s philosophy and operating style.

• The attention and direction provided by the board of directors.

• Organizational structure.

Internal controls are more likely to function well if management believes that the controls are important and communicates its support to employees at all levels. If management believes controls are meaningless or even an obstacle, employees will notice this attitude. As a result, in spite of formal policies saying otherwise, employees will view internal controls as “red tape” to be “cut through” to get the job done.

53 Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework.


Organizations with effective control environments set a positive “tone at the top.”

• They transmit guidance both verbally and by example, communicating the company’s values, standards, and code of conduct, and they follow up on violations. There are mechanisms to encourage employee reporting of suspected violations, and disciplinary actions are taken when employees fail to report them.
• They foster a control consciousness by setting formal and clearly communicated policies and procedures that are to be followed at all times, without exception, and which result in shared values and teamwork.
• They specify the competence levels for particular jobs, hire and retain competent people, and assign authority and responsibility appropriately.
• The board of directors is responsible for setting corporate policy and for seeing that the company is operated in the best interest of shareholders. The attention and direction provided by the directors are critical components. The board consists of both inside and outside directors who have adequate expertise and who are active and involved. Independence from management is essential so that, if necessary, difficult and probing questions will be raised.

2) Risk Assessment
The company’s objectives must be established before risks can be assessed. The following is a list of broad
categories of objectives that also relate to the objectives of internal control:

• Operational objectives relate to the achievement of the company’s mission. They include objectives for the effectiveness and efficiency of the company’s operations and performance and profitability goals. They also include the safeguarding of company resources against loss.

• Financial objectives address the preparation of external financial statements. They include publishing reliable, accurate reports and the prevention of fraudulent financial reporting.

• Compliance objectives include adhering to all laws and regulations such as taxes, employee health and safety, environmental considerations, and so forth. A company’s record of compliance or noncompliance with laws and regulations affects its reputation and the company’s risk of being fined.

Risk can come from both internal and external forces:

• External risks include changes in technology, changes in the market, new, natural disasters, economic changes, failure of a key supplier, or being sued, defrauded, or robbed.

• Internal risks include employee embezzlement and falsification of records, lack of compliance with government regulations, or other illegal acts by employees (such as taking a bribe), disruptions to computer systems, poor management decisions, errors, or accidents. Changes in management responsibilities can affect control activities, and an ineffective board or audit committee may leave openings for fraudulent actions.

3) Control Activities
After the risks have been assessed, controls should be designed to limit the risks. Control activities are the
policies that address the identified risks and the procedures that ensure that management directives are
carried out. Thus, controls should be designed to limit risk and protect the organization’s ability to
achieve its objectives. Although risks cannot be completely eliminated, they can be minimized through
appropriately designed and well implemented control activities.


The following list gives some examples of control activities.

1) Top-level reviews. Management reviews actual results and compares them to budgets, forecasts, prior periods, or competitors while also tracking the extent to which targets are being met.

2) Direct functional or activity management. Managers review appropriate performance reports, such as collections of past-due accounts.

3) Information processing. These include controls to check accuracy, completeness, and authorization of transactions; control of new system development and existing system modifications; and control of access to data files and programs.

4) Independent checks. These are checks performed by someone other than the person responsible for the original operation and are generally more effective at assuring that transactions are processed and activities are performed accurately. A “new pair of eyes” will spot mistakes more often than the originator of the work.

5) Performance indicators. These indicators relate different sets of data to one another, and any unexpected results should be investigated. By investigating unexpected results, management can see areas where the organization’s objectives are in danger of not being achieved. Examples of performance indicators are purchase price variances and percentage of returns to total orders.

6) Physical controls to safeguard assets. The most visible safeguarding controls include protecting the organization’s assets from losses due to natural disasters such as floods or tornadoes. Safeguarding controls also include physical protection measures to restrict access to assets and documents such as records, blank checks, purchase orders, bank codes, and so forth. Items must be counted periodically and compared with control records.

7) Documents and records. Source documents are designed to facilitate collection of all relevant information and should be pre-numbered in order to account for all documents, reducing the likelihood of fraudulent use.

8) Authorization. Employees should be appropriately empowered to perform tasks, receive specific documents, and make decisions that impact assets. Their authority must involve some kind of validation, such as a signature or an authorization.

9) Segregation of duties. Duties are divided among various employees to reduce the risk of errors or inappropriate activities. This control ensures that no single individual is given too much responsibility so that no employee is in a position to perpetrate and conceal irregularities.

Note: Under segregation of duties, different people must always do the following functions:

1) Authorize a transaction.

2) Record the transaction, prepare source documents, and maintain journals.

3) Keep physical custody of the related asset.

4) Periodically reconcile physical assets to recorded amounts.

For an exam question about an effective or ineffective internal control, keep in mind that these
are the four actions that must be done by different people.
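The four-function rule in the Note above, turned into a detective check over existing user role assignments and a preventive check run before a new role is granted; this is an added example written for this page, not code from the HOCK text, and the role catalogue, the users, and the (cycle, function) naming are constructed assumptions.

```python
# Added example for this page (not from the HOCK text): a segregation-of-duties
# check over user -> role -> function assignments. Role names, users, and the
# assignment data are constructed assumptions.
from itertools import combinations

# The four functions that must be performed by different people.
INCOMPATIBLE = ("authorize", "record", "custody", "reconcile")

# Constructed role catalogue: role -> functions it grants, as (cycle, function) pairs.
ROLE_FUNCTIONS = {
    "purchasing_manager": {("purchases", "authorize")},
    "ap_clerk":           {("purchases", "record")},
    "gl_clerk":           {("purchases", "record"), ("payroll", "record")},
    "treasurer":          {("purchases", "custody"), ("payroll", "custody")},
    "inventory_auditor":  {("purchases", "reconcile")},
    "report_viewer":      {("purchases", "view")},   # read-only, not one of the four
}

# Constructed user -> roles assignment. "bob" both records payables and has custody of cash.
USER_ROLES = {
    "alice": ["purchasing_manager"],
    "bob":   ["ap_clerk", "treasurer"],
    "carol": ["ap_clerk", "gl_clerk", "report_viewer"],
    "dave":  ["treasurer"],
}


def functions_per_user(user_roles, role_functions):
    """Expand role memberships into the set of (cycle, function) pairs each user holds.
    Unknown roles are skipped but reported, so a stale assignment is not silently ignored."""
    held, unknown = {}, []
    for user, roles in user_roles.items():
        held[user] = set()
        for role in roles:
            if role in role_functions:
                held[user] |= role_functions[role]
            else:
                unknown.append((user, role))
    return held, unknown


def sod_violations(user_roles, role_functions):
    """Return (user, cycle, function_a, function_b) for every pair of incompatible
    functions one user can perform within the same transaction cycle."""
    held, _ = functions_per_user(user_roles, role_functions)
    violations = []
    for user in sorted(held):
        by_cycle = {}
        for cycle, function in held[user]:
            if function in INCOMPATIBLE:
                by_cycle.setdefault(cycle, set()).add(function)
        for cycle in sorted(by_cycle):
            for a, b in combinations(sorted(by_cycle[cycle]), 2):
                violations.append((user, cycle, a, b))
    return violations


def violations_if_granted(user, new_role, user_roles, role_functions):
    """Preventive check: the violations that granting new_role to user would create,
    beyond any the user already has. The live assignment is not modified."""
    before = set(sod_violations(user_roles, role_functions))
    proposed = {u: list(r) for u, r in user_roles.items()}
    proposed.setdefault(user, []).append(new_role)
    return sorted(set(sod_violations(proposed, role_functions)) - before)


if __name__ == "__main__":
    for v in sod_violations(USER_ROLES, ROLE_FUNCTIONS):
        print("SoD conflict:", v)
    print(violations_if_granted("alice", "inventory_auditor", USER_ROLES, ROLE_FUNCTIONS))
```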


4) Information and Communication


Relevant information must be identified, captured, and communicated in a manner that enables people to
carry out their responsibilities. Therefore, reports must contain the information that management needs
and must be available in a timely manner.

• Communication must be ongoing, both within and between various levels and activities of the organization. All personnel must understand their roles in the internal control system and have a means of communicating significant information upstream.

• Reports must contain operational, financial, and compliance information needed for informed decisions.

• Supervisors must communicate duties and responsibilities to the employees that report to them, and employees must be able to alert management to potential problems.

• Information must be communicated to those outside the organization, such as vendors, and must be able to be received from external sources.

• The systems must provide a way to communicate important information to the very top of the organization when appropriate.

5) Monitoring
Monitoring assesses the quality of the internal control system’s performance over time. Management, which is responsible for monitoring the entire system, must also revisit previously identified problems to make sure that they have been corrected. Ongoing monitoring done regularly during normal operations reduces the need for separate evaluations.

When deficiencies in internal control are discovered, they should be reported immediately to senior management and to the board of directors for very significant matters. Appropriate remedial action should be taken and the results of the remedial action should be monitored.

Note: Operating reports are an effective tool for ongoing monitoring because they allow operators,
management, or auditors to quickly recognize performance deviations.


Alternative Control Frameworks

The CoCo Model


The CoCo model was designed by the Criteria of Control Board of the Canadian Institute of Chartered
Accountants. In CoCo there are four components of control, broken down into twenty criteria. Although you
do not need to memorize these criteria, you should be familiar with the overall structure and terms.54

1. Purpose

• Objectives should be established and communicated.
• Significant internal and external risks should be identified and assessed.
• Policies to support the achievement of the organization’s objectives should be designed, communicated, and implemented.
• Plans should be established and communicated to assist in the achievement of objectives.
• There should be measurable performance targets in the objectives and plans.

2. Commitment

• Ethical values should be established and practiced at all levels in the organization.
• Human resource policies should be consistent with the firm’s ethical values.
• Authority, responsibility, and accountability should be clearly defined and consistent with the organization’s objectives.
• An atmosphere of mutual trust should be supported through the flow of information and communication.

3. Capability

• People should have the needed knowledge, skills, and tools to support the achievement of the organization’s objectives.
• Communication should support the values and achievement of objectives.
• Sufficient and relevant information should be identified and communicated to the appropriate party in a timely manner.
• Decision-making in the company should be coordinated between departments.
• Control activities should be designed and implemented.

4. Monitoring and Learning

• External and internal environments should be monitored for feedback on the achievement of objectives.
• Performance should be monitored against targets and goals.
• The assumptions used in the development of plans and goals should be reviewed periodically.
• Information and communication need to be periodically reviewed.
• Follow-up procedures should be implemented to ensure that the needed changes occur and are effective.
• There should be a periodic review of the effectiveness of the control systems.

Note: Both COSO and CoCo emphasize soft controls, which emphasize ideas and expectations (for
example, shared values, expectations, commitment, competence, and trust) rather than specific tasks
(for example, policy and procedures).

54 Guidance on Control. Toronto: Canadian Institute of Chartered Accountants, 1995.


The Turnbull Report

Internal Control: Guidance for Directors on the Combined Code (1999, updated 2005) is more commonly
referred to as the Turnbull Report. Created for the Financial Reporting Council (FRC), it informs directors
(both executive and non-executive) of their obligations under the UK Combined Code with regard to
keeping effective internal control in their companies and maintaining appropriate audits and checks to
ensure the quality of financial reporting.

The Turnbull Report says that the system of internal control should:55

• Be embedded in the operations of the company and form a part of its culture.

• Be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment.

• Include procedures for immediately reporting to appropriate levels of management any significant control failings or weaknesses that are identified together with details of corrective action being undertaken.

The key tenets of the Turnbull Report are:56

• Board’s responsibility for internal controls

The board is ultimately responsible for an organization’s internal controls. The board should set appropriate policies on controls and get regular assurance that internal controls are functioning effectively. Additionally, the board should undertake an annual assessment for the purpose of making its public statement on internal controls.

• Management’s responsibility for internal controls

Management carries out the board’s policies on risk and control. Management should identify and
evaluate the risks faced by the company for consideration by the board. Furthermore, it should
design, operate, and monitor a suitable system of internal control that implements the policies
adopted by the board.

• Employees’ responsibility for internal controls

All employees have some responsibility for internal control as part of their accountability for achieving objectives. Employees must have the necessary knowledge, skills, information, and authority to establish, operate, and monitor the system of internal control.

• Adopting a risk-based approach

The company needs to adopt a risk-based approach to establishing a sound system of control and reviewing its effectiveness. This approach starts by identifying the risks that the company faces, and it should be incorporated within the company’s normal management and governance processes. It should not be considered as a separate exercise undertaken to meet regulatory requirements.

• Ongoing monitoring of risks and controls

Risks and controls need to be continuously monitored and fine-tuned in order to respond to changes in the company’s risk exposures. Additionally, a feedback process should be in place to ensure that appropriate change or action occurs in response to changes in risk and control assessments.

55 Financial Reporting Council. Internal Control: Revised Guidance for Directors on the Combined Code. London: Financial Reporting Council, 2005, p. 7.
56 Ibid., pp. 4-11.


K. Examine the Effectiveness and Efficiency of Internal Controls

Controls are a critical, indispensable component of success, which is why it is important for a company to conduct regular reviews of controls to make sure they are properly designed, fully functional, and effective. Standard 2130 lays out the IAA’s priorities for assessing internal controls.

Standard 2130 – Control

The internal audit activity must assist the organization in maintaining effective controls by evaluating
their effectiveness and efficiency and by promoting continuous improvement.

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

• Achievement of the organization’s strategic objectives.

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations and programs.

• Safeguarding of assets.

• Compliance with laws, regulations, policies, procedures, and contracts.

2130.C1 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.

Preliminary Work
The IAA’s primary goal with respect to controls is evaluating effectiveness and efficiency and “promoting continuous improvements.” In order to achieve this goal, the CAE must gain a thorough understanding of the company’s control protocols. Such information can be gained through:

• Meeting with the board and upper management to get a sense of the “risk appetite, risk tolerance, and risk culture.”57
• Studying the controls currently in use.
• Reviewing any previous assessment of controls, recommendations, and enacted remedies.
• Consulting the company’s legal counsel to understand any relevant regulatory and statutory requirements.

Note: Areas of the business that have been recently acquired, restructured, or significantly changed
since the last audit require specific attention.

Evaluating Effectiveness
The system for evaluating control effectiveness proceeds in this manner:58

1) Identify objectives and any associated risks.
2) Determine the significance of any risks.
3) Make note of the responses to these risks.
4) Identify the “key controls.”
5) Assess how well a given control is designed.
6) Test the control to ascertain the effectiveness of the design.

57 IPPF Implementation Guide 2130, p. 1.
58 Ibid., p. 3.


To streamline this process, it is advisable to draw on a number of sources within the organization for helpful
information, including interviews with management and staff, a review of significant documents, inspections
of physical facilities, and data collection and analysis.

Note: Implementation Guide 2130 recommends a risk and control matrix to help the IAA evaluate
the effectiveness of various controls.

Evaluating Efficiency
No matter how effective a control might be, its value is greatly diminished if it does not function efficiently. An efficient control is cost-effective, makes good use of the resources allocated to it, and provides discernible value for the company. According to Implementation Guide 2130, there are three criteria that can help the IAA measure the efficiency of a specific control:59

1) The level of control must be “appropriate for the risk it addresses.” For example, petty
cash does not need as many controls as cash received from customers.

2) The costs of the control must not exceed the benefits it provides. For example, the office
supply cabinet does not need 24/7 surveillance and a biometric scanner for access, but a server
room certainly would.

3) No control should “create significant business concerns.” For example, regardless of how
efficiently a control manages a particular risk, if the control breaks the law, it puts the company in
significant legal jeopardy.

If a control satisfies these three criteria, it can be judged to be efficient and thus useful. If a control cannot
satisfy some or all of these criteria, the IAA might recommend adjusting, replacing, or eliminating the
control.

Note: A risk control map can help the IAA determine the value of controls with respect to the risks they
are designed to address.

Continuous Improvement
The control-evaluation activity should be an ongoing process. In consultation with the organization’s decision-makers, the CAE can map out a plan for a series of limited-range control audits at regular intervals followed by a broader comprehensive one.

Implementation Guide 2130 suggests additional activities to promote the “continuous improvement” cycle for controls, including regular training meetings for employees, frequent contact with management for updates and input, and “monitoring technical advancements” that might enhance the controls process.60

Note: Auditing internal controls is inherently a part of every engagement, so evidence about the effectiveness and efficiency of controls can be gathered on an ongoing basis.

59 Ibid.
60 Ibid., p. 4.


Conformance and Documentation

“Conformance” is not a static quality, and so controls must be re-examined periodically and, where necessary, be revised as time and standards change. Documentation should always be kept up-to-date.

It is recommended that the CAE carefully document the control assessment process in order to demonstrate “conformance” with Standard 2130. A relatively easy method is to archive all engagement-related information in the workpapers, which might include:61

• Minutes of meetings with stakeholders

• Relevant charts and graphs

• Test results, proposed corrections, and assessment of remedies

• Surveys

• Computer files

• Notes

• Spreadsheets

A formal report should be provided annually to senior management and the board. In addition to the auditor’s professional judgment about the efficiency and effectiveness of the control processes, the report should also:

• Emphasize the importance of internal controls to the organization.

• Describe the nature and extent of the work the internal auditor performed.

• Note the work of other assurance providers that was used in formulating the conclusion.

61 Loosely adapted from Implementation Guide 2130, p. 4.


Section VI – Fraud Risks

The last section of the Part 1 exam is Fraud Risks, which accounts for 10% of the exam and is tested mostly at a proficiency level. Because this section is only 10% of the exam, do not spend a disproportionate amount of time studying it.

Definition of Fraud
In the Standards Glossary, the IIA defines fraud as:

Any illegal act characterized by deceit, concealment, or violation of trust. These acts are
not dependent upon the threat of violence or physical force. Frauds are perpetrated by
parties and organizations to obtain money, property, or services; to avoid payment or loss
of services; or to secure personal or business advantage.

What differentiates fraud from a mistake is that fraud is intentionally committed. The individual committing the fraud knows that the action is either illegal or contrary to company policy. For example, writing off a bad debt that should be collected is not fraud, but writing off bad debt knowing that it can be collected (or has already been collected) is fraud.

A. Fraud Risks and Types of Fraud

Types of Fraud
There are three main types of fraud:

1) Fraudulent financial reporting is intentional misstatements, including the omission of information from financial statements and misapplication of accounting principles.

2) Misappropriation of assets includes theft, embezzlement, and any action that causes the company to expend cash for goods and services that do not benefit or provide value to the company.

3) Corruption includes illegal gratuities, bribes, kickbacks, conflict of interest, or economic extortion.

Note: If any of these acts are committed unintentionally, they do not constitute fraud. The term that
distinguishes fraud from innocent misrepresentation is scienter, meaning that the person has knowledge
of the “wrongness” of an act or event prior to committing it.

Impact of Fraud on the Company

Fraud may be carried out either for the benefit of the organization or to the detriment (harm) of the
organization.

The following are examples of fraud that can benefit the organization:

• Sale or assignment of fictitious or misrepresented assets.
• Improper payments, such as illegal political contributions, bribes, kickbacks, and payoffs to government officials, intermediaries of government officials, customers, or suppliers.
• Intentional, improper representation or valuation of transactions, assets, liabilities, or income.
• Intentional, improper transfer pricing (that is, improper valuation of goods exchanged between related organizations). By deliberately structuring pricing techniques improperly, management can improve the operating results of an organization involved in the transaction to the detriment of the other organization.
• Intentional, improper related-party transactions in which one party receives some benefit not obtainable by unrelated parties in an arm’s-length transaction.


• Intentional failure to record or disclose significant information in order to improve the financial
picture of the organization to outside parties.
• Prohibited business activities, such as those that violate government statutes, rules, regulations,
or contracts.
• Tax fraud.

Some examples of fraud that can be detrimental to the organization are:

• Accepting bribes or kickbacks.

• Diverting a potentially profitable transaction that would have normally generated profits for the organization to an employee or outsider.

• Embezzlement or theft, such as misappropriating money or property and falsifying financial records to cover up the act, thus making detection difficult.

• Intentionally concealing or misrepresenting events or data.

• Invoices submitted for services or goods that are not actually provided to the organization.

Note: Appendix E lists 40 common forms of fraud.

Conditions Necessary for Committing Fraud

In order for a person to commit fraud, three conditions need to be present:

1) The person has to be motivated to commit the fraud.

2) The person has to have the opportunity to commit the fraud.

3) The person has to have the ability to rationalize the fraud.

Collectively, these three elements are called the fraud triangle. If the company can eliminate any of these
three elements, the likelihood of fraud occurring is greatly reduced. For example:

• A strong HR department and personnel policies can reduce the motivation to commit fraud.

• Internal controls can reduce the opportunity for employees to commit fraud.

• Ethics training and a principled corporate culture can help a company reduce the ability of an
individual to rationalize fraud.

1) Motivation
Some common issues that motivate fraud are:

• Internal pressure from top management to meet expectations (for example, market or revenue expectations), where not meeting these expectations could lead to job loss or demotion.

• External pressure from financiers that threatens the organization’s financial stability (for example, not meeting various requirements in a debt agreement).

• Pressure to pay for a personal lifestyle or vices (for example, gambling or drugs).

• Pressure to maximize performance-based bonuses or compensation (for example, the company has a contingent compensation structure).


2) Opportunity
Some of the factors and conditions that create an opportunity for fraud include:

• Knowing the weaknesses in the company’s internal control systems.

• Poor segregation of duties.

• Access to accounting records or assets.

• Lack of proper supervision.

• Unethical “tone at the top.”

• A belief that the person will not get caught.

3) Ability to Rationalize Behavior

Some examples of behavior rationalization are:

• The individual believes that he or she has not been properly financially compensated. Thus, stealing
is not really stealing; rather, it is another means of getting what is rightfully owed.

• The individual believes that he or she is not getting proper recognition in the workplace.

• The individual needs more money.

• The individual plans to return the stolen money in the future, so the act is equivalent to an interest-
free loan.

Responsibility of the Internal Auditor

Management has the responsibility to establish and maintain an effective control system. The internal
auditor is responsible for examining the controls to determine if they are adequate to prevent or detect
fraud as well as looking for occurrences of fraud. However, the internal auditor is not responsible for
preventing fraud.

Management Fraud
Management fraud is an especially serious matter because it is criminal activity perpetrated by individuals
in positions of authority. In preparing for an engagement, auditors should communicate with management
to gauge their understanding of the relevant risks of management fraud and their knowledge of any frauds
that are being or might be committed within the company.

A common risk factor for fraudulent financial reporting is management override of controls. In such
instances, management finds ways of circumventing internal controls in order to commit financial crimes.

Other causes for management fraud are:

• Executives taking rash steps from which they cannot retreat.

• Profit centers distorting facts to hold off divestment.

• Incompetent managers deceiving others in order to keep their jobs.

• Performance distorted to warrant larger bonuses.

• The need to succeed turning managers to deception.

• Unscrupulous managers serving conflicting interests.

• Profits inflated to obtain advantages in the marketplace.

• The one who controls both the assets and related records is in a position to falsify records.


B. Evaluating Potential for Occurrence of Fraud

Assessment of Fraud Risk for the Organization

The overall risk assessment should identify the fraud risk, which includes assessing the opportunities and
potential motivations for fraudulent behavior. Properly developed and implemented controls will reduce the
risk of fraud; therefore, the auditor must carefully examine the fraud-related controls.

In assessing fraud risk, internal auditors should determine whether or not:

• The organization has set realistic goals and objectives.

• The organization fosters an environment of control consciousness.

• There are written policies, such as a Code of Ethics, that describe prohibited activities and the
actions that will be taken for violations.

• The organization has put in place policies, practices, procedures, and reports to monitor activities
to safeguard assets, particularly in high-risk areas.

• The organization has installed the proper communication channel that will provide management
with adequate and reliable information.

• Recommendations are established to enhance the control structure to help deter fraud.

The Practice Guide Internal Auditing and Fraud outlines the five key steps of fraud risk assessment:62

1) Identify relevant fraud risk factors.

2) Identify potential fraud schemes and prioritize them based on risk.

3) Map existing controls to potential fraud schemes and identify gaps.

4) Test operating effectiveness of fraud prevention and detection controls.

5) Document and report the fraud risk assessment.

1) Identify Relevant Fraud Risk Factors

The internal auditor must understand the organization’s business activities as well as external business
partners in order to gain a complete understanding of the risk of fraud. The auditor must review previous
work and study any previous fraud or suspected fraud to make sure that the risks from those events have
been addressed.

2) Identify Potential Fraud Schemes and Prioritize Them Based on Risk

A fraud risk assessment team may be created to identify the potential frauds that could be committed.
After the potential risks have been identified, they need to be prioritized, taking into consideration a number
of factors as suggested by Internal Auditing and Fraud:63

• Monetary impact.

• Impact to the organization’s reputation.

• Loss of productivity.

• Potential criminal/civil actions including potential regulatory noncompliance.

• Integrity and security over data.

• Loss of assets.

62 IPPF Practice Guide Internal Auditing and Fraud, 2009, p. 16.
63 Ibid., p. 17.


• Location and size of operations/units.

• Company culture.

• Management/employee turnover.

• Liquidity of assets.

• Volume and/or size of transactions.

• Outsourcing.

Fraud risks should be communicated to the board at least annually, or more frequently if needed.

3) Map Existing Controls to Potential Fraud Schemes and Identify Gaps

For each fraud risk, the assessment team will next identify the preventive and detective controls that are
in place. This assessment will include entity-wide anti-fraud controls, like a whistleblowing program, board
oversight, and a code of conduct. Additionally, the risk of management override of controls needs to be
considered.

4) Test Operating Effectiveness of Fraud Prevention and Detection Controls

After the relevant controls have been identified, they need to be tested to determine if they are operating
properly and effectively. The IAA should be very involved in this testing and assessment.

5) Document and Report the Fraud Risk Assessment

Internal Auditing and Fraud lists the items that the fraud risk assessment should include:64

• The types of fraud that have some chance of occurring.

• The inherent risk of fraud considering the availability of liquid and saleable assets, organizational morale, employee turnover, the history of fraud and losses, and other specific business area indicators.

• The adequacy of existing anti-fraud programs, monitoring, and preventive controls.

• The potential gaps in the organization’s fraud controls, including segregation of duties.

• The likelihood of a significant fraud occurring.

• The business impact of fraud.

64 Ibid., p. 18.


Internal Audit Responsibilities During Engagement

Internal auditors are not expected to have the same knowledge as a person whose primary work is investigating fraud. Internal Auditing and Fraud provides guidance for the auditor conducting engagements:65

• Consider fraud risks in the assessment of internal control design and determination of
audit steps to perform. Internal auditors are not expected to detect fraud, but internal auditors
are expected to obtain reasonable assurance that business objectives for the process under review
are being achieved and material control deficiencies — whether through simple error or intentional
effort — are detected. The consideration of fraud risks is documented in the workpapers, as well
as linkage of fraud risks to specific audit work.

• Have sufficient knowledge of fraud to identify red flags indicating fraud may have been
committed. This knowledge includes the characteristics of fraud, the techniques used to commit
fraud, and the various fraud schemes and scenarios associated with the activities reviewed.

• Be alert to opportunities that could allow fraud, such as control deficiencies. If significant
control deficiencies are detected, additional tests conducted by internal auditors could be used to
identify whether fraud has occurred.

• Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program, that timely and sufficient corrective measures have been taken with respect to any noted control deficiencies or weaknesses, and that the plan for monitoring the program continues to be adequate for the program’s ongoing success.

• Evaluate the indicators of fraud and decide whether any further action is necessary or whether
an investigation should be recommended.

• Recommend investigation when appropriate.

Standard 1120: Individual Objectivity requires that auditors have an impartial and unbiased attitude, meaning that they assume neither deceit nor truth from the people in the area being audited. By being skeptical when performing tests, auditors will be more likely to notice indicators and characteristics of fraud.

Note: Analytical procedures can provide an early indication of fraud.

Benford’s Law describes the expected rate of occurrence of the different leading digits in a set of naturally occurring numbers. For example, Benford’s Law predicts that 1 is the first digit of a number 30% of the time, 2 is the first digit 18% of the time, and onward according to the following series: 3 at 12%, 4 at 10%, 5 at 8%, 6 at 7%, 7 at 6%, 8 at 5%, and 9 at 4%. Based upon the plausible assumption that people who make up figures tend to distribute their digits fairly uniformly, a simple comparison of the first-digit frequencies in the data with the distribution expected under Benford’s Law should reveal anomalous results.
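As an added illustration (not part of the HOCK text or the IIA guidance), the following Python compares the leading-digit frequencies of two constructed samples against Benford’s Law using a chi-square test; the sample data and the choice of a 0.01 significance threshold are assumptions made for the example.

```python
import math
from collections import Counter

# Benford's Law: the expected proportion of leading digit d is log10(1 + 1/d).
# Rounded, these are the 30%, 18%, 12%, 10%, 8%, 7%, 6%, 5%, 4% quoted in the text.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom (nine digit buckets) at p = 0.01.
# Using 0.01 as the follow-up threshold is an assumption for this example.
CHI2_CRIT_DF8_P01 = 20.09


def first_digit(value):
    """Return the leading non-zero digit of a number, or None for zero."""
    if value == 0:
        return None
    # Scientific notation puts the leading non-zero digit first, whatever the magnitude
    # (0.00123 -> "1.230000000000e-03", -9876 -> "9.876000000000e+03").
    return int(f"{abs(value):.12e}"[0])


def first_digit_frequencies(values):
    """Count leading digits over a collection of amounts, ignoring zeros."""
    counts = Counter()
    for v in values:
        d = first_digit(v)
        if d is not None:
            counts[d] += 1
    return counts


def benford_test(values):
    """Compare observed first-digit frequencies with Benford's Law.

    Returns the sample size, the chi-square statistic, the observed proportions,
    and a flag that is True when the deviation is large enough to warrant follow-up.
    """
    counts = first_digit_frequencies(values)
    n = sum(counts.values())
    chi2 = 0.0
    for d in range(1, 10):
        expected = n * BENFORD[d]
        chi2 += (counts[d] - expected) ** 2 / expected
    return {
        "n": n,
        "chi2": chi2,
        "observed": {d: counts[d] / n for d in range(1, 10)},
        "anomalous": chi2 > CHI2_CRIT_DF8_P01,
    }


# Constructed sample 1: amounts produced by steady multiplicative growth. Geometric
# sequences follow Benford's Law closely, so this stands in for naturally occurring data.
NATURAL_SAMPLE = [100.0 * 1.07 ** i for i in range(300)]

# Constructed sample 2: "invented" amounts with evenly spread leading digits, the
# pattern the text says a person making up figures tends to produce.
FABRICATED_SAMPLE = list(range(1000, 10000, 37))


def summarize(label, values):
    """Print a one-line verdict plus the observed-vs-expected table for a sample."""
    result = benford_test(values)
    verdict = "ANOMALOUS: investigate" if result["anomalous"] else "consistent with Benford"
    print(f"{label}: n={result['n']}, chi2={result['chi2']:.1f} -> {verdict}")
    for d in range(1, 10):
        print(f"  digit {d}: observed {result['observed'][d]:5.1%}  expected {BENFORD[d]:5.1%}")
    return result


if __name__ == "__main__":
    summarize("natural sample", NATURAL_SAMPLE)
    summarize("fabricated sample", FABRICATED_SAMPLE)
```

A real review would run this over a ledger column (for example, invoice amounts for one vendor) and treat a high statistic as a prompt for further testing, not as proof of fraud.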

65 Ibid., p. 13.


Fraud Indicators (Red Flags)

To identify fraud indicators, auditors should know the risk factors and red flags, which are items or actions that are associated with or strongly suggest fraudulent behavior.

There are a few important points to note about red flags:

• It is often the case that an auditor will not come across any red flags. However, the absence of
red flags does not necessarily mean an absence of fraudulent activity. Perpetrators of fraud often
skillfully conceal their actions.

• Although an auditor might detect a red flag, this does not automatically mean that fraud has been committed. When red flags are identified, the auditor needs to carefully determine if there is an innocent, rational explanation for their presence or if there is a legitimate reason for concern. An area that turns up multiple red flags requires extra attention.

Internal Auditing and Fraud provides lists of red flags at both the corporate level and the personal level:

Red flags may relate to time, frequency, place, amount, or personality. Red flags include overrides of controls by management or officers, irregular or poorly explained management activities, consistently exceeding goals/objectives regardless of changing business conditions and/or competition, preponderance of non-routine transactions or journal entries, problems or delays in providing requested information, and significant or unusual changes in customers or suppliers. Red flags also include transactions that lack documentation or normal approval, employees or management hand-delivering checks, customer complaints about delivery, and poor IT access controls such as poor password controls.

Personal red flags include living beyond one’s means; conveying dissatisfaction with the job to fellow employees; unusually close association with suppliers; severe personal financial losses; addiction to drugs, alcohol or gambling; change in personal circumstances; and developing outside business interests. In addition, there are fraudsters who consistently rationalize poor performance, perceive beating the system to be an intellectual challenge, provide unreliable communications and reports, and rarely take vacations or sick time (and when they are absent, no one performs their work).

Conducting a Fraud Investigation

If there is reasonable certainty that fraud has occurred, the CAE should notify the appropriate management level, usually the audit committee and perhaps also the board of directors. Management then makes the decision whether or not to start an investigation.

Note: It is generally not the auditor’s duty to report fraud to individuals outside of the organization,
although the auditor may in some cases need to report fraud to the SEC, a predecessor auditor, a court,
or to a governmental agency.

The specific role of the IAA in a fraud investigation should be outlined in the Charter and also possibly in
policies and procedures related to fraud. The potential roles for the IAA include leading the investigation,
being a supporting resource to another party leading the investigation, or no role at all if the IAA does not
have adequate resources. Whatever role the internal audit takes, the CAE needs to make certain that
independence and objectivity are not impaired.


When conducting a fraud investigation, the internal auditors should:

• Assess the probable level and extent of complicity in the fraud within the organization. This
helps to ensure that the internal auditor avoids providing information to or obtaining misleading
information from anyone who may be involved.
• Determine the knowledge, skills, and other competencies needed to effectively carry out
the investigation. Anyone with connections to the individuals being investigated or company man-
agement should not participate in the investigation.
• Design procedures to identify the perpetrators, the extent of the fraud, the techniques used,
and the cause of the fraud.
• Coordinate activities with management personnel, legal counsel, and other specialists as
appropriate throughout the course of the investigation.
• Be aware of the rights of alleged perpetrators and personnel within the scope of the inves-
tigation and the reputation of the organization itself.

Reporting in a fraud engagement will be ongoing because the board and senior management will want to
be kept informed. Depending on the conclusion, the final report may need to be written in a manner that
provides confidentiality for some of the people involved in the investigation. Legal counsel will also most
likely be involved in writing the final report.

At the conclusion of a fraud investigation, internal auditors should:

• Determine if controls need to be implemented or strengthened.
• Design engagement tests to help disclose frauds in the future.
• Maintain sufficient knowledge of fraud to identify future incidents.

C. Recommend Controls to Prevent and Detect Fraud

A company can protect itself from fraud by maintaining strong controls and risk management processes.
This ongoing effort must include periodically reviewing the risk management process and implementing
recommendations for improvement. The process of creating, maintaining, reviewing, and improving the
fraud risk management process is called fraud risk governance.

Managing the Business Risk of Fraud: A Practical Guide, sponsored by the IIA, AICPA, and ACFE, identifies
five principles for proactively establishing an environment to effectively manage fraud risk. It asserts that
all levels of an organization have roles and responsibilities in managing fraud risk.

Principle 1: As part of an organization’s governance structure, a fraud risk management program should
be in place, including a written policy (or policies) to convey the expectations of the board of directors
and senior management regarding managing fraud risk.

The board, the audit committee, and the IAA are the leaders in fraud risk governance. Management is
responsible for implementing the fraud risk management program’s policies, and all employees need to be
aware of fraud and red flags, follow controls, and report when controls are not being followed.

The IAA assesses this program and evaluates whether it is being properly implemented.

Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific
potential schemes and events that the organization needs to mitigate.

Ongoing risk management should consider these three questions:

• How could someone exploit a weakness in the system?
• How could someone override or circumvent controls?
• How could someone conceal the fraud?

© 2019 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. 133
Section VI – Fraud Risks CIA Part 1

Ideally, people from different parts of business will be included on the risk assessment team in order to get
a wide variety of perspectives on the risks the business faces. The team will need to assess the likelihood
and impact of the risks.

Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where
feasible, to mitigate possible impacts on the organization.

All employees need to be aware of the fraud risk management program so that they know there is an effort
to prevent and detect fraud.

Principle 4: Detection techniques should be established to uncover fraud events when preventive
measures fail or unmitigated risks are realized.

Detection controls should:

• Usually be hidden and operate in the background.
• Be implemented and used in the ordinary course of business.
• Draw on external information to corroborate internal information.
• Formally and automatically communicate deficiencies and exceptions to leadership.
• Use results to enhance and modify other controls.

Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated
approach to investigation and corrective action should be used to help ensure potential fraud is addressed
appropriately and timely.

Support a Culture of Fraud Awareness


With respect to fraud awareness, detection, and prevention, management must set the example with a
“tone at the top.” In other words, honest and ethical management is in a much better position to expect
the same behavior from employees. It is more cost effective to prevent fraud than to detect it, so the goal
should be to create a culture in the company of reporting whenever something does not seem right.

All internal auditors need to have an ethical attitude and unwavering commitment to preventing fraud in all
of their engagements and behaviors.

Whistleblowing
It is not always the internal auditor who discovers something is not right in the company; a middle- or
lower-level employee may come across evidence of wrongdoing or potential wrongdoing. Under most stand-
ard procedures, the employee should follow the chain of command and report any suspicions of fraud to an
immediate superior.

However, there are circumstances where an employee might have legitimate concerns about following the
chain of command and reporting concerns to a direct superior. For example, the wrongdoing or potential
wrongdoing may have been committed by the superior, or the revelation might embarrass the superior. In
such cases, the employee might fear retaliation or being fired.

It is important to the company that potential misdeeds are investigated and that people feel safe reporting
when something does not seem right. Therefore, a company might put in place a whistleblowing policy.
Whistleblowing is the act of reporting wrongdoing or suspected wrongdoing outside of the normal chain
of command.

To encourage people to share problems, the whistleblowing system needs to be confidential and anony-
mous. It may include a phone number to call or a specific person to contact. It is also possible that the
whistleblowing process may be facilitated by a third-party entity. In addition to setting up such a system,

management must make sure that all employees know about it and that they feel confident that their
identities will be protected.

Note: In addition to having a strong corporate culture that discourages fraud, management must com-
municate such standards to external parties with whom it conducts business. In this way, the company
can discourage its business partners from proposing fraudulent activities.

D. Forensic Auditing
In forensic auditing, auditing skills are applied to in-depth investigations that have potential legal impli-
cations or consequences (for example, money laundering, funding terrorists or organized crime). The
forensic expert helps the internal auditor gather evidence to prove or disprove suspicions, identify the
parties involved, and acquire and maintain evidence that may be presented in disciplinary or criminal pro-
ceedings.

Depending on the investigation, the forensic expert may come from outside of the internal audit activity or
even outside the company. The internal auditor is not expected to have the same level of expertise as
someone whose primary work is investigating fraud cases.

Even if the forensic expert comes from outside the company, the CAE is still responsible for the work of the
forensic expert. The CAE will need to agree to the scope of the work, the expectations, what will and what
will not be done as part of the engagement, and the expected deliverable from the engagement.

Because the case involves potential fraud, the internal auditor must keep in mind that the person who is
being investigated may be attempting to cover his or her tracks. For example, records may have been
changed, hidden, or even destroyed. In such cases, documents may need to be recovered from external
sources or from various electronic storage devices or computers that might be hidden, damaged, or de-
stroyed. In such cases, a high-level IT expert may need to join the forensic auditing team.

Interrogation and Investigation Techniques


An interrogation is different from an interview. In an interview, the internal auditor seeks information.
However, in an interrogation the internal auditor seeks confirmation or ideally a confession. Usually,
interrogations are done after information has been collected and there is a strong suspicion of fraud or
unethical behavior.

Who Interrogates
The nature of an interrogation places the questioning in the legal realm and will involve issues of rights and
law. For example, information revealed in an interrogation may need to stand as evidence in a trial. There-
fore, it is critical that the appropriate person conducts the interrogation, such as a lawyer.

At least two people should conduct the interrogation: an experienced individual to lead the interrogation
and a second person to take notes and be a corroborating witness. In addition, there will most likely be
legal counsel involved in both the preparation of the interrogation and its execution to make certain that
the company does not place itself at risk of being sued.

Who is Interrogated
The main people who will be interrogated are those who are suspected of committing the fraud, were part
of the fraud, or helped cover it up. Other individuals who may have information about the situation, but
were not involved in the fraud itself, may be interviewed instead of interrogated. After the interrogation,
the suspected individual should not return to work until the investigation is closed because they might
destroy evidence.

Collecting Information – Listening Well


Interrogation questions must be phrased carefully, and the interrogator must listen attentively to the an-
swers. Notes should be taken. Throughout the questioning, the interrogator needs to be flexible, altering
the line of questioning if any unexpected information surfaces. The interrogator also needs to pay attention
to body language and other non-verbal cues because they may enhance or undermine the information
being revealed. For example, nervousness, answers that sound too rehearsed or too perfect, a sudden
refusal to continue, or changing facts might indicate attempts to evade the truth.

Confessions and Admissions


The auditor needs to be aware of the issues related to confessions. A confession is a complete acknowl-
edgement of wrongdoing by the accused. However, the confession may be tainted if the suspect was under
duress (meaning physical or emotional harm, or the threat of physical or emotional harm) while the con-
fession was given. If a confession was not made voluntarily, it may be deemed inadmissible in court.

An admission is not the same as a confession, but it may still be used against the suspect. In an admission,
the accused party acknowledges committing a certain act, but he or she does not confess that there was
intent, nor does the accused party confess to the accusation.

Because of the legal issues involved in criminal investigations, it is best to allow a specialist to make deci-
sions about obtaining confessions, admissions, and other similar evidence from the accused.

Legal Hazards in Fraud Engagements


When the internal auditor conducts a fraud investigation, he or she has to make sure that it is conducted
professionally and within appropriate legal standards. Failing to follow legal requirements may expose the
company to expensive litigation. For example, when interrogating a potential fraud suspect, the internal
auditor should be aware of common and statutory rights, the violation of which may enable the person to
sue the auditor and organization.

The following are some common grounds on which individuals can sue a company that accuses them of
fraud:

• Defamation of character is an unjustifiable or false allegation that the employer (or its agent,
such as an internal auditor) makes to a third party that injures the suspect’s reputation.

There are two kinds of defamation:

o Slander is spoken defamation.

o Libel is written defamation.

• False imprisonment occurs if the employer unjustifiably restrains a person. Note that restraint
does not necessarily need to be physical confinement.

• Malicious prosecution refers to the prosecution of an individual without probable cause. For
example, sometimes employers will pursue a groundless prosecution against an employee in order
to cause harm, bankruptcy, or defamation.

Appendix A: Glossary
These terms and definitions come directly from the IIA.

Add Value – The internal audit activity adds value to the organization (and its stakeholders) when it
provides objective and relevant assurance, and contributes to the effectiveness and efficiency of govern-
ance, risk management, and control processes.

Adequate Control – Present if management has planned and organized (designed) in a manner that pro-
vides reasonable assurance that the organization’s risks have been managed effectively and that the
organization’s goals and objectives will be achieved efficiently and economically.

Assurance Services – An objective examination of evidence for the purpose of providing an independent
assessment on governance, risk management, and control processes for the organization. Examples may
include financial, performance, compliance, system security, and due diligence engagements.

Board – The highest level of governing body charged with the responsibility to direct and/or oversee the
activities and management of the organization. Typically, this includes an independent group of directors
(e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does
not exist, the “board” may refer to the head of the organization. “Board” may refer to an audit committee
to which the governing body has delegated certain functions.

Charter – The internal audit charter is a formal document that defines the internal audit activity’s purpose,
authority, and responsibility. The internal audit charter establishes the internal audit activity’s position
within the organization; authorizes access to records, personnel, and physical properties relevant to the
performance of engagements; and defines the scope of internal audit activities.

Chief Audit Executive – Chief Audit Executive (CAE) describes a person in a senior position responsible
for effectively managing the internal audit activity in accordance with the internal audit charter and the
Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others
reporting to the chief audit executive will have appropriate professional certifications and qualifications. The
specific job title of the chief audit executive may vary across organizations.

Code of Ethics – The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to
the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of
internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.
The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal
auditing.

Compliance – Adherence to policies, plans, procedures, laws, regulations, contracts, or other require-
ments.

Conflict of Interest – Any relationship that is, or appears to be, not in the best interest of the organization.
A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities
objectively.

Consulting Services – Advisory and related client service activities, the nature and scope of which are
agreed with the client, are intended to add value and improve an organization’s governance, risk manage-
ment, and control processes without the internal auditor assuming management responsibility. Examples
include counsel, advice, facilitation, and training.

Control – Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs
the performance of sufficient actions to provide reasonable assurance that objectives and goals will be
achieved.

Control Environment – The attitude and actions of the board and management regarding the importance
of control within the organization. The control environment provides the discipline and structure for the
achievement of the primary objectives of the system of internal control. The control environment includes
the following elements:

• Integrity and ethical values.

• Management’s philosophy and operating style.

• Organizational structure.

• Assignment of authority and responsibility.

• Human resource policies and practices.

• Competence of personnel.

Control Processes – The policies, procedures (both manual and automated), and activities that are part
of a control framework, designed and operated to ensure that risks are contained within the level that an
organization is willing to accept.

Engagement – A specific internal audit assignment, task, or review activity, such as an internal audit,
control self-assessment review, fraud examination, or consultancy. An engagement may include multiple
tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives – Broad statements developed by internal auditors that define intended engage-
ment accomplishments.

Engagement Opinion – The rating, conclusion, and/or other description of results of an individual internal
audit engagement, relating to those aspects within the objectives and scope of the engagement.

Engagement Work Program – A document that lists the procedures to be followed during an engage-
ment, designed to achieve the engagement plan.

External Service Provider – A person or firm outside of the organization that has special knowledge, skill,
and experience in a particular discipline.

Fraud – Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations
to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or
business advantage.

Governance – The combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.

Impairment – Impairment to organizational independence and individual objectivity may include personal
conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and re-
source limitations (funding).

Independence – The freedom from conditions that threaten the ability of the internal audit activity to
carry out internal audit responsibilities in an unbiased manner.

Information Technology Controls – Controls that support business management and governance as well
as provide general and technical controls over information technology infrastructures such as applications,
information, infrastructure, and people.

Information Technology Governance – Consists of the leadership, organizational structures, and pro-
cesses that ensure that the enterprise’s information technology supports the organization’s strategies and
objectives.

Internal Audit Activity – A department, division, team of consultants, or other practitioner(s) that pro-
vides independent, objective assurance and consulting services designed to add value and improve an
organization’s operations. The internal audit activity helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk
management and control processes.

International Professional Practices Framework – The conceptual framework that organizes the au-
thoritative guidance promulgated by The IIA. Authoritative Guidance is comprised of two categories - (1)
mandatory and (2) recommended.

Must – The Standards use the word “must” to specify an unconditional requirement.

Objectivity – An unbiased mental attitude that allows internal auditors to perform engagements in such a
manner that they believe in their work product and that no quality compromises are made. Objectivity
requires that internal auditors do not subordinate their judgment on audit matters to others.

Overall Opinion – The rating, conclusion, and/or other description of results provided by the chief audit
executive addressing, at a broad level, governance, risk management, and/or control processes of the
organization. An overall opinion is the professional judgment of the chief audit executive based on the
results of a number of individual engagements and other activities for a specific time interval.

Risk – The possibility of an event occurring that will have an impact on the achievement of objectives. Risk
is measured in terms of impact and likelihood.

Risk Appetite – The level of risk that an organization is willing to accept.

Risk Management – A process to identify, assess, manage, and control potential events or situations to
provide reasonable assurance regarding the achievement of the organization’s objectives.

Should – The Standards use the word “should” where conformance is expected unless, when applying
professional judgment, circumstances justify deviation.

Significance – The relative importance of a matter within the context in which it is being considered,
including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact.
Professional judgment assists internal auditors when evaluating the significance of matters within the con-
text of the relevant objectives.

Standard – A professional pronouncement promulgated by the Internal Audit Standards Board that delin-
eates the requirements for performing a broad range of internal audit activities, and for evaluating internal
audit performance.

Technology-based Audit Techniques – Any automated audit tool, such as generalized audit software,
test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit
techniques (CAATs).

Appendix B: Model Internal Audit Activity Charter


The following model charter has been prepared and published by the IIA. The Model is presented as pub-
lished, except that in the Model the IIA presents options of language for a handful of terms. The choices
used for the model presented here are:

• “Name of organization” – Company X

• Internal audit department/activity – internal audit activity

• Board/audit committee/supervisory committee - Board

Purpose and Mission


The purpose of Company X’s internal audit activity is to provide independent, objective assurance and
consulting services designed to add value and improve Company X’s operations. The mission of internal
audit is to enhance and protect organizational value by providing risk-based and objective assurance, ad-
vice, and insight. The internal audit activity helps Company X accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk manage-
ment, and control processes.

Standards for the Professional Practice of Internal Auditing


The internal audit activity will govern itself by adherence to the mandatory elements of The Institute of
Internal Auditors' International Professional Practices Framework, including the Core Principles for the Pro-
fessional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional
Practice of Internal Auditing, and the Definition of Internal Auditing. The chief audit executive will report
periodically to senior management and the board regarding the internal audit activity’s conformance to the
Code of Ethics and the Standards.

Authority
The chief audit executive will report functionally to the board and administratively (i.e., day-to-day opera-
tions) to the chief executive officer. To establish, maintain, and assure that Company X’s internal audit
activity has sufficient authority to fulfill its duties, the board will:

• Approve the internal audit activity’s charter.

• Approve the risk-based internal audit plan.

• Approve the internal audit activity’s budget and resource plan.

• Receive communications from the chief audit executive on the internal audit activity’s performance
relative to its plan and other matters.

• Approve decisions regarding the appointment and removal of the chief audit executive.

• Approve the remuneration of the chief audit executive.

• Make appropriate inquiries of management and the chief audit executive to determine whether
there is inappropriate scope or resource limitations.


The chief audit executive will have unrestricted access to, and communicate and interact directly with, the
board, including in private meetings without management present.

The board authorizes the internal audit activity to:

• Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent
to carrying out any engagement, subject to accountability for confidentiality and safeguarding of
records and information.

• Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques
required to accomplish audit objectives, and issue reports.

• Obtain assistance from the necessary personnel of Company X, as well as other specialized services
from within or outside Company X, in order to complete the engagement.

Independence and Objectivity 



The chief audit executive will ensure that the internal audit activity remains free from all conditions that
threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including
matters of audit selection, scope, procedures, frequency, timing, and report content. If the chief audit
executive determines that independence or objectivity may be impaired in fact or appearance, the details
of impairment will be disclosed to appropriate parties. 


Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements ob-
jectively and in such a manner that they believe in their work product, that no quality compromises are
made, and that they do not subordinate their judgment on audit matters to others. 


Internal auditors will have no direct operational responsibility or authority over any of the activities audited.
Accordingly, internal auditors will not implement internal controls, develop procedures, install systems,
prepare records, or engage in any other activity that may impair their judgment, including:

• Assessing specific operations for which they had responsibility within the previous year.

• Performing any operational duties for Company X or its affiliates.

• Initiating or approving transactions external to the internal audit department.

• Directing the activities of any Company X employee not employed by the internal audit activity,
except to the extent that such employees have been appropriately assigned to auditing teams or
to otherwise assist internal auditors.

Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of
internal auditing, safeguards will be established to limit impairments to independence or objectivity.

Internal auditors will:

• Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.

• Exhibit professional objectivity in gathering, evaluating, and communicating information about the
activity or process being examined.

• Make balanced assessments of all available and relevant facts and circumstances.

• Take necessary precautions to avoid being unduly influenced by their own interests or by others
in forming judgments.

The chief audit executive will confirm to the board, at least annually, the organizational independence of
the internal audit activity.


The chief audit executive will disclose to the board any interference and related implications in determining
the scope of internal auditing, performing work, and/or communicating results. 


Scope of Internal Audit Activities 



The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence
for the purpose of providing independent assessments to the board, management, and outside parties on
the adequacy and effectiveness of governance, risk management, and control processes for Company X.
Internal audit assessments include evaluating whether: 


• Risks relating to the achievement of Company X’s strategic objectives are appropriately identified
and managed.

• The actions of Company X’s officers, directors, employees, and contractors are in compliance with
Company X’s policies, procedures, and applicable laws, regulations, and governance standards.

• The results of operations or programs are consistent with established goals and objectives.

• Operations or programs are being carried out effectively and efficiently.

• Established processes and systems enable compliance with the policies, procedures, laws, and
regulations that could significantly impact Company X.

• Information and the means used to identify, measure, analyze, classify, and report such information
are reliable and have integrity.

• Resources and assets are acquired economically, used efficiently, and protected adequately.


The chief audit executive will report periodically to senior management and the board regarding:

• The internal audit activity’s purpose, authority, and responsibility.

• The internal audit activity’s plan and performance relative to its plan.

• The internal audit activity’s conformance with The IIA’s Code of Ethics and Standards, and action
plans to address any significant conformance issues.

• Significant risk exposures and control issues, including fraud risks, governance issues, and other
matters requiring the attention of, or requested by, the board.

• Results of audit engagements or other activities.

• Resource requirements.

• Any response to risk by management that may be unacceptable to Company X.


The chief audit executive also coordinates activities, where possible, and considers relying upon the work
of other internal and external assurance and consulting service providers as needed. The internal audit
activity may perform advisory and related client service activities, the nature and scope of which will be
agreed with the client, provided the internal audit activity does not assume management responsibility. 


Opportunities for improving the efficiency of governance, risk management, and control processes may be
identified during engagements. These opportunities will be communicated to the appropriate level of man-
agement. 


Responsibility
The chief audit executive has the responsibility to: 


• Submit, at least annually, to senior management and the board a risk-based internal audit plan
for review and approval.

• Communicate to senior management and the board the impact of resource limitations on the
internal audit plan.

• Review and adjust the internal audit plan, as necessary, in response to changes in Company X’s
business, risks, operations, programs, systems, and controls.


• Communicate to senior management and the board any significant interim changes to the internal
audit plan. 


• Ensure each engagement of the internal audit plan is executed, including the establishment of
objectives and scope, the assignment of appropriate and adequately supervised resources, the
documentation of work programs and testing results, and the communication of engagement re-
sults with applicable conclusions and recommendations to appropriate parties. 


• Follow up on engagement findings and corrective actions, and report periodically to senior man-
agement and the board any corrective actions not effectively implemented. 


• Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and up-
held. 


• Ensure the internal audit activity collectively possesses or obtains the knowledge, skills, and other
competencies needed to meet the requirements of the internal audit charter. 


• Ensure trends and emerging issues that could impact Company X are considered and communi-
cated to senior management and the board as appropriate. 


• Ensure emerging trends and successful practices in internal auditing are considered. 


• Establish and ensure adherence to policies and procedures designed to guide the internal audit
activity.


• Ensure adherence to Company X’s relevant policies and procedures, unless such policies and pro-
cedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise
communicated to senior management and the board.


• Ensure conformance of the internal audit activity with the Standards, with the following qualifica-
tions: 


o If the internal audit activity is prohibited by law or regulation from conformance with certain
parts of the Standards, the chief audit executive will ensure appropriate disclosures and will
ensure conformance with all other parts of the Standards. 


o If the Standards are used in conjunction with requirements issued by other authoritative bodies,
the chief audit executive will ensure that the internal audit activity conforms with the Standards,
even if the internal audit activity also conforms with the more restrictive requirements of other
authoritative bodies. 


Quality Assurance and Improvement Program


The internal audit activity will maintain a quality assurance and improvement program that covers all as-
pects of the internal audit activity. The program will include an evaluation of the internal audit activity’s
conformance with the Standards and an evaluation of whether internal auditors apply The IIA’s Code of
Ethics. The program will also assess the efficiency and effectiveness of the internal audit activity and identify
opportunities for improvement.

The chief audit executive will communicate to senior management and the board on the internal audit
activity’s quality assurance and improvement program, including results of internal assessments (both on-
going and periodic) and external assessments conducted at least once every five years by a qualified,
independent assessor or assessment team from outside Company X.


Appendix C: Practice Advisories for QAIP


Practice Advisory 1300-1: Quality Assurance and Improvement Program

1. The chief audit executive (CAE) is responsible for establishing an internal audit activity whose scope
of work includes the activities in the Standards and in the Definition of Internal Auditing. To ensure
that this occurs, Standard 1300 requires that the CAE develop and maintain a quality assurance and
improvement program (QAIP).

2. The CAE is accountable for implementing processes designed to provide reasonable assurance to the
various stakeholders that the internal audit activity:

• Performs in accordance with the internal audit charter, which is consistent with the Definition of
Internal Auditing, the Code of Ethics, and the Standards.

• Operates in an effective and efficient manner.

• Is perceived by those stakeholders as adding value and improving the organization’s operations.

These processes include appropriate supervision, periodic internal assessments and ongoing
monitoring of quality assurance, and periodic external assessments.

3. The QAIP needs to be sufficiently comprehensive to encompass all aspects of operation and
management of an internal audit activity, as found in the Definition of Internal Auditing, the Code of
Ethics, the Standards, and best practices of the profession. The QAIP process is performed by or
under direct supervision of the CAE. Except in small internal audit activities, the CAE would usually
delegate most QAIP responsibilities to subordinates. In large or complex environments (e.g.,
numerous business units and/or locations), the CAE establishes a formal QAIP function—headed by
an internal audit executive—independent of the audit and consulting segments of the internal audit
activity. This executive (and limited staff) administers and monitors the activities needed for a
successful QAIP.

Practice Advisory 1310-1: Requirements of the Quality Assurance and Improvement Program

1. A quality assurance and improvement program (QAIP) is an ongoing and periodic assessment of the
entire spectrum of audit and consulting work performed by the internal audit activity. These ongoing
and periodic assessments are composed of rigorous, comprehensive processes; continuous
supervision and testing of internal audit and consulting work; and periodic validations of conformance
with the Definition of Internal Auditing, the Code of Ethics, and the Standards. This also includes
ongoing measurements and analyses of performance metrics (e.g., internal audit plan
accomplishment, cycle time, recommendations accepted, and customer satisfaction). If the
assessments’ results indicate areas for improvement by the internal audit activity, the chief audit
executive (CAE) will implement the improvements through the QAIP.

2. Assessments evaluate and conclude on the quality of the internal audit activity and lead to
recommendations for appropriate improvements. QAIPs include an evaluation of:

• Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, including
timely corrective actions to remedy any significant instances of nonconformance.

• Adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures.

• Contribution to the organization’s governance, risk management, and control processes.

• Compliance with applicable laws, regulations, and government or industry standards.

• Effectiveness of continuous improvement activities and adoption of best practices.

• The extent to which the internal audit activity adds value and improves the organization’s operations.


3. The QAIP efforts also include follow-up on recommendations involving appropriate and timely
modification of resources, technology, processes, and procedures.

4. To provide accountability and transparency, the CAE communicates the results of external and, as
appropriate, internal quality program assessments to the various stakeholders of the activity (such
as senior management, the board, and external auditors). At least annually, the CAE reports to senior
management and the board on the quality program efforts and results.

Practice Advisory 1311-1: Internal Assessments

1. The processes and tools used in ongoing internal assessments include:

• Engagement supervision,

• Checklists and procedures (e.g., in an audit and procedures manual) are being followed,

• Feedback from audit customers and other stakeholders,

• Selective peer reviews of workpapers by staff not involved in the respective audits,

• Project budgets, timekeeping systems, audit plan completion, and cost recoveries, and/or

• Analyses of other performance metrics (such as cycle time and recommendations accepted).

2. Conclusions are developed as to the quality of ongoing performance and follow-up action taken to
ensure appropriate improvements are implemented.

3. The IIA’s Quality Assessment Manual, or a comparable set of guidance and tools, should serve as
the basis for periodic internal assessments.

4. Periodic internal assessments may:

• Include more in-depth interviews and surveys of stakeholder groups.

• Be performed by members of the internal audit activity (self-assessment).

• Be performed by Certified Internal Auditors (CIAs) or other competent audit professionals, currently
assigned elsewhere in the organization.

• Encompass a combination of self-assessment and preparation of materials subsequently reviewed
by CIAs, or other competent audit professionals.

• Include benchmarking of the internal audit activity’s practices and performance metrics against
relevant best practices of the internal audit profession.

5. A periodic internal assessment performed within a short time before an external assessment can
serve to facilitate and reduce the cost of the external assessment. If the periodic internal assessment
is performed by a qualified, independent external reviewer or review team, the assessment results
should not communicate any assurances on the outcome of the subsequent external quality
assessment. The report may offer suggestions and recommendations to enhance the internal audit
activities’ practices. If the external assessment takes the form of a self-assessment with independent
validation, the periodic internal assessment can serve as the self-assessment portion of this process.

6. Conclusions are developed as to quality of performance and appropriate action initiated to achieve
improvements and conformity to the Standards, as necessary.

7. The chief audit executive (CAE) establishes a structure for reporting results of internal assessments
that maintains appropriate credibility and objectivity. Generally, those assigned responsibility for
conducting ongoing and periodic reviews, report to the CAE while performing the reviews and
communicate results directly to the CAE.

8. At least annually, the CAE reports the results of internal assessments, necessary action plans, and
their successful implementation to senior management and the board.


Practice Advisory 1312-1: External Assessments

1. External assessments cover the entire spectrum of audit and consulting work performed by the
internal audit activity and should not be limited to assessing its quality assurance and improvement
program. To achieve optimum benefits from an external assessment, the scope of work should
include benchmarking, identification, and reporting of leading practices that could assist the internal
audit activity in becoming more efficient and/or effective. This can be accomplished through either a
full external assessment by a qualified, independent external reviewer or review team or a
comprehensive internal self-assessment with independent validation by a qualified, independent
external reviewer or review team. Nonetheless, the chief audit executive (CAE) is to ensure the scope
clearly states the expected deliverables of the external assessment in each case.

2. External assessments of an internal audit activity contain an expressed opinion as to the entire
spectrum of assurance and consulting work performed (or that should have been performed based
on the internal audit charter) by the internal audit activity, including its conformance with the
Definition of Internal Auditing, the Code of Ethics, and the Standards and, as appropriate, includes
recommendations for improvement. Apart from conformance with the Definition of Internal Auditing,
the Code of Ethics, and the Standards, the scope of the assessment is adjusted at the discretion of
the CAE, senior management, or the board. These assessments can have considerable value to the
CAE and other members of the internal audit activity, especially when benchmarking and best
practices are shared.

3. On completion of the review, a formal communication is to be given to senior management and the
board.

4. There are two approaches to external assessments. The first approach is a full external assessment
conducted by a qualified, independent external reviewer or review team. This approach involves an
outside team of competent professionals under the leadership of an experienced and professional
project manager. The second approach involves the use of a qualified, independent external reviewer
or review team to conduct an independent validation of the internal self-assessment and a report
completed by the internal audit activity. Independent external reviewers should be well versed in
leading internal audit practices.

5. Individuals who perform the external assessment are free from any obligation to, or interest in, the
organization whose internal audit activity is the subject of the external assessment or the personnel
of such organization. Particular matters relating to independence, which are to be considered by the
CAE in consultation with the board, in selecting a qualified, independent external reviewer or review
team, include:

• Any real or apparent conflict of interest of firms that provide:


1) The external audit of financial statements.

2) Significant consulting services in the areas of governance, risk management, financial reporting,
internal control, and other related areas.

3) Assistance to the internal audit activity. The significance and amount of work performed by the
professional service provider is to be considered in the deliberation.

• Any real or apparent conflict of interest of former employees of the organization who would perform
the assessment. Consideration should be given to the length of time the individual has been
independent of the organization.

• Individuals who perform the assessment are independent of the organization whose internal audit
activity is the subject of the assessment and do not have any real or apparent conflict of interest.
“Independent of the organization” means not a part of, or under the control of, the organization to
which the internal audit activity belongs. In the selection of a qualified, independent external
reviewer or review team, consideration is to be given to any real or apparent conflict of interest the
reviewer may have due to present or past relationships with the organization or its internal audit
activity, including the reviewer’s participation in internal quality assessments.


• Individuals in another department of the subject organization or in a related organization, although
organizationally separate from the internal audit activity, are not considered independent for
purposes of conducting an external assessment. A “related organization” may be a parent
organization; an affiliate in the same group of entities; or an entity with regular oversight,
supervision, or quality assurance responsibilities with respect to the subject organization.

• Real or apparent conflict involving peer review arrangements. Peer review arrangements between
three or more organizations (e.g., within an industry or other affinity group, regional association, or
other group of organizations—except as precluded by the “related organization” definition in the
previous point) may be structured in a manner that alleviates independence concerns, but care is
taken to ensure that the issue of independence does not arise. Peer reviews between two
organizations would not pass the independence test.

• To overcome concerns of the appearance or reality of impairment of independence in instances such
as those discussed in this section, one or more independent individuals could be part of the external
assessment team to independently validate the work of that external assessment team.

6. Integrity requires reviewer(s) to be honest and candid within the constraints of confidentiality.
Service and the public trust should not be subordinated to personal gain and advantage. Objectivity
is a state of mind and a quality that lends value to a reviewer(s) services. The principle of objectivity
imposes the obligation to be impartial, intellectually honest, and free of conflict of interest.

7. Performing and communicating the results of an external assessment require the exercise of
professional judgment. Accordingly, an individual serving as an external reviewer should:

• Be a competent, certified internal audit professional who possesses current, in-depth knowledge of
the Standards.

• Be well versed in the best practices of the profession.

• Have at least three years of recent experience in the practice of internal auditing or related consulting
at a management level. Leaders of independent review teams and external reviewers who
independently validate the results of the self-assessment should have an additional level of
competence and experience gained from working previously as a team member on an external
quality assessment, successful completion of The IIA’s quality assessment training course or similar
training, and CAE or comparable senior internal audit management experience.

8. The reviewer(s) should possess relevant technical expertise and industry experience. Individuals with
expertise in other specialized areas may assist the team. For example, specialists in enterprise risk
management, IT auditing, statistical sampling, operations monitoring systems, or control self-
assessment may participate in certain segments of the assessment.

9. The CAE involves senior management and the board in determining the approach and selection of an
external quality assessment provider.

10. The external assessment consists of a broad scope of coverage that includes the following elements
of the internal audit activity:

• Conformance with the Definition of Internal Auditing; the Code of Ethics; and the Standards; and
the internal audit activity’s charter, plans, policies, procedures, practices, and applicable legislative
and regulatory requirements,

• Expectations of the internal audit activity expressed by the board, senior management, and
operational managers,

• Integration of the internal audit activity into the organization’s governance process, including the
relationships between and among the key groups involved in the process,

• Tools and techniques employed by the internal audit activity,


• Mix of knowledge, experience, and disciplines within the staff, including staff focus on process
improvement, and

• Determination as to whether or not the internal audit activity adds value and improves the
organization’s operations.

11. The preliminary results of the review are discussed with the CAE during, and at the conclusion of,
the assessment process. Final results are communicated to the CAE, or other official, who authorized
the review for the organization, preferably with copies sent directly to appropriate members of senior
management and the board.

12. The communication includes:

• An opinion on the internal audit activity’s conformance with the Definition of Internal Auditing, the
Code of Ethics, and the Standards based on a structured rating process. The term “conformance”
means the practices of the internal audit activity, taken as a whole, satisfy the requirements of the
Definition of Internal Auditing, the Code of Ethics, and the Standards. Similarly, “nonconformance”
means the impact and severity of the deficiencies in the practices of the internal audit activity are
so significant they impair the internal audit activity’s ability to discharge its responsibilities. The
degree of “partial conformance” with the Definition of Internal Auditing, the Code of Ethics, and/or
individual standards, if relevant to the overall opinion, should also be expressed in the report on the
independent assessment. The expression of an opinion on the results of the external assessment
requires the application of sound business judgment, integrity, and due professional care.

• An assessment and evaluation of the use of best practices, both those observed during the
assessment and others potentially applicable to the activity.

• Recommendations for improvement, where appropriate.

• Responses from the CAE that include an action plan and implementation dates.

13. To provide accountability and transparency, the CAE communicates the results of external quality
assessments, including specifics of planned remedial actions for significant issues and subsequent
information as to accomplishment of those planned actions, with the various stakeholders of the
activity, such as senior management, the board, and external auditors.

Practice Advisory 1312-2: External Assessments: Self-assessment with Independent Validation

1. An external assessment by a qualified, independent reviewer or review team may be troublesome
for smaller internal audit activities or there may be circumstances in other organizations where a full
external assessment by an independent team is not deemed appropriate or necessary. For example,
the internal audit activity may (a) be in an industry subject to extensive regulation and/or
supervision, (b) be otherwise subject to extensive external oversight and direction relating to
governance and internal controls, (c) have been recently subjected to external review(s) and/or
consulting services in which there was extensive benchmarking with best practices, or (d) in the
judgment of the chief audit executive (CAE), the benefits of self-assessment for staff development
and the strength of the internal quality assurance and improvement program currently outweigh the
benefits of a quality assessment by an external team.

2. A self-assessment with independent [external] validation includes:

• A comprehensive and fully documented self-assessment process, which emulates the external
assessment process, at least with respect to evaluation of conformance with the Definition of Internal
Auditing, the Code of Ethics, and the Standards.

• An independent, on-site validation by a qualified, independent reviewer.

• Economical time and resource requirements—e.g., the primary focus would be on conformance with
the Standards.


• Limited attention to other areas—such as benchmarking, review and consultation as to employment
of leading practices, and interviews with senior and operating management—may be reduced.
However, the information produced by these parts of the assessment is one of the benefits of an
external assessment.

3. The same guidance and criteria as set forth in Practice Advisory 1312-1 would apply for a self-
assessment with independent validation.

4. A team under the direction of the CAE performs and fully documents the self-assessment process. A
draft report, similar to that for an external assessment, is prepared including the CAE’s judgment on
conformance with the Standards.

5. A qualified, independent reviewer or review team performs sufficient tests of the self-assessment so
as to validate the results and express the indicated level of the activity’s conformance with the
Definition of Internal Auditing, the Code of Ethics, and the Standards. The independent validation
follows the process outlined in The IIA’s Quality Assessment Manual or a similar comprehensive
process.

6. As part of the independent validation, the independent external reviewer—upon completion of a
rigorous review of the self-assessment team’s evaluation of conformance with the Definition of
Internal Auditing, the Code of Ethics, and the Standards:

• Reviews the draft report and attempts to reconcile unresolved issues (if any).

• If in agreement with the opinion of conformance with the Definition of Internal Auditing, the Code of
Ethics, and the Standards, adds wording (as needed) to the report, concurring with the self-
assessment process and opinion and—to the extent deemed appropriate—in the report’s findings,
conclusions, and recommendations.

• If not in agreement with the evaluation, adds dissenting wording to the report, specifying the points
of disagreement with it and—to the extent deemed appropriate—with the significant findings,
conclusions, recommendations, and opinions in the report.

• Alternatively, may prepare a separate independent validation report—concurring or expressing
disagreement as outlined above—to accompany the report of the self-assessment.

7. The final report(s) of the self-assessment with independent validation is signed by the self-
assessment team and the qualified, independent external reviewer(s) and issued by the CAE to senior
management and the board.

8. To provide accountability and transparency, the CAE communicates the results of external quality
assessments—including specifics of planned remedial actions for significant issues and subsequent
information as to accomplishment of those planned actions—with the various stakeholders of the
activity, such as senior management, the board, and external auditors.


Practice Advisory 1312-3: Independence of External Assessment Team in the Private Sector

1. All members of the assessment team who perform the external assessment are to be independent
of that organization and its internal auditing activity personnel. In particular, members of the
assessment team are to have no real or perceived conflicts of interest with the organization and/or
its personnel. Areas to be considered in assessing independence of the assessment team include the
following:

• Independent of the organization means not being under the influence of the organization whose
internal auditing activity is being assessed. The selection process for an external assessor is to
consider their real, potential, and perceived conflicts of interest. Conflicts of interest may arise from
past, present or potential future relationships with the organization, its personnel or its internal
auditing activity. Relationships to be considered include those of a personal or commercial nature or
both.

• Within the private sector (i.e., not government related), individuals from within the same
organization but from another department—or from a related organization, although organizationally
separate from the internal auditing activity—are not considered independent for purposes of
conducting an external assessment. A related organization may be a parent company or body, an
affiliate in the same group of companies, or an entity with regular oversight, supervisory, or quality
assurance responsibilities over the organization whose internal audit activity is the subject of the
external assessment.

• Reciprocal external assessment teaming arrangements between three or more organizations (e.g.,
within an industry or other affinity group, regional association, or other group of organizations) may
be structured in a manner that achieves the independence objective. Care is to be taken to ensure
that the issue of independence will not arise and that all team members will be able to fully exercise
their responsibilities without limitation due to matters of confidentiality, etc. Reciprocal external
assessment performance between two organizations is not acceptable for the purposes of an external
assessment.

2. The independence of the assessment team including potential conflicts of interest is to be discussed
with the Board.

Practice Advisory 1312-4: Independence of the External Assessment Team in the Public
Sector

1. The term “public sector” includes all tiers of government and includes government-owned or
controlled authorities or enterprises (the entity). In the public sector, internal audit activities at the
different tiers of government may be independent for the purpose of external assessments.

2. Quasi-governmental bodies, for example the United Nations, the European Commission, include
organizations, bodies, companies who are owned or controlled by multiple governments. Such
international organizations, due to their multilateral nature should follow the guidelines for the
private sector.

3. All members of the assessment team who perform the external assessment are to be independent
of that organization and its internal auditing activity personnel. In particular, members of the
assessment team are to have no real or perceived conflicts of interest with the organization and/or
its personnel. Areas to be considered in assessing independence of the assessment team include the
following:

• Independent of the organization means not being under the influence of the organization whose
internal auditing activity is being assessed. The selection process for an external assessor is to
consider real, potential or perceived conflicts of interests. Conflicts of interests may arise from past,
present or potential future relationships with the organization or its internal auditing activity.
Relationships to be considered include those of a personal or commercial nature or both.


• Within the public sector, individuals working in separate internal audit activities in a different entity
within the same tier of government (national, state/province, county, or city government) may be
considered independent for purposes of performing external assessments.

• Where one or more internal auditing activities within the same tier of government report to the same
CAE, individuals are not considered independent for purposes of performing external assessments
even if they work in separated entities. Only assessors independent to each of these entities may
perform external assessments.

• Reciprocal external assessment team arrangements between three or more organizations may be
structured in a manner that achieves the independence objective. Care is to be taken to ensure that
the issue of independence will not arise and that all team members will be able to fully exercise their
responsibilities without limitation due to matters of confidentiality, etc. Reciprocal external
assessment performance between two organizations is not acceptable for the purposes of an external
assessment.

4. The independence of the assessment team including potential conflicts of interest is to be discussed
with the Board.

5. When selecting the team to perform the assessment, the CAE should consider the extent of their
public sector experience.

Practice Advisory 1321-1: Use of “Conforms with the International Standards for the
Professional Practice of Internal Auditing”

1. Ongoing monitoring and external and internal assessments of an internal audit activity are performed
to evaluate and express an opinion as to the internal audit activity’s conformance with the Definition
of Internal Auditing, the Code of Ethics, and the Standards and, as appropriate, should include
recommendations for improvement.

2. The phrase to be used may be: “in conformance with the Standards,” or “in conformity to the
Standards.” To use one of these phrases, an external assessment is required at least once during
each five-year period, along with ongoing monitoring and periodic internal assessments and these
activities need to have concluded that the internal audit activity is in conformance with the Definition
of Internal Auditing, the Code of Ethics, and the Standards. Initial use of the conformance phrase is
not appropriate until an external review has demonstrated that the internal audit activity is in
conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

3. The chief audit executive (CAE) is responsible for disclosing instances of nonconformance that impact
the overall scope or operation of the internal audit activity, including failure to obtain an external
assessment within a five-year period, to senior management and the board.

4. Before the internal audit activity’s use of the conformance phrase, any instances of nonconformance
that have been disclosed by a quality assessment (internal or external) which impair the internal
audit activity’s ability to discharge its responsibilities need to be adequately remedied. In addition,
the following are needed:

• Remedial actions need to be documented and reported to the relevant assessor(s) to obtain
concurrence that the nonconformance has been adequately remedied, and

• Remedial actions and agreement of the relevant assessor(s) therewith need to be reported to senior
management and the board.

© 2019 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. 151
Sample Code of Conduct CIA Part 1

Appendix D: Sample Code of Conduct⁶⁶


Our Values

• The best solutions come from working together with colleagues and clients.

• Effective teamwork requires relationships, respect, and sharing.

• We deliver what we promise and add value beyond what is expected.

• We achieve excellence through innovation, learning, and agility.

• We lead with clients, people, and thought leadership.

• Leadership demands courage, vision and integrity.



Upholding the [Firm] Name

• Our clients and colleagues trust [the firm] based on our professional competence and integrity—
qualities that underpin our reputation. We uphold that reputation.

• We seek to serve only those clients whom we are competent to serve, who value our service, and
who meet appropriate standards of legitimacy and integrity.

• When speaking in a forum in which audiences would reasonably expect that we are speaking as a
representative of [the firm], we generally state only [the firm]’s views and not our own.

• We use all assets belonging to [the firm] and to our clients, including tangible, intellectual and
electronic assets, in a manner both responsible and appropriate to the business and only for legal
and authorized purposes.

Behaving Professionally

• We deliver professional services in accordance with [the firm]’s policies and relevant technical and
professional standards.
• We offer only those services we can deliver and strive to deliver no less than our commitments.
• We compete vigorously, engaging only in practices that are legal and ethical.
• We meet our contractual obligations and report and charge honestly for our services.
• We respect the confidentiality and privacy of our clients, our people, and others with whom we do
business. Unless authorized, we do not use confidential information for personal use, [the firm]’s
benefit, or to benefit a third party. We disclose confidential information or personal data only when
necessary, only when appropriate approval has been obtained, and/or we are compelled to do so
by legal, regulatory, or professional requirements.
• We aim to avoid conflicts of interest. Where potential conflicts are identified, and when we believe
that the respective parties' interests can be properly safeguarded by the implementation of
appropriate procedures, we will implement such procedures.
• We treasure our independence of mind. We protect our clients' and other stakeholders' trust by
adhering to our regulatory and professional standards, which are designed to enable us to achieve
the objectivity necessary in our work. In doing so, we strive to ensure our independence is not
compromised or perceived to be compromised. We address circumstances that impair or could
appear to impair our objectivity.
• When faced with difficult issues or issues that place [the firm] at risk, we consult appropriate
authorities at [the firm] before taking action. We follow our applicable technical and administrative
consultation requirements.
• It is unacceptable for us to receive or pay bribes.

⁶⁶ Adapted from Enterprise Risk Management – Integrated Framework, COSO.


Respecting Others

• We treat our colleagues, clients, and others with whom we do business with respect, dignity,
fairness, and courtesy.

• We take pride in the diversity of our workforce and view it as a competitive advantage to be
nurtured and expanded.

• We are committed to maintaining a work environment that is free from discrimination or
harassment.

• We try to balance work and private life and help others to do the same.

• We invest in the ongoing enhancement of our skills and abilities.

• We provide a safe working environment for our people.

Corporate Citizenship

• We express support for fundamental human rights and avoid participating in business activities that
abuse human rights.

• We act in a socially responsible manner, within the laws, customs, and traditions of the countries
in which we operate, and contribute in a responsible manner to the development of communities.

• We aspire to act in a manner that minimizes the detrimental environmental impacts of our business
operations.

• We encourage the support of charitable, educational, and community service activities.

• We are committed to supporting international and local efforts to eliminate corruption and financial
crime.


Appendix E: 40 Common Forms of Fraud


The following list is taken from Sawyer’s Internal Auditing 5th Edition, pages 1181-1182.
1) Pilfering stamps.
2) Stealing merchandise, tools, supplies, and other items of equipment.
3) Removing small amounts from cash funds and registers.
4) Failing to record sales of merchandise and pocketing the cash.
5) Creating overages in cash funds and registers by under-recording.
6) Overloading expense accounts or diverting advances to personal use.
7) Lapping collections on customers’ accounts.
8) Pocketing payments on customers’ accounts, issuing receipts on scraps of paper or in self-designed
receipt books.
9) Collecting an account, pocketing the money, and charging it off; collecting charged-off accounts
and not reporting.
10) Charging customers’ accounts with cash stolen.
11) Issuing credit for false customer claims and returns.
12) Failing to make bank deposits daily, or depositing only part of the money.
13) Altering dates on deposit slips to cover stealing.
14) Making round-sum deposits; attempting to catch up by end of month.
15) Carrying fictitious extra help on payrolls, or increasing rates or hours.
16) Carrying employees on payroll beyond actual severance dates.
17) Falsifying additions on payrolls; withholding unclaimed wages.
18) Destroying, altering, or voiding cash sales tickets and pocketing the cash.
19) Withholding cash sales receipts by using false charge accounts.
20) Recording unwarranted cash discounts.
21) Increasing amounts of petty cash vouchers and/or totals in accounting for disbursements.
22) Using personal expenditure receipts to support false paid-out items.
23) Using copies of previously used original vouchers, or using a properly approved voucher of the
prior year by changing the date.
24) Paying false invoices, either self-prepared or obtained through collusion with suppliers.
25) Increasing amounts of suppliers’ invoices through collusion.
26) Charging personal purchases to organization through misuse of purchase orders.
27) Billing stolen merchandise to fictitious accounts.
28) Shipping stolen merchandise to an employee or relative’s home.
29) Falsifying inventories to cover thefts or delinquencies.
30) Seizing checks payable to the organization or to suppliers.
31) Raising canceled bank checks to agree with fictitious entities.
32) Inserting fictitious ledger sheets.
33) Causing erroneous footings of cash receipts and disbursement books.
34) Deliberately confusing postings to control and detail accounts.
35) Selling waste and scrap materials and pocketing proceeds.
36) “Selling” door keys or the combinations to safes or vaults.
37) Creating credit balances on ledgers and converting to cash.
38) Falsifying bills of lading and splitting with carrier.
39) Obtaining blank checks and forging the signature.
40) Permitting special prices or privileges to customers, or giving business to favored suppliers, for
“kickbacks.”
