Prévia do material em texto
License Agreement for The IIA’s CIA Challenge Exam Study Guide STUDENT MATERIALS By opening and using The IIA’s CIA Challenge Exam Study Guide student materials (the “Materials”), the user (“User”) hereby agrees as follows: (i) That The Institute of Internal Auditors is the exclusive copyright owner of the Materials. (ii) Provided that the required fee for use of the Materials by User has been paid to The IIA or its agent, User has the right, by this License, to use the Materials solely for his/her own educational use. (iii) User has no right to print or make any copies, in any media, of the materials, or to sell, or sublicense, loan, or otherwise convey or distribute these materials or any copies thereof in any media. ® ® The IIA’s CIA Challenge Exam Study Guide The IIA’s CIA Challenge Exam Study Guide is based on select portions of the Certified Internal Auditor (CIA ) syllabus developed by The IIA. However, program developers do not have access to the exam questions. Therefore, while the study guide is a good tool for study, reading the text does not guarantee a passing score on the CIA exam. Every effort has been made to ensure that all information is current and correct. However, laws and regulations change, and these materials are not intended to offer legal or professional services or advice. This material is consistent with the revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, effective in 2017. Copyright These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will limit the program’s usefulness. The IIA invests significant resources to create quality professional opportunities for its members. Please do not violate the copyright. Acknowledgments The IIA would like to thank the following dedicated subject matter experts who shared their time, experience, and insights during development and subsequent updates. ® ® ® ® Subject matter experts Farah George Araj, CPA, CIA, CFE, QIAL, Australia Scott Blankenship, CIA, CRMA, CPA, CFE, United States Melissa Clawson, CIA, CRMA, United States Christy Decker-Weber, CIA, CRMA, CPA, CFE, CHIAP Jayson Walter Kwasnik, CIA, CPA, CA, Canada Jessica Minshew, CIA, United States Joanne F. Prakapas, CIA, CRMA, CFE, CPA, CFF, United States James M. Reinhard, CIA, United States Elizabeth Sandwith, CFIIA, United Kingdom Past subject matter experts Pat Adams, CIA Terry Bingham, CIA, CISA, CCSA Raven Catlin, CIA, CPA, CFSA Patrick Copeland, CIA, CRMA, CISA, CPA Don Espersen, CIA Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE James D. Hallinan, CIA, CPA, CFSA, CBA Larry Hubbard, CIA, CCSA, CPA, CISA Al Marcella, PhD, CISA, CCSA Markus Mayer, CIA Vicki A. McIntyre, CIA, CFSA, CRMA, CPA Gary Mitten, CIA, CCSA Lynn Morley, CIA, CGA Lyndon Remias, CIA James Roth, PhD, CIA, CCSA Brad Schwieger, CPA, DBA Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CIT Jim Key, CIA David Mancina, CIA, CPA Part 1: Essentials of Internal Auditing Internal auditing is a discipline that works on behalf of management, the board of directors, and other stakeholders of public and private entities to improve and add value to governance, risk management, and control procedures. Part 1 of The IIA’s CIA Challenge Exam Study Guide looks at a number of the essentials of internal auditing. Section A covers the foundations of internal auditing—The IIA’s International Professional Practices Framework; the purpose, authority, and responsibility of the internal audit activity; the requirements of the audit charter; and the difference between assurance and consulting services. Section B looks at the concepts of independence and objectivity. Section C looks at the concepts of proficiency and due professional care. Section D describes aspects of a quality assurance and improvement program. Section E covers organizational governance and risk, and it looks at risk management within an audit activity charter. Section F focuses on fraud risks—the types of these risks and controls to prevent and detect fraud. Section A: Foundations of Internal Auditing This section is designed to help you: Identify and apply relevant ethical, practical, and legal standards to the audit practice, including The Institute of Internal Auditors’ (The IIA’s) Code of Ethics, International Standards, and Practice Advisories and relevant laws. Explain the International Professional Practices Framework categories of guidance. Explain the Mission of Internal Audit. Describe the Core Principles for the Professional Practice of Internal Auditing. Define internal auditing. Describe compliance with The IIA’s Code of Ethics. Explain how the purpose, authority, and responsibility for an internal audit activity are documented, communicated, and approved. Understand the importance of securing the board’s approval of the internal audit activity charter and audit plan. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx According to The IIA The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members. Attribute Standards: www.theiia.org/Attribute-standards Performance Standards: www.theiia.org/Performance- standards Standards and Guidance: www.theiia.org/Guidance Position Papers: www.theiia.org/Position-papers Implementation Guidance: www.theiia.org/Practiceadvisories Practice Guides and GTAGs: www.theiia.org/Practiceguides Topic 1: Mission, Definition, and Core Principles This topic discusses The IIA’s Mission of Internal Audit, Definition of Internal Auditing, and Core Principles for the Professional Practice of Internal Auditing and the purpose, authority, and responsibility of the internal audit activity. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standard 1000 Practice Guide, “Demonstrating the Core Principles for the Professional Practice of Internal Auditing” https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx https://na.theiia.org/about-us/about-ia/Pages/Position-Papers.aspx https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Demonstrating-the-Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx The Framework The Institute of Internal Auditors (The IIA) uses the International Professional Practices Framework (IPPF) to organize its authoritative guidance in a manner that is readily accessible. The IPPF, sometimes called the “Red Book,” is intended to help practitioners and stakeholders throughout the world respond to the expanding market for high-quality internal auditing. The IPPF contains both mandatoryThe CAE may additionally choose to include training on professional skepticism. https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Individual internal auditors may ensure that they are acting objectively by consulting with others within the internal audit activity when addressing potentially sensitive areas. According to The IIA Implementation Standard 1130.A1 (Assurance Engagements) Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year. In order to follow Implementation Standard 1130.A1, the CAE or audit team management may choose to discuss details of upcoming assignments with potential team members, including the individuals and departments involved, so that the CAE can explore if there is a conflict that would impair or appear to impair an internal auditor’s objectivity. Internal auditors are encouraged to share any concerns they may have so that the CAE or audit team management can determine whether the internal auditor may participate in the engagement. In addition to the internal policy manual, conformance with Standard 1120 may be evidenced by training records and also through signed acknowledgment forms disclosing the existence (or nonexistence) of https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx conflicts. Engagement workpapers documenting team assignments could be compared to the acknowledgment forms to confirm that known conflicts were avoided. Topic 4: Policies Promoting Objectivity This topic discusses the importance of policies that promote objectivity within the internal audit activity, which are rooted in the internal audit charter. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standards 1120 and 1130 Policies Promoting Objectivity To fully understand and appreciate independence and objectivity, internal auditors should consider the perspectives of their various stakeholders and the conditions that could be perceived as undermining these factors. The IIA Model Charter features a section on independence and objectivity that sets out baseline policies and expectations for the internal audit activity and discusses how they will be maintained. In addition to dictating that internal audit is independent and objective, https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/about-ia/PublicDocuments/PP-The-Internal-Audit-Charter.pdf the charter discusses all other areas of responsibility of internal audit, including any potential areas that could impair objectivity. It should discuss how to overcome those potential impairments, if applicable. Often the CAE will develop an internal audit policy manual or handbook that includes a discussion of organizational independence and internal auditor objectivity, the nature of threats to objectivity, and how internal auditors should handle potential impairments. The manual will often describe the appropriate actions for an auditor to take should he or she become aware of or concerned about such impairments. Categories of threats to objectivity include: Self-review. These threats may arise when an auditor reviews his or her own work. Social pressure. These threats may occur when an auditor is exposed to, or perceives that he or she is exposed to, pressures from relevant groups. Major economic interest. This threat may arise when the auditor has a major, direct economic stake in the performance of the client or fears that significant negative findings could jeopardize the entity’s future and hence the auditor’s own interest as an employee. It may also arise due to performance incentives related to the area under review or when the audit concerns the work or department of an individual who may subsequently make decisions that directly affect the auditor’s employment or salary. Personal relationship. This may arise when an auditor is a close relative or friend of the manager or an employee of the audit customer unit. Familiarity. This threat may occur due to an auditor’s long-term relationship with the audit customer. Cultural, racial, and gender biases. This threat may occur when auditors are biased against another culture, race, or gender. Cognitive biases. This threat may arise from an unconscious and unintentional psychological bias in interpreting information. Section C: Proficiency and Due Professional Care This section is designed to help you: Identify and describe the required knowledge, skills, and competencies for an internal audit activity and how an organization develops and/or procures them. Identify and describe the required knowledge, skills, and competencies that an internal auditor needs to possess to perform his/her individual responsibilities. Explain how to exercise due professional care in an internal audit activity. Describe the importance of professional development and formal certification for internal auditors. Explain how an individual internal auditor’s competency is demonstrated through continuing professional development. According to The IIA The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members. Attribute Standards: www.theiia.org/Attribute-standards Performance Standards: www.theiia.org/Performance- standards Standards and Guidance: www.theiia.org/Guidance Position Papers: www.theiia.org/Position-papers Implementation Guidance: www.theiia.org/Practiceadvisories Practice Guides and GTAGs: www.theiia.org/Practiceguides This section covers the necessary proficiency and due professional care that are required for both internal auditors and the internal audit activity as a whole. Skills, knowledge, and competencies important to the profession of internal audit must be developed and maintained by internal auditors and must be maintained or sourced from an external provider for the internal audit activity to successfully complete necessary engagements. Due professional care ensures that the internal audit activity can rely on all internal auditors to apply the care and skill of a reasonably prudent and competent auditor. Topic 1: Knowledge, Skills, and Competencies https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx https://na.theiia.org/about-us/about-ia/Pages/Position-Papers.aspx https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx This topic discusses the knowledge, skills, and due professional care that a successful internal audit activity needs to fulfill its responsibilities and how individual internal auditors may develop those skills. It also covers the responsibilities of the CAE pertaining to the internal audit activity’s ability to perform engagements with necessary proficiency. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidancefor Standard 1200 IIA Global Internal Audit Competency Framework Internal Audit Knowledge, Skills, and Competencies According to The IIA Attribute Standard 1200, “Proficiency and Due Professional Care” Engagements must be performed with proficiency and due professional care. Proficiency is a collective term that refers to the knowledge, skills, and other competencies required of internal auditors to effectively https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/about-us/about-ia/Pages/Competency-Framework.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx carry out their professional responsibilities. In order to enable relevant advice and recommendations, proficiency encompasses: Current activities. Trends. Emerging issues. Changes that may affect the industry or the internal audit profession may be learned about via continuing professional development. The CAE may help ensure the internal audit activity’s overall proficiency in this regard. Internal auditors generally develop individual proficiency throughout their careers: By obtaining and maintaining appropriate certifications. By gaining experience. Through professional education, including continuing professional development. Internal auditors must be aware of continuing education requirements for any certifications they maintain. Due professional care requires the understanding of the IPPF’s approach to internal auditing as well as organization-specific policies. Implementation Standard 1220.A1 discusses what must be https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx considered by internal auditors when exercising due professional care. According to The IIA Implementation Standard 1220.A1 (Assurance Engagements) Internal auditors must exercise due professional care by considering the: Extent of work needed to achieve the engagement’s objectives. Relative complexity, materiality, or significance of matters to which assurance procedures are applied. Adequacy and effectiveness of governance, risk management, and control processes. Probability of significant errors, fraud, or noncompliance. Cost of assurance in relation to potential benefits. For internal auditors, due professional care requires compliance with the IIA’s Code of Ethics and may entail compliance to the organization’s code of conduct and any additional codes of conduct relevant to other professional designations attained. The CAE is responsible for ensuring conformance with Standard 1200 by the internal audit activity as a whole. The CAE establishes policies and procedures that enable internal auditors to perform engagements with proficiency and due professional care as part of managing the internal audit activity. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx The CAE may use The IIA’s Global Internal Audit Competency Framework or a similar benchmark to establish the criteria by which to assess the proficiency of internal auditors. The criteria may be used to: Create job descriptions. Create an inventory of the competencies needed with the internal audit activity. Develop a strategy for: Recruiting. Assigning. Training. Professional development. The CAE generally thinks about the alignment between the knowledge, skills, and other competencies needed to complete the internal audit plan and the resources available among the internal audit activity and other providers of assurance and consulting services. Conformance with Standard 1200 could be demonstrated using any of the following items: Competency assessments of the internal audit activity Records of a recruitment and training strategy, job descriptions, and resumes https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Internal audit policies and procedures and workpaper templates Evidence that internal audit policies and procedures were communicated and signed acknowledgment that the internal audit staff understands them Evidence supporting annual declaration related to The IIA’s Code of Ethics and the organization’s code of conduct The internal audit plan and engagement plans, which demonstrate the sufficient and appropriate allocation of internal audit staff Topic 2: Knowledge and Competency This topic discusses how internal auditors may show that they possess the knowledge and competencies required by the internal audit activity and how organizations and individuals may use competency assessment tools to identify and develop missing competencies. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standard 1210 IIA Global Internal Audit Competency Framework Demonstrating Proficiency https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/about-us/about-ia/Pages/Competency-Framework.aspx According to The IIA Attribute Standard 1210, “Proficiency” Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications. The IIA’s Global Internal Audit Competency Framework defines the core competencies needed to fulfill IPPF requirements for all occupational levels of the internal audit profession. The Competency Framework may be used by internal auditors as a basis of self- assessment. To build and maintain the proficiency of the internal audit activity, the CAE may develop a competency assessment tool or skills assessment based on the Competency Framework or another benchmark. When using a competency tool to identify proficiency gaps in the internal audit activity, the CAE should consider risks related to fraud and IT as well as technology-based audit techniques, as required by Standards 1210.A2 and 1210.A3. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx According to The IIA Implementation Standard 1210.A2 (Assurance Engagements) Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. According to The IIA Implementation Standard 1210.A3 (Assurance Engagements) Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is technology auditing. Once the CAE has identified gaps in the internal audit activity’s collective proficiency, he or she may also use the Competency Framework to develop plans for filling coverage gaps through hiring, training, outsourcing, and other methods, as described by Standard 1210.A1. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx According to The IIA Implementation Standard 1210.A1 (Assurance Engagements) The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or othercompetencies needed to perform all or part of the engagement. The CAE can encourage professional development of internal auditors through: On-the-job training. Attendance at professional conferences and seminars. Encouraging the pursuit of professional certifications. The proficiency and experience of internal auditors help determine the extent of supervision required for specific audit engagements, as described by Standard 2340. When consulting engagements are being considered and the available internal auditors do not have the required proficiencies, the CAE must decline the engagement or pursue other options, as described in Standard 1210.C1. According to The IIA Implementation Standard 1210.C1 (Consulting Engagements) The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx Conformance with Standard 1210 may be evidenced through different means for individual internal auditors, the CAE, and the internal audit activity as a whole. Individual internal auditors may demonstrate conformance by: Resume or curriculum vitae. Records of certifications and continuing professional development. The CAE may demonstrate conformance through: The use of a competency assessment tool. The development of: Internal audit policies. Internal audit procedures. Training materials. Conformance for the internal audit activity as a whole may be demonstrated by: An internal audit plan that includes an analysis of resource requirements. An inventory of available audit staff skills or individual profiles listing qualifications. An assurance map with a list of qualifications of service providers on which the internal audit activity relies. Documented results of internal assessments. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Technical and Soft Skills Technical skills are the hard skills needed to perform the duties of an internal auditor. Some examples of technical skills that may be useful to the internal audit activity are: Accounting. Risk management assurance. Information technology. Data mining and analytics. Negotiation. Change facilitation capabilities. Business/process knowledge. Personal (soft) skills can affect how the recommendations that arise from the applications of technical skills impact the recipients of assurance and advisory services. Some examples of soft skills that may be useful to the internal audit activity are: Written communication. Oral communication. Analytical skills. Critical thinking. Persuasion and collaboration. Topic 3: Due Professional Care This topic discusses the required due professional care that internal auditors must exercise, including how following the IPPF’s systematic and disciplined approach can help auditors apply due professional care. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standard 1220 Practice Guide, “Measuring Internal Audit Effectiveness and Efficiency” IIA Global Internal Audit Competency Framework Demonstrating Due Professional Care According to The IIA Attribute Standard 1220, “Due Professional Care” Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility. Obtaining appropriate education, experience, certifications, and training helps internal auditors develop the level of skill and expertise required to perform their duties with due professional care. Additionally, individual auditors should understand and apply the https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Measuring-Internal-Audit-Effectiveness-and-Efficiency-Practice-Guide.aspx https://na.theiia.org/about-us/about-ia/Pages/Competency-Framework.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Mandatory Guidance of the IPPF and may find it helpful to become familiar with the core competencies described in the IIA’s Global Internal Audit Competency Framework. Conformance with the IIA’s Code of Ethics is required, and conformance with the organization’s code of conduct and other codes of conduct may also apply. At the engagement level, due professional care involves comprehending: The objectives of the engagement. The scope of the engagement. The competencies required to execute the audit work. Knowledge of any policies and procedures specific to the internal audit activity and the organization. By following the systematic and disciplined approach of the IPPF and the internal audit activity’s policies and procedures, internal auditors essentially apply due professional care. However, what constitutes due professional care partially depends on the complexities of the engagement. Key Point Internal auditors are not expected to be infallible and are not expected to give absolute assurance that noncompliance or irregularities do not exist. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Implementation Standard 1220.A1, shown elsewhere, and Implementation Standards 1220.A2, 1220.A3, and 1220.C1, shown below, describe some of the elements that internal auditors must consider in exercising due professional care. According to The IIA Implementation Standard 1220.A2 (Assurance Engagements) In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques. According to The IIA Implementation Standard 1220.A3 (Assurance Engagements) Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx According to The IIA Implementation Standard 1220.C1 (Consulting Engagements) Internal auditors must exercise due professional care during a consulting engagement by considering the: Needs and expectations of clients, including the nature, timing, and communication of engagement results. Relative complexity and extent of work needed to achieve the engagement’s objectives. Cost of the consulting engagement in relation to potential benefits. The CAE assumes overall responsibility for ensuring that due professional care is applied throughout the internal audit activity. The CAE typically develops measurement tools, metrics, and a process to assess the performance of individual internal auditors and the internal audit activity as whole. Conformance with Standard 1220 may be reflected in engagement plans, work programs, and workpapers as well as through performance reviews, post-engagement staff meetings, and feedback from audit clients. Topic 4: Continuing Professional Development https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx This topic discusses the crucial task of continuing professional development and how it helps individual auditors demonstrate competency while enhancing the capabilities of the internal audit activity as a whole. According to The IIA In addition to reviewing the contentsof this topic, students can review the following IIA materials: Implementation Guidance for Standard 1230 Continuing Professional Development and Competency According to The IIA Attribute Standard 1230, “Continuing Professional Development” Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development. The internal auditor is ultimately responsible for conforming with Standard 1230. Internal auditors may want to reflect on: Their job requirements. Training policies. Professional education requirements of their profession, organization, or industry. Any certifications or areas of specialization. https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Feedback from recent performance reviews. Assessment results regarding conformance with the Mandatory Guidance of the IPPF. Results of self-assessments. Internal auditors may use a self-assessment tool as the basis for creating a professional development plan. The plan is typically discussed with the CAE and may be used as the basis for the creation of key performance indicators to be used in supervisory reviews, client surveys, and annual performance reviews. The plan may encompass: On-the-job training. Coaching. Mentoring. Other internal and external training. Volunteering. Certification opportunities. Continuing professional development may lead to additional professional competencies that could enhance internal audit work in specific areas. Opportunities to pursue professional development include participating in: Conferences. Seminars. Training programs. Online courses and webinars. Self-study programs. Classroom courses. Conducting research projects. Volunteering with professional organizations. Pursuing professional certifications, such as the CIA. If internal audit client surveys reveal a concern regarding internal auditors’ business acumen, the CAE may establish a training and development policy to support continuing professional development. The policy may specify a minimum number of hours of training for each auditor. To ensure that their internal audit knowledge stays current, internal auditors may seek guidance from the IIA. Internal auditors may demonstrate conformance with Standard 1230 by retaining documentation or evidence of any of the following: Self-assessments against a competency framework or benchmark Professional development and training plans Memberships and participation in professional organizations Subscriptions to sources of professional information Completed training https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Section D: Quality Assurance and Improvement Program This section is designed to help you: Describe the required elements of a quality assurance and improvement program (QAIP), including both internal and external assessments. Describe the requirement of reporting the results of the QAIP to the board or other governing body. Identify appropriate disclosure of conformance versus nonconformance with The IIA’s International Standards for the Professional Practice of Internal Auditing. According to The IIA The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members. Attribute Standards: www.theiia.org/Attribute-standards Performance Standards: www.theiia.org/Performance- standards Standards and Guidance: www.theiia.org/Guidance Position Papers: www.theiia.org/Position-papers Implementation Guidance: www.theiia.org/Practiceadvisories Practice Guides and GTAGs: www.theiia.org/Practiceguides https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx https://na.theiia.org/about-us/about-ia/Pages/Position-Papers.aspx https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx The topics in this section address the mandatory requirement for the internal audit activity to develop and periodically perform the processes in a quality assurance and improvement program. Details covered include the required elements of these programs, including internal and external assessments, the reporting requirements, and how to disclose conformance versus nonconformance with the Code of Ethics or Standards. Topic 1: QAIP Required Elements This topic discusses the importance of quality in the internal audit activity and how quality can be delivered using a quality assurance and improvement program (QAIP) as mandated by Standard 1300. Internal assessments (including ongoing monitoring and periodic self- assessments) and external assessments are described as well as how to establish a QAIP and how such a program and other tools can be used to help measure internal audit activity effectiveness and efficiency. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for 1300 series Practice Guide, “Quality Assurance and Improvement Program” Practice Guide, “Measuring Internal Audit Effectiveness and Efficiency” Quality and the QAIP According to The IIA Attribute Standard 1300, “Quality Assurance and Improvement Program” The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. Organizations undergo refinement, and internal processes change and evolve. As an organization changes, auditing services must keep pace. To ensure its consistent relevance and quality, the internal audit activity is required to have a quality assurance and improvement program (QAIP) in place. https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Quality-Assurance-and-Improvement-Program-Practice-Guide.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Measuring-Internal-Audit-Effectiveness-and-Efficiency-Practice-Guide.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Key Point The mandatory scope of a QAIP is limited to the mandatory elements of the IPPF. This includes the Standards, the Code of Ethics, the Core Principles for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. Assessors can evaluate against recommended guidance (implementation guidance and supplemental guidance) or make additional improvement recommendations, but these are not mandatory. Let’s break down the interpretation (shown in italics) and implementation guidance or other IIA guidance (the sub-bullets) for Standard 1300: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. (The term “conformance to the IPPF” is used in the rest of this topic to refer to conformance to these and other mandatory elements of the IPPF.) A well-developed QAIP helps embed the concept of quality in the internal audit activity and operations. Following a general methodology helps ensure quality and conformance to the IPPF. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspxhttps://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx It is crucial that the CAE regularly reviews the IPPF and is aware of any changes that may need to be communicated throughout the internal audit activity. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The QAIP needs to be periodically evaluated and updated to ensure that it adds value. A QAIP is a key way to measure the effectiveness and efficiency of the internal audit activity. The chief audit executive should encourage board oversight in the quality assurance and improvement program. Quality What is quality? Quality is the degree to which a product, service, or process meets the customer’s expectations—the degree to which it is fit for purpose. Rather than being an absolute, quality is relative. Quality does not just happen. It is the combination of the right people, the right systems, and a commitment to excellence. Quality is driven by the leaders of the organization, but it is implemented by everyone at the organization. A formal, structured approach is required to ensure quality. Quality in internal audit is an obligation to meet customer expectations and to meet professional responsibilities by conforming to the IIA’s Standards and Code of Ethics. Internal audit quality includes operating with proficiency and due professional care, undertaking continuing professional development, and conforming to a set of recognized standards. Quality can be assured by implementing a quality assurance program and adhering to its requirements on an ongoing basis. Anderson et al. in Internal Auditing define quality assurance as “the process of assuring that an internal audit function operates according to a set of standards defining the specific elements that must be present to ensure that the findings of the internal audit function are legitimate.” A QAIP ensures that quality is built in to, rather than on to, internal audit operations. After all, “demonstrates quality and continuous improvement” is one of the Core Principles for the Professional Practice of Internal Auditing. Note that “conformance” in regard to the Standards is a technical term from the quality management discipline that implies a principles- based approach. It is not about complying with the letter of the standard (i.e., it is not rules-based). Someone who is in conformance is expected to achieve the spirit of the standard. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx Continuous Improvement Continuous improvement is an ongoing, cyclical process of regularly evaluating and working to improve a product, service, or process, either by a series of incremental improvements or by larger initiatives that may result in breakthrough improvements. A common way to establish continuous improvement in a QAIP is to use a planned, methodological structure such as the Deming cycle, also called the Plan, Do, Check, Act model, as shown in Exhibit 1-15. Exhibit 1-15: Deming Cycle (Plan, Do, Check, Act) As quality guru W. Edwards Deming said, “It is not enough to do your best. You must know what to do, and then do your best.” Using a sound measurement and feedback loop provides information on what the internal audit activity or internal auditor needs to do to continually improve. Embedding continuous improvement into internal audit operations requires: Setting up a performance measurement framework. Regularly reporting on quality metrics and deviations from targets so that corrective actions can be planned and implemented as needed. Periodically reviewing quality criteria themselves for continued validity. Continuous improvement is necessary regardless of whether the internal audit activity is new or established. It is a continuing journey that can add value regardless of internal audit complexity level. QAIP A QAIP is an ongoing and periodic assessment of all assurance and consulting work performed by the internal audit activity. These ongoing and periodic assessments are composed of: Rigorous, comprehensive processes. Continuous supervision and testing of internal audit assurance and consulting work. Periodic evaluations of conformance to the IPPF. Ongoing measurements and analyses, assessments, and implementation of improvements. QAIP evaluation areas can be at the internal audit activity level and the internal audit engagement level. The following things need to be evaluated (some of which are at the internal audit activity level only): Conformance to the IPPF Adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures Completeness of coverage of the entire audit universe Internal audit activity’s contribution to the organization’s governance, risk management, and control (GRC) processes Internal audit activity compliance with applicable laws, regulations, and government or industry standards Internal audit operational risks Effectiveness of continuous improvement activities and adoption of best practices Whether the internal audit activity adds value, improves the organization’s operations, and contributes to the attainment of objectives To implement Standard 1300, the CAE must consider requirements related to its five essential components: Internal assessments External assessments Communication of QAIP results Proper use of a conformance statement https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Disclosure of nonconformance Note that Standard 1310 requires both internal and external assessments. According to The IIA Attribute Standard 1310, “Requirements of the Quality Assurance and Improvement Program” The quality assurance and improvement program must include both internal and external assessments. In preparing to do internal assessments or arranging for external assessments, the CAE is responsible for: Gaining awareness of prior results from both internal and external assessments. Implementing any action plans that come out of internal or external assessments. General considerations for the scope of internal and external assessments include: Ensuring that the scope falls within the responsibilities of the CAE and the internal audit activity as documented in the internal audit charter. Considering the expectations of senior management, the internal audit activity, and other stakeholders. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Assessing internal audit practices against the Standards and any internal audit–related regulatory requirements. Establishing a QAIP Program Exhibit 1-16 shows the QAIP framework adapted from the IIA’s “Quality Assurance and Improvement Program” Practice Guide. Exhibit 1-16: QAIP Framework While CAEs may develop whatever framework works for their internal audit activity, this framework builds quality into the activity by explicitly addressing internal audit governance, professional practice, and communication programs. Exhibit 1-17 expands upon these programs. Exhibit 1-17: Program-Based QAIP Structure https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Quality-Assurance-and-Improvement-Program-Practice-Guide.aspx Governance Professional Practice Communication Internal audit charter IPPF Legislation Independence and objectivity Risk management Resourcing Rules and responsibilitiesRisk-based audit planning Other assurance providers Audit engagement planning Performing the engagement Proficiency and due professional care Quality assurance Communicating results Follow-up Stakeholder communications For each of the program elements listed in Exhibit 1-17: 1. An objective is defined. 2. Criteria are identified for each objective. (Their number may vary by objective.) 3. A quality assurance process (methodology) is developed for each criterion. 4. An assessment is made per the quality assurance process. 5. Results are captured back into the continuous improvement cycle and reported to stakeholders. The right side of Exhibit 1-16 shows the components of the QAIP program. These processes provide quality assurance over the entire internal audit activity and result in findings, observations, and recommendations as well as reporting and follow-up steps. The arrows around the right and top of the diagram show how internal audit processes and the QAIP program are reviewed to keep them current and continually improved for efficiency and effectiveness. QAIP Internal Assessments (Standard 1311) According to The IIA Attribute Standard 1311, “Internal Assessments” Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity. Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices. Note that part of the interpretation of Standard 1311 indicates that sufficient knowledge requires at least an understanding of all elements of the International Professional Practices Framework. Internal assessments in a QAIP program address both the internal audit activity as a whole and the internal audit engagement level. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx At the internal audit activity or organization-wide level, the CAE provides assurance that: Policies and procedures are formally documented and are in conformance with the IPPF, and audit work conforms to these policies and procedures. Audit work achieves the general purposes and responsibilities described in the internal audit charter. Audit work is performed per quality standards and has adequate supervision. Audit work conforms to the IPPF or at least correctly reflects the internal audit activity’s statement of conformance (e.g., partially conforms). Internal audit work meets stakeholder expectations. The internal audit activity adds value and improves the organization's operations. Resources for the internal audit activity are used efficiently and effectively. Appropriate mechanisms are established and used to follow up on management actions in response to audit recommendations. Post-engagement client surveys, lessons learned, self- assessments, and other continuous improvements are done. At the internal audit engagement level, the engagement supervisor provides assurance that: Appropriate processes have been used to translate audit plans into specific, appropriately resourced audit engagements. Planning, fieldwork, conduct, and reporting/communicating results demonstrate conformance to the IPPF. For any internal assessment, where appropriate, the assessor(s) provide recommendations for improvement, corrective action plans, and progress against completion. Ongoing Monitoring According to Standard 1311’s interpretation, ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is part of routine policies, practices, processes, tools, and information necessary for evaluating conformance to the IPPF. The focus of ongoing monitoring is at the engagement level. It is achieved through continuous activities conducted on an engagement-by-engagement basis, including engagement supervision, standardized work practices, workpaper procedures and sign-offs, report reviews, assessments of areas of weakness, and any related action plans developed to address those weaknesses. CAEs may review innovations and best practices to develop a number of ongoing monitoring tools for team use, including: Pre-fieldwork audit engagement readiness assessments, including a pre-approved audit scope, clear staff assignments, and budgeted staff hours. Templates to ensure consistency between engagements. Checklists or other automation tools for compliance areas. Key performance indicators (KPIs) such as number of auditors, years of experience, professional development hours, engagement timeliness, and stakeholder satisfaction. Tools to promote efficiency and effectiveness, including budgets, timekeeping systems, audit plan completion status, and monitoring and controlling using variance data. Processes to collect and analyze feedback from internal audit clients and stakeholders regarding the efficiency and effectiveness of internal audit teams. Ongoing monitoring requires adequate supervision in all phases of the engagement, including during the planning, performance, and communication phases. The audit supervisor sets clear expectations during planning and promotes ongoing communications during performance with the supervisor and among team members. The responsible supervising individual follows best practices for workpaper review procedures, including timely sign-off. Exhibit 1-18 shows an example of how ongoing monitoring can use the Deming cycle (the Plan, Do, Check, Act model), introduced earlier in the topic, to continually improve ongoing monitoring processes. (Note that the bullets are not a comprehensive list.) Exhibit 1-18: Deming Cycle (PDCA) Applied to Ongoing Monitoring Source: Quality Assessment Manual for the Internal Audit Activity. © 2017, IIA Foundation. Consistent processes are needed for gathering, summarizing, and analyzing measurement data. Responsibility for measuring and validating data should be established as for any other audit engagement. A continuous improvement framework for ongoing monitoring like the one in Exhibit 1-18 helps the internal audit activity get to this desired level of consistency and quality. Periodic Self-Assessments Periodic-self-assessments as part of a QAIP are conducted to evaluate conformance to the IPPF, according to the interpretation of Standard 1311. These self-assessments are also the basis for self- assessments with independent validation (SAIVs), as is discussed later. The scope of a periodic self-assessment includes evaluating the: Quality and supervision of work performed. Adequacy and appropriateness of internal audit policies and procedures. Ways in which the internal audit activity adds value. Achievement of KPIs. Degree to which stakeholder expectations are met. The focus of a periodic self-assessment needs to be on a holistic, comprehensive review of the Standards, the Code of Ethics, and the internal audit activity. A holistic view also includes a focus on the quality of audit work and adherence to internal audit methodology, identifying and implementing improvements, and monitoring and controlling the activity’s efficiency and effectiveness. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx A periodic self-assessment is typically led by a senior member of the internal audit activity who has extensive experience with the IPPF and is a Certified Internal Auditor (CIA). Self-assessments can include persons who are on the internal audit team or who are assigned elsewhere. This type of assessment is a good IPPF training tool for internal audit staff. The self-assessment can also be done by a dedicated quality assurance team given sufficient knowledge of the IPPF and internal audit practices. Exhibit 1-19 shows elements that could be included in a periodic self- assessment process, including someoptional components. Exhibit 1-19: Self-Assessment Process Frequency of Internal Assessments Key Point Internal assessments need to be performed once every five years at a minimum. However, a best practice (not mandatory) for successful internal audit practice is for periodic self-assessments to be performed at least annually, especially if the IPPF changes or there are significant organizational changes. Larger organizations may conduct periodic internal assessments annually, while smaller or less mature internal audit activities may perform them less frequently (e.g., every two years). Periodic internal assessments can be over a multi-year period, with each period’s results reported separately. QAIP External Assessments (Standard 1312) According to The IIA Attribute Standard 1312,“External Assessments” External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board: The form and frequency of external assessment. The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx The form of an external quality assessment (EQA), also called just an external assessment, can be one of two types: Full external assessment Self-assessment with independent external validation (SAIV) Both types require involvement of a qualified, independent assessor or team from outside the organization. In the former type, assessor(s) do the assessment and provide an opinion. In the latter type, the assessor(s) validate the internal audit activity’s periodic self- assessment. Full External Assessment Exhibit 1-20 reviews the scope of a full external assessment and methods often used to evaluate each component. The only mandatory element of a full external assessment is the first component listed. Exhibit 1-20: Full External Assessment Scope and Methods of Assessment Component Method of Assessment Level of conformance with mandatory elements of IPPF Review internal audit activity’s charter, plans, policies, procedures, and practices for conformance with the Standards and Code of Ethics, and if applicable, legislative and regulatory requirement compliance. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Component Method of Assessment Efficiency and effectiveness of internal audit activity Assess internal audit activity’s processes and infrastructure, including the QAIP. Evaluate internal audit staff’s knowledge, experience, and expertise. Expectations and value Interview the board, senior management, and operations management. Self-Assessment with Independent External Validation (SAIV) The internal audit activity typically conducts a self-assessment and then submits the work for validation by an independent external assessor. The scope of an SAIV usually includes a comprehensive and fully documented process that emulates the full external assessment process. The process must include an evaluation of the internal audit activity’s conformance to the IPPF. The qualified, independent external assessor must conduct the validation on site. The external assessor verifies that the evidence from the self- assessment is adequate to support conformance with the Standards, thus providing independent assurance without bias. Because the external assessor is not mapping out the full assessment and finding evidence for each element, this may free up additional scope for a limited amount of attention given to: Benchmarking. Review, consultation, and employment of leading practices. Interviews with senior and operations management. Comparison of Full External Assessment and SAIV Key differences between full external assessments and SAIVs include the following. The direct cost will be lower for an SAIV than for a full external assessment. SAIVs may be able to be linked more closely to ongoing monitoring, which can be leveraged to further reduce costs. SAIVs enable full external assessments to be less frequent. SAIVs provide an opportunity for staff development but require more intensive internal resource commitments than full external assessments. Internal portions of the SAIV are not independent and objective. SAIVs may give the external person(s) doing the independent validation less opportunity to do a comprehensive overview of the internal audit activity than full external assessments. Occurrence, Frequency, and Type of External Assessments Key Point External assessments are an area of conformance to the IPPF that is not under the direct control of the CAE and the internal audit activity. The board and management need to approve a budget for this type of assessment. This is significant because if the organization decides not to invest in an external assessment, the internal audit activity will not be able to indicate that it conforms to the IPPF. The CAE must discuss the frequency and type of external assessments with senior management and the board. Difficulty getting senior management and the board to approve external assessments can arise in any organization. The CAE works to sell the benefits of these programs to the board and management, such as by highlighting the ability to improve the internal audit activity and add organizational value. Agreeing to set the frequency and type of external assessments so as to stay within budget constraints can also help. In addition to cost, the CAE considers the following. Small internal audit activities that have recently undergone a full external assessment may find an SAIV useful. Frequency may need to account for the size and maturity of the internal audit activity, with smaller or less mature activities leaning toward the minimum frequency of once every five years. The CAE may discuss increasing the frequency given: Changes in CAE or management leadership. Significant changes in internal audit policies or procedures. Mergers of two or more internal audit activities into a single unit. Significant staff turnover. Industry-specific or environmental issues. Independent Assessor/Team Qualifications and Competence The CAE must discuss with the board the qualifications of external assessor(s). Preferred qualifications for external assessors include that they: Are CIAs with knowledge of leading internal audit practices. Have sufficient and recent management-level experience. Have experience with external assessments. Have completed The IIA’s quality assessment training course. Have CAE experience. Possess relevant technical and/or industry expertise. While the team overall needs to have a full set of competencies, there is no need to require each individual to have all required skills. For example, only the team leader may need to be an experienced and professional project team leader. Also, if team size permits, specialists in risk management can provide assistance. In addition to discussing with the board the necessary qualifications of external assessor(s), the interpretation to Standard 1312 indicates that the CAE uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified. Competence is assessed in two areas: Professional practice of internal auditing External assessment process This competence can be a mix of theory and experience, but the relevance of that experience matters. Experience with organizations of similar size, complexity, or industry carries more weight than with dissimilar organizations, as does experience with similar technical issues. Independent Assessor/Team Independence and Objectivity The CAE must discuss with the board the independence of the external assessor(s), including any potential conflict of interest. The CAE encourages board oversightin these areas. Prerequisites for these assessments include that the CAE understands: The organization’s procurement policies. Independence requirements. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Situations that may impair independence or objectivity or create a conflict of interest. Independence, objectivity, and lack of a conflict of interest require not being a part of or under the control of the organization to which the internal audit activity belongs. Assessors should have neither an actual nor a perceived conflict of interest. Potential impairments include a past, present, or future relationship with the organization, its personnel, or its internal audit activity. This could include external audits of financial statements, assistance to the internal audit activity, personal relationships, or consulting. Assessor(s) who would not be considered independent include: Individuals from another department at the organization or from a parent, affiliate, or other related organization. Public sector auditors who report to the same CAE even if they work for different entities. Assessor(s) operating reciprocal peer assessments between two organizations. A reciprocal peer assessment is a teaming arrangement in which the internal audit activity for one organization agrees to perform the full external assessment or validation for an SAIV for another organization in exchange for that organization providing a similar service. When such arrangements are bilateral, this is not considered independent. However, a round robin of three or more organizations can create independence, as shown in Exhibit 1-21. Exhibit 1-21: Reciprocal Peer Assessment Teaming of Three or More Organizations Demonstrating QAIP Conformance to Standards 1300, 1310, 1311, and 1312 Demonstrating conformance to Standards 1300, 1310, 1311, and 1312 includes use of relevant board presentations and minutes or documentation of improvement actions taken. In addition, conformance to individual standards includes (but is not limited to) the following types of documentation or evidence: Standard 1300: QAIP documents and internal and external assessment results Standard 1310: Documentation related to Standards 1311 and 1312, benchmarking reports, and requests for services Standard 1311: Evidence of ongoing monitoring activities (KPI and workpaper reviews), documentation of completed self- assessments, QAIP results (e.g., action plans), completed checklists, survey results, and internal audit efficiency and effectiveness KPIs (e.g., budget to actual engagement hours) Standard 1312: External assessor’s report, including degree of conformance, recommendations, benchmarking reports, and requests for services (e.g., due diligence documentation from vetting external assessors) Internal Audit Effectiveness and Efficiency Organizations that use internal auditing effectively are better able to identify business risks and process and system inefficiencies, take appropriate corrective action, and ultimately support continuous improvement. To maintain and enhance the internal audit activity’s credibility, however, its effectiveness and efficiency should be monitored. Measuring the effectiveness and efficiency of the internal audit activity or of individual assurance and consulting engagements involves measuring the quality of and the degree to which internal audit objectives are achieved. Effectiveness involves aligning with objectives or doing the right things; efficiency involves avoiding unnecessary work or doing the things right. Exhibit 1-22 shows an internal audit activity effectiveness and efficiency performance measurement process from The IIA’s Practice Guide “Measuring Internal Audit Effectiveness and Efficiency.” Exhibit 1-22: Internal Audit Efficiency and Effectiveness Measurement Process 1. Define internal audit effectiveness. Review relevant IPPF guidance, including the Standards. Review the strategic plans of the internal audit activity and organization. Review the board, audit committee, and internal audit activity charters. Assess basic, expected, and targeted/preferred internal audit activity deliverables. Formulate an initial definition of internal audit effectiveness and efficiency. Define agreement from key stakeholders of the definition of effectiveness and efficiency. 2. Identify key internal and external stakeholders. Determine key internal and external stakeholders for the activity and organization. Determine who directly or indirectly relies upon the internal audit activity’s work. Determine who benefits, directly or indirectly, from the internal audit activity’s work. Consider who supports the internal audit activity. 3. Develop measurements of internal audit https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Measuring-Internal-Audit-Effectiveness-and-Efficiency-Practice-Guide.aspx effectiveness. Understand key stakeholders’ expectations of the internal audit activity. Understand what internal audit attributes, deliverables, and capabilities key stakeholders value and related shortcomings or advancements in these areas. Develop measurement tools such as a balanced scorecard to document relevant attributes of effectiveness and efficiency and related performance against these. Agree upon effectiveness and efficiency metrics with key stakeholders. 4. Monitor and report results. Establish an agreed-upon format and frequency for reporting that considers the organization’s size, nature, and governance structure. Establish a periodic review of such monitoring and reporting to ensure relevance, efficiency, and effectiveness. Use the results of reporting to shape and guide internal audit activities. Align internal audit activities to the defined measures of internal audit effectiveness and efficiency. Here are some examples of KPIs for measuring internal audit activity effectiveness and efficiency: Level of contribution to the improvement of governance, risk management, and control processes Achievement of key goals and objectives Evaluation of progress against audit activity plan Improvement in staff productivity Increase in efficiency of the audit process Increase in number of action plans for process improvements Adequacy of engagement planning and supervision Effectiveness in meeting stakeholders’ needs Results of quality assurance assessments and internal audit activity’s quality improvement programs Effectiveness in conducting the audit Clarity of communications with the audit client (i.e., the “auditee”) and the board Balanced Scorecard Approach A balanced scorecard approach can be used to develop specific KPIs. A balanced scorecard examines performance from four different perspectives: financial, customer satisfaction, business processes required to accomplish the activity’s mission, and learning and growth to ensure continuous improvement. Exhibit 1-23 lists sample KPIs from these perspectives and Exhibit 1-24 shows how the perspectives themselves can be customized. Both are just illustrative examples. The center of each graphic lists examples of sources for internal audit activity objectives and criteria. The KPIs need to trace back to and align with these objectives. Exhibit 1-23: Aligning KPIs to Stakeholder Expectations with Balanced Scorecard Exhibit 1-24: QAIP Performance Measurements in Custom Balanced Scorecard Source: Adapted from A Balanced Scorecard Framework for Internal Auditing Departments by Mark L. Frigo. Topic 2: Reporting QAIP Results This topic discusses the mandate for the CAE to report QAIP results to senior management and the board. The topic also discusses assessment scales showing degree of conformance. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standard 1320 Practice Guide, “Quality Assurance and ImprovementProgram” Communicating QAIP Results According to The IIA Attribute Standard 1320, “Reporting on the Quality Assurance and Improvement Program” The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. Disclosure should include: The scope and frequency of both the internal and external assessments. The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest. Conclusions of assessors. Corrective action plans. Let’s break down this standard’s interpretation (shown in italics) and implementation guidance or other IIA guidance (the sub-bullets): The form, content, and frequency of communicating the results of the quality assurance and improvement program is established https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Quality-Assurance-and-Improvement-Program-Practice-Guide.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx through discussions with senior management and the board. Typically, the CAE meets regularly with senior management and the board to understand and agree upon the expectations for communications. The CAE reviews the internal audit charter and policies and procedures manual for QAIP responsibilities prior to these discussions. The CAE needs to be aware of all internal assessments and any completed external assessments. The results of external and periodic internal assessments are communicated upon completion..., and the results of ongoing monitoring are communicated at least annually. To determine the frequency of reporting the results of ongoing monitoring, survey key stakeholders to determine their needs and expectations (which also helps define the criteria upon which the internal audit activity should be measured). Note that the CAE is responsible for communicating the results of the entire QAIP program. Demonstrating conformance with Standard 1320 can take the form of relevant board meeting and senior management meeting minutes. As part of reporting to the board the results of periodic internal assessments, the CAE typically confirms that internal assessor(s) https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx have “sufficient knowledge” of internal audit practices per Standard 1311. After the board and senior management have received the results of an external assessment, the CAE typically confirms qualifications and independence of the external assessor or external assessment team per Standard 1312. Any actual, potential, or perceived conflicts of interest should be reported to senior management and the board. Conclusions of Assessors Internal and external QAIP assessment reports include an evaluation of the internal audit activity’s overall degree of conformance with the Standards and the Code of Ethics, but such reports can also include an assessment for each standard or standard series. For internal assessments, to reinforce the independence and objectivity of the internal assessment team, the team and the CAE should agree on the reporting medium and format at the start of the assessment. The CAE may share the results of internal assessments, necessary action plans, and their successful implementation with senior management and the board. Providers of QAIP external assessments express an opinion on the entire spectrum of the assurance and consulting work the internal audit activity has or should have performed. Any type of external https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx assessment must conclude as to conformance with the IPPF. The degree of conformance, as addressed below, is part of the assessment. Optionally, the assessor may also provide operational or strategic comments, such as how management can be improved or how the internal audit activity can add more value to the organization. For external assessments, a draft report is prepared either before or after the closing conference. External team members may provide comments for potential inclusion by the full external assessment team leader. After this, the draft is sent to the CAE, who is asked to respond to the recommendations and provide an action plan to address deficiencies or opportunities. The CAE may also make comments on observations and recommendations. The final report, plus CAE comments or action plans, is typically addressed to the CAE with the expectation that copies will be distributed to: The board (typically its audit committee). This is mandatory. Senior management to whom the CAE reports. Any parties who initiated the full external assessment. In contrast, the conclusions of an SAIV are reported to the CAE, who reports to the board. Assessment Scales As interpretation to Standard 1320 states, the results include the assessor’s or assessment team’s evaluation with respect to the https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx degree of conformance. While a QAIP report should include a rating scale to assess the degree of conformance to the Standards, there is no requirement to use a particular scale or model. Exhibit 1-25 compares two assessment scales from The IIA, the left one from the Quality Assessment Manual for the Internal Audit Activity and the right one from “The Path to Quality—Maturity Model for Implementing a QA&IP.” Exhibit 1-25: Comparison of Two Conformance Assessment Scales Since the exhibit provides some guidance regarding what each level means in the “Path to Quality” scale, let’s do the same for the Quality Assessment Manual scale: Generally conforms. This is the top rating in the scale. The internal audit activity has a charter and policies that align to it. The activity’s processes, execution, and results are judged to be in conformance with the Standards and elements of the Code of Ethics in all material aspects. This includes general conformity with the majority of individual standards within the sections (Attribute and Performance) and categories (e.g., 1000s). Individual standards tested also demonstrate conformity. Opportunities for improvement may be identified, but none are in areas related to the acceptable implementation or application of the Standards or the Code of Ethics. Partially conforms. There are deficiencies in internal audit activity practice that are judged to deviate from the Standards or the Code of Ethics, but the activity can still perform its responsibilities. The internal audit activity is making good-faith efforts at conformance but falls short of achieving some major objectives. There are significant areas for improvement related to mandatory IPPF conformance or achieving objectives. Some deficiencies may be beyond the control of the internal audit activity, and these may https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx result in recommendations to senior management or the board that they address these issues. Does not conform. The internal audit activity is not aware of, or is not making good-faith efforts to conform with, or is failing to achieve the objectives of the Standards and/or the Code of Ethics. Deficiencies in practice are judged to be so significant that they seriously impair or preclude the activity from performing adequately in all or in significant areas of its responsibilities. Corrective Action Plans It is the CAE’s responsibility to respond to recommendations from internal and external assessments and provide action plans for remediation. Corrective action plans address areasof nonconformance with the Standards and other opportunities for improvement. The CAE should document in writing a response/action plan and implementation timetable for each recommendation from the final written report. The CAE may consider adding recommendations from external assessments and any related action plans to the internal audit activity’s existing monitoring processes to ensure that improvements become part of ongoing operations. The CAE should communicate to senior management and the board any corrective action plans, either generally as part of the internal https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx audit activity’s monitoring progress or as part of the next QAIP report. Topic 3: Conformance versus Nonconformance Disclosures This topic discusses when it is appropriate to state that the internal audit activity “conforms with” the Standards versus omitting such a statement due to nonconformance. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standards 1321 and 1322 Practice Guide, “Quality Assurance and Improvement Program” Use of IPPF Conformance Statement https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Quality-Assurance-and-Improvement-Program-Practice-Guide.aspx According to The IIA Attribute Standard 1321, “Use of ‘Conforms with the International Standards for the Professional Practice of Internal Auditing’ ” Indicating that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing is appropriate only if supported by the results of the quality assurance and improvement program. Let’s break down this standard’s interpretation (shown in italics) and implementation guidance or other IIA guidance (the sub-bullets): The internal audit activity conforms with the Code of Ethics and the Standards when it achieves the outcomes described therein. Proper use applies to written or verbal communications. The CAE uses the conformance statement only if he or she understands the QAIP requirements and is familiar with the QAIP results. The CAE understands and periodically discusses the board's expectations regarding use of the conformance statement. All internal audit activities will have the results of internal assessments. If an external assessment has occurred in the past five years but the internal audit activity has not satisfied its internal assessment https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx per the frequency as disclosed to the board, the CAE should consider whether it is still operating in conformance and if it is appropriate to indicate conformance until validated by an internal assessment. Internal audit activities in existence for at least five years will also have the results of external assessments. If the internal audit activity has been in existence for less than five years, use the conformance statement only if a periodic self- assessment supports this conclusion. Do not use the conformance statement if the internal audit activity has been in existence for at least five years but has not completed an external assessment. Do not use the conformance statement if more than five years have passed since the last external assessment. The CAE can continue to use the conformance statement until the next external assessment occurs. However, proper use of a conformance statement requires stopping use if the current internal assessment or the most recent external assessment does not indicate general conformance with the Standards and the Code of Ethics. The internal audit activity cannot resume using the conformance statement until it has remediated the areas of https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx nonconformance and has conducted an external assessment that does show conformance. Key Point Note that the Standards are principles-based. Standards 1321 and 1322 address overall, systemic conformance or nonconformance. In assessing conformance with the Standards, there may be situations where the internal audit activity achieves only partial conformance with one or more standards. In such cases, the activity should consider the overall conformance conclusion when determining its ability to use the conformance statement. Disclosure of Nonconformance According to The IIA Attribute Standard 1322, “Disclosure of Nonconformance” When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board. A disclosure of nonconformance is necessary whenever the CAE makes the conclusions as stated in Standard 1322: Nonconformance not only exists but also impacts the overall scope or operation of the internal audit activity. The CAE also discloses the impact of the https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx nonconformance to senior management and the board. Prerequisites to making these conclusions include the CAE understanding: The mandatory elements of the IPPF. How conformance deviations might affect the overall scope of the internal audit activity. The expectations of the board and senior management regarding reporting nonconformance issues. Nonconformance could be related to impairments of independence and objectivity, insufficient access that impairs audit scope, and so on. The CAE would evaluate the nonconforming area to see if it impacts the overall scope or operation of the internal audit activity. Part of this assessment involves determining the degree to which a nonconformance situation may affect the activity’s ability to fulfill its professional responsibilities and/or the expectations of stakeholders. For example, this could be whether the activity can provide reliable assurance on internal controls over financial reporting (ICFR). Demonstrating conformance with Standard 1322 requires maintaining documentation of the occurrence, nature, and overall impact of any nonconformance with the Standards or the Code of Ethics, including any relevant board meeting minutes, memos, emails, or external assessment results. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Section E: Governance, Risk Management, and Control This section is designed to help you: Describe the concept of organizational governance. Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls. Interpret fundamental concepts of risk and the risk management process. Describe globally accepted risk management frameworks appropriate to the organization, including the COSO enterprise risk management (ERM) framework and ISO 31000, “Risk Management.” Examine the effectiveness of risk management within processes and functions. Recognize the appropriateness of the internal audit activity’s role in the organization’s risk management process. According to The IIA The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members. Attribute Standards: www.theiia.org/Attribute-standards Performance Standards: www.theiia.org/Performance- standards Standards and Guidance: www.theiia.org/Guidance Position Papers: www.theiia.org/Position-papersand recommended guidance. The Mission of Internal Audit, the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (the Standards) comprise the mandatory guidance. Recommended guidance in the IPPF includes Implementation Guidance and Supplemental Guidance. All of the guidance sources listed above will be discussed throughout this product. The IPPF is shown in Exhibit 1-1. https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Exhibit 1-1: International Professional Practices Framework Note that recommended guidance is endorsed by The IIA, but it is not required, and the IIA recommends using independent expert advice for any specific situations that may arise. Mission of Internal Audit Exhibit 1-2: Mission of Internal Audit The Mission of Internal Audit articulates what internal audit aspires to accomplish in an organization. It demonstrates how practitioners should leverage the entire IPPF to facilitate their ability to achieve the Mission. The placement of the Mission within the IPPF is shown in Exhibit 1-2. According to The IIA Mission of Internal Audit To enhance and protect organizational value by providing risk- based and objective assurance, advice, and insight. https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx Key Point The Mission of Internal Audit is deliberately placed in the IPPF, demonstrating how practitioners should leverage the entire framework to facilitate their ability to achieve the Mission. By requiring that the services provided by internal audit be risk-based and objective, the Mission aligns directly with the expectations of stakeholders. Each requirement serves a different function. The risk basis supports the goal to protect organizational value, and objectivity is one of the main strategic success enablers of the internal audit activity. The Mission makes it clear that internal audit must be focused on increasing the organization’s value and that there are three general types of risk-based and objective activities through which internal audit increases and protects this value: Assurance Advice Insight Assurance work makes up the majority of internal audit activities. It is designed to communicate to the main stakeholders that management: Has deployed appropriate activities to achieve its objectives. Is appropriately managing the risks to those objectives. https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx Has agreed to implement required additional risk mitigation and improvement measures. Advice can be provided through advisory engagements, which are often referred to as consulting engagements. These are designed to provide advice and insight to the organization in a proactive, customer-driven approach. Insight can be provided in a variety of formats, which may include but are not limited to: Assurance engagement reports. Advisory engagement reports. Participation on committees and task forces. Personal meetings. Board reporting. Progress reporting. Core Principles Exhibit 1-3: Core Principles for the Professional Practice of Internal Auditing The Principles set out the basic elements that describe internal audit effectiveness with respect to the aspirations expressed in the Mission of Internal Audit. They serve as fundamental propositions that form the basis for the Code of Ethics and the Standards. The placement of the Core Principles within the IPPF is shown in Exhibit 1-3. https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx According to The IIA Core Principles for the Professional Practice of Internal Auditing Demonstrates integrity. Demonstrates competence and due professional care. Is objective and free from undue influence (independent). Aligns with the strategies, objectives, and risks of the organization. Is appropriately positioned and adequately resourced. Demonstrates quality and continuous improvement. Communicates effectively. Provides risk-based assurance. Is insightful, proactive, and future-focused. Promotes organizational improvement. Each Principle may apply to the individual auditor, the audit activity, or both. Though internal audit activities may demonstrate achievement of principles in various ways, each of the Principles must be present and successfully operating for the audit activity to be considered effective. Failure to achieve any one of the Principles suggests that the activity is not as effective as it could be. Consequences of Not Demonstrating Core Principles The consequences that may result from not demonstrating the Core Principles help reinforce the importance of each Principle. For each https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx Principle listed below, an example is given describing a potential negative consequence. Demonstrates integrity. The internal audit activity may lose the trust placed in it and consequently its credibility to provide independent and objective assurance and advice. Demonstrates competence and due professional care. Internal audit risk assessments, the activity’s plan of engagements, and the scope and objectives of engagements may not be sufficient, accurate, or complete. Is objective and free from undue influence (independent). Management and the board are unlikely to trust internal audit observations as accurate and complete. Aligns with the strategies, objectives, and risks of the organization. The internal audit activity risks wasting resources on assessing areas, processes, or issues that do not help the organization manage its key risks and achieve its objectives. Is appropriately positioned and adequately resourced. The results and conclusions of internal audit work may not be treated with sufficient importance to prompt action from management, and independent reporting may be difficult. Demonstrates quality and continuous improvement. Errors may occur in internal audit work, or there may be a perception that the work is not reliable. The internal audit activity may fail to keep up with innovations in technology, methodology, and audit techniques. Communicates effectively. The internal audit activity may be unable to obtain the position, resources, and information it needs to conduct engagements and to effectively express its results, conclusions, and opinions to management and the board. Provides risk-based assurance. Management and the board will not have independent validation that its controls are designed properly and are working as expected to mitigate risks. Is insightful, proactive, and future-focused. The internal audit activity is likely to miss emerging risks, and the value it adds will be limited. Promotes organizational improvement. The value that internal audit adds may be limited, as it may miss opportunities to recommend ways the organization could increase efficiency. Definition of Internal Auditing Exhibit 1-4: Definition of Internal Auditing The Definition of Internal Auditing is mandatory guidance from the IIA and is key to understanding the role and depth of internal auditing. The placement of the Definition within the IPPF is shown in Exhibit 1-Implementation Guidance: www.theiia.org/Practiceadvisories Practice Guides and GTAGs: www.theiia.org/Practiceguides This section addresses the closely interconnected areas of governance, risk management, and control. (Internal control is addressed at a high level only in this Challenge Exam Study Guide.) In addition to discussing each of these areas and how they interrelate, topics also cover how culture impacts the control environment and how to address ethics- and compliance-related issues. Topic 1: Organizational Governance This topic shows how governance fits within governance, risk management, and control (GRC), including an overview of The IIA’s Three Lines Model. Governance and assessing the organization’s https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx https://na.theiia.org/about-us/about-ia/Pages/Position-Papers.aspx https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx governance structure are covered from general governance and IT governance perspectives. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standards 2100 and 2110 Position Paper, “The IIA’s Three Lines Model: An Update of the Three Lines of Defense” Global Technology Audit Guide (GTAG) 17, “Auditing IT Governance” Practice Guide, “Auditing Culture” Governance in GRC Context According to The IIA Performance Standard 2100, “Nature of Work” The internal audit activity must evaluate and contribute to the improvement of the organization's governance, risk management, and control processes using a systematic, disciplined, and risk- based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact. Conforming with Standard 2100 requires a thorough understanding of the concepts of governance, risk management, and control (GRC). https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://global.theiia.org/about/about-internal-auditing/Pages/Position-Papers.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG17.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-Culture.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx This understanding starts by knowing the IPPF definitions of these terms: Governance. “The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.” Risk management. “A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.” Control. “Any action taken by management, the board, or other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.” Key Point Standard 2100 notes that internal auditors must use a “systematic, disciplined, and risk-based approach.” This type of approach is a differentiating attribute for internal auditing and is a key reason the discipline commands respect. Consistency in approach is vital to ensuring that the internal audit activity is delivering the quality required by the Standards. Internal auditors seeking an understanding of GRC concepts should understand all of the GRC-related Standards: 2100, 2110, 2120, and 2130. It is also important to learn about GRC frameworks and best practices and consider how they might need to be tailored to the organization. Developing an understanding of the organization’s objectives, the business, and so on will help guide this evaluation. Relationship between Governance, Risk Management, and Control Governance, risk management, and control are so interconnected that evaluating and improving one area typically improves the other two areas at the same time. For example: Effective governance activities consider risk when setting strategy. Risk management relies on effective governance (e.g., “tone at the top”). https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx Effective governance relies on internal controls and related communication to the board. Exhibit 1-26 shows how GRC can be thought of as existing in layers. Note that the back-and-forth arrows are feedback loops (not one-way information flows). The governance structure surrounds all activities to ensure that the organization’s values are promoted and key stakeholder needs are considered. Risk management highlights key risks to success or key opportunities. Internal control is where the risk management strategies are executed. Exhibit 1-26: Interrelationship of GRC Elements Source: Anderson et al., Internal Auditing: Assurance and Advisory Services, 4th edition. Stakeholder Responsibilities for GRC While the ultimate responsibility for governance is with the board, senior management and other stakeholders also play important roles. Board Responsibilities for GRC Exhibit 1-27 shows how the board of directors functions like an overarching “umbrella” by providing two broad types of governance to the organization: Strategic direction Governance oversight Exhibit 1-27: Governance “Umbrella” As shown at the top of the exhibit, board responsibilities for GRC start with identifying and understanding the needs of the organization’s stakeholders in part because the board has a fiduciary responsibility to certain stakeholders. Stakeholder interests need to be understood before they can be protected. This includes discovering what would constitute an unacceptable outcome for each stakeholder in the areas of strategy, finance, compliance, and operations. The board: Takes the lead role in governance, including providing strategic direction and guidance toward setting business objectives. Provides governance oversight. Establishes a governance committee. Articulates requirements for reporting to the board. Periodically reevaluates governance expectations. Sets the risk appetite and risk tolerance levels. Interacts directly with internal and external assurance providers. Senior Management Responsibilities for GRC The board provides direction to and empowers senior management to execute the organization’s strategy and governance on a day-to-day basis. Senior management (chief executive officer and finance, ethics, risk, compliance, HR, and IT executives) also provide direct leadership over risk management and control processes, but they delegate the specifics to a risk committee and/or specific line managers who become risk owners. To be effective, senior management needs to understand the limits to the scope of their authority and the board’s governance expectations. This can take the form of determining: Who should be the risk owner for key risks, where in the organization to manage specific risks to enable the most efficient and effective responses, and how to manage those risks. When to direct risk owners to have a lower risk tolerance than the general tolerance level (e.g., multiple significant control deficiencies aggregate to an unacceptable level). How to set reporting requirements (nature,format, timing) for risk owners to ensure sufficient information for senior management’s reporting requirements to the board. How to refine GRC expectations given business changes, changes in risk tolerance levels, and feedback on GRC effectiveness. Responsibilities of Other Stakeholders for GRC A number of other stakeholders are directly or indirectly involved in GRC. Direct involvement starts with line management, especially managers designated as risk owners. Risk owners have responsibilities such as: Evaluating risk management design against risk tolerance. Assessing risk management capabilities, maturity, and operations. Monitoring risks on a daily basis. Providing accurate and timely information and recommendations to senior management and the board. Others directly involved in GRC include members of the supply chain: suppliers, employees, and customers. These stakeholders take an active role in the business and would be impacted by business disruptions. Employees need a livelihood. Customer and supplier obligations need to be fulfilled. Owners, shareholders, and investors are not directly involved in the organization’s business, but they have a strong interest in the organization’s success. Shareholders can strongly influence the board and help determine who is on the board. Regulatory agencies, creditors, and other outside parties may have an interest in the organization and may have influence. Regulatory agencies are responsible for establishing the regulations. Creditors protect their capital by setting stipulations (covenants). Internal Audit’s Role in GRC Internal auditors also play an indirect (assurance and consulting) role in GRC. The CAE may document in the internal audit charter the internal audit activity’s independence by affirming that senior management and the board are responsible and accountable for GRC. The CAE works to understand the business and key organizational roles related to GRC. This can include using GRC frameworks as a guide (especially if adopted by senior management), reviewing board and committee charters and meeting minutes, and reviewing the organization’s mission, vision, key objectives, strategic plan, and key controls. The CAE: Discusses with the board and senior management the best strategies for the internal audit activity to evaluate and contribute to GRC. Considers the maturity level of governance, risk management, and control processes. Assesses risks to GRC (including the impact of culture and the seniority of risk owners). Highlights areas of weakness. Makes recommendations (including adoption of a particular GRC framework). To demonstrate conformance to Standard 2100, the internal audit activity can refer to the roles and responsibilities related to GRC as documented in the internal audit charter, audit plans, or minutes of relevant meetings. Audit plans in particular may provide evidence that the internal audit activity follows a disciplined, systematic, and risk- https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx based approach. Engagement reports can also support that results are relevant and add value to GRC processes. The IIA’s Three Lines Model helps clarify the internal audit activity’s role in GRC. Three Lines Model GRC requires a cohesive and coordinated approach to ensure that limited risk and control resources are deployed effectively, significant risks are identified and managed appropriately, and risk ownership is clear to all. Disconnected risk management efforts can otherwise lead to inefficiencies, coverage gaps, and risk ownership arguments. The IIA’s position paper “The IIA’s Three Lines Model: An Update of the Three Lines of Defense,” helps clarify GRC roles and responsibilities. Exhibit 1-28 shows the model. Exhibit 1-28: Three Lines Model Source: IIA Position Paper, “The IIA's Three Lines Model: An Update of the Three Lines of Defense,” © 2020, The IIA. Key Point Note that the word “defense” was dropped from the Three Lines Model to highlight that organizations don’t exist to manage risk; they exist to achieve their objectives. Risk management therefore needs to both be proactive in helping achieve those objectives and serve as a defense. The Three Lines Model is a principles-based model intended to be adapted to the needs of any organization. Its six principles are as follows: 1. Governance. Governance of an organization requires appropriate structures and processes that enable: Accountability to stakeholders by the board through integrity, leadership, and transparency. Actions by management to achieve objectives, manage risk, and use risk-based decision making and application of resources. Assurance and advice by an independent internal audit activity. 2. Governing body roles. The board establishes appropriate governance structures and ensures that organizational objectives align with the prioritized interests of stakeholders. The governing body role is critical to the Three Lines Model: Accountable to stakeholders for oversight and engages with them for two-way, transparent communications on objectives. Nurtures an ethical and accountable control environment. Delegates responsibility and provides resources to management to achieve organizational objectives while conforming to legal, regulatory, and ethical expectations. Establishes appropriate committees, compliance oversight functions, and an independent, objective, and competent internal audit activity. Determines risk appetite and oversees GRC. 3. Management first and second line roles. Management is defined broadly to include both “front of house” as well as “back office” activities (e.g., HR). Management has both first and second line roles. Positions may have blended roles or specialize in one or the other role. First line roles. First line roles deliver products and services to customers and are responsible for managing risk through leadership, action, development of structures and processes, and resource allocation. They require maintaining a continuous dialogue with the board, including reporting on objective achievement and risk. They involve ensuring compliance with legal, regulatory, and ethical expectations. Second line roles. Second line roles provide complementary expertise, support, monitoring, and challenge to first line roles. They develop, implement, continuously improve, and report on the adequacy and effectiveness of risk management and internal control at a process, systems, and entity level. Roles can be broad enterprise risk management roles or they can be specialized, including compliance, ethics, internal control, IT security, sustainability, and quality assurance. 4. Third line roles. The internal audit activity is the third line role because it is a systematic, disciplined, competent, independent, and objective assurance and advice role for GRC. It remains primarily accountable to the board and reports to it on GRC, achievement of objectives, continuous improvement, and disclosures of impairments. 5. Third line independence. Accountability to the board, unfettered access, freedom from bias and interference, and independence from management responsibilities enable the internal audit activity to have objectivity, authority, and credibility. 6. Creating and protecting value. All roles collectively create and protect value when they align with each other and with the prioritized interests of stakeholders. Alignment requires communication, cooperation, and collaboration. This ensures the reliability, coherence, and transparency of information needed for risk-based decision making. The three lines need to be coordinated to ensure efficiency and effectiveness, but there is no one right way to do this. However, there is a natural division of labor created by the differing risk roles: The first line role has the risk owner role. The second line role has the risk controland compliance role. The third line role has the risk assurance role. While having all three roles is a best practice, if internal audit takes on first or second line roles, the CAE should communicate to the board and senior management the impact of this combination and recommend their separation when appropriate, such as after the organization grows in size or complexity. Other GRC stakeholders, including external auditors, regulators, and other external bodies, are not directly part of any of the three lines. However, they play important roles in GRC. External assurance providers provide additional assurance to: Satisfy legal and regulatory expectations that serve to protect the interests of stakeholders. Satisfy requests by management and the governing body to complement internal sources of assurance. External assurance providers are more effective in GRC when: Their activities are carefully coordinated to avoid duplication of effort. The internal audit activity addresses gaps in their coverage due to their specialized focus areas. Governance According to The IIA Performance Standard 2110, “Governance” The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for: Making strategic and operational decisions. Overseeing risk management and control. Promoting appropriate ethics and values within the organization. Ensuring effective organizational performance management and accountability. Communicating risk and control information to appropriate areas of the organization. Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management. Governance is a board and senior management responsibility, not an internal audit activity responsibility. However, the CAE and internal auditors need a clear understanding of the concept of governance and the characteristics of typical governance processes. This includes: Studying best practices and GRC framework principles. Learning about how the organization applies GRC frameworks (if used) given their size, complexity, life cycle, maturity, stakeholder structure, and legal requirements. https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx Noting the direction that the board is providing to management in terms of risk tolerance levels and reporting expectations. The CAE may interview key governance roles and review board and committee charters, meeting agendas, and minutes to: Gain insight into the role the board plays in the organization’s governance, especially regarding strategic and operational decision making. Understand organization-specific processes and assurance activities currently in place. Learn about the board’s and senior management’s understanding and expectations of governance, the requirements of Standard 2110, the nature of governance processes, and the internal audit activity’s role in governance. Governance is a broad concept, and differences will exist (especially when considering governance in a global context, which is also influenced by national culture). However, Exhibit 1-29 lists some commonly identified governance principles considered to be effective. Exhibit 1-29: Commonly Identified Governance Principles Board membership Ensure that the board has correct/proper members, committee structure, meeting protocols, sound and independent judgment about organizational affairs, and periodically reaffirmed membership. Board Ensure that board members have appropriate https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx qualifications qualifications and experience, clear understanding of governance roles, sound knowledge of organizational operations, and independent/objective mindset. Board independence Ensure that the board has sufficient authority, funding, and resources to conduct independent inquiries. Transparent structure Maintain an understanding by executive management and the board of the organization’s operating structure, including structures that impede transparency. Measurable strategy Articulate an organizational strategy against which the success of the overall enterprise and the contributions of individuals are measured. Strategic structure Create an organizational structure that supports the enterprise in achieving its strategy. Governing policy Establish a governing policy for the operation of key activities of the organization. Clear lines Set and enforce clear lines of responsibility and accountability in the organization. Effective interaction Ensure effective interaction among the board, management, internal auditors, external auditors, and other assurance providers. Management oversight Secure appropriate oversight by management, including establishment and maintenance of a strong set of internal controls. Compensation policies Ensure that compensation policies and procedures for senior management and for others encourage appropriate behavior and are consistent with the organization’s ethical values, objectives, strategy, and control environment. Control environment Communicate and reinforce an ethical culture, organizational values, appropriate “tone at the top,” a nonretaliatory environment for employees to raise concerns, and a way to monitor and investigate potential conflicts of interest. Internal audit Use internal auditors effectively, ensuring the adequacy of their independence, resources, and scope of activities and the effectiveness of operations. Risk management Clearly define and implement risk management policies, processes, and accountabilities at the board level and throughout the organization. External audit Effectively use independent outside auditors, ensuring their independence, adequate resources, and scope of activities. Key information disclosure Provide appropriate disclosure of key information, in a transparent manner, to stakeholders. Governance disclosure Disclose the organization’s governance processes, comparing those processes with recognized national codes or best practices. Conflicts of interest Ensure appropriate oversight of related-party transactions and conflict-of-interest situations. Source: Adapted from Anderson and Dahle, Applying the International Professional Practices Framework (IPPF), 4th edition. Given a clear understanding of how the organization approaches governance, the CAE can contemplate whether the current internal audit plan addresses governance processes and their associated risks, including whether the integration requirements of the governance, risk management, and compliance functions are adequate. This may lead to opportunities for the internal audit activity to improve its plans and approaches for conformance with Standard 2110. Internal auditors can use the organization’s adopted governance framework as the basis of evaluation. Organizations may take advantage of governance frameworks to help set their governance objectives. One example is the King Report. King Report The King Report on Corporate Governance is the output of South Africa’s King Committee on Corporate Governance. The latest version is King IV (2016). The report is principles- and outcomes- based, focusing on transparency and disclosures that require entities to explain how the principles are applied. The report provides a model for good governance that requires an integrated approach inclusive of stakeholder interests and a focus on corporate social responsibility. A Code of Corporate Practices and Conduct is included in the report: Discipline. Organizations commit to disciplined behavior that is universally accepted as proper and correct. Transparency. Organizations commit to make it easy for outsiders to analyze the organization’s activities. Independence. Organizations are self-reliant and can manage or avoid conflict. Accountability.Organizations develop ways to accept and acknowledge the positive and negative consequences of their actions. Responsibility. Organizations design corrective action into all processes and consider the needs of all stakeholders in decision making. Fairness. Organizations balance competing interests. Social responsibility. Organizations embed corporate social responsibility programs into their core business model. The King Report addresses the role and function of internal auditing as well as specific reporting requirements, for example, the need for audit committees to approve all appointments and dismissals of the CAE. The report emphasizes effective leadership based on an ethical foundation and the need to fundamentally redesign the organization around sustainability. Innovation, fairness, and collaboration are described as key tools to achieve sustainability. Internal auditors are also placed as central to maintaining proper governance and developing organizational strategy. King III highlighted the imperative to use risk-based auditing, stating: A compliance-based approach to internal audit adds little value to the governance of a company as it merely assesses compliance with existing procedures and processes without an evaluation of whether or not the procedure or process is an adequate control. A risk-based approach is more effective as it allows internal audit to determine whether controls are effective in managing the risks which arise from the strategic direction that a company, through its board, has decided to adopt. It went on to recommend that internal auditors assess the general effectiveness of the system of internal controls, the control environment, and risk management processes. IT Governance According to The IIA Implementation Standard 2110.A2 (Assurance Engagements) The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives. According to Anderson et al. in Internal Auditing, IT governance is “the leadership, structure, and oversight processes that ensure the organization’s IT supports the objectives and strategies of the organization.” IT governance is the subset of organizational governance directly related to oversight of IT assets and IT risks. Beginning with the end in mind, the primary outcomes of effective IT governance include the following: IT strategies are aligned with organizational objectives. The board and senior management understand the potential and limitations of IT. IT senior management understands organizational objectives and needs. An IT governance structure is used to apply and monitor this understanding. Risks are identified and managed properly. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx IT investments are optimized to deliver value. IT performance is defined, measured, and reported using meaningful metrics. IT resources are managed effectively. Key Point Because IT is now embedded everywhere throughout most organizations, it is important to understand that it will be part of most areas being audited. All three parts of the IIA CIA exam could have questions that take an IT perspective. IT-related questions in Parts 1 and 2 of the exam will likely be conceptual rather than testing on specific IT details. The alignment of organizational objectives and IT is more about governance and less about technology. Therefore, it is important to take a strategic approach to implementing IT governance. A strategic approach includes: Evaluating alternatives. Ensuring that execution is directed toward objectives. Monitoring risk and performance against financial and nonfinancial goals: A key financial goal is to realize the organization’s strategy and provide competitive advantage. (A counterexample is senior management thinking that IT exists solely to deliver day-to-day services and limiting goals to operational cost savings.) A key nonfinancial goal is to ensure a strong system of internal controls. Strong IT governance promotes good control design; weak IT governance could be the root cause of ineffective and deficient controls. IT governance is a shared responsibility of the board and senior management. That is, the board and senior management “own” IT governance. The board is responsible for overall strategic IT guidance. Senior management carries out the day-to-day direction of IT strategy execution. The board and senior management are responsible for establishing the organization’s IT objectives in alignment with the overall business strategy, for defining IT strategies to achieve business objectives, and for establishing: IT governance policies. Organizational structures that include IT roles and authorities. IT processes. Use of an IT governance framework can provide the organization with a foundation and mechanism for measuring IT’s effectiveness at achieving planned outcomes. IT Governance Framework The IIA’s Global Technology Audit Guide (GTAG) 17, “Auditing IT Governance” provides a general IT governance framework that focuses on the areas shown in Exhibit 1-30. Exhibit 1-30: IT Governance Framework Framework Area Description Strategic alignment IT governance provides the strategic direction for IT and ensures that IT and business strategies are aligned for all IT projects and services. Risk management IT governance can ensure that IT risks are addressed and that enterprise risk management includes risk aspects of IT investments, defined responsibilities for risk management, and a holistic process for analyzing, addressing, and continuously monitoring risks. Value delivery IT governance can drive the maximum value from IT by ensuring that financial value is measured not only in terms of overall return on investment but also in terms of other strategic measures such as IT tactical plan execution, systems uptime, degree of automation in the systems development life cycle, productivity, and revenue generation. https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG17.aspx Framework Area Description Performance measurement IT governance can help in measurement of the achievement of strategic IT objectives, IT performance, and the delivery of promised business functionality (and therefore contribution to profitability). Tools such as continuous monitoring or root cause analysis support these measurements. Resource management IT governance oversees the aggregate funding of IT at the enterprise level and ensures that there is (and will continue to be) adequate IT capability and infrastructure at the organization. An IT governance framework addresses the following components: IT process areas. Change management, information security management, software development, IT project management, etc. IT mechanisms. Standards, policies, and frameworks for directing, monitoring, and measuring IT performance and managing IT risks. IT governance organizational structures. IT roles and reporting lines (see Exhibit 1-31) to meet organizational objectives and formally evaluate and prioritize requirements. Exhibit 1-31: Examples of IT Governance Organizational Structures Governance Body Members ScopeGovernance Body Members Scope IT governance board Chief executive officer, chief financial officer, and chief information officer, plus CAE as nonvoting advisor on risk/control Set business and IT strategy and investment plans. IT steering committee IT senior management and business unit owners Ensure IT strategic alignment. IT portfolio office IT and business program/project managers Develop IT project metrics, monitor, and report. IT architecture office Chief information officer, chief information security officer (CISO), chief operating officer, IT infrastructure managers Determine IT architecture design. Technology council Chief information officer, chief technology officer (CTO),and business unit owners Evaluate technology opportunities. Cybersecurity and data protection council Chief information officer, CTO, CISO, chief risk officer (CRO), chief financial officer, chief operating officer, business unit owners, and CAE as nonvoting advisor on risks/controls Evaluate risk and strategies to protect organization’s information assets. Role of Internal Audit in IT Governance The internal audit activity must assess IT governance per Standard 2110.A2. The activity’s independence puts internal auditing in a neutral position to influence IT governance and recommend change. Providing advice should not impede independence if management takes full responsibility and accountability for implementation and operation of controls. The internal audit activity may include IT governance in its risk universe. Risk-based audit planning can use a root cause analysis framework such as the one shown in Exhibit 1-32 to evaluate potential IT weaknesses. Exhibit 1-32: IT Risk—Root Cause Analysis Framework https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx The model shows three layers of control: Start at the technical configuration layer at the bottom (e.g., poor firewall configuration is identified). Work backwards to potential root causes in IT processes (e.g., poor oversight). Finish with potential root causes in IT governance (e.g., no firewall configuration training). To ensure that here will be opportunities to provide advice, it is imperative that audits of IT governance include both assurance and consulting engagements. Either type of engagement can focus on the organization’s implementation of IT governance practices, which include clearly defined policies, roles, responsibilities, risk appetite alignment, effective communication, “tone at the top,” management of IT value, and clear accountability. Here are some specific areas for review: IT strategic planning. There is a clear definition of IT’s mission and vision, and an IT strategic planning process with major initiatives is in place. IT tactical planning. Project and change management methodologies are used with related controls, clear definitions of expected benefits, and clarity of scope definition. IT delivery process. Operational controls, modification processes, and project management processes are functioning as intended. Actual versus planned benefits are analyzed. Application development methodology. A process such as the systems development life cycle is in place and is used consistently. Current portfolio administration. A process exists and is effective. Overall IT efficiency and effectiveness. IT adds more value than it costs. Management and Board Governance Audits For internal auditors to contribute to the governance area, it is critical that they: Define governance and the organization’s governance processes. Determine what is in versus out of the internal audit scope due to the broad nature of governance. Develop plans aligned with this understanding and start executing. Usually, a single audit of governance overall is not attempted. Rather, the assessment of governance processes is likely to be based on information obtained from numerous audit assignments over time. However, if an overall governance assessment is appropriate, it should include review of: Results of audits of specific governance processes. Results of audits not specifically focused on governance, such as strategic planning, risk management processes, operational efficiency and effectiveness, internal controls over financial reporting (ICFR), IT risks, fraud risks, and law/regulation compliance. Results of management assessments (e.g., compliance assessments, quality audits, or control self-assessments). Governance issues such as adverse events. The CAE’s final audit plan uses a risk-based approach to identify higher-risk governance processes to potentially include as assurance engagements. Consulting services may be preferred when known issues exist or the organization’s governance process is immature. In other cases, continuous monitoring methods can be used, such as assigning internal auditors to observe meetings of governance-related bodies and providing internal audit advice upon request on an ongoing basis. Using Standard 2110 as a Checklist for Potential Audit Coverage Areas Internal audit coverage of governance can consider each of the bullets in Standard 2110 to be part of the risk universe for potential audits of organizational governance: Making strategic and operational decisions Overseeing risk management and control Promoting appropriate ethics and values within the organization Ensuring effective organizational performance management and accountability Communicating risk and control information to appropriate areas of the organization Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management Making Strategic and Operational Decisions Anderson et al. in Internal Auditing indicate that strategy “refers to how management plans to achieve the organization’s objectives.” When assessing how strategic and operational decisions are made: Start by understanding organizational objectives. This could include a review of strategy documents, mission and vision statements, and so on. Assess how strategic and operational decisions are discussed and implemented. https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx Assess whether established, consistent decision-making processes are used. Audit techniques can include: Review of past audit reports, board meeting minutes, the board policy manual, and related governance documents. Interviews with department heads to provide perspective. Overseeing Risk Management and Control Assessing oversight of risk management and control functions can include: Reviewing the process for conducting the annual risk assessment. Reviewing minutes from risk strategy meetings. Reviewing previously conducted risk assessments. Interviewing key risk management persons: compliance, risk, and finance officers. Benchmarking risk management and control processes against relevant sources such as competitors or industry trends. Assessing the level and type of support the internal audit activity provides to the organization’s risk management program, including: Robust and thorough analysis of risk management and internal control systems. Structure and discipline in the risk management program. Organizational and divisional risk assessments. Ongoing formal or informal oversight and input. Promoting Appropriate Ethics and Values within the Organization Audits can assess whether governance activities promote appropriate ethics and values within the organization. Document reviews in this area can include: Mission and value statements, the organization’s code of conduct, and related ethics and values objectives, programs, and activities. Hiring and training processes, anti-fraud and whistleblowing policies/hotlines, and the related investigation process. In addition to document reviews, personnel can be interviewed or surveyed to determine their level of awareness of ethical standards and values. Ensuring Effective Organizational Performance Management and Accountability To assess the effectiveness of organizational performance management and accountability processes, review: The organization’s policies and processes related to staff compensation, objective setting, and performance evaluation. Associated KPIs and incentive plans for appropriate design and execution to prevent or detect unacceptable behavior or excessive risk taking and to promote strategic alignment. Communicating Risk and Control Information to Appropriate Areas of the Organization Assessments of how the area under review communicates riskand control information typically involve: Determining the accuracy, completeness, and timeliness of risk and control information in internal reports, newsletters, relevant memos and emails, and staff meeting minutes. Using surveys and interviews to gauge how well employees understand their risk and control responsibilities and the potential impact of failure to exercise those responsibilities. A potential service the internal audit activity could offer in this area would be to provide education on risk and control topics, especially if targeting identified deficiencies. Coordinating the Activities of, and Communicating Among, the Board, External and Internal Auditors, Other Assurance Providers, and Management Assessments of activity coordination and communication among the board, external and internal auditors, other assurance providers, and management include: Identifying the meetings that include these parties and determining their frequency of occurrence. Reviewing meeting minutes, work plans, and reports. Attending such meetings as participants or observers. Improvement Recommendations for Governance Processes The CAE considers the ramifications of potential governance process observations and may communicate with the board and senior management during all phases of the engagement (planning, evaluating, and reporting) as appropriate. Here are some examples of recommendations that might be made: Finding ways to improve the flow of information to the board (e.g., more relevant, complete, timely, accurate, and forward-looking) Avoiding subjectivity by objectively analyzing execution of past strategies Assessing measurement processes and metrics for degree of alignment to strategy Analyzing past ethics- or value-based code violations or trends Assessing post-merger integration plans and progress toward their execution Demonstrating conformance to Standard 2110 can be made through multiple separate internal audit reports on individual governance https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx processes. Alternatively, an overall report on governance can be prepared that summarizes observations and recommendations from relevant assurance and consulting engagements. Topic 2: Culture, the Control Environment, and Engagements This topic introduces the control environment and how to audit it. The impact of organizational culture on the control environment and on individual engagement risks and controls is also addressed. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standards 2100, 2110, and 2130 Practice Guide, “Auditing Culture” Control Environment The IPPF glossary defines the control environment as follows. The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-Culture.aspx Integrity and ethical values. Management’s philosophy and operating style. Organizational structure. Assignment of authority and responsibility. Human resource policies and practices. Competence of personnel. Much as the foundation of a house determines whether the structure will stand the test of time, the control environment is the foundation for the system of internal controls. It sets the tone for how controls are perceived. A good foundation can result in a control-conscious culture that applies rigor to control design and implementation; a poor foundation can have a pervasive impact on the system of internal controls. It is important to see how the control environment fits in the context of the entire system of internal controls. One way to see this context is to study the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework cube, shown in Exhibit 1-33. Exhibit 1-33: COSO Internal Control—Integrated Framework Cube Source: Internal Control—Integrated Framework, COSO. Key Point The key point about this cube is that a system of internal controls requires a number of interconnected elements to function effectively. Note that this is just one of several internal control frameworks, and the internal audit activity needs to fully understand and support whichever framework the organization has chosen to adopt. The control environment forms a critical foundation for the other components of internal control that need to be integrated: risk assessment, control activities, information and communication, and monitoring activities. The top of the cube shows the three categories of objectives that an organization works to achieve using the system of internal controls: operations, reporting, and compliance objectives. The final side of the cube shows the organization’s structure to reinforce that the system of internal controls needs to be integrated into the organization at multiple layers that are more and more detailed. Given this context, let’s explore each of the elements of the control environment listed in the control environment definition. Integrity and Ethical Values COSO’s Internal Control—Integrated Framework has five principles related to the control environment. Each principle contains points of focus, which are optional characteristics that management may decide to evaluate in terms of whether or not they are present and functioning. The principle related to integrity and ethical values and its points of focus are as follows: The organization demonstrates a commitment to integrity and ethical values. Sets the tone at the top. Establishes standards of conduct. Evaluates adherence to standards of conduct. Addresses deviations in a timely manner. (This and later quotations from the framework are copyrighted by COSO [© 2013] and are used with permission. Note that the points of focus are helpful in organizing the content below; however, the guidance includes information from IIA materials and other sources.) Sets the “Tone at the Top” The tone at the top is one of the most important elements of culture. For example, an attitude of ignoring the rules on the part of those at the top tends to pervade to lower levels. People may either adopt the same attitude or leave the organization, which results in fewer people remaining who show integrity. The tone at the top encompasses the following concepts: Top management and the board lead by example, considering stakeholder expectations. The tone is shown through the actions and decisions of management, leadership and communication that is provided, and responses to deviations. The tone at the top is fundamental to the proper functioning of the internal control system. The tone at the top is further expressed in the form of mission statements, value statements, codes of conduct, principles, policies and practices, directives, and guidelines. The operating style and the conduct of senior management and the board and the risk tolerances they set create an atmosphere that subordinates pick up on—for good or for ill. A consistent tone helps pull the organization together, while a poor or inconsistent tone creates unintended consequences such as poor risk awareness, poor risk responses, poorly defined or ignored controls, or lack of improvement given feedback. The history and culture of an organization directly influence the control environment. Culture supports the control environment when it creates behavioral expectations that reinforce commitment to ethics, integrity, oversight, and performance evaluation.Establishes Standards of Conduct According to The IIA Implementation Standard 2110.A1 (Assurance Engagements) The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics- related objectives, programs, and activities. Standards of conduct can include ethics programs, a written code of ethics, a written code of conduct, and related entity-level policies and procedures. An organization could have a combined code of ethics and conduct. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx A strong ethical culture is the foundation of good governance. An ethical culture is created through a robust ethics program that sets expectations for acceptable behaviors in conducting business in the organization and with external parties. It includes: Effective board oversight. Strong tone at the top and senior management involvement. Organization-wide commitment. A customized code of conduct. Timely follow-up and investigation of reported incidents and consistent disciplinary action for offenders. Ethics training and communications. Ongoing monitoring systems. An anonymous incident reporting system. Ethics is everyone’s responsibility: The board oversees the ethical climate and ensures that management has sound ethics-related objectives and programs via assurance from internal auditing. Senior management promotes and exemplifies an ethical tone at the top and creates explicit strategies to support and enhance the ethical culture, including ethics training. Line managers’ attitudes and behaviors create an ethical subculture for their areas. Outsourced service providers (e.g., customs clearance) can create reputation risks for unethical actions on the behalf of the organization. Contracts should include things like anti-bribery and conflict-of-interest clauses. There may be a chief ethics officer and/or designated person (ombudsman) for ethics advice. A written code of ethics will likely include principles that the majority of boards or organizational managers would agree are considered desirable in conducting business. The board and senior management will come to consensus on the set of principles that are considered acceptable behavior at the organization. Note that due to the need for consensus, corporate ethics will likely not match the personal ethics of all persons. Components of a written code of ethics may include principles related to honesty, integrity, transparency, fair dealing, clear delegation, positive personnel practices, and so on. A written code of conduct provides behavioral guidance and rules for staff (and outsourced service providers who have been delegated responsibility for organizational processes) when taking actions or making decisions. The code clarifies the expectations of the board and senior management as to what is considered right versus wrong. It provides guidance on common gray areas or difficult decisions and highlights associated risks. A code of conduct may address the following subjects: Conflicts of interest Confidentiality Fair dealing Proper use of organizational assets Gifts and gratuities Compliance with laws, rules, and regulations Compliance with voluntary standards such as for corporate social responsibility Reporting of illegal or unethical behavior For example, a written statement about conflicts of interest should: Generally define conflicts of interest. Address the expected behavior for employees, other corporate agents, and suppliers. Include provisions for activities, investments, or other interests that reflect on the entity’s integrity or reputation. Policies and procedures for the control environment are determined by the board and are at the entity level. They form the basis for more detailed policies and procedures at the division, operating unit, and business function levels. In addition to stating requirements, a best practice is to provide the rationale for adherence, which could cite a related law or regulation or key risks, such as to customer safety or company reputation. Control environment policies and procedures include defined accountabilities for business functions with control environment implications. This includes safeguarding of assets, product safety, and guidelines on developing compensation systems in ways that minimize unintended consequences. Evaluates Adherence to Standards of Conduct One way to evaluate adherence to standards of conduct is to require staff to recertify annually that they understand, accept, and adhere to the code. Best practices include teaching the standards of conduct to new employees using quarterly or biannual training sessions. Policies and procedures also need processes for evaluating compliance and addressing shortcomings. This includes ensuring that: There is a process for enforcing consequences. Training or guidance occurs. There is a process to seek and address root causes of the shortcomings. There is a process for keeping policies and procedures up to date given new laws, regulations, values, etc. Addresses Deviations in a Timely Manner Standards of conduct should contain a process for monitoring and enforcing the code, including how potential deviations will be investigated and addressed and how disciplinary actions will be applied. Failure to enforce or being too slow in enforcing consequences creates a control environment risk, because persons may see a lack of enforcement as a tone from the top that these standards are not important and can be ignored. Management’s Philosophy and Operating Style COSO’s Internal Control—Integrated Framework does not have a principle related directly to management’s philosophy and operating style. However, the prior discussion of the tone at the top and how management enforces standards of conduct are just a few of the many examples in this topic of how the philosophy and operating style of management impacts the control environment. Organizational Structure The principle in COSO’s Internal Control—Integrated Framework related to organizational structure and its point of focus are as follows: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Considers all structures of the entity. Considers All Structures of the Entity Organizations develop structures to accomplish their objectives, including: Legal entity structures (e.g., partnerships, subsidiaries). Organizational structures (e.g., hierarchical, matrix). Geographic market structures (e.g., regional divisions). Supply chain structures (e.g., outsourced processes and services). Many of these types of structures are addressed in Part 3 of these materials. The main point in regard to the control environment is that management needs to consider how such structures impact achievement of objectives, related risks, and controls. For example, a structure may help keep authorities and responsibilities separate or concentrate too much control in a given entity or individual. Structures can be reviewed for continued relevance, effectiveness, and efficiency. Assignment of Authority and Responsibility The Internal Control—Integrated Framework principles related to the assignment of authority and responsibility and their points of focus are as follows: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Establishes oversight responsibilities. Applies relevant expertise. Operates independently. Provides oversight for the system of internal control. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Establishes reporting lines. Defines, assigns, and limits authorities and responsibilities. Establishes OversightResponsibilities The board of directors establishes oversight responsibilities by creating oversight committees and processes that align with the organization’s objectives. Applies Relevant Expertise Examples of the board applying relevant expertise include: Exercising fiduciary responsibilities to shareholders/owners with due professional care (e.g., reviewing financial statements and disclosures). Delving into management’s plans and performance by asking probing questions and following up on corrective actions. Operates Independently Examples of how the board operates independently include setting expectations for and evaluating the conduct of the CEO in regard to ethical values, integrity, and performance. Provides Oversight for the System of Internal Control Examples of how the board provides oversight for the system of internal control include: Overseeing definition and application of the organization’s code of conduct. Requiring assessments of board oversight effectiveness and continually improving. Establishes Reporting Lines Reporting lines are how managers in various organizational or other structures execute their assigned authorities and responsibilities, including reporting information to higher levels. These lines should be documented and understood by the relevant parties. Defines, Assigns, and Limits Authorities and Responsibilities The board retains some authority over significant decisions and delegates other areas of authority and responsibility to management, who in turn do so with their subordinates. Limitations to authority include segregation of duties. Human Resource Policies and Practices The principle in COSO’s Internal Control—Integrated Framework related to HR policies and practices and its points of focus are as follows: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Establishes policies and practices. Evaluates competence and addresses shortcomings. Attracts, develops, and retains individuals. Plans and prepares for succession. Establishes Policies and Practices HR policies and practices: Establish the necessary level of competence for a given role. Indicate the basis for requirements (e.g., legal compliance). Specify the skills and conduct that will be required for achieving objectives and supporting internal control. Establish specific accountabilities. Evaluates Competence and Addresses Shortcomings HR policies and practices form the basis for evaluating competence and addressing shortcomings. Role descriptions provide guidance on the expected level of competence required to achieve the organization’s objectives. This starts with the skills and conduct that are needed to ensure that the system of internal control is effective. For example: Skills could include proficiency with the enterprise resources planning system an organization uses for its business transactions and knowledge of the system's transaction authorization requirements. Conduct could include consistently adhering to those authorization requirements. Management evaluations may address knowledge, skills, experience, degree of judgment the role requires, and limitations of authority. They may also assess whether the required level of competence is appropriate from a cost-benefit perspective. Attracts, Develops, and Retains Individuals Management determines the appropriate number of individuals for each role and whether this is adequate to achieve objectives and reduce internal control risks to an acceptable level. The processes for seeking out qualified candidates, training or mentoring them, evaluating competence, and retaining personnel are also reviewed for quality and compliance. Plans and Prepares for Succession For roles or business functions considered essential for accomplishing the organization’s key objectives, management has plans for replacing key persons or entities (e.g., a key supplier) or otherwise fulfilling those objectives in absence of the individual or entity. Competence of Personnel The Internal Control—Integrated Framework principle related to competence of personnel and its points of focus are as follows: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Enforces accountability through structures, authorities, and responsibilities. Establishes performance measures, incentives, and rewards. Evaluates performance measures, incentives, and rewards for ongoing relevance. Considers excessive pressures. Evaluates performance and rewards or disciplines individuals. Enforces Accountabilities Through Structures, Authorities, and Responsibilities The board and management hold persons accountable for accomplishing objectives and fulfilling internal control responsibilities by exercising their authority as authorized by the organizational structure, reporting lines, and defined responsibilities. An escalation process to higher levels of authority exists to ensure that enforcement occurs and is consistently applied. Establishes Performance Measures, Incentives, and Rewards Management promotes achievement of objectives and fulfilling of internal control responsibilities through use of cost-effective performance measures, incentives, and rewards. Rewards and incentives are discussed more in Part 3 of these materials. Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance These programs are assessed for cost-benefit and alignment to objectives. Considers Excessive Pressures Performance measures, incentives, and rewards may create excessive pressures on individuals or entities, creating a risk of subversion of internal controls to achieve organizational objectives. Management makes necessary adjustments to mitigate this risk. Evaluates Performance and Rewards or Disciplines Individuals Management evaluates performance against performance measures and adherence to standards of conduct and ensures that appropriate rewards or discipline occur and are consistent. Basis for Evaluating Ethics Organizational standards of conduct are the basis for assessing adherence to organizational ethics and values. There are stated values as well as operating values. An important aspect of the effectiveness of codes of ethics or conduct is the degree to which these function as the basis for the values of the organization and its people. Values are beliefs about right versus wrong that guide people’s and organizations’ decisions and actions, especially in situations that require making tradeoffs between conflicting objectives. Inherent in values is a set of priorities or criteria that help people determine which values are more important than others. There are two types of values: Stated values. These are ideal or written values, such as written codes of ethics and/or conduct. Operating values. These are cultural values that guide actual organizational behavior. If there is little difference between stated and operating values, then the codes of ethics and/or conduct may be considered effective. However, if there is a disconnect between the two types of values, it will be difficult for staff to determine what is “acceptable.” The operating values, even if dysfunctional, may become the status quo. For example, a peer might say, “That’s the theory, but this is how it is really done,” or, “This is what you have to do around here if you want to get ahead.” Auditing the Control Environment When auditing the control environment, the internal audit activity considers the risk of control environment failures as they develop the annual audit plan and as they plan each individual engagement. Key Point If the effectiveness of the control environment is not considered in an audit engagement, there is a risk that the assessment of the adequacy of controls will be incomplete or misleading. Audits of thecontrol environment: Start with a risk assessment to help set audit scope, frequency, and rotation. Take into account planning considerations as individual engagements are planned. Require assessment criteria. Require selection of tools and techniques to use. Each of these areas is discussed more next. Control Environment Risk Assessment and Audit Scope A control environment risk assessment can use the elements from the IPPF definition of control environment as potential audit scope areas. These elements are repeated below along with examples of situations that may influence the risk assessment. (Note that these examples may apply to more than one of the control environment elements.) Integrity and ethical values. Lack of code of conduct/ethics or inability to evaluate adherence; high fraud rate. Management’s philosophy and operating style. Frequent management override of controls; lack of consideration of risk in management decision making. Organizational structure. Ineffective board oversight or control environment monitoring; silos that promote department objectives over organizational objectives. Assignment of authority and responsibility. Unclear job descriptions; insufficient separation of duties. HR policies and practices. Compensation and incentive structures that create a high risk of inappropriate behavior or risk taking; poor or nonexistent background or reference checks; no whistleblower policy or hotline. Competence of personnel. Key function turnover resulting in ineffective supervision; lack of key personnel competence (e.g., favoritism to unqualified family or associates). In addition to assessing the risks of failure of each of these elements individually, it is also important to consider the interaction of the elements with one another. Given risk assessments in each of these or other areas, the CAE selects the scope of the audit or series of audits. The scope could encompass all elements, either for the organization as a whole or limited to a specific division or business unit. Alternately, control environment elements could be assessed as part of the scope of other audits such as an audit of a specific business process. For example, an audit of accounts payable (A/P) might add an audit step to determine how familiar A/P staff are with expectations for ethical behavior. The CAE also determines the frequency and rotation of control environment audits and how to integrate the results of multiple audits while avoiding duplication of effort. Planning Considerations and Assessment Criteria Because control environment audits involve discussion of sensitive issues and often require interviews with board/audit committee members and senior management, some special planning considerations apply, including but not limited to: Considering staffing the audit with experienced persons to enhance credibility and recommendation acceptance. Consulting legal counsel for some areas such as pending investigations. Ensuring that the internal audit activity’s reporting structure as documented in the charter is sufficiently independent to enable appropriate access and audit scope. Considering how differences in national culture or national laws/regulations would impact how the engagement or its recommendations would be received. Another sensitive task for the CAE is to determine the criteria against which the control environment will be assessed. The CAE should clearly articulate and communicate the audit scope and criteria to be used, which may help with getting buy-in from the board and senior management. These criteria could be based on: An organization’s rating system. A defined internal control framework’s principles. A maturity model. An industry standard or other benchmarking subject. Specific objectives provided by legal counsel. In general, a best practice is to use an internal control framework the first time the control environment is audited at an organization. This can help ensure that the criteria are well rounded and complete. Tools and Techniques for Auditing the Control Environment Auditing the control environment is an example of auditing “soft controls,” which means there will be subjectivity in the assessments and direct evidence may be difficult to gather. Selecting tools and techniques may require thinking outside the box. Examples include: Using surveys to test the effectiveness of control environment elements such as ethics. Using networking and discussions to evaluate if the actions of management align with their talk. Leveraging internal auditors’ knowledge of the organization’s inner workings to provide corroboration on the effectiveness of controls. “Auditing by walking around” and being visible and observant, which can help: Uncover intangible clues that prompt deeper assessments. Reveal persons who are willing to provide opinions anonymously. Assessing how management has reacted to past audits and recommendations. Reviewing materials and experiences from internal auditor participation in committees, task forces, work groups, or ethics and compliance program implementations. Using data analytics to uncover anomalies. Culture's Impact on Control Environment The IIA’s Practice Guide “Auditing Culture” cites the definitions of culture and conduct from St-Onge et al. in Measuring Conduct and Culture: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-Culture.aspx Culture represents the invisible belief systems, values, norms, and preferences of the individuals that form an organization. Conduct represents the tangible manifestation of culture through the actions, behaviors, and decisions of these individuals. Culture exists whether intentionally created or not at multiple levels: National culture affects the desired objectives of an organizational culture. Researching the cultures of the various countries where the organization’s business units are located and where they primarily do business is a best practice. Organizational culture drives how the organization conducts business and executes its strategies. Subcultures likely exist at different campuses, in different departments, etc. Since internal auditors are part of the organization’s culture, it is difficult to be objective when evaluating culture. However, due to the internal audit activity’s deliberate steps taken to be independent and objective, the activity is in the best position of any of the three lines of defense to evaluate culture. The internal audit activity is also in a position to lead by example. Internal auditors should be living and promoting organizational values (per Standard 2110). Poor organizational culture may be the root cause of many control environment issues. A toxic culture can erode the effectiveness of https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx other control layers. Risk factors include: Unreasonable deadlines or performance targets. Incentives not aligned with values. Employees with little or no risk training. Organizational silos or other information impediments. Mistrust toward auditors. Dislike of controls or disregard of “inconvenient” laws or regulations. Poor senior management accountability. Inability to accept evidence that disproves beliefs. A belief that “this could never happen here.” Failure to enforce standards of conduct. Conversely, healthy organizational cultures have common characteristics: Positive tone at the top. The board and senior management define, proactively model, and enforce accountability for desired organizational values, including in their strategies. Clear communication. Management sets explicit expectations in all communications, daily interactions, and meetings with employees, customers, and third parties. Open dialogue. Management listens to feedback or constructive criticism and has tools like ethics hotlinesor open-door policies to encourage dialogue. Employee engagement. Objective-setting and strategy discussions are inclusive, such as by listening to personal objectives and evaluating how they align to strategy. Incentives aligned with core values. Compensation and incentives align with the organization’s core values and risk appetite. Assessments of Culture An organization’s management and board are responsible for risk management related to culture and conduct. The internal audit activity can aid management and the board with this task by providing targeted assessments of culture. Assessments can review: Root causes for both those areas with culture deficiencies and those deemed to be operating with best practices (to benchmark culture impact). Roles and responsibilities of the governance structure. Programs for communicating values, strategies, and objectives. Code of conduct, ethics, and sexual harassment training program effectiveness. Incentives, hiring programs, disciplinary actions, escalation protocols, or treatment of whistleblowers. Existing information sources for culture insights, such as employee survey data. Audits of culture can take place in formal engagements, but ongoing monitoring can often be very effective. Ongoing monitoring includes auditors being observers or participants in risk management meetings or quarterly financial results meetings. If internal auditors are skilled at reading body language or “reading the room,” the reaction of people to things like bad news or risk occurrences can be telling in regard to the culture. Assessments of Ethical Climate The internal audit activity can conduct an entity-wide review of ethics- related policies and processes. Such an evaluation might consider using a maturity model. For each attribute to be tested, the board and/or senior management can choose the desired level of maturity to use as a benchmark. Then the internal audit activity can determine the actual level through testing. When getting started, it is important to determine to whom the organization’s ethical principles and code-of-conduct rules apply. Directors and employees are required to adhere to these principles and rules; suppliers, business partners, contractors, and third-party service providers may also be required to abide by them. Key areas for an ethical climate assessment to address include: Whether ethical values are consistent among policy statements. Whether any policies lack ethics statements and, if so, whether they should be added. Whether ethics statements are consistently expressed to enable staff to have a cohesive, easily understood picture of expected behavior. Whether statements are specific and concrete enough to be meaningful. An entity-wide employee survey is a common tool for ethical climate assessments. Culture and Engagements When conducting an individual assurance or consulting engagement, the internal audit activity considers organizational culture as a risk factor when setting audit scope. The risk is of a disconnect between stated and operating values for the persons in the engagement area because these values, positive or negative, are inherent to how that work is getting done. Self-assessment exercises, surveys, and questionnaires can be used to measure how well the key parties in the area being audited (e.g., parties in joint ventures) understand organizational values, how well their own goals and objectives align with those values, and the degree to which they see others in the organization living by those stated values. Depending on the audience, questionnaires could: Ask the board to trace their policies back to core values and identify any gaps. Ask whether annual staff training programs on board policies and procedures occur in the audit area and ask for descriptions of such programs. Ask whether audit area staff are required to confirm their compliance with board policies and procedures at least annually. Internal auditors need to be aware that self-assessments, surveys, and questionnaires measure perceptions but that such perceptions may or may not be accurate. Another consideration is that one way to get buy-in from the manager of the area being audited and add value is to allow that person to add survey items related to culture issues they are interested in, such as a sales manager asking sales staff about whether they feel undue pressure related to sales goals. Audit programs can also be developed to test for each specific value in the written code of conduct. For example, an audit program to assess “We value and respect all individuals” may focus primarily on HR policies and procedures and observations of related behavior. If there is a second-line-of-defense compliance function for a particular value (e.g., health and safety), the internal audit activity will still need to evaluate the effectiveness of those programs. Topic 3: Risk and Risk Management This topic introduces the subject of risk and the GRC process of risk management from the perspective of the organization’s efforts in this area. It also addresses risk-based audit planning. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standard 2120 Practice Guide, “Assessing the Risk Management Process” Risk Concepts The IPPF glossary defines risk as follows: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Assessing-the-Risk-Management-Process-Practice-Guide.aspx A key element of risk is the notion that it always involves uncertainty. Both positive and negative events can be uncertain. Negative risks are sometimes called threats; positive risks are sometimes called opportunities. Anderson et al. in Internal Auditing define an opportunity as “an action or potential action that creates or alters goals or approaches for creating, preserving, or realizing value.” Here are some fundamental concepts of risk: Achieving strategic and operational objectives and succeeding in business requires putting the organization’s assets and resources at some degree of risk. Risks taken should be commensurate with the potential reward. Risks are not single-point estimates. Rather, there will be a range of possible outcomes associated with a risk, such as from worst case to most likely to best case. Risk management should reduce the likelihood of negative events and increase the likelihood of positive events. An event, also called an issue, is the occurrence or realization of a risk (threat or opportunity). Note that an organization may adopt its own risk terminology, and it is the internal auditor’s responsibility to learn such organization-specific terms and their definitions. Risk Appetite The IPPF glossary defines risk appetite as “the level of risk that the organization is willing to accept.” Some related terms defined by Anderson et al. in Internal Auditing follow: Tolerance. “The boundaries of acceptable outcomes related to achieving business objectives.” Inherent risk. “The combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk that exists assuming there are no internal controls in place.” Controllable risk. “The portion of inherent risk that management can reduce through day-to-day operations and management activities.” Residual risk. “The portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk).” Note that responses include application of internal controls or other risk management measures. Exhibit 1-34 presents a conceptual-level view of how the risk assessment4. According to The IIA Definition of Internal Auditing Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx The strategic focus of internal audit is clearly aligned with the expectations of key organizational stakeholders. The Definition of Internal Auditing focuses the image of internal auditing in six significant ways. It describes internal auditing as an independent, objective activity. Independence refers to a structure that allows for the audit activity’s freedom to determine audit or assurance scope, to perform the work judged necessary to achieve engagement objectives, and to communicate the results. Objectivity refers to the personal ability to be non-biased, which allows auditors to be responsive to their customers and to add value through their objective analyses and recommendations for improvement. The definition explicitly recognizes the consulting role of internal audit in providing advice to the organization, in addition to assurance activities. This conveys a proactive, customer-driven approach where internal audit plays a role in organizational governance, risk management, and control activities. By stating that internal auditing is designed to “add value and improve an organization’s operations,” the definition articulates the expectation that the internal audit activity will add value to the organization. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx By referring to the organization’s objectives, the definition focuses on the whole organization. This requires auditors to understand the strategic objectives of the organization and the goals and objectives that support it and to view problems and solutions from a broad perspective. The definition recognizes internal auditing’s legacy of delivering services with a tried-and-true, systematic, and disciplined approach that results from being a standards-based profession. The definition charges internal auditors with a broad and involved role to play in the organization’s governance and risk management processes. Underlying the terminology is the understanding that controls exist to help the organization manage risk and promote effective governance processes. Internal auditing differs from external auditing, which serves third parties who require reliable financial information based on reliable supporting records. Drawing further distinctions between internal and external auditors as well as other related review functions can help clarify what internal auditing is and what it is not. These distinctions are described below: External auditors/financial auditors. These auditors provide an attestation solely based on the financial reports and statements generated by an organization. The work of external and financial auditors is historical in nature and is critical to allowing investors and other third parties to make informed decisions (e.g., investing, approving debt issuance) about an organization based on its financial statements when taken as a whole. Compliance. Compliance reviews typically serve to determine whether or not an organization is adhering to a specified law, regulation, standard, policy, or procedure, and the results are reported as such. Regulators. These auditors work for regulating bodies that review compliance with specific regulations as well as the overall safety and soundness of the organizations being examined. These auditors perform compliance reviews of corporations or agencies that are regulated by the specified regulating body. Government auditors. Government auditors typically work for departments, ministries, or agencies of a government and provide assurance regarding program requirements, performance audits, budget reviews, and management audits. The Standards Exhibit 1-5: Standards The Standards are a set of principles-based, mandatory requirements consisting of: Statements of core requirements for the professional practice of internal auditing and the evaluation of performance effectiveness that are internationally applicable at organizational and individual levels. Interpretations that clarify terms or concepts within the Standards. The placement of the Standards within the IPPF is shown in Exhibit 1- 5. The Standards comprise two main categories: Attribute Standards address the attributes of organizations and individuals performing internal auditing. Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. Attribute and Performance Standards apply to all internal audit services. Implementation Standards expand upon existing Attribute and Performance Standards by providing the requirements specifically applicable to assurance (.A) or consulting (.C) services. These requirements are discussed as applicable throughout the text. Many of the Standards use the words “must” or “should.” These terms have specific meaning within the IPPF. The word “must” specifies an unconditional requirement; the word “should” is used where conformance is expected unless, when applying professional judgment, circumstances justify deviation. Purpose, Authority, and Responsibility According to The IIA Attribute Standard 1000, “Purpose, Authority, and Responsibility” The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval. Standard 1000 requires that the purpose, authority, and responsibility of the internal audit activity be clearly defined and approved by senior management and the board. Creating an understanding of the purpose, authority, and responsibility allows the internal audit activity to best support overall organizational goals and objectives and to strengthen internal controls and corporate governance. Exhibit 1-6 reviews the key elements characterizing internal audit activity purpose, authority, and responsibility. Exhibit 1-6: Purpose, Authority, and Responsibility Characteristics for Internal Audit Activity Purpose, Authority, and Responsibility Characteristics for Internal Audit Activity https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Purpose, Authority, and Responsibility Characteristics for Internal Audit Activity Purpose Provide risk-based and objective assurance, advice, and insight. Support organizational objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and controlprocess works to address inherent risk to objectives but still results in some level of residual risk. Exhibit 1-34: Conceptual View of Risk Assessment Process Source: Adapted from “Enterprise Risk Management: What’s New? What’s Next” seminar, The Institute of Internal Auditors. Here are additional considerations related to risk appetite: The purpose of setting a risk appetite is to limit risks to organizational objectives to an acceptable level. This is done by comparing the cost to the benefits of control. Because the future is uncertain, there is no way to completely eliminate risk. (Some amount of residual risk will remain.) Risk appetite helps the board and management prioritize potential strategies and resource allocations. Risk appetite can be defined at a high level and at increasing levels of detail. Risk appetite can differ between business units or products (with higher risk being acceptable for areas with higher potential for reward). Risk appetite can change based on changes in the external environment. Internal auditors can learn about the organization’s risk appetite by reviewing the organization’s risk management policies and discussing the organization’s risk management philosophy with the board, senior management, or risk management officers. The chief financial officer and external auditors can also help define financial reporting risk appetite. (Typically this is highly risk-averse.) Enterprise Risk Management (ERM) The IPPF glossary defines risk management as “a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.” COSO’s Enterprise Risk Management: Integrating with Strategy and Performance defines enterprise risk management (ERM) as: The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value. It does not refer to a function, group, or department within an entity. Every organization exists to deliver value to its stakeholders. Value is created when the benefits from resource investments exceed the cost of those resources. (The opposite would mean that value is being eroded.) Value is preserved when resources deployed in daily operations sustain the things creating the benefits, such as maintaining customer loyalty. ERM exists to help organizations understand the nature of the risks they are facing, determine the amount of risk they are willing and able to accept, and proactively respond to risks to: Create and preserve value (and realize it by delivering actual benefits to stakeholders). Achieve organizational objectives. Improve deployment of resources using a risk-based approach. Reduce volatility and improve stability (a key objective of shareholders and lenders). Key Point ERM is likely to be effective in creating value when the organization’s ERM capabilities are aligned with each other and are fully integrated into operations. Managers should not just manage their own risks within their own organizational “silos.” Integration is a sign of ERM maturity that helps prioritize tradeoffs and improves timeliness. The organization’s mission, vision, and values need to drive the strategy, business objectives, and performance objectives to result in value. Enterprise risk management: Validates that the strategy and objectives align with the mission, vision, and values. Projects the results and implications of the chosen strategy. Enumerates and evaluates the risks to the strategy and performance. Risk Governance and Other ERM Roles The organization’s governance functions (the board and senior management) are responsible for supporting and championing the use of ERM. This function also creates demand for relevant, reliable, and timely risk analysis and reporting. The board is responsible for ensuring that risks are managed and that there is an adequate ERM system in use. The board may establish a risk committee, or the audit committee may have this responsibility. In practice, the board will delegate the operation of the ERM framework to management. Senior management may, in turn, create specialized risk management roles and add ERM to the scope of duties of other roles, such as: Chief risk officer. Financial executives. Line managers and employees. (Risk management is everyone’s responsibility.) Internal auditors. Independent outside auditors. External stakeholders, including customers, creditors, financial analysts, suppliers, and outsourced service providers. Key Point Management owns ERM, not internal auditing, but the internal audit activity is important in monitoring and recommending improvements in the organization’s ERM practices. A key need and opportunity for adding value for the internal audit activity is to assess ERM practices and recommend improvements. Internal auditors also may provide other services such as: Educating the board and senior management on the importance or methods of ERM. Facilitating risk management training sessions. Promoting risk language and use of the organization’s framework in internal audit activity work. Risk Culture Effective risk management depends on the organization having a culture that is open to the discussion of positive and negative risks. For ERM to function properly, persons at all organizational levels need to be able to raise or escalate risk issues without fear of retaliation. This enables: The ERM process to be transparent. A high level of organizational risk awareness. A culture that is not ready for ERM can undermine the hard work of persons performing risk analysis and reporting even when policies and procedures are in place to ensure that ERM occurs. For example, if the results of a risk analysis are not discussed or incorporated into decisions, then the process will be ineffective. While culture shifts are difficult and time-consuming, some steps to start transforming a culture to better leverage ERM might include periodic forums for discussing risk or creating clear risk management roles and responsibilities in the organization. Consulting engagements may be the best way to work to improve risk culture. ERM Process Overview A generic ERM process consists of identifying and categorizing risks, evaluating their impact and likelihood and doing other forms of analysis and prioritization, selecting and implementing risk responses in a timely fashion (possibly including planning for specific scenarios), and communicating and reporting on risks and responses. ERM needs to be an ongoing process. New risks continually arise and their risk ratings change, so a best practice is to match risk assessment frequency to the velocity of risk profile changes. Methods to continually acquire new risk information include: Management call programs. Quarterly risk committee involvement. Specific risk topic discussions at each audit committee or board meeting. Automated tools to capture and understand risk indicators. Steps in the ERM process are discussed more next. Risk Identification and Categorization An organization identifies and categorizes the risks it encounters to ensure that important risks are captured. Risks in the same category could also potentially be addressed by creating a response that addresses several related risks. A common approach for risk identification and categorization is to have a brainstorming session to identify as many risks as possible and then place the identified risks into categories. A good place to start is to use a generic risk model, such as the one from Internal Auditing by Anderson et al., as shown in Exhibit 1-35. Exhibit 1-35: Generic Risk Model Strategic Risks Compliance Risks Reporting Risks External: Changes in laws and regulations Competition Change in markets Industry Technology Internal: Reputation Strategic Satisfiedcustomers Governance External: Contractual Regulatory Litigation Permits Internal: Ethics Policies Fraud and illegal acts External: Accounting and financial reporting Taxation Internal: Budgeting Performance measures Internal control and regulatory reporting Information Resources Access Availability Data integrity Infrastructure Privacy Operation Risks Process: Supply chain capacity Process execution Health and safety Business continuity Cycle time Catastrophic events Lack of product innovation People: Labor supply Leadership, key employees Incentives Empowerment Change readiness Communications Financial: Interest rates Foreign exchange rates Capacity Default Concentration Capital availability Cash management Commodity pricing Duration Source: Adapted from Anderson et al., © 2017. Internal Auditing: Assurance and Advisory Services, 4th Edition. Exhibit 1-36 summarizes some common risk identification approaches. Exhibit 1-36: Common Risk Identification Approaches Technique Description Example Event inventories Detailed listings of potential events common to companies within a particular industry, process, etc. Lists of typically encountered events in a custom software development project Internal analysis Detailed analysis of information; data from ongoing operations or other business units, customers, suppliers, or external sources New product launch analysis that examines internal data and events affecting the success of competitors’ products Escalation or threshold triggers Comparison of transactions/events against predefined criteria alerting management to areas of concern that may require assessment or fast response Review of the organization’s pricing structure when competitors’ prices reach a specific threshold Technique Description Example Facilitated workshops and interviews Facilitator-led events to draw on the knowledge and experience of management, staff, and stakeholders regarding achievement of objectives Focus group with accounting team led by a financial controller to identify events that have an impact on the organization’s external financial reporting Process flow analysis Combination of inputs, tasks, and responsibilities in a process; internal and external factors or events that could impact process objectives Medical lab making process maps for the receipt and testing of samples and then evaluating the process maps for risks Leading key indicators Qualitative or quantitative measures that help identify upcoming changes to risks Monitoring loan payment patterns to mitigate potential for default Loss event data methodologies Examination of past individual loss events to identify trends and root causes; assessment of whether to treat the root cause or address individual events Insurance company examining a historical database of accident claims to identify the root cause of the accidents Source: Adapted from Enterprise Risk Management—Integrated Framework and Enterprise Risk Management—Integrating with Strategy and Performance, © 2004 and 2017, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission. Analysis: Impact, Likelihood, and Heat Maps Management analyzes every identified risk by determining two risk factors (definitions are from Anderson et al., Internal Auditing): Impact. “The adverse effect of a risk outcome.” Likelihood. “The odds or probability of the risk occurring.” Examples of some common likelihood and impact factors are shown in Exhibit 1-37. Exhibit 1-37: Common Likelihood and Impact Factors Likelihood Factors Impact Factors Probability based on history or cycles Complexity of activities Change or stability (e.g., employee turnover or new laws) Control environment Control process effectiveness Materiality (e.g., dollar loss) Potential reputation or brand damage Importance of the related objective to the organization’s mission Velocity of occurrence, duration, and/or pervasiveness of the event Recovery costs Both impact and likelihood can be defined using subjective or objective methods. Organizations determine the scales they want to use and assign meanings to each category. A subjective scale is not quantifiable or measurable but is instead a set of general categories such as negligible, low, medium, high, and extreme. An objective scale may add a monetary value range to each level (for impact) or a percentage range (for likelihood). Key Point An important audit consideration is that risk analysis scales be used consistently across the enterprise and that people using the scales have a shared understanding of the meanings of each element. Next, a heat map is used to determine each risk’s overall rating or severity. A heat map, also called a risk assessment model, is a two- axis risk assessment chart or grid that places impact on one axis and likelihood on the other to create a combination assessment of a risk’s overall rating. A risk rating, also called severity, is a combination assessment of a risk’s impact and likelihood. Organizations define the categories and what risk ratings to put in each category. Exhibit 1-38 shows an example of a heat map from Anderson et al. in Internal Auditing. It includes examples of the monetary impact and percentage ranges that might be used. (Such ranges will vary based on the size of the organization or other factors.) Exhibit 1-38: Heat Map Source: Anderson et al., Internal Auditing: Assurance and Consulting Services, 4th edition. Each risk identified in the earlier parts of the process can be mapped to a specific location on the heat map. (Note how each cell created in the grid is assigned a number.) For example, if data privacy risks are considered high in impact and probable in likelihood, privacy risks would be placed in box 21 and be considered a critical risk. Risks in higher- numbered boxes get more analysis in general, but all get some form of response. The process of placing risks on the heat map is best performed in a team session to capture the consensus of the persons with the best understanding of the risks being discussed. For risk management at the enterprise-wide level, it is important to involve senior management (if available), operations management, and more experienced internal auditors. The next step in the analysis phase is to link each risk back to one or more specific business objectives. This shows what areas of the organization would be impacted. Risk categories, such those shown in Exhibit 1-35, will help with this exercise. For example, risks in the strategic risks category will likely trace back to strategic objectives. Performing this process could result in modifying a risk’s impact. It also helps ensure completeness, because it could reveal more risks that need to be mapped. Many organizations further refine the risk analysis process to account for other risk factors, such as urgency of response needed and so on. These additional considerations may result in modifying a risk’s overall rating or be a consideration when choosing a risk response. Risk Responses For each risk analyzed, the organization determines a response that will be cost-effective, meaning that the cost of the response is not greater than the cost of the impact if the event were to occur. Categories of risk responses include: Acceptance. No action is taken to decrease risk impact or likelihood. The organization is willing to accept the risk at the current level rather than spend resources on it (or no viable plan can be devised). Avoidance. A decision is made to exit or divest of the activities giving rise to the risk (e.g., exiting a product line or country of operations). Pursuit. Exploit the risk if taking such a risk is advantageous to the organization or is necessary to achieve a particular business objective (e.g., entering a new product line or region). Reduction. Action is taken to reduce or mitigate the risk impact, likelihood, orboth. Implementing controls is an example. Sharing. The risk impact or likelihood is reduced by transferring or sharing a portion of the risk with a third party. Insurance, outsourcing, and partnering are examples. Risk Scenario Planning Certain extreme events, such as disruptive competitive innovations, cybersecurity threats, or commodity cost volatility, may require developing more detailed risk response plans, perhaps as part of an overall business continuity plan. Making plans for such events helps keep ERM processes proactive and helps avoid a potential ERM deficiency in which the process primarily just maps past business events into the future. Risk Communication and Reporting Risk communication and reporting need to leverage the organization’s IT so that risk data can be efficiently collected and risk analysis information can be presented in a timely fashion in an easily digestible format. To avoid information overload, present the right level of information at the right level of detail for the audience’s decision- making needs. Communications regarding risk management include providing the rationale for using ERM along with the guidelines for applying it appropriately. This includes communicating risk appetite levels and other management expectations. Specific communications and reports about risk also need to occur with the board and at every level of management. Risk Management Standards 2120 and 2120.A1 According to The IIA Performance Standard 2120, “Risk Management” The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. According to The IIA Implementation Standard 2120.A1 (Assurance Engagements) The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the: Achievement of the organization’s strategic objectives. Reliability and integrity of financial and operational information. Effectiveness and efficiency of operations and programs. Safeguarding of assets. Compliance with laws, regulations, policies, procedures, and contracts. Let’s break down the first part of Standard 2120’s interpretation (shown in italics) and implementation guidance or other IIA guidance (the sub-bullets). The interpretation starts with the following preamble: Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that: https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx Organizational objectives support and align with the organization’s mission. Review strategic and business plans, discuss with the board and senior management, and interview mid-level management to gain insight on alignment and risk appetite at the business unit level. Significant risks are identified and assessed. Important risk categories include strategic, compliance, reporting (including financial reporting), IT resources (including cybersecurity), and operational (including processes, people, and financial) risks. The internal audit activity should alert management to new or inadequately addressed risks. The internal audit activity may consider using an established ERM framework. Appropriate risk responses are selected that align risks with the organization’s risk appetite. The CAE discusses risk appetite, risk tolerance, and risk culture with senior management and the board and reviews related policies and meeting minutes. The internal audit activity provides recommendations and action plans for improving risk responses. The internal audit activity may independently perform gap analyses to look for significant risks not being identified or addressed. Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities. The internal audit activity should have a process in place to plan, audit, and report on ERM. Interview staff at various levels to determine if the organization’s objectives, significant risks, and risk appetite are sufficiently articulated and understood. The internal audit activity may review board minutes to determine whether the most significant risks are communicated in a timely fashion and the board is acting to ensure that management is responding appropriately. If the CAE concludes that management is taking on unacceptable levels of risk, the CAE must discuss the matter with senior management and may discuss it with the board, per Standard 2600, “Communicating the Acceptance of Risks.” https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx Key Point It is important for internal auditors to identify whether risk information is used in decision making and whether risk responses are appropriate to the organization’s risk appetite and ERM strategy. Let’s break down the remainder of Standard 2120’s interpretation and implementation guidance or other IIA guidance. The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness. Internal auditors should attain an understanding of the organization’s current ERM environment and responses to prior risks. Internal auditors consider the organization’s size, complexity, life cycle, maturity, stakeholder structure, and changes in laws, competitors, etc. Internal auditors review ERM maturity to determine how much to rely on the organization’s ERM assessments. An organization may believe it has higher maturity than it has in actual practice. Highly regulated industries tend to have higher levels of ERM maturity. The internal audit activity typically also does its own risk assessments. Risk management processes are monitored through ongoing management activities, separate evaluations, or both. It is important to know how the organization does ERM and oversees it before starting to implement Standard 2120. Demonstrating conformance to this standard can use the internal audit charter, internal audit plans, and related ERM meeting minutes. The internal audit activity will evaluate the responsibilities of the board and those in key ERM roles by reviewing completed risk assessments and reports. The internal audit activity may evaluate the adequacy and timeliness of remedial actions by reviewing control designs and testing the controls and monitoring procedures. In addition to assessing the organization’s ERM, the internal audit activity should also take the necessary steps to ensure that it is managing and correcting deficiencies related to its own risks, such as audit failure, false assurance, and reputation risks. Risk-Based Audit Planning According to The IIA Performance Standard 2010, “Planning” The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals. Internal auditors cannot evaluate every possible risk facing an organization. The multiple sources of potential engagements coupled with the related scope of work require the efficient use of limited internal audit resources. A risk assessment framework for audit planning provides a systematic way for the CAE and the internal audit activity to assess internal and external risk factors and develop an annual audit plan. Interpretation helps us understand how to develop the risk-based audit planning framework: The CAE is responsible for developing a risk-based plan. The CAE takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activitiesor parts of the organization. If a framework does not exist, the CAE uses his/her own judgment of risks after consideration of input from senior management and https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx the board. The CAE must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. Frameworks for assessing and developing risk-based audit plans will vary between organizations. An organization’s size, formality, management team dynamics, industry, regulatory requirements, and other demographics are some of the potential influencing factors. Most risk-based frameworks for internal audit planning include the steps listed in Exhibit 1-39. Exhibit 1-39: Risk-Based Assessment Framework for Internal Auditing Step Description Determine the audit universe. Identifies all organizational sources of potential engagements and all potential auditable units. Also identifies specific activities (auditable activities) in a functional area at risk. Auditable units may vary depending on the industry or nature of the organization; for example, locations, processes, products, or divisions may be considered. Example: A list of all organizational units/processes (can be hundreds of items). Step Description Examine organizational risk factors. Develops and applies standard risk assessment methodology for qualitative and quantitative measurement(s) of risk within and across all auditable units. Assesses internal and external organizational risks based on their impact on organizational objectives more than on the extent of change in specific functions. Considers potential engagement sources. Involves discussing the audit universe with organizational senior managers to identify levels of risk, planned new activities, and/or process changes. Incorporates ERM results (if the organization has an ERM process). Considers other internal and external assurance activities. Example: Consideration of size of revenue or assets, visibility of areas, liquidity or cash flow, results of other reviews, and reported problems. Step Description Prioritize audits. Evaluates proposed engagements. Establishes criteria and ranks the risks based on their significance to organizational objectives and risk appetite. Considers if the internal audit staff is sufficient to cover all the primary risks and whether some can be delayed and/or handled by other assurance providers. Leads to the annual audit plan. Example Identification of the most important areas to audit during the upcoming year based on high-level risk evaluations, planned process changes, and requests from management coupled with the internal audit resources available. According to The IIA Implementation Standard 2010.A1 (Assurance Engagements) The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process. Internal audit activities can leverage their organization’s ERM framework—if one exists—and apply it to the selection of audit engagements, engagement criteria, and audit tools. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx Once a risk-based annual audit plan exists, the next step is to perform individual engagement planning, which also includes a risk assessment component. Topic 4: Risk Management Frameworks Organizations may choose to implement enterprise risk management in different ways. Best practice has shown that using a framework can improve the efficiency and effectiveness of ERM. By formally organizing risk management responsibilities and activities in a framework, an organization is better positioned to achieve its strategic objectives. Use of a framework helps to ensure that risk management activities are focused on ERM (rather than on risk management at the functional level) and that risk is being proactively managed (not just reduced). There are numerous ERM models. They generally vary in their focus and complexity. Some are highly specialized frameworks applicable to specific situations (e.g., IT security, insurance). Here we will look at two major frameworks: COSO’s ERM framework and ISO 31000. A discussion of internal audit activity assurance over ERM follows discussion of these frameworks. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Practice Guide, “Assessing the Risk Management Process” Practice Guide, “Assessing the Adequacy of Risk Management using ISO 31000” COSO’s ERM Framework The COSO (The Committee of Sponsoring Organizations of the Treadway Commission) ERM framework is called Enterprise Risk Management—Integrating with Strategy and Performance. The purpose of this framework is to help organizations accelerate growth and enhance performance by integrating ERM at every organizational level and applying the principles of the framework to everything from strategic decision making to performance management. The COSO ERM framework addresses the evolution of ERM as integral to development and achievement of strategy through effective organizational performance and value creation. Supporting an organization’s mission, vision, and core values is a key differentiator. The model describes the connection between strategy, business objectives, performance (what the organization strives to achieve), and ERM components (what is needed to achieve the objectives). https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Assessing-the-Risk-Management-Process-Practice-Guide.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Assessing-the-Adequacy-of-Risk-Management-Practice-Guide.aspx This framework introduces key ERM concepts and a common ERM language and provides principles-based guidance. It addresses the need for organizations to improve their approach to managing risk to meet the growing demands in business. The COSO ERM framework is applicable to all industries and all types of risk. It has gained broad acceptance by many organizations globally. Components of COSO ERM Framework The COSO ERM framework consists of five interrelated components, shown in Exhibit 1-40. Exhibit 1-40: Components of COSO ERM Framework Component Description Governance and culture Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity. Strategy and objective setting ERM, strategy, and objective setting work together in strategic planning. A risk appetite is established and aligned with strategy; business objectives implement strategy while forming a basis for identifying, assessing, and responding to risk. Component Description Performance Risks to achievement of strategy and objectives are identified and assessed. Risks are prioritized by severity (impact and likelihood) in the context of risk appetite. The organization selects risk responses and takes a portfolio view of the amount of risk it has assumed and reports key risks to stakeholders. Review and revision By reviewing entity performance, an organization can consider ERM component effectiveness as the organization changes and what revisions are needed. Information, communication, and reporting ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization. Source: Enterprise Risk Management—Integrating with Strategy and Performance, © 2017, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission. Strategy and objective setting, performance, and reviewand revision represent common processes that flow through an organization. The other components—governance and culture and information, communication, and reporting—are supporting aspects of ERM. Principles of COSO ERM Framework These five components are supported by a set of 20 principles—the things the organization would do as part of the ERM process. The principles, listed in Exhibit 1-41, provide senior management and the board with a reasonable expectation that the organization understands and strives to manage the risks associated with its strategy and business objectives. Exhibit 1-41: Principles of COSO ERM Framework Component Principles Governance and culture 1. Exercises board risk oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives. 2. Establishes operating structures—The organization establishes operating structures in the pursuit of strategy and business objectives. 3. Defines desired culture—The organization defines the desired behaviors that characterize its desired culture. 4. Demonstrates commitment to core values— The organization demonstrates a commitment to its core values. 5. Attracts, develops, and retains capable individuals—The organization is committed to building human capital in alignment with the strategy and business objectives. Component Principles Strategy and objective setting 6. Analyzes business context—The organization considers potential effects of business context on risk profile. 7. Defines risk appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value. 8. Evaluates alternative strategies—The organization evaluates alternative strategies and potential impact on risk profile. 9. Formulates business objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy. Performance 10. Identifies risk—The organization identifies risk that impacts the performance of strategy and business objectives. 11. Assesses severity of risk—The organization assesses the severity of risk. 12. Prioritizes risks—The organization prioritizes risks as a basis for selecting risk responses. 13. Implements risk responses—The organization identifies and selects risk responses. 14. Develops portfolio view—The organization develops and evaluates a portfolio view of risk. Component Principles Review and revision 15. Assesses substantial change—The organization identifies and assesses changes that may substantially affect strategy and business objectives. 16. Reviews risk and performance—The organization reviews entity performance and considers risk. 17. Pursues improvement in enterprise risk management—The organization pursues improvement of enterprise risk management. Information, communication, and reporting 18. Leverages information and technology—The organization leverages the entity’s information and technology systems to support enterprise risk management. 19. Communicates risk information—The organization uses communication channels to support enterprise risk management. 20. Reports on risk, culture, and performance— The organization reports on risk, culture, and performance at multiple levels and across the entity. Source: Enterprise Risk Management—Integrating with Strategy and Performance, © 2017, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission. The components and principles of the framework do not represent isolated, stand-alone concepts. COSO states that enterprise risk management is not static. It is integrated into the development of strategy, the formulation of business objectives, and the implementation of those objectives through day-to-day decision making. More information on COSO’s Enterprise Risk Management— Integrating with Strategy and Performance can be found on the COSO website, at www.coso.org. ISO 31000 Framework ISO 31000:2018, “Risk management—Guidelines,” is a simple and concise international standard and framework for the systematic development of enterprise risk management. It can be used successfully by any size or type of organization because the organization can adapt the framework to the proper scope and environmental context. The purpose of ISO 31000 is to help organizations manage uncertainty. It provides a guide for managing risk based on key principles, a framework, and a process. ISO 31000 Principles ISO 31000 is a principles-based standard intended to generate transparency and credibility within the risk management function. The principles describe characteristics of effective and efficient risk management and should be used as a foundation for establishing an organization’s ERM processes. Assessments of the organization’s overall risk management process can use these key principles as an audit approach to ensure that the process is complete and effective. This is just one of several audit approaches that will be addressed in this topic. An audit based on ERM principles would assess the extent to which each principle is true for the risk management process. Exhibit 1-42 provides an overview of the ISO 31000 principles (these are paraphrased) along with examples of how they can be used as audit tests. Exhibit 1-42: ISO 31000 Principles and Related Audit Tests Principle Audit Test (Extent to which the following are true) Integrated Risk management is an integral part of all activities in an organization. Risk management is not an add- on task. Structured and comprehensive Risk management should follow a structured and comprehensive approach to provide consistent results. The organization has its own framework or uses a standard framework. Principle Audit Test (Extent to which the following are true) Customized Risk management is customized to the organization’s operating environment, culture, and objectives. Rather than being an out-of-the- box process, the process matches the organization’s operations. Inclusive Risk management is inclusive of all stakeholders, providing improved communications and risk management awareness. There should be appropriate and timely involvement of stakeholders. Dynamic Risk management uses an iterative cycle to generate continual improvement, organizational learning, and quick response to changing environments and emerging risks. The process is regularly reviewed for organizational and environmental relevance. Risk management matures along with other organizational processes. Principle Audit Test (Extent to which the following are true) Best information available Risk management makes use of the best historical, current, and future-oriented information available. Relevant stakeholders need timely and clear information. Obtaining information can be expensive, and so the process has guidance on what constitutes sufficient information. The process documents areas of uncertainty and how best to address uncertainty. Information is timely if it is available when decisions need to be made. Behavioral and cultural factors Risk management is influenced by organizational culture and staff behavior. The process is appropriate to the competence and culture of those who use it. Continuous improvement Learning and experience are used to continually improve risk management. ERM has a deliberate process for gathering, considering, and incorporating feedback related to the efficiency and effectiveness of the program. ISO 31000 Framework Components The ISO 31000 framework components assist in integrating risk management into all organizational activities and functions. These components, which should work together and be customized as needed to achieve the organization’s own objectives, include: Leadership and commitment. Oversight by top management ensures that a risk management approach is integrated into all activities,promoting the value to the organization and stakeholders. Integration. Risk management should be a key aspect of governance. It should be aligned to the organizational purpose, strategy, objectives, and operations. Design. The framework should be designed to fit the context of the organization and demonstrate the commitment to risk management. Implementation. Success requires stakeholder engagement and awareness. The framework ensures that a risk management process is included in all activities. Evaluation. To evaluate the effectiveness of the framework, auditors should measure performance against indicators and expected behaviors. Improvement. Organizations should continually monitor and adapt the framework to address identified gaps and incorporate enhancements. ISO 31000 Cycles At a high level, the ISO 31000 framework is a cyclical process that begins with top executives expressing a strong commitment to risk management and mandating its adoption based upon the principles described above. The framework is then designed and customized. Once implemented, it is monitored and reviewed to enable continual improvement. The implementation phase has its own cycle, as shown in Exhibit 1- 43. Exhibit 1-43: ISO 31000 Implementation Phase Process Framework Assurance Based on ISO 31000 Process Elements Assurance of management’s overall risk management process can use the process elements of ISO 31000 as an audit approach. For each of the following elements, it is essential to substantiate with sufficient audit evidence that management’s expressions of intent are being satisfied in practice. Communication and consultation. Structured and ongoing communication and consultation occur with parties affected by operations. Establish context. The external environment (political, social, etc.) and internal environment (strategies, structures, ethics, etc.) are understood as a prerequisite of identifying the full range of risks. Risk identification. Identifying risks uses a formal, structured process that considers risk sources, impact areas, potential events, causes, and consequences. Risk analysis. A formal technique is used to consider each risk’s impact and likelihood. Risk evaluation. A method is used to rank the relative importance of each risk so that a treatment priority can be established. Determine risk treatment. Rational decisions are made about risk treatment (acceptance, avoidance, pursuit, reduction, and sharing). Monitoring and review. Progress of treatment plans, existence and effectiveness of controls, avoidance of proscribed activities, and environment changes are monitored and reviewed. Record and report. Reports are made in the appropriate frequency and level of detail to the appropriate parties. How the ISO 31000 and COSO ERM Frameworks Compare The ISO 31000 and COSO ERM frameworks are very similar. Both approaches: Help organizations achieve their business objectives through the effective management of internal and external risks. Recognize the importance of embedding a risk management mentality in the culture of the organization. Recognize the importance of the “tone at the top” in risk management. Are deliberately broad in focus yet allow for more detail-level integration. Recognize that risk management is a complex iterative process requiring multidisciplinary skills to implement and manage properly. While the risk management processes are parallel in nature, there are some differences. One difference is in terminology. ISO 31000 uses “risk treatment,” whereas COSO employs “risk response.” Another difference is that the components of COSO ERM and ISO 31000 do not align precisely, as is shown in Exhibit 1-44. Exhibit 1-44: Differences Between COSO ERM and ISO 31000 Components COSO ERM Components ISO 31000 Components Governance and culture Leadership and commitment (Process: communication and consultation) Strategy and objective setting Integration Design (Process: scope, context, criteria) Performance Identifies risk Assesses severity of risk Prioritizes risks Implements risk responses Develops portfolio view Implementation (Process: risk identification) (Process: risk assessment) (Process: risk analysis) (Process: risk treatment) Review and revision Evaluation Improvement (Process: monitoring and review) Information, communication, and reporting (Process: communication and consultation) (Process: recording and reporting) Assessments of ERM Internal audit activity assessments of the organization’s ERM typically occur either when the organization has no real ERM process or if the CAE determines that management’s assessment of its ERM effectiveness is not reliable. Otherwise, the internal audit activity can typically rely on the organization’s own ERM assessment. ERM assessments can provide: Assurance on the risk management process itself (addressed here). Assurance on significant risks and management assertions of control as part of a risk-based audit (addressed elsewhere). Follow-up on risk treatment plan status or planned control remediations (addressed here). Assessments of the risk management process itself are a good way for the internal audit activity to help the organization adopt or improve its risk management systems. Note that if there is resistance to the idea of performing risk assessments at all (e.g., it is considered a non-beneficial or time-consuming bureaucratic exercise), the internal audit activity is likely facing a risk culture issue. ERM assessments start with a gap analysis that evaluates current capabilities, processes, and systems. If any essential elements are missing, the organization’s efforts to manage significant risks will be ineffective. Here are some considerations: In addition to the nature and significance of risks, consider the competence and experience of persons performing ERM. Avoid duplication of effort with compliance functions and risk management specialists. An assurance map (see Practice Advisory 2050-2) can help ensure coordination. Key objectives of internal audit activity assessments of the organization’s ERM may include the following: Management has a vision for the risk management process. Business strategy risks are identified and prioritized. Management and the board have determined the general level of risks and the risks required for the chosen strategy to be tolerable. Management’s ongoing monitoring includes periodic reassessments of risks and the effectiveness of controls. Risk management roles periodically report on ERM results to the board (or risk committee/audit committee) and senior management. Management assesses the risk profile of strategies or opportunities that use innovation. Assessment approaches can include: Assessments based on ongoing monitoring. Assessments based on a maturity model. Resource-based assessment approaches (top-down, bottom-up, or combination). Assessments that rely on ISO 31000 principles and/or process elements. Adoption of more than one approach can yield the most informative and useful results. The approach(es) selected should be tailored to the organization’s needs. Key Point Regardless of the assessment approach(es) selected, always include normal control-based assurance that determines whether: Risks are being effectively identified and appropriately analyzed. There is adequate and appropriate risk treatment and control. There is effective monitoring and review by management to detect changes in risks and controls. Assessments and follow-up also include process and documentation reviews, analytical techniques, recommendations, and follow-up on risk treatment plan status. Assessments based on ongoing monitoring and on a maturity model and resource-based assessment approaches are discussed more next. Assessments Based on Ongoing Monitoring A good example of assessing ERM using ongoing monitoring is for internal auditors to be present in risk managementmeetings at the levels being assessed. Observations such as these can help determine if there are gaps between the design and implementation of ERM. A combination of ongoing monitoring and separate evaluations is a best practice. Note that the more effective the ongoing monitoring, the less need there may be for separate evaluations. Because ongoing evaluations are done in real time, they can be adapted to dynamically changing conditions. Assessments Based on a Maturity Model Risk culture and risk management maturity level play a role in the organization’s risk attitude, which the ISO defines as an “organization’s approach to assess and eventually pursue, retain, or turn away from risk.” Exhibit 1-45 shows an example of a risk management maturity model. Internal auditors can assess the organization’s actual position as part of assessing the organization’s ERM process, but note that it may not be necessary or practical for an organization to aspire to the highest level. A level of 2 or 3 may be acceptable. Conversely, an organization may need a push to a higher level if the culture is ready. Exhibit 1-45: Risk Management Maturity Model Stage Culture Governance Process Stage Culture Governance Process 1: Initial Risk belongs to the internal audit activity. CAE/audit committee chair Risk-based auditing 2: Repeatable Risk is considered on an as-needed basis. Business managers As-needed risk and control self- assessment process 3: Defined Internal audit and control functions share risk information. All levels of management and board Common risk language and risk assessment process used by internal audit and control functions 4: Managed Risk is integrated into strategic planning; risk appetite is communicated. Executives and board Common risk language and consistent risk assessment processes in all of organization 5: Optimized Risk is integrated into all decision making, compensation, and goals. Total participation Common risk language and aggregated risk reporting through the organization Source: The IIA’s “Assessing the Risk Management Process” Practice Guide. The organization’s desired level of ERM maturity can help set the scope of ERM assessments and serve as evaluation criteria. Depending on maturity, scope/criteria may include: The organization has a process to manage the risk of noncompliance with external laws and regulations (this is the minimum scope) and with internal policies and procedures. The internal audit activity does not have management responsibility for ERM. There is a common risk language, and consistent risk assessment processes are used. An ERM framework is used and adapted to the organization and business environment. Leading risk management practices (e.g., industry and professional guidance) are used. Resource-Based Assessment Approaches Because assessing an entire risk management process is a labor- and time-intensive exercise, the CAE should develop an approach that considers the available resources while fulfilling audit objectives. Three examples include a top-down, bottom-up, or combination approach. Exhibit 1-46 compares these approaches. Exhibit 1-46: Types of ERM Audit Assessment Approaches Top-Down Approach Effective methods Interviews Document reviews Participants Board members (e.g., audit and/or risk committee chairs) Senior management Group/division management Limitations Low level of detail. Assessment may take a governance focus due to the participants involved. Board and senior management views may not represent remainder of organization, especially regarding culture. Bottom-Up Approach Effective methods Interviews Surveys Document reviews Walkthroughs Participants Line managers Supervisors Limitations Surveys may be confusing without a risk process/language background. Feedback may be inconsistently distributed across participants. Participants may not make time (indicative of low priority given to ERM). Combination Approach Effective methods Interviews with higher-level personnel Surveys with lower-level personnel Document reviews Participants Board members (e.g., audit and/or risk committee chairs) Senior management Group/division management Line managers Limitations While this approach can be more comprehensive, it could be more expensive/time-consuming, and any of the prior limitations may still apply. A top-down assessment is good for strategic-level identification and evaluation of exposures. These assessments can serve as a catalyst to get the organization moving toward its desired ERM maturity level. Internal auditors performing such assessments should understand the business and its strategy as well as external environment and stakeholder risk priority changes. Interviews (or brainstorming sessions) can get board members or senior management engaged by leading off with targeted questions, such as: What risks can impact strategy realization and could risk management enhance performance relative to these risks? What would we hate to see reported in the media? What unique risks exist in our industry? Bottom-up assessments are more likely to be limited-scope engagements because it can be difficult to assess ERM at the detail level. The scope can instead be defined based on specific objectives such as for specific locations or strategic objectives. Here are some examples of questions internal auditors could ask of line managers or other participants: Do you seek information from field personnel to get early warning of emerging risks? Are risk management resources sufficient? Are risk management roles for you and your subordinates defined clearly enough? Combination approaches can be used when the benefits of both methods are desired and there is budget available for its greater administrative cost. Here are a few examples of questions that one could ask of participants to determine how the top and bottom interact: How are differences of opinion on a risk or its priority shared between senior and line management and how are they settled? Do you feel pressured to go along with the group opinion (groupthink)? Are there discussions of how a risk could impact other business units, how one risk may naturally offset another risk, or how addressing one risk may create new risks? ERM Process and Documentation Reviews In addition to gathering information from persons involved in ERM, internal auditors can review ERM processes and related documentation. Internal auditors seek evidence that there is structured analysis and documentation of risks, including the following: An overall strategy for managing risk information from multiple sources is in place. Guidelines for the creation, modification, deletion, and sharing of risk information exist. A risk register exists and is used. A risk register is a spreadsheet or document that links risks to organizational objectives, provides an assessment of each risk, including its impact and probability, identifies the risk owner, and identifies the response or key control to address the risk. A risk communications process exists that has the necessary infrastructure for communicating risk information throughout the organization. A risk reporting process provides quarterly communications with management and the audit committee, has reports that clearly link the risk universe back to shareholder value, and is focused on transparency and education. Decision making and performance measurement processes integrate risk information. To gather evidence, the internal audit activity may review these and other sources: Prior risk assessments, control-self assessments, or external assurance reports Risk management process flows Risk appetite and strategy documents Board minutes Business cases for capital projects Management discussion and analysis (MD&A) in financial statements Results of risk monitoring activities Once the various documents are gathered, internal auditors assessthe quality of the documentation against the criteria they have determined for the engagement. This can include assessing: The extent and formality of the documentation. (Note that less formality does not necessarily mean less effectiveness.) Whether the documents such as risk registers make monitoring risks more efficient. Whether technology is leveraged where appropriate to make the process cost-effective. Note that if the purpose of the assessment is to make a formal statement to external parties, be sure to retain the documentation. Analytical Techniques Risk management analytical techniques can include performing root cause analysis of detected faults or statistical analysis of incident trends. Recommendations Recommendations resulting from ERM assessments should be appropriate to management’s current and desired ERM maturity levels. Follow-up of Risk Treatment Plan Status The internal audit activity also needs to follow up on the status of risk treatment plans and related control remediation plans. Follow-up activities include ensuring that monitoring provides management with an assessment of progress against milestones and validating that plan status reports to the board are accurate and timely. Topic 5: Process and Function Risk Management Effectiveness This topic follows the recommended engagement planning steps as presented in Standard 2200 and in the “Assessing the Risk Management Process” Practice Guide to provide a systematic process for examining the effectiveness of risk management within https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx processes and functions as part of a risk-based audit plan during an engagement. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Practice Guide, “Assessing the Risk Management Process” Assessing ERM on an Engagement A best practice when conducting an individual engagement that includes a risk assessment component is to follow the engagement planning steps as presented in Standard 2200 and further detailed in The IIA’s Practice Guide “Engagement Planning: Establishing Objectives and Scope.” Each of these steps is adapted for use in a risk management assessment context in The IIA’s Practice Guide “Assessing the Risk Management Process.” Here we provide a brief overview of the process in that Practice Guide. Understand the Context and Purpose of the Engagement Internal auditors develop an understanding of the organization’s overall risk management maturity level in the context of the organization’s size, industry, and regulatory environment. In particular, there must be an assessment as to whether management has https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Assessing-the-Risk-Management-Process-Practice-Guide.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Engagement-Planning-Establishing-Objectives-and-Scope-Practice-Guide.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Assessing-the-Risk-Management-Process-Practice-Guide.aspx articulated objectives for risk management. Given this understanding, the internal audit engagement requires: Identifying the principles at work in the organization’s risk management process. Evaluating whether those principles are appropriate and effective. In planning the assessment, internal auditors should review Implementation Guidance for Standard 2120, “Risk Management,” and consider elements including: Mission, vision, strategy, and objectives. Risk management frameworks used and methods of risk management and oversight. Robustness of risk management roles, responsibilities, and activities. Historically experienced risks, current risks, and changes that may introduce new risks. Stakeholder expectations for the internal audit activity to provide assurance in the area being audited that the risk management process is effective. Preparations can include reviewing prior assessments, understanding and mapping risk management process flows (flowcharts), and interviewing relevant stakeholders. https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx Gather Information to Understand the Risk Management Process Given an understanding of the areas relevant to the engagement, internal auditors should gather information to support a preliminary risk assessment. The manager of every business area should have at least some risk information, because every area should be managing risk. Internal auditors may need to look in less obvious areas for this information. For example, business cases for projects or initiatives contain risk assessments that could be reviewed. Conduct a Preliminary Risk Assessment According to The IIA Implementation Standard 2210.A1 (Assurance Engagements) internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. An effective way to perform and document an engagement-level risk assessment is to create a heat map (risk assessment model) of significant risk exposures including errors, fraud, and noncompliance. Establish Engagement Objectives https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx According to The IIA Performance Standard 2210, “Engagement Objectives” Objectives must be established for each engagement. An example of an overall objective could be to provide management with insight into their ERM maturity. Standard 2210.A2 adds that assurance engagement objectives must consider the probability (i.e., likelihood) of significant exposures including, errors, fraud, and noncompliance. For an assurance engagement, according to Standard 2210.A3, adequate criteria are needed to evaluate risk management, and if internal auditors find that senior management and the board have already established adequate criteria (i.e., a risk management framework is in place), then that criteria must be used for the evaluation. If none exist, internal auditors should work with management and/or the board to develop internal and external criteria and leading practices. Note that for less mature organizations, consulting engagements may be more appropriate. Establish Engagement Scope https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx According to The IIA Performance Standard 2220, “Engagement Scope” The established scope must be sufficient to achieve the objectives of the engagement. At a minimum, the scope of any assessment regarding risk management should confirm whether any identified risk-related processes are followed and comply with external criteria. The engagement scope may include evaluating: The effectiveness of governance structures supporting the audit area’s risk management policies, procedures, and activities. The sufficiency and operating effectiveness of the audit area’s risk management policies, procedures, and activities, including alignment with the organization’s risk appetite, stakeholder expectations, and industry standards. The adequacy of dedicated risk management resources in the audit area. Clearly defined risk management and assurance roles. Explicit consideration of risk in strategy setting, clear expectations related to risk treatment, and processes for classification, escalation, tracking, and reporting. Existence of risk registers, rating criteria, and other tools. Allocate Resources https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx According to The IIA Performance Standard 2230, “Engagement Resource Allocation” Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the natureand complexity of each engagement, time constraints, and available resources. The CAE or internal auditors assigned to the engagement determine whether the quantity of resources and mix of competencies available are sufficient to perform the engagement with due professional care. Another consideration when allocating resources is the impact that the culture and control environment will have on the engagement’s requirements. A top-down, bottom-up, or combined approach may be considered, but a bottom-up approach may be most appropriate for auditing processes and functions. Document the Work Program Documents gathered may include process maps for the process or function, the area’s risk register, and summaries of interviews and surveys. It is important to document the rationale used for decisions regarding the assessment of the organization’s risk management maturity level and any criteria used to assess the risk management process. https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx Topic 6: Internal Audit Role in the Organization’s ERM This topic addresses what internal audit activities are and are not acceptable in regard to the organization’s ERM process. The topic focuses on potential consulting roles. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Practice Guide, “Interaction with the Board” Position Paper, “The Role of Internal Auditing in Enterprise- Wide Risk Management” Practice Guide, “Internal Audit and the Second Line of Defense” Internal Audit’s Role in the Organization’s ERM Exhibit 1-47 presents a range of ERM activities, differentiating between roles the internal audit activity should and, equally important, should not undertake. Roles in the far left area are core internal audit roles the activity should undertake. These are all assurance activities. The area in the center includes consulting and other non-assurance activities that are still legitimate internal audit activity roles but require https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Interaction-With-the-Board-Practice-Guide.aspx https://global.theiia.org/about/about-internal-auditing/Pages/Position-Papers.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Internal-Audit-and-the-Second-Line-of-Defense-Practice-Guide.aspx some safeguards, and activities in the far right are roles the activity should not undertake. Exhibit 1-47: Internal Audit’s Role in ERM The key factors to take into account regarding the role of internal audit are whether the particular activity raises any threats to internal audit’s independence and objectivity and whether it is likely to improve the organization’s governance, risk management, and control processes. Key Point Carefully review the “roles internal audit should not undertake” in the graphic above. These are all things for which the board, senior management, or other management levels should be responsible and accountable. Because assurance activities are addressed elsewhere, this topic focuses primarily on the center of the graphic, as this represents an area that requires judgment. These consulting or non-project, value- added internal audit activities are discussed more next. Consulting or Non-Project Internal Audit Activities for ERM According to The IIA Implementation Standard 2120.C1 (Consulting Engagements) During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks. According to The IIA Implementation Standard 2120.C2 (Consulting Engagements) Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx According to The IIA Implementation Standard 2120.C3 (Consulting Engagements) When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks. The internal audit activity’s knowledge of and reputation in risk management frequently results in organizations seeking out the activity’s involvement as the organization embeds risk management into its culture and practices. In some cases, internal audit may be asked to take the lead on enterprise risk management or some portion of it, even though this type of activity will be in violation of Standard 2120.C3 if internal auditors assume any management responsibility. Also, internal audit cannot give objective assurance on any part of the risk management framework for which it is responsible. Key Point Whenever the internal audit activity consults with management to set up or improve risk management processes, its plan of work should include a clear strategy and time line for migrating the responsibility for these activities to members of management. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx If there is no ERM function, the internal audit activity advises on how to set one up and consults on the best ERM methodology for the organization. The activity’s ERM role should be discussed with senior management and the board and codified in the internal audit charter. Here are some potential ERM consulting areas. (Note how all of them are carefully worded to avoid taking on any actual management responsibility.) Assess articulation of strategies and business objectives. Champion ERM and introduce its concepts, frameworks, and risk language by providing workshops or coaching that highlights ways ERM could add value. Use specific examples that leverage the internal audit activity’s overall knowledge of the organization. Provide insight on the nature and effectiveness of the control environment. Facilitate risk appetite setting. Brainstorm risk events. Provide management with internal audit tools and techniques for analyzing risks and controls. Facilitate assessment and risk priority setting. Advise on additional risk criteria. Advise on choice of risk response/treatment. Assist management with monitoring external and internal environments, such as by providing a central point for coordinating, monitoring, and reporting on risks. Provide audit results that highlight risk management methodologies to show their effectiveness. Some internal audit activities may consider some ongoing or informal activities to be non-project work and therefore not consulting work. Others will consider this a form of consulting. Regardless of how such activities are categorized, they need to comply with the Standards, including refraining from taking on management responsibility. An example of non-project, value-added work could include providing the board (especially new board members) with white papers on industry risks or accounting rule changes. As an organization’s ERM processes mature, consulting tends to become less of a focus and assurance takes on priority. More mature organizations not only are already doing many of the right things in regard to ERM but may have specialist roles such as a risk manager. An assurance focus then provides the independent and objective view that the first line (management) and second line (compliance) cannot provide. Consulting Safeguards Safeguards for consulting on ERM include: Making it clear to management that they are responsible for risk management, including by documenting the nature of internal audit responsibilities in the internal audit charter and related policies and procedures. Abstaining from actually managing any of the risks on behalf of management. Instead, the internal audit activity may challenge orsupport management’s decision-making process or provide other advice. Recognizing any work beyond assurance activities as consulting engagements. Implementation Standards related to consulting engagements should be followed. Consulting versus Second-Line Roles While there will be some areas of overlap in the knowledge, skills, and values between internal auditors and second-line-of-defense functions related to ERM (such as a risk manager or a financial controller), it is important for internal auditors to know their limitations. Most second-line-of-defense roles will have areas of expertise and knowledge that are outside the body of knowledge for most internal auditors. This can include: How to use and interpret complex risk quantification and modeling techniques. Knowledge of the details of implementing risk responses (e.g., financial risk transfer). If specialized skills are needed, the internal audit activity needs to recognize its limitations and acquire the expertise or not undertake the work. Interaction with the Board in Relation to ERM Performance Standard 2060, “Reporting to Senior Management and the Board,” indicates that the CAE’s periodic reporting to senior management and the board must include significant risk exposures and control issues. An effective internal audit activity provides the board with assurance in these areas and suggests governance, risk management, and control improvement opportunities. Developing both formal and informal communication channels and strong relationships is important to enable discussion of sensitive matters, such as management’s failure to manage strategic and/or operational risk or an executive’s ethically questionable behaviors and actions (including fraud). Here are some considerations for communications: Clear, relevant, and frequent communication between the CAE and members of the board is essential. Formal board meetings are best served if all presentation materials are relevant, complete, and risk-based. A quarterly or similar meeting should include risk themes, for example, a review of emerging risks. The CAE also helps the https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx board to understand changes in the regulatory and business environment related to governance, risk management, and control. The CAE may also need to have frequent informal discussions with the chair or other board members, in part to establish trust and rapport. One of the most important aspects of interacting with the board is gaining their confidence that the internal audit activity is fully engaged with senior management to monitor and treat risks, stay alert to emerging risks, and align with stakeholders on risk attitudes. Use of a risk-based audit plan is itself a confidence-building tool. Such a plan helps build stakeholder confidence when it is grounded on: A thorough understanding of the risk appetite of the board and senior management. CAE discussions with the board and management on how to best prioritize projects and resources so as to provide the most value in helping them assess risks. Regular review of the audit plan with the board and senior management will give them opportunities to set new priorities and adapt to internal and external environment changes. Section F: Fraud Risks This section is designed to help you: Define fraud and the conditions that must exist for fraud to occur. Discriminate among the major types of fraud. Identify common types of fraud associated with the engagement area during the engagement planning process. Determine if fraud risks require special consideration when conducting an engagement. Complete a process review to improve controls to prevent fraud and recommend changes. Provide examples of fraud risk management controls. Use computer data analysis, including continuous online monitoring, to detect fraud. Support a culture of fraud awareness, and encourage the reporting of improprieties. Describe the features of an effective whistleblower hotline. Demonstrate an understanding of forensic auditing techniques. Demonstrate an understanding of fraud interrogation/investigative techniques. According to The IIA The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members. Attribute Standards: www.theiia.org/Attribute-standards Performance Standards: www.theiia.org/Performance- standards Standards and Guidance: www.theiia.org/Guidance Position Papers: www.theiia.org/Position-papers Implementation Guidance: www.theiia.org/Practiceadvisories Practice Guides and GTAGs: www.theiia.org/Practiceguides This section discusses the basics of fraud and internal audit’s responsibilities regarding fraud. Understanding the various types of fraud, the threats fraud poses, and fraud controls is a crucial task for internal audit, even though internal audit is often not tasked with the actual detection and investigation of fraudulent activities. Topic 1: Fraud Risks and Types This topic covers fraud risk and the types of fraud. The topic also discusses fraud risks that are present when conducting an engagement. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx https://na.theiia.org/about-us/about-ia/Pages/Position-Papers.aspx https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Practice Guide, “Engagement Planning: Assessing Fraud Risks” Practice Guide, “Internal Auditing and Fraud” Fraud Risks and Types According to The IIA Implementation Standard 2120.A2 (Assurance Engagements) The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. In order to evaluate the potential for the occurrence of fraud, internal auditors must first understand what fraud is and the different types of fraud that may occur. The IPPF glossary defines fraud as: Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Internal-Auditing-and-Fraud-Practice-Guide.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx Fraud risk is the probability that fraud will occur and the potential consequences to the organization when it occurs. Note that the specific legal definition of fraud may vary by jurisdiction. Fraud is an area where the services of outside experts are often retained. The internal auditor’s responsibilities for detecting fraud during engagements include: Considering fraud risks in the assessment of control design and determination of audit steps to perform. Having sufficient knowledge of fraud to identify red flags indicating that fraud may have been committed. Being alert to opportunities that could be considered conducive for fraud, such as control weaknesses. Evaluating the indicators of fraud and deciding whether any further action is necessary or whether an investigation should be recommended. Notifying the appropriate authorities within the organization if a determination is made that fraud has occurred to recommend an investigation. Examples of Fraudprocesses. Determine if organizational governance, risk management, and control processes are in place and functioning properly. Communicate any opportunities for improvement or risk exposures to the appropriate management level (and the board/audit committee as appropriate). Add value and improve an organization’s operations. Authority Provide appropriate unfettered access to records, personnel, and physical properties. Maintain full and open access with the audit committee, board of directors, or other appropriate governing authority. Secure necessary internal and external resources to accomplish audit activity objectives as planned. Purpose, Authority, and Responsibility Characteristics for Internal Audit Activity Responsibility Document the objectives and scope of the engagement as well as the methodology to be used. Ensure that internal audit activity staff have sufficient knowledge, skills, experience, and/or professional certifications to fulfill the engagement charter. Communicate the results of the internal audit activity or other matters that the chief audit executive determines necessary to senior management, the audit committee, the board, or other governing body of the organization. Consider the coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process. Do not perform management activities. Standard 1000 introduces several concepts that are crucial to understand when following the mandatory and recommended guidance contained within the IPPF. The internal audit charter is a critical document that records the agreed-upon purpose, authority, independence and objectivity, reporting structure, and responsibility of an organization’s internal audit activity. It establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx and physical properties; and defines the scope of internal audit activities. The chief audit executive (CAE) is defined in the IPPF glossary as “a person in a senior position responsible for effectively managing the internal audit activity....” This person is charged with the creation of the internal audit charter and with the task of reviewing and presenting the audit charter for board approval periodically. The specific job title and/or responsibilities of the CAE may vary across organizations, and the position may be outsourced as well. For example, in organizations with smaller audit activities, the CAE may also be responsible for conducting engagements. It should be understood that the duties of the CAE are the duties of the internal audit activity as a whole, with these duties typically being managed by the CAE. The CAE should report to the board, which helps maintain internal audit independence. The board is defined in the IPPF glossary as “the highest level governing body (e.g., a board of directors, a supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organization’s activities and hold senior management accountable.” It may refer to an audit committee, which is a subset of the broader board to oversee certain functions (e.g., internal audit, external auditors, financial concerns). If a board or audit committee does not exist, the term may refer to the head of an organization. Topic 2: Internal Audit Charter Requirements This topic discusses the required information, approval requirements, and typical components of an internal audit charter. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: IIA Model Charter Implementation Guidance for Standards 1000 and 1010 Audit Charter and Approval The internal audit charter provides a recognized statement of the purpose, authority, and responsibility of internal audit for review and acceptance by management and for approval by the board. If a question should arise, the internal audit charter provides a formal, written agreement with management and the board. Before writing or revising the internal audit charter, the CAE typically reviews the IPPF to refresh his or her understanding of the Mission of https://na.theiia.org/about-ia/PublicDocuments/PP-The-Internal-Audit-Charter.pdf https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx Internal Audit and the elements that must be included in the charter, which are governed by Standard 1010. According to The IIA Attribute Standard 1010, “Recognizing Mandatory Guidance in the Internal Audit Charter” The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit charter. The chief audit executive should discuss the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework with senior management and the board. The CAE is required to review the internal audit charter periodically and present it to senior management and the board for review. The CAE and the board may agree on the frequency of review and reaffirmation for the charter, sometimes accomplished by establishing a standing annual agenda item with the board. If questions arise in the interim, the charter may be referenced and updated as needed. To recognize the mandatory elements of the IPPF in the internal audit charter, the CAE may make specific statements that use language from applicable standards, such as Standard 1010, directly. Alternatively, the CAE may use language and content throughout the https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx internal audit charter that require conformance with Mandatory Guidance. Key Point Once the charter is adopted, it is important for the CAE to monitor the IIA’s Mandatory Guidance and discuss any changes that may be warranted during the next charter review with senior management and the board. Elements of the Internal Charter Let’s examine the typical elements of an internal audit charter, using the IIA Model Charter as an example. The introductory section explains the overall role and professionalism of the internal audit activity. Relevant elements of the IPPF are often cited in the introduction. In Exhibit 1-7, the Mission of Internal Audit and the Definition of Internal Auditing are both used to craft the “Purpose and Mission” section. The “Standards for the Professional Practice of Internal Auditing” section conforms with the requirements of Standard 1010. https://na.theiia.org/about-ia/PublicDocuments/PP-The-Internal-Audit-Charter.pdf https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx Exhibit 1-7: Introduction The “Authority” section specifies the internal audit activity’s full access to the records, physical property, and personnel required to perform engagements. In the Model Charter, this section also covers the organization and reporting structure, as seen in Exhibit 1-8. Some charters may useFraud is perpetrated by a person knowing that it could result in some unauthorized benefit to him or her, to the organization, or to another person, and it can be perpetrated by persons outside or inside the organization. Some common fraud schemes include the following: Asset misappropriation involves stealing cash or assets (supplies, inventory, equipment, information) from the organization. In many cases, the perpetrator tries to conceal the theft, usually by adjusting the records. Skimming occurs when cash is stolen from an organization before it is recorded on the organization’s books and records. Disbursement fraud occurs when a person causes the organization to issue a payment for fictitious goods or services, inflated invoices, or invoices for personal purchases. Expense reimbursement fraud occurs when an employee is paid for fictitious or inflated expenses. Payroll fraud occurs when a person causes the organization to issue a payment by making false claims for compensation. Financial statement fraud involves misrepresenting the organization’s financial statements, often by overstating assets or revenue or understating liabilities or expenses. Information misrepresentation involves providing false information, usually to those outside the organization. Corruption is the misuse of entrusted power for private gain. Corruption includes bribery and other improper uses of power. Bribery is the offering, giving, receiving, or soliciting of anything of value to influence an outcome. Bribes may be offered to key employees or managers such as purchasing agents who have discretion in awarding business to vendors. A diversion is an act to divert a potentially profitable transaction to an employee or outsider. Related-party activity is a situation where one party receives some benefit not obtainable in a normal arm’s-length transaction. Tax evasion is intentional reporting of false information on a tax return to reduce taxes owed. By purposely structuring pricing techniques improperly, management can improve their operating results to the detriment of other organizations and one or more countries’ taxation systems. Internal controls must pass a cost-benefit test, and so not all controls can be designed with a literal zero tolerance for fraud. Developing Fraud Knowledge According to The IIA Implementation Standard 1210.A2 (Assurance Engagements) Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. Developing sufficient knowledge to evaluate the risk of fraud requires learning about the fraud triangle and common red flags of fraud in various types. Standard 1210.A2 also requires evaluating the manner in which fraud is managed by the organization. This process may be called an organization-wide fraud prevention, detection, and investigation program. Organizations may develop sub-programs for specific areas of fraud. Fraud Triangle The fraud triangle is a set of three conditions that, if present in the right proportions, suggest the possibility of fraud: opportunity, motive, and rationalization. The fraud triangle is shown in Exhibit 1-48. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx Exhibit 1-48: The Fraud Triangle These three conditions can be described as follows: Opportunity. A process may be designed properly for typical conditions. However, a window of opportunity may arise for something to go wrong or that creates circumstances for the control to fail. An opportunity for fraud may exist due to poor control design or lack of controls. For example, a system can be developed that appears to protect assets but is missing an important control. Anyone aware of the gap may be able to take advantage of it without much effort. Persons in positions of authority can create opportunities to override existing controls (i.e., management override) because subordinates or weak controls allow them to circumvent the rules. Motive (also called incentive or pressure). While people can rationalize their acts, there needs to be an incentive that entices them to behave that way. A key motivator is the gratification of a desire, such as greed, or an addiction. Power is a great motivator. Power can be career-related or simply gaining esteem in the eyes of family or coworkers. For instance, some computer frauds are done just to show that the hacker has the power to do it. A third motivator is pressure, from either unrealistic job requirements, physical stresses, or outside parties. Rationalization. Fraud perpetrators must be able to justify their actions to themselves as a psychological coping mechanism, allowing them to believe that they have done nothing wrong and are “normal people.” For example, these individuals might consider that they were entitled to the stolen item or that if executives break the rules, it must be right for others to do so as well. Some people will do things that are defined as unacceptable behavior by the organization yet are commonplace in their culture (e.g., bribery) or were accepted by previous employers. As a result, these individuals will not comply with rules that don’t make sense to them. Some people may have periods of financial difficulty in their lives, have succumbed to a costly addiction, or are facing other pressures. Consequently, they will rationalize that they are just borrowing the money and, when their lives improve, they will pay it back. Others may feel that stealing from a company is not bad, thereby depersonalizing the act. Key Point It is important to remember that it isn’t failures in systems, policies, procedures, or controls that cause fraud—it’s people. People may take advantage of these failures, but it is still a human activity, so much of the discussion regarding detecting fraud relates to understanding the motivations and rationalizations of people. Although internal auditors may not be able to know the exact motive or rationalization leading to fraud, they are expected to understand enough about internal controls to identify opportunities for fraud. Auditors also should understand fraud schemes and scenarios and be aware of the signs that point to fraud and how to prevent such schemes or scenarios. Information available from The IIA and other professional associations or organizations should be reviewed to ensure that the auditor’s knowledge is current. Red Flags of Fraud The internal auditor is a potential “early warning system” for the organization by detecting the indicators of fraud, often called red flags. Red flags are signs that indicate both the inadequacy of controls in place to deter fraud and the possibility that some perpetrator has overcome weak or absent controls to commit fraud. Fraud red flags may surface at any stage of the internal audit. Red flags are only warning signs; they are not proof that fraud has been committed. Red flags may relate to time, frequency, place, amount, or personality. They include items such as: Overrides of controls by management or officers. Lack of separation of duties. Irregular or poorly explained management activities. Constantly exceeding goals/objectives regardless of business conditions or competition. Too many nonroutine transactions or journal entries. Problems or delays in providing requested information. Significant or unusual changes in customers or suppliers. Transactions that lack documentation or normal approval. Employees or management hand-delivering checks. Customer complaints about delivery. Employees exhibiting significant behavioral changes. Poor IT access controls. Environmental Red Flags Environment may be viewed on a macro or micro level. The macro level refers to conditions that affect an entire industry, a country, or a global region, while the micro levelrefers to specific organizations. Examples of macro-level red flags include: Stiff competition, unfair trade practices, or economic downturns that create pressure to perform or lead to layoffs that place economic pressures on individuals. These conditions may generate the motive to commit fraud. Recently deregulated or poorly regulated industries in which absence or laxity of controls creates opportunity for fraud, for example, the ease of accessing cash in the business or the complexity and opacity of transactions. An industry or cultural trend toward dishonesty and disregard of law and regulation (e.g., a history of corrupt practices by certain types of government contractors, a pattern of bribe taking by government officials). Perpetrators may point to a history or climate of acceptance as rationalization for fraud. The same types of red flags may be seen on the micro or organizational level: Financial motive from the loss of a lucrative contract, the pressure to improve financial performance to obtain a loan or before issuing stock, or a research and development failure that threatens the organization’s product pipeline. Reorganizations that disrupt control policies and create fraud opportunity. Failure to screen may lead to hiring with the motive to commit fraud (e.g., hiring supervisors who fail to implement, enforce, and monitor control policies). Failure to train all personnel in the organization’s ethical code. This can contribute to a culture that easily rationalizes small and large acts of fraud, including theft, bid rigging, kickbacks, and conflicts of interest. Two particular types of micro environments offer special opportunities for fraud and challenges for internal auditing: international organizations and organizations that rely heavily on technology. International organizations. Internal audits of multinational corporations may uncover many types of red flags that result from the difficulty of maintaining controls in a decentralized and multicultural organization. Bribery may be occurring in both directions: Employees may be receiving kickbacks, and large, poorly described expenditures may mask bribes to foreign officials. Managers may carry ghost employees on the payroll. Differences in exchange rates can be exploited. Organizations dependent on computer technology. Computer systems can be used to steal assets or intellectual property, facilitate identity theft, tamper with controls and records, and then hide the fraud. Internal auditors look for red flags of ineffective security controls: poor network administration that fails to define and enforce appropriate levels of access, lack of reports showing unauthorized access to the system, use of passwords by unauthorized users, users’ failure to use password protocols, lack of firewalls to detect intruders, or users inviting intruders into a system through careless internet use. Industry-Specific Red Flags It has been estimated that four industries alone account for more than 70% of white-collar fraud: financial services, insurance, manufacturing, and energy. Organizations in such industries therefore may see a significant return on investment from assurance that controls are adequate and operating correctly related to fraud prevention and detection. The financial services sector—which includes banks, savings and loan institutions, credit card companies, investment firms, and finance companies—may often already satisfy at least two of the components of fraud: motive and opportunity. The industry is highly competitive, with high sales incentives, so both organizations and individuals may be motivated to take unacceptable risks or misstate sales and earnings. Similarly, the insurance sector offers ready access to cash through fraudulent claims or payouts to nonexistent clients or mis-evaluation of underwritten properties. Opportunity in the manufacturing sector includes complicated procurement processes and lax oversight that allows cost overruns and discrepancies. Closely held technology companies offer opportunity for fraud to the handful of decision makers who know the product. In the energy sector, a decentralized structure, often international, allows greater opportunity for fraud and for bribery to cover it up. It may be difficult to evaluate assets or track profits. Customers may not be able to verify what and how much they are actually receiving. Perpetrator Red Flags People committing fraud often display certain behaviors or characteristics that may serve as warning signs or red flags. Personal red flags include: Living beyond one’s means. Conveying dissatisfaction with the job to fellow employees. Unusually close association with suppliers. Severe personal financial losses. Addiction to drugs, alcohol, or gambling. Change in personal circumstances. Developing outside business interests. In addition, there are those who consistently rationalize poor performance, perceive beating the system to be an intellectual challenge, provide unreliable communications and reports, and rarely take vacations or sick time (and when they are absent, no one performs their work). Perpetrators may be employees or managers. Perpetrator Red Flags—Employees An organization’s management and internal auditors need to be trained to understand and identify the potential warning signs of employee fraudulent conduct, which fall into the three main categories of the fraud triangle. Auditors look for behavioral signals, like a pattern of complaints against an employee, a decline in employee morale or attendance, abrupt resignations or evasiveness in answering questions, and a lack of cooperation or an adversarial attitude during an audit. Other red flags may signal the techniques used to commit the fraud. These include: Unexplained variances (e.g., abnormally high expenses versus previous periods). Unusual shortages in cash or inventories. Missing or altered documents. Invoice items inconsistent with the charge code or business function. Approval circumventions (e.g., splitting orders to stay below approval thresholds). Vendors with generic names or post office box addresses. Manual transactions in an area characterized by automated transactions. Even amounts in an environment characterized by irregular amounts. Duplicate payments. Using a fictitious “middle man” to divert company cash or assets. Perpetrator Red Flags—Managers Managers who are committing fraud against (instead of on behalf of) their companies exhibit many of the same red flags as their employees. They may have additional needs that stem from company expectations. They may be late with reports, play favorites, and demand loyalty from employees. Managers may have significantly more opportunities for fraud. Financial Statement Red Flags Although external auditors are responsible for reviewing financial statements and identifying financial statement fraud, internal auditors may be asked to consult on the preparation of the financial statement in order to avoid problems during the external audit. The CAE may also need to form an overall opinion on the internal controls over financial reporting (ICFR) based on all assurance and consulting activity performed during the period. Internal auditors may be in a position to detect irregularities before they become a public, costly embarrassment to the organization. Some red flags that may be associated with financial statements follow. Fictitious revenues. Unusual growth in income or profitability, earnings growth despite recurring negative cash flows in some parts of the organization, highly complex transactions (like those used by the Enron Corporation, which board members and many financial experts said they could not follow), end-of-reporting-period transactions (e.g., channel loading, or building sales through special incentives at the cost of sales in later periods), sales or income attributedto unknown companies or areas, absence of documentation for posted sales. Improper asset valuation. Changes made to inventory counts, fictitious sales accounts, unacknowledged and uncollected liabilities, fictitious assets supported by fictitious documents. Concealed liabilities. Unposted invoices from vendors, calling an expense an asset (which can be depreciated or amortized), debts assumed by shell companies (off-balance-sheet accounting), reliance on subjective valuations, unusually low expenses or purchases, unusually low level of loss (e.g., returns or warranty), irregular accounting entries that reduce tax liabilities. Improper disclosures. Poor communication of standards about disclosure, ineffective boards of directors. In general, a heavy concentration of authority in one individual or area (usually combined with poor controls), evasiveness, a history of dishonesty or disrespect for laws and regulations, the potential for significant financial reward for certain individuals—these can all be general red flags for financial statement fraud. What to Do About Red Flags An internal audit is not a fraud investigation. Identification of red flags directs the scope of current and subsequent audit steps until sufficient evidence is gathered to form an objective conclusion regarding the existence of fraud. When fraud is suspected, a best practice is for the internal auditor to refer the case to the CAE, who will secure appropriate resources for further investigation, such as a certified fraud examiner or an IT security specialist. Internal auditors assist fraud investigators by furnishing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed. The succeeding auditor/investigator should be briefed on fraud risks in the engagement, red flags noticed, fraud tests implemented to date, and preliminary findings. To be better prepared to support fraud investigations, internal auditors should be aware of how investigations are conducted. Topic 2: Fraud Controls This topic discusses internal audit’s role in recommending and assessing controls to prevent and detect fraud and how education can improve an organization’s fraud prevention efforts. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Practice Guide, “Internal Auditing and Fraud” Practice Guide, “Engagement Planning: Assessing Fraud Risks” https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Internal-Auditing-and-Fraud-Practice-Guide.aspx Preventing and Detecting Fraud After internal auditors have considered fraud scenarios and identified and prioritized fraud risks, they should determine which controls, if any, are in place to mitigate those risks. This can be done by expanding the fraud risk matrix to include existing controls. The fraud risk assessment team identifies preventive and detective controls in place to address each fraud risk and assesses the likelihood and significance of each potential fraud. Entity-level anti- fraud controls are key elements to this exercise and may include: Whistleblower hotline and whistleblower protection policy. Board oversight. Results of continuous monitoring. Code of conduct. Tone of management’s communications regarding fraud risk tolerance. Hiring and promotion guidelines and practices. Continuous auditing. The presence of these elements may indicate a strong control environment that can help prevent fraud. Control activities should also include the appropriate authority limits and segregation of incompatible duties. Internal auditors consider not only the existence of the internal controls; they also assess the effectiveness of the controls through periodic testing. The resulting fraud risk and control matrix should be included in engagement workpapers. Detective controls are designed to provide warnings or evidence that fraud is occurring or has occurred. Simultaneous use of preventive and detective controls enhances any fraud risk management program’s effectiveness. Fraud detection methods need to be flexible, adaptable, and continuously changing to meet the changes in the risk environment. An effective way for an organization to learn about existing fraud is to provide employees, suppliers, and other stakeholders with a variety of methods for reporting their concerns. Ways to collect this information include: Code-of-conduct confirmation. Whistleblower hotline. Exit interviews. Proactive employee survey. Other methods for fraud detection include surprise audits in high fraud risk areas, continuous monitoring of critical data, and routine and/or ad hoc matching of data against relevant transactions, vendor lists, employee rosters, and other data. Fraud Awareness Education Fraud training is usually a key factor in the deterrence of fraud. Training can cover the organization’s expectations for employees’ conduct, the procedures and standards necessary to implement internal controls, and employee roles and responsibilities to report misconduct. Employee fraud training needs to be tailored to the organization and the employees’ positions within the organization. Tailored training is more effective than generic training, allowing employees to better understand their role in the organization’s fraud detection system. Periodic training throughout an employee’s career reinforces awareness of fraud and its cost to the organization. Regardless of the training method selected, a key goal of the training is to test the employee’s comprehension of the fraud training. Topic 3: Forensic Auditing This topic discusses the role internal audit plays when using forensic auditing and some of the different forensic auditing techniques available to internal auditors. Fraud Investigations The internal audit activity plays an important role in contributing to the overall governance of a fraud risk management program. This is primarily evident from the independent assurance the activity provides to the board and management that the controls in place to manage fraud risks are designed adequately and operate effectively. Key Point The role of the internal audit activity in investigations needs to be defined in the internal audit charter as well as in the fraud policies and procedures. For example, internal audit may have the primary responsibility for fraud investigations, may act as a resource for investigations, or may refrain from involvement in investigations entirely. This may vary from organization to organization, based on organizational policy or relevant local laws. There are several reasons internal audit may not participate in investigations, including that the activity may: Have the responsibility for assessing the effectiveness of investigations. Lack the appropriate resources. Lack internal auditors holding specialized training or certifications necessary to gather evidence. Investigators versus Internal Auditors Investigators interview individuals, such as witnesses, to gather evidence to support a suspicion of fraud and to establish the scope of the fraud and the degree of complicity. While some internal auditors are also qualified investigators, when this is not the case, it is important that the internal auditors not conduct themselves as investigators. The two roles should be separate and distinct. However, internal audit involvement in fraud investigation can be acceptable as long as the impact on internal auditing’s independence is recognized and handled appropriately. In some cases, in addition to using contractors, the internal audit activity may use non-audit employees of the organization to assist. It is often important to assemble the investigation team without delay. In organizations where primary responsibility for the investigation function is not assigned to internal audit, the activity may still be askedto assist, for example, by: Monitoring the investigation process to help the organization follow relevant policies and procedures and applicable laws and statutes. Locating and/or securing misappropriated or related assets. Evaluating and monitoring the organization’s internal and external post-investigation reporting and communication plans and practices. Monitoring the implementation of recommended control enhancements. Investigation Policies and Procedures Management is responsible for developing controls for the investigation process, including policies and procedures for effective investigations, preserving evidence, handling the results of investigations, reporting, and communications. Such standards are often documented in a fraud policy; internal auditors may assist in the evaluation of the policy. Such policies and procedures need to consider the rights of individuals, the qualifications of those authorized to conduct investigations, and the relevant laws where the fraud occurred. The policies should also consider the extent to which management will discipline employees, suppliers, or customers, including taking legal measures to recover losses or civil or criminal prosecution. It is important for management to clearly define the authority and responsibilities of those involved in the investigation, especially the relationship between the investigator and legal counsel. It is also important for management to design and comply with procedures that minimize internal communications about an ongoing investigation, especially in the initial phases. The policy needs to specify the investigator’s role in determining whether a fraud has been committed. Either the investigator or management will decide if fraud has occurred, and management will decide whether the organization will notify outside authorities. A judgment that fraud has occurred may in some jurisdictions be made only by law enforcement or judicial authorities. The investigation may simply result in a conclusion that organization policy was violated or that fraud is likely to have occurred. Fraud Investigation Process A fraud investigation consists of gathering sufficient information about specific details and performing the procedures necessary to determine whether fraud has occurred, the loss or exposures associated with the fraud, who was involved, and how it happened. An investigation plan is developed for each investigation, following the organization’s investigation procedures. The lead investigator determines the knowledge, skills, and other competencies needed to carry out the investigation effectively and assigns competent, appropriate people to the team who have no potential conflict of interest with those being investigated or with any of the employees in the organization. The plan should consider the following investigative activities: Gathering evidence through surveillance, interviews, or written statements Documenting and preserving evidence, considering legal rules of evidence and the business uses of the evidence Determining the extent of the fraud Determining the techniques used to perpetrate the fraud Evaluating the cause of the fraud Identifying the perpetrators The investigator may conclude at any point that the complaint or suspicion is unfounded. The investigator then follows the organization’s process to close the case. Investigation Evidence The collection and preparation of evidence is critical to understanding the fraud or misconduct, and it is needed to support the conclusions reached by the investigation team. The investigation team may use computer forensic procedures or data analysis. All reports, documents, and evidence obtained should be recorded chronologically in an inventory or log. Some examples of evidence include: Memos and correspondence, both in hard copy and electronic form (such as emails or information on personal computers). Computer files, general ledger postings, etc. IT or system access records. Security timekeeping logs, videos, or access badge records. Internal phone records. Public or internal customer or vendor information, such as contracts, invoices, and payment information. Public records, such as business registrations or property records. Social networking sites. The level and extent of complicity in the fraud throughout the organization needs to be assessed. This assessment can be critical to not destroy or taint crucial evidence and to avoid obtaining misleading information from persons who may be involved. Interrogations Generally the accused is interrogated by two people: 1) an experienced investigator and 2) another individual who takes notes and functions as a witness if needed. It is essential that all information obtained from the interrogation is rendered correctly. Investigative activities need to be coordinated with management, legal counsel, and other specialists such as HR and insurance risk management as appropriate. Investigators need to be knowledgeable and cognizant of the rights of persons within the scope of the investigation. The investigator has the responsibility to ensure that the investigation process is handled in a consistent and prudent manner. Fraud Reporting and Communicating Reporting and communicating consists of the various oral, written, interim, or final communications to senior management and/or the board regarding the status and results of fraud investigations. Communications may include the reason for beginning the investigation, time frames, observations, conclusions, resolution, and recommendations to improve controls. Some additional considerations concerning fraud reporting are: Submitting a draft of the proposed final communications to legal counsel for review. Notifying senior management and the board in a timely manner when significant fraud or erosion of trust occurs or a fraud may have a material effect on financial statements (e.g., a previously undiscovered adverse effect on the organization’s financial position and its operational results for one or more years). The investigation needs to adequately secure evidence collected, maintaining chain-of-custody procedures appropriate for the situation. According to The IIA Performance Standard 2400, “Communicating Results” Internal auditors must communicate the results of engagements. According to The IIA Performance Standard 2410, “Criteria for Communicating” Communications must include the engagement’s objectives, scope, and results. As specified in these standards, distribution of investigation results should be appropriately limited and information should be treated in a confidential manner. Implementation Guide 2600 notes that information regarding fraud comes under the category of “highly significant risks that the CAE judges to be beyond the organization’s tolerance level.” In addition, communication of results should take care to protect internal whistleblowers. https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx In the case of fraud, local laws may accelerate communication of investigation reports to the board and may require reporting to local authorities as well. Resolution Management and the board (not the internal audit activity or the investigator) are responsible for resolving fraud incidents once a fraud scheme and perpetrators have been fully investigated and evidence has been reviewed. When disclosures are voluntary rather than mandatory, management or the board determines whether to inform entities outside the organization after consultation with legal counsel, HR personnel, and the CAE. The organization may be required to notify law enforcement, regulators, insurers, bankers, and external auditors of instances of fraud. Any comments made by management to the press, law enforcement, or otherexternal parties may be coordinated through legal counsel in accordance with organizational policies. Internal communications are used by management to reinforce its position relating to integrity, to demonstrate that it takes appropriate action when organizational policy is violated, and to show why internal controls are important. Lessons Learned After the fraud has been investigated and communicated, management and the internal audit activity consider lessons learned. For example: How did the fraud occur? What controls failed? What controls were overridden? Why wasn’t the fraud detected earlier? What red flags were missed by management? What red flags did internal audit miss? How can future fraud be prevented or more easily detected? What controls need strengthening? What internal audit plans and audit steps need to be enhanced? What additional training is needed? These sessions need to stress the importance of acquiring up-to-date information on perpetrators and fraud schemes. Internal auditors typically assess the facts of investigations and advise management relating to remediation of control weaknesses that lead to the fraud. Internal auditors may design steps in audit programs or develop “auditing for fraud” programs to help disclose the existence of similar frauds in the future. Engagement Fraud Risks According to The IIA Implementation Standard 2210.A2 (Assurance Engagements) Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives. To ensure adequate review of the risks relevant to each engagement, internal auditors may conduct a fraud risk assessment as part of engagement planning. A full fraud risk assessment consists of five key steps: Identify relevant fraud risk factors. Identify potential fraud schemes and prioritize them based on risk. Map existing controls to potential fraud schemes and identify gaps. Test operating effectiveness of fraud prevention and detection controls. Document and report the fraud risk assessment. Note that internal auditors may not conduct a full fraud risk assessment during engagement planning. They may also consider and discuss fraud risk with senior management or review the organization’s fraud risk assessment, if available, instead of conducting their own assessment. Opportunity is the only factor in the fraud triangle that organizations can control directly. Internal auditors should note that those who https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx engage in fraudulent activities may rationalize fraud not only for their own benefit but also for the benefit of the organization or an external individual or organization. Based on the information gathered, internal auditors can begin contemplating potential fraud scenarios and fraud risks relevant to the area or process under review. Brainstorming fraud scenarios is an effective way to determine the characteristics and circumstances unique to the specific area or process that may produce opportunities and incentives for fraud. Internal auditors should brainstorm with individuals diverse in their knowledge, perspective, and relationship to the area or process under review. Forensic Auditing Techniques Forensic investigations and fraud examinations will depend heavily on computer forensics, computer data imaging, electronic evidence discovery, and the analysis of structured and unstructured data. Some examples of forensic auditing techniques include the following: Rules-based descriptive tests and reporting use historical data with simple and complex analytical weighted tests to identify areas of risk. Alerts will be produced when a specific condition is met. Keyword search scans free text fields and unstructured data sources to identify suspicious or high-risk language. Topic modeling uses text analytics to identify suspicious phrases, high-risk topics, or unusual patterns of behavior in the free text components of data. Beyond keyword searching, topic modeling seeks to cluster, quantify, and group the key noun or noun phrases in the data, enabling the investigative team to quickly gain an understanding of what information may have been compromised. Linguistic analysis also uses text analytics, identifying the emotive tone of the communication. It identifies angry, frustrated, secretive, harassing, or confused communications. Pattern and link analysis is a data visualization technique that finds hidden patterns and relationships in vast, seemingly unrelated data sources. Bibliography The following references were used in the development of Part 1 of The IIA’s CIA Challenge Exam Study Guide. Please note that all website references were valid as of April 2020. “About the Profession.” The Institute of Internal Auditors, na.theiia.org/about-us/about-ia/Pages/About-the-Profession.aspx. Adams, Pat, Sally Culter, Bruce McCuaig, Sajay Rai, and James Roth. Sawyer’s Internal Auditing, sixth edition. Lake Mary, Florida: The Institute of Internal Auditors Research Foundation, 2012. “All in a Day’s Work: A Look at the Varied Responsibilities of Internal Auditors.” The Institute of Internal Auditors, na.theiia.org/about- ia/PublicDocuments/06262_All_In_A_Days_Work-Rev.pdf. American Institute of Certified Public Accountants. “Management Antifraud Programs and Controls.” New York: American Institute of Certified Public Accountants, Inc., 2002. Anderson, Urton, and Andrew J. Dahle. Applying the International Professional Practices Framework, fourth edition. Lake Mary, Florida: The Institute of Internal Auditors, 2018. Anderson, Urton, and Andrew J. Dahle. Implementing the Professional Practices Framework, second edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006. Anderson, Urton, and Andrew J. Dahle. Implementing the International Professional Practices Framework, third edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2009. Anderson, Urton, et al. Internal Auditing: Assurance and Advisory Services, fourth edition. Lake Mary, Florida: The Institute of Internal Auditors, 2017. “AS/NZS ISO 31000:2009, “Risk Management—Principles and Guidelines.” Standards Australia/Standards New Zealand, www.standards.govt.nz. “Assessing the Adequacy of Risk Management Using ISO 31000” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010. “Assessing the Risk Management Process” (IPPF Practice Guide). Lake Mary, Florida: The Institute of Internal Auditors, 2019. Audit Committee Effectiveness—What Works Best, third edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005. “The Audit Committee: Purpose, Process, Professionalism.” The Institute of Internal Auditors, www.yumpu.com/en/document/view/36619613/the-audit-committee- purpose-process-professionalism. “Auditing External Business Relationships” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009. “Auditing Privacy Risks” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012. “Auditing Techniques” course. Altamonte Springs, Florida: The Institute of Internal Auditors. “Basel III: International Regulatory Framework for Banks.” Bank for International Settlements, www.bis.org/bcbs/basel3.htm? m=3%7C14%7C572. Baxter, Ralph. “The Role of Spreadsheets in Today’s Corporate Climate.” ITAudit, Vol. 9, December 2006. Biegelman, Martin T., and Joel T. Bartow. Executive Roadmap to Fraud Prevention and Internal Control—Creating a Culture of Compliance. Hoboken, New Jersey: John Wiley and Sons, 2006. “Business Continuity Management” (Global Technology Audit Guide [GTAG] 10). The Institute of Internal Auditors, 2009. Chartered Professional Accountants Canada (CPA Canada), www.cpacanada.ca. “Chief Audit Executives—Appointment, Performance Evaluation, and Termination” (IPPF PracticeGuide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010. “COBIT 5: Enabling Processes.” ISACA, www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product- page.aspx. “COBIT 2019 Framework: Introduction and Methodology.” Schaumburg, Illinois: ISACA (www.isaca.org), 2018. Coenen, Tracy L. “The Fraud Files: The True Cost of Fraud.” Wisconsin Law Journal, May 24, 2006. Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org. Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrated Framework. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2004. Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrating with Strategy and Performance. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2017. Committee of Sponsoring Organizations of the Treadway Commission. Fraud Risk Management Guide. 2016. Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework. Jersey City, New Jersey: American Institute of Certified Public Accountants, 1994. Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework (2013). Jersey City, New Jersey: American Institute of Certified Public Accountants, 2013. Committee of Sponsoring Organizations of the Treadway Commission. Internal Control Over Financial Reporting—Guidance for Smaller Public Companies. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2006. “Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition” (Global Technology Audit Guide [GTAG] 3). The Institute of Internal Auditors, 2015. “Coordinating Risk Management and Assurance” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012. “Corporate Governance: A Practical Guide.” London Stock Exchange, www.ecgi.org/codes/documents/rsmi_lse_guide2004.pdf, 2004. Corporate Governance and the Board—What Works Best. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000. “Corporate Governance Principles and Recommendations with 2010 Amendments.” ASX Corporate Governance Council, www.asx.com.au/documents/asx- compliance/cg_principles_recommendations_with_2010_amendments .pdf. “Corporate Social Responsibility: Opportunities for Internal Audit” course. Altamonte Springs, Florida: The Institute of Internal Auditors. Daft, Richard L., and Dorothy Marcic. Understanding Management, tenth edition. Boston, Massachusetts: Cengage Learning, 2015. “Demonstrating the Core Principles for the Professional Practice of Internal Auditing” (IPPF Practice Guide). Lake Mary, Florida: The Institute of Internal Auditors, 2019. Directory of Software Products for Internal Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors, 2010. Elkington, John. Cannibals with Forks: Triple Bottom Line of 21st Century Business. Stony Creek, Connecticut: New Society Publishers, 1998. “Engagement Planning: Assessing Fraud Risks” (IPPF Practice Guide). Lake Mary, Florida: The Institute of Internal Auditors, 2017. “Enterprise Risk Management: What’s New? What’s Next” seminar. Altamonte Springs, Florida: The Institute of Internal Auditors. “Environmental, Health, and Safety Guidelines.” International Finance Corporation, www.ifc.org/wps/wcm/connect/topics_ext_content/ifc_external_corpo rate_site/sustainability-at-ifc/policies-standards/ehs-guidelines. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx “Evaluating Corporate Social Responsibility/Sustainable Development” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010. Financial Reporting Council (FRC), www.frc.org.uk/Home.aspx. “Formulating and Expressing Internal Audit Opinions” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009. Fraser, John, and Hugh Lindsay. 20 Questions Directors Should Ask About Internal Audit. Toronto, Ontario: The Canadian Institute of Chartered Accountants, 2004. Fraud Examiners Manual, 2003 edition. Austin, Texas: Association of Certified Fraud Examiners, 2003. “Frequently Asked Questions,” The Institute of Internal Auditors, na.theiia.org/about-us/about-ia/Pages/Frequently-Asked- Questions.aspx. Frigo, Mark L. A Balanced Scorecard Framework for Internal Auditing Departments. Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 2002. Galloway, David. Internal Auditing: A Guide for the New Auditor, second edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2002. Global Reporting Initiative, www.globalreporting.org. Glover, Hubert D., and James C. Flag. Effective Fraud Detection and Prevention Techniques Practice Set. Altamonte Springs, Florida: The Institute of Internal Auditors, 1993. Gray, Glen L. Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley Environment. Altamonte Springs, Florida: The Institute of Internal Auditors, 2004. “Guidance on Risk Management, Internal Control and Related Financial Business Reporting.” Financial Reporting Council, 2014. Hubbard, Larry. Control Self-Assessment: A Practical Guide. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000. Hutton, David W. The Change Agents’ Handbook. Milwaukee, Wisconsin: ASQ Quality Press, 1994. “The IIA’s Global Internal Audit Competency Framework.” Altamonte Springs, Florida: The Institute of Internal Auditors, 2013. “The IIA’s Three Lines Model: An Update of the Three Lines of Defense.” Lake Mary, Florida: The Institute of Internal Auditors, 2020. “IIA Position Paper on Resourcing Alternatives for the Internal Audit Function.” Altamonte Springs, Florida: The Institute of Internal Auditors. “Independence and Objectivity” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011. “Information Technology Risks and Controls, 2nd Edition” (Global Technology Audit Guide [GTAG] 1). The Institute of Internal Auditors, 2012. Institute of Chartered Accountants in England and Wales (ICAEW), www.icaew.com. The Institute of Directors in Southern Africa (IoDSA), www.iodsa.co.za. The Institute of Internal Auditors, www.theiia.org. “Integrated Auditing” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012. “Interaction with the Board” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011. Internal Audit Foundation. Sawyer’s Internal Auditing, seventh edition. Lake Mary, Florida: Internal Audit Foundation, 2019. Internal Audit Reporting Relationships: Serving Two Masters. Altamonte Springs, Florida: The Institute of Internal Auditors, 2003. “Internal Auditing and Fraud” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009. International Professional Practices Framework (IPPF), 2017 Edition. Lake Mary, Florida: The Institute of Internal Auditors, 2017. “International Standards for the Professional Practice of Internal Auditing (Standards),” na.theiia.org/standards-guidance/mandatory- guidance/Pages/Standards.aspx. “Interpersonal Skills—Abilities Needed to Interact With Others Effectively.” The Institute of Internal Auditors. (As of April 2018, this publication is suppressed.) ISO 14001:2015, “Environmental Management Systems.” ISO, www.iso.org/standard/60857.html. ISO 26000:2010, “Guidance on Social Responsibility.” ISO, www.iso.org/standard/42546.html. ISO 31000:2018, “Risk Management—Guidelines.” ISO, www.iso.org/standard/65694.html. ISO 31010:2009, “Risk Management—Risk Assessment Techniques.” ISO, www.iso.org/standard/51073.html. ISO Guide 73:2009, “Risk Management—Vocabulary.” ISO, www.iso.org/standard/44651.html. Jerskey, Pamela. “AutomatedWorkpapers Made Easy.” Keith, Jonnie T. “Killing the Spider.” Internal Auditor, April 2005. “King IV Report,” Institute of Directors of Southern Africa. www.iodsa.co.za/page/KingIVReport, 2016. “The Laws That Govern the Securities Industry—Sarbanes-Oxley Act of 2002.” Securities and Exchange Commission, www.sec.gov/about/laws.shtml. Mainardi, Robert L. Harnessing the Power of Continuous Auditing: Developing and Implementing a Practical Methodology. Hoboken, New Jersey: John Wiley, 2011. “Managing and Auditing IT Vulnerabilities” (Global Technology Audit Guide [GTAG] 6). The Institute of Internal Auditors. “Managing the Business Risk of Fraud, A Practical Guide.” The Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners, 2008, global.theiia.org/standards- guidance/Public%20Documents/fraud%20paper.pdf. Marcella, Albert J., Jr., and Carol Stucki. Privacy Handbook. Hoboken, New Jersey: John Wiley and Sons, 2003. Marks, Norman. “Auditing Governance Processes.” Internal Auditor (Ia), February 2012. Mautz, Robert K. Internal Control in U.S. Corporations: The State of the Art. New York: Financial Executives Research Foundation, 1980. McNamee, David. Business Risk Assessment. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005. McNamee, David. “Risk Management and Risk Assessment.” Pleier Corporation, www.pleier.com/rmra.htm. “Measuring Internal Audit Effectiveness and Efficiency” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010. Miccolis, Jerry A., Kevin Hively, and Brian W. Merkley. Enterprise Risk Management: Trends and Emerging Practices. Altamonte Springs, Florida: The Institute of Internal Auditors, 2001. “Model Internal Audit Activity Charter.” The Institute of Internal Auditors, global.theiia.org/standards-guidance/recommended- guidance/Pages/Model-Internal-Audit-Activity-Charter.aspx. “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.” Organisation for Economic Co-operation and Development, www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_ 1_1,00.html. Operational Auditing. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006. “The Path to Quality.” The Institute of Internal Auditors, na.theiia.org/services/quality/Public_Documents/Path to Quality.pdf. Pickett, K. H. Spencer, and Jennifer M. Pickett. The Internal Auditing Handbook, second edition. West Sussex, England: John Wiley and Sons, 2003. “Practical Considerations Regarding Internal Auditing Expressing an Opinion on Internal Control.” The Institute of Internal Auditors, 2005. PriceWaterhouseCoopers. Audit Committee Effectiveness—What Works Best, third edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005. PriceWaterhouseCoopers. Corporate Governance and the Board— What Works Best. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000. Privacy Rights Clearinghouse, www.privacyrights.org. Quality Assessment Manual for the Internal Audit Activity, 2017 IPPF Aligned. Lake Mary, Florida: Internal Audit Foundation, 2017. Quality Assessment Manual, fifth edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006. “Quality Assurance and Improvement Program” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012. Reding, Kurt F., Paul J. Sobel, Urton L. Anderson, Michael J. Head, Sri Ramamoorti, Mark Salamasick, and Cris Riddle. Internal Auditing: Assurance and Consulting Services. Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 2007. “Reliance by Internal Audit on Other Assurance Providers” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011. “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse.” Association of Certified Fraud Examiners, www.acfe.com/report-to-the-nations/2018/. “Revised Guidance for Directors on the Combined Code.” Financial Reporting Council, www.ecgi.org/codes/documents/frc_ic.pdf. Rife, Randal. “Planning for Success.” Internal Auditor (Ia), October 2006. “Risk Assessment in Practice.” COSO, www2.deloitte.com/content/dam/Deloitte/global/Documents/Governan ce-Risk-Compliance/dttl-grc-riskassessmentinpractice.pdf, 2012. “The Role of Internal Auditing in Enterprise-Wide Risk Management.” The Institute of Internal Auditors, global.theiia.org/standards- guidance/Public%20Documents/PP%20The%20Role%20of%20Intern al%20Auditing%20in%20Enterprise%20Risk%20Management.pdf, 2009. Roth, James. Control Model Implementation: Best Practices. Altamonte Springs, Florida: The Institute of Internal Auditors, 1997. Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing, fifth edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005. Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing—Instructor’s Guide. Altamonte Springs, Florida: The Institute of Internal Auditors, 2003. Sobel, Paul. “Internal Auditing’s Role in Risk Management.” bookstore.theiia.org/internal-auditings-role-in-risk-management, March 2011. Steinberg, Richard M., and Deborah Pojunis. “Corporate Governance: The New Frontier.” Internal Auditor (Ia), December 2000. “The Three Lines of Defense in Effective Risk Management and Control.” Altamonte Springs, Florida: The Institute of Internal Auditors, 2013. Verschoor, Curtis C. Audit Committee Briefing: Understanding the 21st Century Audit Committee and Its Governance Roles. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000. Verschoor, Curtis C. Governance Update 2003: Impact of New Initiatives on Audit Committees and Internal Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors, 2003. “What Is COBIT 5?” ISACA, www.isaca.org/COBIT/Pages/default.aspx. Index A assets improper valuation [1] auditing [1] auditors [1] audit plan [1] authority of internal audit activity [1] B balanced scorecard [1] C codes of conduct [1] Committee of Sponsoring Organizations frameworks Enterprise Risk Management—Integrating with Strategy and Performance [1] concealed liabilities [1] conduct, codes of [1] control(s) [1] control environment [1] , [2] Core Principles for the Professional Practice of Internal Auditing [1] COSO frameworks Enterprise Risk Management—Integrating with Strategy and Performance [1] culture [1] , [2] D Definition of Internal Auditing [1] disclosures [1] E effectiveness [1] efficiency [1] enterprise risk management [1] , [3] See also: risk environmental red flags [1] EQAs (external quality assessments) [1] ERM (enterprise risk management) [1] , [3] See also: risk ethics [1] , [2] external auditing [1] external auditors [1] external quality assessments [1] F fictitious revenues [1] financial statement red flags [1] forensic auditing [1] fraud awareness [1] fraud:motive [1] fraud:opportunity [1] fraud:rationalization [1] red flags [1] risk assessment [1] risks [1] training [1] triangle [1] G Global Technology Audit Guide, “Auditing IT Governance” [1] governance information technology [1] principles [1] GTAG (Global Technology Audit Guide), “Auditing IT Governance” [1] H heat maps [1] I impact of risk [1] improper asset valuation [1] improper disclosures [1] independence [1] industry-specific red flags [1] information technology governance [1] internal auditing [1] internal auditors [1] internal quality assessments [1] International Organization for Standardization, ISO 31000, “Risk management—Guidelines” [1] International Professional Practices Framework Core Principles for the Professional Practice of Internal Auditing [1] Definition of Internal Auditing [1] Mission of Internal Audit [1] Standards See: International Standards for the Professional Practice of Internal Auditing InternationalStandards for the Professional Practice of Internal Auditing 1000, “Purpose, Authority, and Responsibility” [1] 1210.A2 [1] 1300, “Quality Assurance and Improvement Program” [1] 1310, “Requirements of the Quality Assurance and Improvement Program” [1] 1311, “Internal Assessments” [1] , [2] 1312, “External Assessments” [1] 1322, “Disclosure of Nonconformance” [1] 2010, “Planning” [1] 2010.A1 [1] 2060, “Reporting to Senior Management and the Board” [1] 2110, “Governance” [1] , [2] 2110.A2 [1] 2120, “Risk Management” [1] 2120.A1 [1] 2210.A2 [1] ISO 31000, “Risk management—Guidelines” [1] K King Report on Corporate Governance [1] L liabilities, concealed [1] likelihood of risk [1] M maturity model approach to assessing risk management [1] Mission of Internal Audit [1] motive, and fraud [1] N nonconformance [1] O objectivity [1] opportunity, and fraud [1] P perpetrator red flags [1] Practice Guides “Auditing Culture” [1] “Measuring Internal Audit Effectiveness and Efficiency” [1] purpose of internal audit activity [1] R rationalization, and fraud [1] red flags of fraud [1] responsibility of internal audit activity [1] risk assessment [1] , [2] categorization [1] fraud [1] heat maps [1] identification [1] impact [1] likelihood [1] management [1] rating [1] reporting [1] responses [1] risk-based audit plan [1] S SAIVs (self-assessments with independent external validation) [1] scope [1] self-assessments [1] self-assessments with independent external validation [1] Standards See: International Standards for the Professional Practice of Internal Auditing T Three Lines Model [1] V values [1] License Agreement for The IIA’s CIA® Challenge Exam Study Guide The IIA’s CIA® Challenge Exam Study Guide Part 1: Essentials of Internal Auditing Section A: Foundations of Internal Auditing Topic 1: Mission, Definition, and Core Principles The Framework Mission of Internal Audit Core Principles Definition of Internal Auditing The Standards Purpose, Authority, and Responsibility Topic 2: Internal Audit Charter Requirements Audit Charter and Approval Topic 3: Assurance versus Consulting Assurance and Consulting Services Topic 4: IIA Code of Ethics Conformance Purpose of the Code of Ethics Section B: Independence and Objectivity Topic 1: Organizational Independence Organizational Independence Topic 2: Impairments to Independence Impairments to Independence Topic 3: Individual Internal Auditor’s Objectivity Assessing and Maintaining Objectivity Topic 4: Policies Promoting Objectivity Policies Promoting Objectivity Section C: Proficiency and Due Professional Care Topic 1: Knowledge, Skills, and Competencies Internal Audit Knowledge, Skills, and Competencies Topic 2: Knowledge and Competency Demonstrating Proficiency Topic 3: Due Professional Care Demonstrating Due Professional Care Topic 4: Continuing Professional Development Continuing Professional Development and Competency Section D: Quality Assurance and Improvement Program Topic 1: QAIP Required Elements Quality and the QAIP QAIP Internal Assessments (Standard 1311) QAIP External Assessments (Standard 1312) Internal Audit Effectiveness and Efficiency Topic 2: Reporting QAIP Results Communicating QAIP Results Topic 3: Conformance versus Nonconformance Disclosures Use of IPPF Conformance Statement Disclosure of Nonconformance Section E: Governance, Risk Management, and Control Topic 1: Organizational Governance Governance in GRC Context Three Lines Model Governance King Report IT Governance Management and Board Governance Audits Topic 2: Culture, the Control Environment, and Engagements Control Environment Basis for Evaluating Ethics Auditing the Control Environment Culture's Impact on Control Environment Culture and Engagements Topic 3: Risk and Risk Management Risk Concepts Enterprise Risk Management (ERM) Risk Management Standards 2120 and 2120.A1 Risk-Based Audit Planning Topic 4: Risk Management Frameworks COSO’s ERM Framework ISO 31000 Framework Assessments of ERM Topic 5: Process and Function Risk Management Effectiveness Assessing ERM on an Engagement Topic 6: Internal Audit Role in the Organization’s ERM Internal Audit’s Role in the Organization’s ERM Interaction with the Board in Relation to ERM Section F: Fraud Risks Topic 1: Fraud Risks and Types Fraud Risks and Types Developing Fraud Knowledge Fraud Triangle Red Flags of Fraud Topic 2: Fraud Controls Preventing and Detecting Fraud Fraud Awareness Education Topic 3: Forensic Auditing Fraud Investigations Engagement Fraud Risks Forensic Auditing Techniques Bibliography Indexa separate section for the organization and reporting structure, which may also delve into specific functional responsibilities. Exhibit 1-8: Authority The “Independence and Objectivity” section of the charter describes the importance of internal audit independence and objectivity and how these will be maintained, as seen in Exhibit 1-9. Exhibit 1-9: Independence and Objectivity The “Responsibilities” section of the charter lays out major areas of ongoing responsibility. As seen in Exhibit 1-10, the scope of engagements may be listed separately from other areas of ongoing responsibility. Exhibit 1-10: Responsibilities The “Quality Assurance and Improvement Program” section, shown in Exhibit 1-11, describes the expectations for developing, maintaining, evaluating, and communicating the results of a quality assurance and improvement program. Exhibit 1-11: Quality Assurance and Improvement Signatures at the end of the charter document agreement among the CAE, a designated board representative, and the individual to whom the CAE administratively reports. As seen in Exhibit 1-12, the dates and the titles of the signatories are included in this section. Exhibit 1-12: Signatures Topic 3: Assurance versus Consulting This topic discusses the difference between the assurance and consulting services that are provided by the internal audit activity. Assurance and Consulting Services Internal auditors provide a variety of assurance and consulting (advisory) services. The IPPF glossary defines assurance services as: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements. The glossary defines consulting services as: Advisory and related client services activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training. Assurance and consulting services are referenced in Implementation Standards listed with Attribute Standard 1000 in the IPPF, seen below. According to The IIA Implementation Standard 1000.A1 (Assurance Engagements) The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx According to The IIA Implementation Standard 1000.C1 (Consulting Engagements) The nature of consulting services must be defined in the internal audit charter. Let’s look at some key differences between assurance and consulting, and some examples of the different types of services internal auditors may provide. Assurance Services Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusion regarding an entity, operation, function, process, system, or other subject matter. Three parties are generally involved in assurance services: The person or group directly involved with the entity, operation, function, process, system, or other subject matter—the client The person or group making the assessment—the internal auditor The person or group using the assessment—the user or stakeholder The nature and the scope of the assurance engagement are determined by the internal auditor. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx Assurance services are at the core of internal auditing. While others can provide consulting services, internal audit has the knowledge of the organization and the independence to provide the board with the information, facts, and conclusions they need to make appropriate decisions. Assurance work makes up the majority of internal audit activities. Examples of assurance services may include: Financial. Performance. Compliance. System security. Due diligence. Strategic. Consulting Services Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. They generally involve two parties: The person or group offering the advice—the internal auditor The person or group seeking and receiving the advice—the engagement client The nature and the scope of a formal consulting engagement are subject to agreement with the engagement client. Such agreements should be formalized in writing. Consulting services can include any advisory activity that improves the organization’s governance, risk management, controls, and compliance. The following are examples of different types of consulting services. Advisory consulting engagements. These engagements are designed to offer advice and might include: Advising on control design. Advising during development of policies and procedures. Participating in an advisory role for high-risk projects. Advising on certain enterprise risk management activities. Recommending solutions to key issues or challenges facing the organization. Training consulting engagements. These engagements are educational in nature and might include: Training on governance, risk management, and internal control. Benchmarking internal areas with comparable areas of similar organizations to identify best practices. Post-mortem analysis—that is, determining lessons learned from a project after it is completed. Facilitative consulting engagements. These engagements might include: Facilitating an organization’s risk assessment process. Facilitating management’s control self-assessment. Facilitating a task force charged with redesigning controls and procedures for a new or changed area. Acting as a liaison between management and independent outside auditors, government agencies, vendors, and contractors on control issues. Consulting may range from formal engagements, defined by written agreements, to informal activities, such as participating in standing or temporary management committees or project teams. Internal auditors may be requested to help in special consulting engagements, such as participation in a merger or acquisition project or in an emergency engagement. These may require departure from normal or established procedures for conducting consulting engagements. The following are common examples of consulting activities: Business process improvement Risk and control self-assessment Continuous monitoring of controls Internal control review Forensic audits Operational readiness (product launch, new service or system) Governance principles and practices Ethics training Internal control training Participation on committees Consistent with the IIA’s Code of Ethics, a consulting engagement should never be conducted in an attempt to circumvent assurance engagement requirements such as the need to provide an opinion at the end of an engagement. Services once conducted as an assurance engagement may be performed as a consulting engagement—if deemed appropriate. Blended Engagements Assurance and consulting services are not mutually exclusive, so an audit activity can have both assurance and consulting components. A blended engagement may consolidate elements of assurance and consulting activities. A blended engagement may take the form of a due diligence engagement to provide assurance and consulting services in support of management's evaluation of an acquisition candidate, for example. In other instances, individual components of an engagement may be specified as assurance or consulting. Thisblending of the two types of services can add value and create efficiencies. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx However, if assurance and consulting services are blended, it must be ensured that there are no conflicts of independence, objectivity, or otherwise with regard to roles and responsibilities. Topic 4: IIA Code of Ethics Conformance This topic discusses the IIA’s Code of Ethics, including its four key components: Integrity Objectivity Confidentiality Competency According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: IPPF Code of Ethics Implementation Guides Purpose of the Code of Ethics https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx Exhibit 1-13: The Code of Ethics The purpose of the IIA's Code of Ethics is to promote an ethical culture in the profession of internal auditing. It is necessary and appropriate for the profession of internal auditing. The Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components: Principles that are relevant to the profession and practice of internal auditing. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx The Code of Ethics applies to both entities and individuals that perform internal audit services. The placement of the Code of Ethics within the IPPF is shown in Exhibit 1-13. According to The IIA Code of Ethics Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Key Point It is especially important for the CAE to uphold the Code of Ethics, thereby setting the tone for the value of ethics among the team. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable and, therefore, the member, certification holder, or candidate can be liable for disciplinary action. We will now focus on each of the four main principles in the Code of Ethics, starting with integrity. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Integrity The Code of Ethics describes integrity as follows: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. The Rules of Conduct specify that internal auditors: 1. Shall perform their work with honesty, diligence, and responsibility. 2. Shall observe the law and make disclosures expected by the law and the profession. 3. Shall not knowingly be a party to any illegal activity or engage in acts that are discreditable to the profession of internal auditing or to the organization. 4. Shall respect and contribute to the legitimate and ethical objectives of the organization. While the principle of integrity applies to all auditors, it may be implemented differently from the perspective of the CAE compared to the perspective of the individual auditor. As the leader of the internal audit activity, the CAE should cultivate a culture of integrity by acting with integrity and adhering to the Code of Ethics. In order to assist in cultivating that culture, the CAE may: Require internal auditors to agree in writing to follow the IIA’s Code of Ethics and any additional ethics-related policies. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Emphasize the importance of integrity by providing training that demonstrates integrity and other ethical principles. Effectively managing the internal audit activity includes proper engagement supervision and periodic reviews of internal auditors’ performance, which provide opportunities to discuss how integrity may be challenged and applied in real situations. The CAE should also maintain a working environment in which internal auditors feel supported when expressing legitimate, evidence-based observations, conclusions, and opinions, even if they are not favorable. For the individual auditor, integrity may be considered primarily a personal attribute, making it difficult to measure, enforce, or guarantee. In simple terms, internal auditors are expected to tell the truth and do the right thing, even when it is uncomfortable or difficult to do so. Objectivity The Code of Ethics describes objectivity as follows: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Objectivity is defined in the IPPF glossary as: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. The Rules of Conduct specify that internal auditors: 1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization. 2. Shall not accept anything that may impair or be presumed to impair their professional judgment. 3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. The CAE may create relevant policies and procedures, for example, regarding gifts or requiring internal auditors to complete a form disclosing potential conflicts of interest and impairments to objectivity. For internal auditors, objectivity can be best pursued by providing a balanced assessment, ensuring that they are not unduly influenced in forming judgments, and avoiding conflicts of interest and impairments. The Standards provide a systematic and disciplined internal audit approach that can assist with ensuring objectivity. Confidentiality The Code of Ethics describes confidentiality as follows: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. The Rules of Conduct specify that internal auditors: 1. Shall be prudent in the use and protection of information acquired in the course of their duties. 2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethicalobjectives of the organization. Information includes data in physical form and in electronic form. Confidentiality involves protecting information from being disclosed to unauthorized individuals, both within and outside the organization. Internal auditors should understand laws and regulations related to confidentiality and information security as well as any policies specific to their organization or the internal audit activity. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx To properly follow confidentiality laws and regulations, organizations usually issue information security policies. To better understand the impact of legal and regulatory requirements and protections, the CAE should consult with legal counsel. Organizational policies and procedures may require that specific authorities, such as legal counsel, review and approve business information before external release. The CAE may implement additional policies, processes, and procedures for the internal audit activity and external consultants to follow, typically closely aligned with the IPPF’s Mandatory Guidance. During meetings or training of the internal audit activity, the CAE may discuss principles, rules, policies, and expectations related to confidentiality. Ultimately, internal auditors are responsible for practicing confidentiality, which may be most evident when receiving confidential, proprietary, or personally identifiable information during the course of an audit engagement. To comply with the Rules of Conduct related to the confidentiality principle, internal auditors must follow established procedures for disclosure. Internal auditors should not use insider financial, strategic, or operational knowledge to bring about personal financial gain. Competency The Code of Ethics describes competency as follows: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services. The Rules of Conduct specify that internal auditors: 1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience. 2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing. 3. Shall continually improve their proficiency and the effectiveness and quality of their services. The CAE is responsible for ensuring the competency of the internal audit activity as a whole. However, individual internal auditors are responsible for their own conformance with the competency principle, the Rules of Conduct, and the relevant standards and for obtaining the knowledge, skills, and experience needed to perform their responsibilities and to continually improve their proficiency and quality of service. To ensure the competency of the internal audit activity as a whole, the CAE should inventory the skills and experience of individual auditors, https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx align them with the competencies needed to fulfill the internal audit plan, and identify any gaps in coverage. The CAE may address deficiencies by: Providing training and mentorship. Rotating internal audit staff. Bringing in guest auditors. Hiring external service providers. The CAE should also develop polices and procedures that include regularly reviewing individual performance and should encourage educational and training opportunities when possible. To gain insight into their level of competency, proficiency, and effectiveness and to find areas for potential growth, internal auditors should regularly assess themselves. Internal auditors should also seek constructive feedback from peers, supervisors, and the CAE. Internal auditors may build their competencies by pursuing educational and mentorship opportunities and supervised work experiences that enable them to expand their skills. Properly supervised internal audit engagements play a large role in facilitating the development of internal auditors, because most internal audit activities have limited resources. Individual internal auditors are responsible for taking the necessary actions to obtain any continuing professional education and development hours they may need. They should be aware of the current requirements for maintaining the active status of any credentials they hold. Most certifications require the completion of ethics training and continuing professional development. Section B: Independence and Objectivity This section is designed to help you: Define independence and objectivity in terms of internal audit. Interpret organizational independence of the internal audit activity. Explain the importance of independence in an internal audit activity. Explain the reporting relationships for internal auditors. Identify whether the internal audit activity has any impairments to its independence. Assess and maintain an individual internal auditor’s objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity. Analyze policies that promote objectivity. According to The IIA The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members. Attribute Standards: www.theiia.org/Attribute-standards Performance Standards: www.theiia.org/Performance- standards Standards and Guidance: www.theiia.org/Guidance Position Papers: www.theiia.org/Position-papers Implementation Guidance: www.theiia.org/Practiceadvisories Practice Guides and GTAGs: www.theiia.org/Practiceguides This section covers the crucial requirements for the internal audit activity to be independent and individual internal auditors to be objective. Lacking either of these crucial traits can render the results of engagements and the recommendations of internal audit unreliable and inaccurate, to the detriment of the organization. Topic 1: Organizational Independence This topic discusses the organizational independence of the internal audit activity, including the importance of independence and functional reporting. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx https://na.theiia.org/about-us/about-ia/Pages/Position-Papers.aspx https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standards 1100, 1110, 1111, 1112 Organizational Independence According to The IIA Attribute Standard 1110, “Organizational Independence” The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity. Independence is defined in the IPPF glossary as “the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.” These conditions often stem from the organizational placement and assigned responsibilities of internal audit. The assigned roles and responsibilities for internal audit vary from organization to organization based on factors such as: Organizational size. Type of operations. https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspxCapital structure. Legal and regulatory environment. If the internal audit activity does not have sufficient organizational status and autonomy, the ability to effectively manage the independence of its work and reports is subject to question. Standard 1110 is effectively achieved when the CAE reports functionally to the board. Some examples of this functional reporting involve the board: Approving the internal audit charter. Approving the risk-based internal audit plan. Approving the internal audit budget and resource plan. Receiving communications from the CAE on the internal audit activity’s performance relative to its plan and other matters. Evaluation and compensation of the CAE. Appointment and removal of the CAE. According to The IIA Implementation Standard 1110.A1 (Assurance Engagements) The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx Functional oversight requires the board to create the right working conditions to permit the operation of an independent and effective internal audit activity. The board monitors the ability of the internal audit activity to operate independently. The IIA recommends that the CAE report administratively to the CEO, indicating that the CAE is in a senior position with the authority to perform duties unimpeded. However, in some cases, the CAE has an administrative reporting line to a member of senior management, which enables the requisite stature and authority of internal audit to fulfill responsibilities. The essential point is that the CAE will have unrestricted access to report sensitive matters to the highest level of governance in the organization. Generally, the CAE, the board, and senior management discuss and agree upon internal audit's responsibility, authority, and expectations as well as the necessary organizational placement of internal audit and CAE reporting relationships to enable internal audit to fulfill its duties. The internal audit charter will reflect the decisions reached during those discussions. According to The IIA Attribute Standard 1111, “Direct Interaction With the Board” The chief audit executive must communicate and interact directly with the board. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx In addition to the administrative reporting relationship to the CEO and/or senior management, the CAE typically has a direct functional reporting relationship with the board or audit committee, as seen in Exhibit 1-14. Exhibit 1-14: Internal Audit Reporting Structure With such a relationship, the CAE will have many opportunities to communicate and interact directly with the board, such as during audit committee and/or full board meetings, as well as through the ability to directly contact the chair or any member of the board. Access to these meetings allows the CAE to absorb strategic business and operational developments as well as raise high-level risk, system, procedure, or control issues at an early stage. A private meeting with the board, without senior management present, is formally conducted at least annually to discuss matters and issues. CAEs without direct access to the board can share Standard 1111 (as well as Standards 1100 and 1110), recommended governance practices, and board/audit committee best practice studies to pursue https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx a stronger relationship and direct access. CAEs in this situation may consider written communications to the board until a direct line of communication is available. In addition to the audit committee, the board and/or senior management also play a major role in setting the tone and substance of the internal audit activity. According to The IIA Attribute Standard 1100, “Independence and Objectivity” The internal audit activity must be independent, and internal auditors must be objective in performing their work. As seen in Standard 1100, independence is viewed as an attribute of the internal audit activity, whereas objectivity is an attribute of the individual auditor. The attribute of the internal audit activity relates to its organizational independence. Objectivity Objectivity is defined in the IPPF glossary as: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Maintaining this impartial state of mind and avoiding conflicts of interest is prerequisite to any value being gained from internal audit work. It is the responsibility of the CAE to ensure that internal audit staff are not placed in situations where they feel unable to make objective professional judgments. The CAE should monitor potential conflicts of interest and bias within the internal audit activity and make assignments accordingly to avoid problems. One strategy for an individual internal auditor to ensure that he or she is acting objectively is to consult with others in the internal audit activity when addressing potentially sensitive areas. The CAE may use an internal audit policy manual or handbook that describes expectations and requirements for an unbiased mindset. To reinforce the importance of those policies, some CAEs will hold routine workshops or training on fundamental concepts. CAE Roles Beyond Internal Auditing The IIA recommends that the CAE not have operational responsibilities beyond the internal audit activity. If the CAE does have other operational responsibilities, such as risk management or compliance, the CAE typically discusses the independence concerns and the potential objectivity impairment with the board and senior management. According to The IIA Attribute Standard 1112, “Chief Audit Executive Roles Beyond Internal Auditing” Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence and objectivity. To address the risks of impairment in situations where the CAE is asked to take on a role outside of internal audit, the CAE should gain an understanding of any proposed role that falls outside of internal auditing and speak with senior management and the board about the reporting relationships, responsibilities, and expectations related to the role. In situations where the CAE has roles outside of internal audit, the board and/or senior management will implement safeguards to limit the impairment. Examples include: Periodically evaluating CAE responsibilities. Developing alternate processes to obtain assurance related to the additional areas of responsibility. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx Being aware of the potential objectivity impairment when considering internal audit risk assessments. When the CAE is asked to take on a role outside of internal audit, documentation of any safeguards that were established to address potential impairments may be used to demonstrate conformance with Standard 1112. The CAE can also demonstrate conformance by showing that other assurance providers have assessed the areas where the CAE had undertaken additional roles beyond internal auditing. Ensuring Independenceand Objectivity in Small Audit Activities The 1100 section of the Standards is an area where there could be a high degree of challenge for smaller internal audit activities. Small audit shops may encounter challenges with independence and objectivity because of the reporting structure or the newness of the activity, closer associations with management, weaker organizational governance, and the existence of additional responsibilities outside the core activity. The IIA suggests the following approaches to addressing this challenge: The CAE must maintain open communications with the board and senior management regarding the critical need for auditor independence and objectivity. In areas where auditors may have been given operational responsibilities, the CAE should provide various alternatives for how those areas might be audited. In organizations where close working relationships are expected, engagements should always be performed with objectivity in mind. When issuing a report where independence or objectivity could not be achieved at an acceptable level, the CAE must disclose that fact in the audit report, including the reasons and the related impact. Topic 2: Impairments to Independence This topic discusses what impairments may hinder the independence of the internal audit activity. This can be caused by issues stemming from the individual auditor’s personal impairments, such as conflict of interest, as well as structural and operational limits caused by reporting structures and resource limitations. According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standard 1130 Practice Guide, “Interaction with the Board” Impairments to Independence https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Interaction-With-the-Board-Practice-Guide.aspx According to The IIA Attribute Standard 1130, “Impairment to Independence or Objectivity” If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend on the impairment. Disclosing impairments to independence or objectivity, in accordance with Standard 1130, gives auditors the opportunity to perform the requested service and provide the needed audit information but at the same time empowers the customers to determine for themselves whether or not to rely on the audit results. This must be disclosed before accepting consulting engagements, in accordance with Implementation Standard 1130.C2. According to The IIA Implementation Standard 1130.C2 (Consulting Engagements) If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement. Examples of impairment to organizational independence and objectivity may include: https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx Personal conflict of interest. Scope limitation. Restrictions on access to records, personnel, and properties. Resource limitations. Assurance services provided within a period after an internal audit consulting engagement. The final example may be completed without impairment by following Implementation Standard 1130.A3. According to The IIA Implementation Standard 1130.A3 (Assurance Engagements) The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided the internal objectivity is managed when assigning resources to the engagement. To fully understand and appreciate independence and objectivity, it is important that internal auditors consider the perspectives of their various stakeholders and the conditions that could be perceived as undermining or appearing to undermine independence and objectivity. Examples of organizational independence impairments include the following, which can also undermine internal auditor objectivity: https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx The CAE has broader functional responsibility than internal audit and executes an audit of a functional area that is also under the CAE’s oversight. The CAE’s supervisor has broader responsibility than internal audit, and the CAE executes an audit within his or her supervisor’s functional responsibility. The CAE does not have direct communication or interaction with the board. The budget for the internal audit activity is reduced to the point that internal audit cannot fulfill its responsibilities as outlined in the charter. The first example is specifically governed by Implementation Standard 1130.A2, which requires that audits in an area under the CAE's oversight be overseen by a party outside the internal audit activity. According to The IIA Implementation Standard 1130.A2 (Assurance Engagements) Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity. When internal auditors observe what they believe to be an impairment, typically they will begin to address it by discussing the https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx situation with an internal audit manager or the CAE to determine whether it is truly an impairment and how to best proceed. The determination of who must receive the details of an impairment is dependent on the expectations of the internal audit activity and the CAE responsibilities to senior management and the board as described in the internal audit charter as well as the nature of the impairment. This requires that the CAE have a clear understanding of independence and objectivity requirements. Documents that may demonstrate conformance with Standard 1130 include the internal audit policy manual, board meeting minutes, memos to file, or reports that contain such disclosures of impairments to independence and objectivity. Topic 3: Individual Internal Auditor’s Objectivity This topic discusses how the internal audit activity should monitor and promote objectivity for individual internal auditors. This includes policy decisions that the CAE may make that will greatly affect objectivity, such as compensation and promotion policies. https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx According to The IIA In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standards 1120 and 1130 Assessing and Maintaining Objectivity According to The IIA Attribute Standard 1120, “Individual Objectivity” Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. Conflict of interest is a situation in which an internal auditor has a competing professional or personal interest. It exists even if no unethical or improper act results. It can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. In order to implement Standard 1120, the CAE will first want to understand policies or activities within the organization and within internal audit that could enhance or hinder objectivity.