Raleigh, NC CIA Review Course 2020 “New Exam Format” Part I Essentials of Internal Auditing Garland Granger, CPA, CIA, CFE Professional Accounting Seminars, Inc. 5406 Garden Lake Drive, 2-H Greensboro, NC 27410 336.681.7397Parti Essentials of Internal Auditing Table of Contents Summary of Part 1. Guidance for Multiple-Choice Questions. Guidance for Exam Preparation. Study Unit 1 ~ Foundations of Internal Auditing. Study Unit 2 — independence, Objectivity, Proficiency, Care, & Quality. Study Unit 3— Governancs Study Unit 4 — Risk Management. Study Unit 5 - Controls: Types and Framework... Study Unit 6 - Controts: Application... Study Unit 7 — Fraud Risks and Controls..Summary of Part 1 4. The CIA exam for Part 1 includes 125 multiple-choice questions and one has 2.5 hours to complete the exam. 2. Content specifications — A significant portion of those topics are tested at the proficiency level. However, many of these topics are tested at the basic level. Refer to the IIA content specification to determine the areas testes for these requirements. Percentage Study Tested Units Foundations of Internal Auditing 15% 1-2 Independence and Objectivity 15% 1-2 Proficiency and Due Professional Care 18% 1-2 Quality Assurance and Improvement Programs 7% 1-2 Governance, Risk Management, and Controls 35% 3-6 Fraud Risks 10% 7 Preparatory Information The material in this manual comes from Gleim’s CIA Review book. There are 7 study units in his book. There are 7 corresponding study units in these notes. The notes are intended to highlight the key information that you should know in order to pass the exam. You should go through the outlines in this manual prior to reading the study units in Gleim’s book. Once you have read both portions, you should then answer the questions at the end of the study units in Gleim You should also note that the sentences in this manual that come directly from the Standards will be in bold letters. Key words or phrases will also be in bold letters because they are important to know. Instructor Contact Information You can contact Garland at his email address — a3ia am or call him at 336.681.7397 if you have any questions or recommendations for improvement in the review course.Guidance for Multiple-Choice Questions Multipie-Choice Questions Techniques There are several techniques used to prepare a multiple-choice question for the exam. It is important to be able to recognize the type of question being asked The following list contains several of these techniques. A B. c. Asstraight knowledge question. There are no tricks to answering these questions. You need to know the material to get them right. Application questions require that one apply the concepts in a given situation. These are the more difficult questions. A true or false question. “Which of the following answers is false with respect to . (0r it could be which is true)". Remember that if the question asks for a false answer, three of the answers are true and if they ask for a true answer, three of the answers are false. The use of NOT or EXCEPT FOR within the question. “All of the following answers are correct except for......... The use of the words “primary, objective, or primary objective”. The answer generally will be the broadest answer. Normally, when you see this type of question, you will have one answer that is the objective and three answers with an application of the concept with a procedure. A procedure is not an objective One type of question will require that you know that three of the answers are incorrect more than knowing that the fourth answer is correct. The question was not written so that you knew the correct answer but that you recognized that the other three are will not work. An incomplete answer is not necessarily a wrong answer. For example, the objective of internal audit is to add value and improve operations. If the answer to a question regarding the objective of 1A only listed one of the two objectives and no other answer listed both, then the one listed objective would be the correct, but incomplete, answer. Warnings and Advice A. Avoid answers with the words All, Always, and Only. They are too limiting since there are often options in everything we do in internal audit. Rarely are those words used in a correct answer. For long questions, read the last sentence from the body of the question first to determine the content of the question. Then read the information after reading the last sentence looking for the purpose of the question. For really tong questions, | recommend that you skip them until you have completed all of the shorter questions because they can use up too much time, Do the long questions last. Rank the questions as a 1, 2, or 3. A“1” question is defined as one when you know the correct answer. Answer that question immediately. A “2" is any question when you have eliminated one or two answers but arenot sure of the correct answer. On a sheet of paper, write down the number of the question and the possible correct answers. Skip it until you have completely answered all of your 1s. A “3” is any question that is extremely long ‘or for which you have no idea about the answer. Mark it as a3 and do those questions last. Never leave them blank and try to determine if any answers might be eliminated because of certain words such as all, only, or always in an answer. This approach will help you focus first on the questions that you know. Then you can focus on the questions when you have eliminated one or two answers. By the time you review these questions, the nerves will be gone and your mind will be clearer. Also, by working the questions you know first, you may remember the information needed to answer a 2 question. You are on your own with a 3 but you should think about the question and examine the answers to determine if you can eliminate an answer or two. You do not want to waste time on these questions. Remember that before you work a 3 you should work the long questions that you skipped earlier if you think you can solve the question.Guidance for Exam Preparation ove te ciebare i a exam My manual is an outline of the main points from the Gleim study units (7) that one must know to pass the exam. You must realize that there is a difference between understanding and learning. My only objective is to help you understand the material that could be tested. Your goal is to then learn the material sufficiently to pass the exam. Leaming involves studying the material and working additional questions until you feel comfortable that you know the material. My approach is to lecture on the material in a study unit followed by working selected multiple-choice questions to reinforce your understanding of the material. After we finish the course, your responsibilty is to learn the material we have covered together. B. The question most often asked of me is “How much time should | spend preparing for the exam?" My answer is very simple. The best way to determine the amount of time you might need to study will be dictated by the percentage of questions you answer correctly during the course. If you get a high percentage of the questions correct that we work together, you probably have a good understanding of the material. You will only eed to reinforce this material by studying the notes and working additional questions until you fee! comfortable with your knowledge base If, on the other hand, you miss a high percentage of the questions we work together, you probably do not have a good understanding of the material. As we discuss the questions during the class, your goal is to make sure you understand why you missed the question. in my estimation, you will need to spend more time on that subject studying the notes and working many more questions to reinforce the learning process C. cannot easily give you a number of hours that you should prepare because it will be based upon the information in B above. However, to be on the safe side, I would attempt to spend about 3 hours per study unit outside of this course. You may find that on some study units, you will need less time and on others you will need more time. Study until you feel comfortable with the entire body of information tested. Try not to have any weaknesses in any subject area. However, one must realize that one does not need to know 100% of the material included in Gleim. It is very important that you know all of the material in the notes of this course since they represent about 92 - 96% of what is normally tested. D. Assuming you are using the Gleim manuals, | always recommend that you ead the answers to each multiple-choice question even if you get the answer correct. By learning why three of the answers are incorrect, you are also learning the material so that you will not miss that question in the future. Always read Gleim's answers.Study Unit 1 Foundations of Internal Auditing |. Applicable Guidance A Mandatory guidance is based on the iHA’s International Professional Practices Framework. \t contains mandatory guidance and strongly recommended guidance. Mandatory guidance consists of three parts. 4. The Definition of Internal Auditing, a. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. 2. The Code of Ethics (discussed later in this unit) 3. The Standards. They serve the following four purposes: a. Guide adherence with the mandatory elements of the International Professional Practices Framework b. Provide a framework for performing and promoting a broad range of value-added internal auditing. c. Establish the basis for the evaluation of internal audit performance. d. Foster improved organizational processes and operations. The Standards are represented by four areas. 1. Attribute standards gover the responsibilities, attitudes, and actions of the IA activity and the people who they serve. 2. Performance standards govern the nature of IA and provide quality criteria for evaluating the IA function's performance. 3. Interpretations — IA attempts to clarify any concepts and terminology related to either Attribute or Performance standards. 4. Implementation standards expand upon the individual Attribute or Performance standards that apply to all engagements. Strongly recommended guidance 1. Position papers, practice advisories, and practice guides are all designed to give strong recommendations for implementation of the standards but do not carry the same weight as the Mandatory Guidance issues. Purpose, authority, and responsibility of the IA activity 1. The purpose is to provide independent, objective assurance and consulting services designed to add value and improve an organization's operations. 2. Authority to perform the tasks of IA rests with the Board of Directors and is exhibited through the charter.3. Responsibility is to provide the organization with assurance and consulting services that will add value and improve the organization's operations. Codes of Ethical Conduct for Professionals — Core Principles A. Components of an ethical code 1 Integrity 2. Objectivity ~ being unbiased. 3. Confidentially 4. Competency Purpose of the Code of Ethics ‘A. Every profession needs a code of ethics because it establishes a minimum level of behavior that members of that profession should adhere to in order to maintain the type of behavior that guides members in the conduct of their professional responsibilities. The Code establishes principles that guide internal auditors and delineates the Rules for proper behavior. The Code cannot address every issue intemal auditors will face but provides a framework for making ethical decisions in such cases. Therefore, it is important that internal auditors understand the primary essence of the Code in order to properly apply the concepts to unusual situations. B. Tobe effective, enforcement of the Code is vital through disciplinary action taken by the IIA for unethical conduct. One may know the Code but still not act ethically. Code of Ethics AL Integrity — internal auditors: Shall perform their work with honesty, diligence, and responsibility. 2 Shall observe the law and make disclosures expected by the law and the profession 3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization 4, Shall respect and contribute to the legitimate and ethical objectives of the organization. B. Objectivity — intemal auditors: Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization 2. Shall not accept anything that may impair or be presumed to impair their professional judgment. 3. Shall disclose all material facts known to them that, if not disclosed, ‘may distort the reporting of activities under review. C. Confidentiality — internal auditors:D. 1, Shall be prudent in the use and protection of information acquired in the course of their duties. 2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization Competency - internal auditors: 1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience. 2. Shall perform internal audit services in accordance with the ‘Standards for the Professional Practice of Internal Auditing 3. Shall continually improve their proficiency and the effectiveness and quality of their services. V. Internal Audit Charter A The purpose, authority, and responsibility of the intemal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Audit, the Code of Ethics, the Standards, and the Definition of Internal Audit). The CAE must periodically review the internal audit charter and present it to senior management and the board for approval. 1. Senior management and the Board must mutually agree to the following items: a, The objectives and responsibilities of IA. b. The expectations of IA c. The function and reporting lines of the CAE. d. The level of authority of IA. 2. The charter is drafted and presented to senior management and the Board for review and approval. Once approved, it is formally presented to the Board for approval a. The minutes from the Board meeting provides evidence of approval b. The CAE retains the approved charter. 3. The charter is a formal, written document. An auditee must not be able to place a scope limitation on the IA activity by refusing to make data available. 4, The engagement client must be informed about the purpose, authority, and the responsibility of IA to prevent any misunderstandings about access to people and records. 5. |Awill always refer to the charter whenever there are disagreements regarding their responsibilities. 6. The CAE is responsible for periodically assessing whether IA, as defined in the charter, continues to be adequate to enable the activity to accomplish its objectives.The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit charter. The chief audit executive should discuss the Mission of the Internal Audit and the mandatory elements of the International Professional Practices Framework with senior management. Definitions 1. Chief Audit Executive (CAE) — a senior level position that manages the internal audit function for a company by following the charter and the Mandatory Guidance issued by the IIA. 2. The Board of Directors — the governing group that is responsible for overseeing the organizational activities. The Board can have an Audit Committee as a sub-committee of Board members who act as a liaison between intemal and external auditors and the full Board‘Study Unit 4 Foundations of Internal Auditing Questions +. _ Which Standards expand upon the other categories 5. Objectivity isan ethical requirement forall persons of Standards? Sogagod in bo profesional prac of inemal ‘auditing. One aspect of objectivity requires A. Performance Standards, BL Attribute Standards. A. Performance af professional duties in accordance wih relevant laws. implementation Standards. He peaeenaeientiin \voidance of conflict of intares D. Allof the choices are correct. C.. Retraining from using confidential information for unethical or illegal advantage, 2._The purpose of the internal audit activity can be D. Maintenance of an appropriale level of ‘best described as professional expertise. A. Adding value to the organization. B. Providing additional assurance regarding fair resontation of financial statements. 6. In complying with The lIA's Code of Ethics, an ‘ntemal auditor should CC. Expressing an opinion on the adequate design ‘and functioning ofthe system of internal contol ‘Assuring the absence of any fraud that wouk! materally affect the financial statements. ‘A. Use individual judgment in the application of the principles set forth in the Code. , 'B. Respect and contribute to the objectives of the organization oven ifits engaged in legal activites. C. Go beyond the limitation of personal technical skills to advance the interest of the organization. D. Primarily apply the competency principle in establishing trust 3, The Standards consist of thres types of Standards. ‘Which Standards apply to the characteristics of providers of internal auditing services? A. Implementation Standards. B. Performance Standards . Attribute Standards. D, 77 Which situation is most likely a violation of The WN’ Independence Standards. Sade of Ethics? ‘A. Reporting apparent violations of antitrust ‘statutes by aflcers to government regulators. 1B. Cooperating with the government's criminal Investigation of the organization. CC. Reporting apparent violations of antirust statutes By officers to the boarc of directors. 4. 4 formal code of ethics should do all ofthe “allowing except A. Effectively communicate acceptabie values to allmembers immedi violent crime observed 2. Commitee agen vate ton ._Immeditelyrepertng a vlen crime cbse euiders ° Reflect only legal standards of conduct for individuals and the organization. 1D. Provide @ method of policing and iscipining ‘members of the organization for violations. 8. The llAs Cade of Ethics requres intemal auditors © parform their work with Honesty, iigence, and responsibilty. Timeliness, scbrlety, and clay Knowledge, skils, and competencies. Punetualiy, objectvly, and responsibility. voeE8. Anintemal auditor discovered some materia! ‘naffcencies n'a purchasing uncon. The’ purchasing manager Is the internal auditor s next-door Feighbor and best frend. In accordance with The IlA's (Cogs of Ethics, the interna auctor should A, Objectively include tho facts of te ease in the ‘engagernent communicators. B._ Not repor the incident because of loyalty fo the fiend Include the facts of the case in a special communication submitted only to the friend. D. Not report tne friend unless the activity is egal 10. In their reporting, intemal auditors are required by The tlA's Code of Ethics to A. Present sulficient factual information without revealing confidential matters that could be Setrimental to the organization 8. Disclose all material information obtained by the aucitor as ofthe date af the final ‘engagement communication. ©. Obtain factual information within the ‘established time and budget parameters. 9. Disclose material facts known to the internal auditor thal could distort the final engagement communication if not revealed 111. Which ofthe following situations is violation of ‘The IIA's Code of Ethics? |A. An internal auditor, with the knowledge and Consent of management, accepted a token fit rom a customer ofthe organization that fas not presumed to impair and ded not imoair judgment, B. Knowing that management was aware of the situation, an intemal auditor purposely left a ‘escription of an unlawful practice out of the final engagement communication. . An internet auditor shared techniques with internal austors from another organization 1D. Based upon knowledge of the probable Success of he employers business, an lntemal aucitor invested in a mutual fund that ‘Specialized in the same industy. 42. ‘Which ofthe folowing actions takan by a cif audit executive (CAE) could be considered professionally sthical under The lIA's Code of Ethics? A. The CAE decides to delay an engagement at abranch so that his nephew, the branch Manager, will have time to “clean things up, 8. Tosave organizatonal resources, the CAE >>SBDOOSOA a ovwo0000mIndependence, Objecti Section Unit 2 ity, Proficiency, Care and Quality 1 Independence of the Internal Audit Activity (IAA) The Attribute Standards on Independence states that the JAA must be independent, and internal auditors must be objective in performing their work. A 1 2. Independence refers to an organizational characteristic of the entire internal audit activity. Independence is accomplished through the organizational level to which the activity reports and the ability to gain access to information. There is a dual reporting that is both functional and administrative a. Functionally, IA reports to the board which gives IA the authority to audit all areas of the organization b. Administratively, IA reports to senior management which aids in 1A fulfiling its organizational responsibilities. It represents the freedom from conditions that threaten the ability of the internal audit activity or the CAE to carry out internal audit responsibilities in an unbiased manner. The CAE should have unrestricted access to both senior management and the Board. IA must have support of the CEO to be fully independent. Independence is enhanced when the IAA is free to gain access to any necessary information to complete the engagement within its scope. The chief audit executive should report to a level within the organization that allows the JA activity to fulfill its responsibilities. The CAE must confirm to the board, at least annually, the organizational independence of the IA activity. 1 2. 3. The CAE should have direct lines of communication with the audit committee, board of directors, and other governing authorities The Board should approve the hiring and termination of the CAE to enhance independence. The Board approves all decisions regarding the performance evaluation, appointment, or removal of the CAE. The Board approves the annual compensation and salary adjustment of the CAE. The Board receives communication from the CAE regarding issues as part of internal controls and communications that might not include the CEO The Board approves the charter. The Board approves the internal risk assessment and the audit plan.