Chap 1:

1.1 NATURE OF INTERNAL AUDIT

Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organisation’s operations. It helps an organisation accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance process.

The adoption of current “Definition of Internal Audit” reflected two inportant elements:
(i) Acceptance that internal audit could in fact provide both assurance and consulting services.
(ii) The scope of internal audit work had broadened from pure controls to risk management, control, and
governance

Element:
(1) Helping the organisation accomplish its objectives
- Operation objective (operational and financial performance goals, safeguarding resources against loss)
- Reporting objective (internal/external financial/non-financial report ~ reliability, timeliness,
transparency, or other items)
- Compliance objective (adherence to laws and regulation, entity’s policies)

(2) Evaluating and improving the effectiveness of risk management, control, and governance
processes.
Risk managerment:
 Strategic implemented in respect of business risks operate effectively
- Business risk  anythinh that stops a company a achieving its objectives
Ex: new competitor, non-payment cusstomer, loss of key member of staff,..
- Director’s responsible for identifying the risk and implement strategies to manage the risk
- IA  assist director
+ identify the risk
+ design, implement internal control to mitigate the risk (including risk due to fraud)
Internal control
 Director  responsible for designing, implementing and assessing the effectiveness of internal
control
 IA  assist director
 Def: is process and procedures within a business to stop things go wrong
 Objectivies
- Safeguard the company’s assets
- Prevent and detect fraud
- Safeguards the shareholder’s investment
- To comply with laws and regulations
- The business can run effectively
 Director is main responsible design, implement, monitor of internal control
 Internal audit is assist director to assess the effectiveness of internal control.
Coporate governance
(3) Assurance and consulting activity designed to add value and improve operations.
Q5: What is the difference between internal assurance services and internal consulting services?

Internal assurance services Internal consulting services

Engagement A three-party relationship, A two-party relationship, involving:

parties involving: - Internal Auditor
- User - Customer
- Internal auditor
- Auditee

Application of While the Attribute and Performance Standard apply equally to both assurance
Standard and consulting services, there is a set of Implementation Standards for each type
of services.

More stringent Less stringent

Engagement Providing independent Providing assist advisory to add value and

purpose assessment improve the organisation.

Engagement Third- party exist No third- party exist

communication
Example of blended engagements:

Example Engagements example Example consulting

assurance components components
Risk management: internal - Assess the adequacy of Facilitate the annual risk
auditing provides assurance the existing risk management assessment process - Advise on
and consulting services in program different
support of the against best practices strategies that may be used
organization’s risk - Evaluate the completeness to manage key risks. Train
management program of the enterprise risk risk owners on their risk
universe and management
reasonableness of the risk responsibilities
ratings - Advise management on
- Assess whether the the steps necessary to
information provided by initiate an enterprise-wide
management to the board is risk management program
accurate, relevant, and
comprehensive
(4) Independence and objectivity
Q6: What is the difference between independence and objectivity as they pertain to internal auditors?

Independence Objectivity

Independence refers to the organisation status of the internal Objectivity refers to the mental attitude
 audit function. of individual internal auditors.

To achieve the degree of independence, CAE has direct and Individual objectivity: Internal auditors
unrestricted access to senior management and the board must have an impartial, unbiased attitude
through a dual-reporting relationship. and avoid any conflict of interest.
- CAE reports functionally to the board. - CAE reports
administrative reporting to the senior management.

3 pillars for rffectives internal audit service incuded: independence & objectivity, proficiency, due
professional care
 S1110 – organizational independence
 Examples of functional reporting to the board involve the board:
Approving the internal audit charter
Approving the risk-based internal audit plan
Approving the internal audit budget and resource plan
Receiving communications from the chief audit executive on the internal audit activity’s
performance relative to its plan and other matters.
Approving decisions regarding the appointment and removel of the CAE
Approving the remuneration of CAE
Making appropriate inquiries of management and CAE to determine whether there are
inappropriate scope or resource limitations.
- Administrative reporting is concerned the day-to-day operations of the Internal audit activities
(between internal audit and management (CEO)
 S113 – impairment to idependence or objectivities
Exam focus: state the chief audit executive (CAE) responsibilities of maintaining the
organisational independence of the internal audit activities
 Objectivities is impaired if: tính khách quan bị suy giảm
Internal audittor provided assurance services for an activity. for which the
internal auditor had responsibilities within the previous year
 Objectivities is presuned not to be impaired if: ko bị suy giảm
IA provide assurance service
thought it had previously performed consulting services. Because
provided nature of the consulting did not impair objectivity.
 Independence and objectivity may be impaired: có thể bị suy giảm
If assurance services are providedd within 1 year after a fomal consulting
engagement
=> Step can be taken to minimize the affects of impairment by:
1. assigning different auditors to perform each ò the services
2. establish independence mgt and supervision
3. defining separate accoutabiliyy for the result of the project
4. disclosing the presumed impairment

Standard 1111 – Direct Interaction with the Board

Standard 1120 – Individual Objectivity: Internal auditors must have an impartial, unbiased attitude and
avoid any conflict of interest.
(Standard 1200 – Proficiency and Due Professional Care
Standard 1210 – Proficiency
Standard 1220 – Due Professional Care
Standard 1230 – Continuing Professional Developmet)
(5) A system and disciplined approach (the engagement process)

1.2 VALUE PROPOSITION OF IA FOR KEY STAKEHOLDERS = Assurance + Insight +

Objective

Assurance Insight Objective

Governance, Risk, and Control Catalyst, Analyses, and Integrity, Accountability, and
Assessments Independence

Internal audit provides assurance Internal audit is a catalyst for With commitment to integrity
on the organisation’s improving an organisation’s and accountability, internal
governance, risk management, effectiveness and efficiency by audit provides value to BOD
and control processes to help the providing insight and and senior management as an
organisation achieve its strategic, recommendations based on objective source of
operational, financial, and analyses and assessments of data independent advice.
compliance objectives. and business processes.

IPPF:
1. Misson of internal audit
2. Mandatory guidance
- Core principles for the professional practice of internal auditing
- Definition of internal auditing
- Code of ethics
- international standards for the professional practice of internal auditng (standard)
3. recommend guidance
- Implementation guidance
- Supplemental guidance

1.3 INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK

1. Mission (sứ mệnh): Add value
- Internal audit activities must be directed at increasing the organization’s value or at protecting it
- There are 3 general types of activities that comprise the services internal audit provides: Risk-based and
objective assurance/advice/insight.
2. Mandatory Guidance (hướng dẫn bắt buộc):
- Core Principles for the Professional Practice of Internal Auditing
1. Demonstrates integrity
2. Demonstrates competence and due professionalcare
3. Is objective and free from undue influence (independent)
4. Aligns with the strategies, objectives, and risks of the organization 5. Is appropriately positioned and
adequately resourced
6. Demonstrates quality and continuous improvement
7. Communicates effectively
8. Provides risk-based assurance
9. Is insigntful, proactive, and future-focused
10. Promotes organizational improvement

- Definition of Internal Audit (phần 1.1)

- Standards:
AS Attrubute Standards address the characteristics of organizations and parties performning internal audit
activities
PS Performance Standards describe the nature of internal audit activities and provide criteria against
which the performance of these services can be evaluated.
- Code of Ethics:
4 Principles + 10 Rules
1. Integrity: establish trust and thus provides the basis for reliance on their judgment.
1.1 Shall perform their work with honesty, diligence, and responsibility
1.2 Shall observe the law and make disclosures expected by the law and the profession
1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the
profession of internal auditing or to the organization.
1.4 Shall respect and contribute to the legitimate and ethical onjectives of the orgazation

2. Objectivity:
2.1 Shall not practicipate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationship that may be in conflict
with the interests of the organization.
2.2 Shall not accept anything that may impair or be presumed to impair their professional judgement
2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
activities under review

3. Confidentiality:
3.1 Shall be predent in the use and protection of information acquired in the course of their duties
3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or
detrimental to the legitimate and ethical objectives of the organization

4. Competency:
4.1 Shall engage only in those services for which they have necessary knowledge, skills, and experience.
4.2 Shall perform internal audit services in accordance with the International Standards for the
Professional Practice of Internal Auditing
4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.
(Implementation Guidance & Supplemental Guidance)

1.4 GOVERNANCE
Definition: Governance is defined as the combination of processes and structures implemented by the
board to inform, direct, manage, and monitor the activities of the organisation toward the achievement of
its objectives.
Governance has two majour components:
+, Strategic direction: (i) business model, (ii) overall objectives, (iii) approach to risk taking, (iv) limit of
organization conduct
+, Oversight includes (i) risk management activities performed by senior management and risk owners
and (ii) internal and external assurance activities.
The BOARD is the highest-level governing body charged with the responsibility to direct and oversee the
organization’s acitivities and hold the senior management accountable. The board may refer to a
committee (audit committee). It also has the ultimate responsibilities for oversight.
AUDIT COMMITEE: promote the independence of the internal and external auditor by protecting them
from management’s influence.
Function regarding to internal auditor:
- Selecting or removing the CAE and setting his or her compensation
- Approving the internal audit charter; Reviewing and approving theinternal audit’s work plan
- Resolving disputes between the internal audit activity and managemet
- Communicating with the CAE, who attends all audit committee meetings
- Reviewing the internal audit activity’s work product
- Ensuring that engagement results are given due consideration
- Overseeing appropriate corrective action for deficiencies noted by internal audit activity
- Making appropriate inquiries of management and the CAE to determine whether audit scope and
budgetary limitations impede the internal audit activity to meet its responsibility.

Functions of audit committee regarding the external audit activity:

- Selecting the external auditing firm and negotiating its fee
- Overseeing and reviewing the work of the external auditor
- Resolving disputes between the external auditor and management
- Reviewing the external auditor’s internal control and audit report.

Management performs day-to-day governance function. Senior management carries out the board
directives to achieve objectives.
Senior management (BOD) determines who is risk owner and how specific risks will be managed.
Senior managemet can best execute (thực hiện) its governance responsibilities by:
- Establishing a risk committee, for example a chief risk officer (CRO)
- Articulating reporting requirements.

Risk owners are responsible for (i) evaluating the adequacy of the design and implement of risk
management activities, (ii) establishing moitoring activities, (iii) ensuring the information to be reported
to senior management and the board is accurate, timely, and avaiable.
Roles of IA in governance:
(BOD design & implement governance NOT IA)
The internal audit activity must assess and make appropriate recommendations to improve the
organisation's governance processes for:
- Reviewing the organisation policies relating to:
- Compliance with laws and regulations
- Ethics
- Conflict of interests
- Investigation fraud allegations
- Reviewing organisational risk and governance
- Providing information on employee conflicts of interest, misconduct, fraud, and other outcomes of the
organisation’s ethical procedures.

1.5 RISK MANAGEMENT PROCESS

Definition: Risk management is a process to identify, assess, manage, and control potential events or
situations to provide reasonable assurance regarding the achievement of its objectives.
Control conducted by management to mitigate (giảm thiểu) risks to acceptable levels. Risk managemet
process includes: (1) identification of context, (2) risk identification, (3) risk assessment and
prioritization, (4) risk response, (5) risk monitoring
Roles in risk management process
The internal audit function plays an important role in evaluating the effectiveness of and recommending
improvements to ERM Enterprise Risk Management./The internal audit activity may be directed to
examine, evaluate, report, or recommend improvements. The board have an oversight function that risk
managemet processes are in place, adequate, and effective.
Management ensures that sound risk management processes are functioning. Core internal audit roles:
Reviewing the management of key risks
Evaluating the reporting of key risks
Evaluating risk management processes
Giving assurance that the risks are correctly evaluated
Giving assurance on the risk management processes
Roles internal audit should not undertake
Setting the risk appetite
Imposing risk management processes
Management assurance on risks
Taking decisions on risk responses
Implementing risk responses on management’s behalf
Accountability for risk management

Internal audit:
- Can do  assurance or Consulting activities
- Should not do
1. Risk appeticle (risk taking – risk adverse – risk neutral)
 2. Taking decision on risk reponse
3. Implementing risk response on behalf of mgt
4. Accountability for risk managerment
In their role as internal auditors, there are a number of things they should not do to maintain independence
and objectivity. First, auditors should not determine the risk appetite of the organization, as the
organization may be inclined to take risks for high returns, avoid risks, or be risk neutral. Second, they
should not decide on risk responses; instead, they should only evaluate and make recommendations on
risk management processes. Third, auditors should not perform risk responses on behalf of management,
as this may create a conflict of interest. Finally, they should not be responsible for the organization’s risk
management, but only evaluate and report on the effectiveness of those risk management processes.
Adhering to these principles helps internal auditors perform their role well and protects the integrity of
the audit process.
1.6 IN-HOUSE vs OUTSOURCED
As with “Outsourced with in house management”, plus:
- Risks remain with the organization but reside with someone who is not an employee - Management may
have less control
- In-house manager is unlikely to be audit trained and may not have the knowledge to ensure audit quality
is maintained.
In-house Out-sourced

Provided exclusively or Conducted by a service provider contracted to the organisation,

predominately in-house staff and with the service provider also managing the internal audit function.
managed in-house by an Manager of the service provider contract is conducted in-house by
employee an employee of the organization who is unlikely to have
knowledge and experience of internal auditing.
of the organization

Internal audit services are Internal auditor is delivered by one or more service providers.
delivered by in-house staff. Passive management by organization, with management of internal
Actively managed by an in-house audit acitivities generally left to the service provider.
manager.

Knowledge of organization Fewer employee shortages

business, objective, risks, systems Flexibility
ad culture Agility ro respond Can provide specialist skills not avaiable in-house
quickly to emerging issues
No conflict of interest
More direct control over quality
of audit work
REVIEW QUESTION
Q1: What are three components of the internal audit value proposition set forth by The IIA?
Q2: How does The IIA define internal auditing? + its elements
Q3: What are four categories of business objectives discussed in this chapter?
 - Strategic objectives: pertain to the value creation choices management makes on behalf of the
organisation's stakeholder
- Operation objective (operational and financial performance goals, safeguarding resources against loss)
- Reporting objective (internal/external financial/non-financial report ~ reliability, timeliness,
transparency, or other items)
- Compliance objective (adherence to laws and regulation, entity’s policies)
Q4: What are the definitions of governance, risk management, and control provided in this chapter?
Q7: Describe the role of the internal audit function in the governance process
Q8: Describe the role of the internal audit function in the risk management process
Q9: Describe the role of the internal function in control [PS 2130]
The internal audit activity must assist the organisation in maintaining effective controls by evaluating
their effectiveness and efficiency and by promoting continuous improvement. The internal audit activity
must evaluate the adequacy and effectiveness of controls in responding to risks within the organisation’s
governance, operations, and information systems regarding the:
- Achievement of the organisation’s strategic objectives.
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations and programs.
- Safeguarding of assets.
- Compliance with laws, regulations, policies, procedures, and contracts. - Internal auditors must
incorporate knowledge of controls gained from consulting engagements into evaluation of the
organisation’s control processes.
MULTI-CHOICE QUESTIONS
Q1: Which of the Standard expands upon the other categories of Standard?
A. Performance Standards (nature + criteria)
B. Attribute Standards (characteristics)
C. Implementation Standards (recommend guidance)
D. All of the choices are correct
Implementation Standards expand upon the Attribute andPerformance Standards. They provide
requirements applicable to specific engagements.
Q2: The purpose of the IA activity can be best described as:
A. Adding value to the organisation
B. Providing additional assurance regarding fair presentation of FSs.
C. Expressing an opinion on the effectiveness of internal control
D. Assuring the absence of any fraud that would materially affect the FSs.
Because it belongs to IA’s definition. Internal auditing is an independent, objective assuranceand
consulting activity designed to add value and improve an organization’soperations.
Q3: According to the IIA Standards, which of the following is not included in the scope of the
internal audit function
A. Appraising the efectiveness and efficiency of operations and programs.
B. Reviewing the strategic management process, assessing the quality of management decision making
both quatitatively and qualitatively and reporting the results to the audit committee
C. Reviewing the means of safegoarding assets
D. Complying with the laws, regulations, policies, procedures, and contracts.

(C1)Because it doesn’t not belong to the scope if the IA’s function

(C2) Scope of internal audit function: (control, risk mgt, governance)
a. Operational auditing
b. Not function
c. Operational auditing
d. Compliance auditing

Q4: The Standards consist of the three types of Standards. Which standards apply to the
characteristics of providers of IA services?
A. Implementation standards
B. Performance standards
C. Attribute standards
D. Independence standards
IPPF attribute standard states that Attribute Standards concern the characteristics of organizationsand
parties providing internal auditing services.
Q5: A formal code of ethics should do all of the following except:
A. Effectively communicate acceptable values to all members
B. Communicate the org’s value system to outside
C. Reflect only legal standards of conduct for individuals and the organization
D. Provide a method of policing and disciplining members of the organization for violations
It is not involved in code of ethics (4 principles + 10 rules). An ethical organization aspires to a higher
standard of behavior than mere legality.

Q6: A typical code of ethical conduct for financial managers or management accountants in an org
requires all of the following except:
A. Integrity and a refusal to compromise professional values for the sake of personal goals
B. Independece from conflic of economic interest
C. Independence from conflicts of professional interest
D. Subjectivity in presenting information, preparing reports and making analyses => objectivity
The code of ethical conduct for financial managers or management accountants in an organization
should require credibility in presenting in formation, preparing reports, and making analyses.
(Objectivity)
Q7: Objectivity is an ethical requirement for all persons engaged in the processional practice of IA.
One aspect of objectivity requires:
A. Performance of professional duties in accordance with relevant laws.
B. Avoidance of conflict of interest
C. Refraining from using confidential information for unethical or illegal advantages
D. Maintenance of an appropriate level of professional expertise
Commitment to independence from conflicts of economicor professional interest is an aspect of
objectivity.
Q8: In complying with The IIA’s Code of Ethics, an internal auditor should:
A. Use individual judgement in the application of the principles set forth in the Code
B. Respect and contribute to the objectives of the org even if it is engaged in illegal activities
C. Go beyond the limitation of personal technical skills to advance the interest of the org
D. Primaryly applied competency principle in establishing trust
The IIA’s Code of Ethics includes principles that internal auditors are expected to apply and up hold.
They are interpreted by the Rules ofConduct, behavior norms expected of internal auditors. That a
particular conduct is notmentioned in the Rules of Conduct does not prevent it from being unacceptable
ordiscreditable. Consequently, a reasonable inference is that individual judgment isnecessary in the
application of the principles and the Rules of Conduct.
Q9: In which of the following situations does the auditor potentially lack objectivity?
A. An auditor reviews the procedures for a new electronic data interchange connection to a major
customer before it is implemented
B. A former purchasing assistant performs a review of internal controls over purchasing four months
after being transferred to the internal audit department
C. An auditor recommends standard of control and performance measure for a contract with a service
organization for the processing of payroll and employee benefits
D. A payroll accounting employee assists an auditor in verifying the physical inventory of small moters
IIA standard 1130 Impairment to Independence and Objectivity state that person transferred to IA
department should not be assigned to audit those activities at least 1 year.

Q10: Which of the following actions would be a violation of auditor independence?

A. Continuing an audit assignment at a division for which the auditor will soon be responsible as the
result of a promotion
B. Reducing the scope of an audit due to budget restrictions
C. Participating on a task force which recommends standards for control of a new distribution system
D. Reviewing a purchasing agent’s contract drafts prior to their execution
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry
out internal audit responsibilities in an unbiased manner.

Q11. The IIA’s Code of Ethics includes which of the following two essential components
A. Definition of internal auditing and administrative directives
B. Principles and rules of conduct
C. Intergrity and objectivity
D. Confidentiality and competency
The IIA’s Code of Ethics extends beyond the definition ofinternal auditing to include two essential
components: (1) Principles that are relevant to the profession and practice of internal auditing and (2)
Rules of Conduct that describe behavior norms expected of internal auditors.
Q12: A Certified Internal Auditor (CIA) is working in a non-internal audit position as the director
of purchasing. The CIA signs a contract to procure a large order from the supplier with the best
price, quality, and performance. Shorty after signing the contract, the supplier presents the CIA
woth a gift of significant monetary value. Which of the following statements regarding the
acceptance of the gift of correct?
A. Acceptance of the gift would be prohibited only if it were noncustomary
B. Acceptance of the gift would violate the IIA Code of Ethics and would be prohibited for a CIA
C. Since the CIA is no longer acting as an internal auditor, acceptance of the gift would be governaned
only by the organization’s code of conduct (kickback)
D. Since the contract was signed before the gift was offered, acceptance of the gift would not violate
either the IIA Code of Ethics or the organization’s code of conduct. (kickback)
Members of The Institute of Internal Auditors andrecipients of, or candidates for, IIA professional
certifications are subject todisciplinary action for breaches of The IIA’s Code of Ethics.
Rule of Conduct 2.2under the objectivity principle states, “Internal auditors shall not accept anythingthat
may impair or be presumed to impair their professional judgment.”

Chap 2: INTERNAL AUDIT EVIDENCE AND WORKING PAPER

Sufficiet appropriate internal audit evidence
- Persuasive audit evidence
1. Sufficient
2. Competent
3. Relevant
4. Useful
Audit procedures
- Common audit procedures: analytical procedures, enquiry (send confirmation),
inspection, observation, recaculation and reperformance
Working paper:

CHAP 3:
Classification of engagements

Financial auditing Compliance auditing Operational auditing Performance auditing

A financial A compliance audit An operational audit A performance

auditing provides assesses in specific assesses the audit may provide
assurance areas as part of IA’s efficiency and assurance about the
regarding role in effectiveness of an organization’s key
financial organizational organization’s performance
reporting to governance. They operation such as: indicators. Internal
management and also follow-up and - Process (functional) auditors assess an
the board (for report on engagements organization’s
example, certify management’s - Program-results ability to measure
that the FSs are response to engagements its performance,
fairly stated in all regulatory body recognize,
material aspects) reviews. For deficiencies, and
example: take corrective
Environmental actions
auditing.
 Assessment of IC Compliance Measures used to A balanced scored
over financial adherence to assess effectiveness is useful for
reporting: - policies, plans, and efficiency performance
reporting on the procedures, laws, include the measurement
effectiveness of regulations, following: (SWOT analysis)
IC contracts, or other - The productivity
requirements (IIA ratio measures output
Glossary) relative input
- The productivity
index measures
production potential
- The resource usage
rate measures
resource use relative
to available resources
- The operating ratio
measures the
operational
efficiency of an
organization
1. What are the main reasons for conducting an assurance engagement?
There are several reasons for performing assurance engagements including:
(i) The engagement was identified in the internal audit plan
(ii) The engagement is part of an annual requirement to evaluate the organization’s system of internal
controls for external reporting purposes.
2. What three steps are generally involved in conducting a process-level risk assessment?
This involves the following three steps:
1. Identify potential fraud scenarios. Brainstorming with individuals involved in the process is an
effective way to identify the possible means by which individuals, working alone or in collusion with
others, could circumvent the process.
2. Understand potential fraud impact. The potential impact of each fraud scenario should be determined.
3. Determine whether to test for specific fraud risks. Based on the first two steps, the internal auditor can
assess, based on the inherent risk of fraud within the process, whether specific tests should be designed to
determine the vulnerability for fraud
3. What types of information may process owners have available that will help an internal auditor
understand the process?
The following may be available from process owners or others familiar with the process that may provide
useful information regarding how the process work:
● Policies relating to the process
● Procedure’s manuals
● Organizational chart
● Job descriptions for people involved in the process
● Process maps or flow charts depicting the overall how of the process
● Narrative descriptions of key tasks or portions of the process
● Copies of key contracts with customers, vendors, outsourcing partners
● Relevant information regarding laws and regulations affecting the process
● Other documentation that may have been developed to support required
reporting on the effectiveness of the system of internal controls.

4. Why must an internal auditor understand how entity-level controls may influence the
performance of a process before auditing that process?
Entity-level controls have a general meaning for the various types of audit engagements and can also be
more specific to a type of audit engagement. In general, entity-level controls are controls that are
pervasive throughout the organization versus designed for a specific division or operation such as
specifically for finance, manufacturing, research & development, etc
Entity-level controls are the overriding controls for overseeing that management directives pertaining to
the organization as a whole are implemented and enforced.
They may also be considered as higher-level controls that are more general in nature or impact a broader
audience.
These controls define an organization’s corporate culture and values. They also relate to internal values as
well as external forces such as laws, regulations, and professional standards. The entity-level controls
impact the way in which personnel operate and operational processes are designed and implemented. It
includes control environment, risk assessment, monitoring.
Deficiencies in entity-level controls can circumvent well designed controls within a process and in fact
become inherent risks to the effective operation of controls at the process level

5. What are the three most common ways of documenting a process flow?
The three most common ways of documenting a process flow as follow:
Process maps: attempt to depict the broad inputs, activities, workflows, and interactions with other
processes and outputs. They provide a framework to understand the activities and subprocesses.
Flowcharts: include additional information, frequently depicting computer systems and applications,
document lows, detailed risks and controls, manual versus automated steps, elapsed time for steps in the
process, owners of key steps, and any additional information needed to help the reviewer understand the
process and its low. Flowcharts include high-level flowcharts and detailed flowcharts.
It includes high-level flowcharts and detailed flowcharts:
+ High-level flowcharts: the purpose of high-level flowcharts is to depict broad inputs, tasks, workflows,
and outputs. A high-level flowchart helps reviewers understand the overall activities, systems, reports, and
interfaces with other processes or subprocesses. This understanding will provide a frame of reference
for identifying key subprocesses. Flowchart and systems that may be considered for the scope of the
engagement.
+ Detailed flowcharts: while the high-level flowchart is an important starting point, it does not provide the
depth and level of detail needed to support the internal auditor’s judgments regarding the design of the
process. A detailed flowchart documents the more specific inputs, tasks, actions, systems, decisions,
and outputs. In addition to provide additional information that enhances the understanding of the process.
Narrative memoranda: provide information about the process low using only written words; there is no
attempt to use symbols to depict the low. It is common to combine flowcharts with supplemental narrative
information to create a hybrid from of documentation.

6. What are the key questions that must be answered when evaluating the design adequacy of
controls?
Does the internal auditor understand what an “acceptable level” of risk is, based on management’s risk
tolerance levels for the process?
- Do the key controls, taken individually or in the aggregated, reduce the corresponding process-level
risks to acceptable levels?
- Are there additional compensating controls from other processes that further reduce risks to acceptably
low levels?
- Does it appear that key controls, if operating effectively, will support the achievement of process-level
objectives?
- To the extent appropriate, does the process design address design address effectiveness and efficiency of
operations, reliability of reporting, compliance with applicable laws and regulations, and achievement of
strategic objectives?
- What gaps, if any, exist that impede the process?

7. What factor should an internal auditor consider when determining which controls to test?
● Are there higher-level controls that might by themselves provide reasonable assurance that the relevant
risks are managed sufficiently?
● Are there other compensating controls that address multiple risk?
● Was the design of controls assed as being adequate?
● When do the key controls operate and based on the period within scope for the engagement is it
practical to test certain key controls?
● Have there been changes in the process during the period that result in certain key controls operating for
only a portion of the period within scope?

MULTI-CHOICE QUESTIONS
Q1: Which of the following is not likely to be an assurance engagement objective?
A. ,,,
B. All cash disbursement transactions must be process
C. Assess compliance with health and safety laws and regulations.
D. Determine the operating effectiveness of fixed asset controls.
Because C is a compliance auditing and D is an operational auditing

Q2: Which of the following auditee-prepared documents will likely be of greatest assistance to the
internal auditors in their assessment of process design are least relevant when conducting an
assurance adequacy?
A. Policies and procedures manual
B. Organization charts and job descriptions
C. Detailed flowcharts and job descriptions
D. Narrative memorandum listing key tasks for portions of the process.
Because while policies and procedures manuals, organization charts and job descriptions, and
memoranda listing key tasks will all be helpful, only detailed flowcharts provide the internal auditor with
a start to finish view of how the process operates, including key risks and controls.

Q3: Which of the following controls is not likely to be an entity level control?
A. All employees must receive ongoing training to ensure they maintain their competence
B. All cash disbursement transactions must be approved before they are paid
C. All employees must comply with the Code of Ethics and Business Conduct
D. An organization wide risk is conducted annually
Because it is control procedure to meet a specific objective

Q4: Which of the following external risks is least likely to impact the accuracy of financial
reporting?
A. The standard-setting body in the organization’s country issues a new financial accounting standard.
B. A recent judicial court case increases the likelihood that pending litigation will result in an unfavorable
outcome.
C. Changes standard industry contracts now allow for netting of payables and receivables
D. Competitor pressures cause the organization to pursue new sales channels.
A, B, C related to information on the financial statements and the way information is presented in the
financial statements. Therefore, they directly impact on the accuracy of financial reporting

Q5: Which of the following controls is likely to be at least relevant when evaluating the design
adequacy of the cash collections process?
A. Calculating the amount of cash received
B. Documenting the rationale for selecting the bank account into which the deposit will be made
C. Matching the total deposits to the amounts credited to customer’s accounts receivable balances
D. Segregating the preparation of deposit slips from the adjustment of customer account balances
Because A, C, D related to information of the cash collections process and the way related information is
presented in the cash collections process. Therefore, they directly impact on evaluating the design
adequacy of the cash collections process.

Q6: All the following are examples of assurance services except:

A. Financial engagement
B. Compliance engagement
C. Due diligence engagement
D. Training engagement
Correct. Training engagement is a part of consulting. The IIA’s Glossary defi nes assurance services as
“objective examination[s] of evidence for the purpose of providing an independent assessment on
governance, risk management, and control processes for the organization. Examples may include
financial, performance, compliance, system security, and due diligence engagements.
Q7: All the following are examples of consulting services except:
A. Legal counsel engagement
B. System security engagement
C. Service engagement
D. Facilitation engagement
System security engagement is a part of assurance services. The IIA’s Glossary defines consulting
services as “advisory and related client service activities, the nature and scope of which are agreed with
the client and are intended to add value and improve an organization’s governance, risk management,
and control processes without the internal auditor assuming management responsibility. Examples
include counsel, advice, facilitation, and training.”
Lưu ý của cô:
Ôn 1,2,3 và 1 phần chương 4 (trọng tâm c1 lthuyet)
Lí thuyết, MCQ chap 1,2,3,4
Case c4
Câu 1 (lý thuyết 3đ)
Câu 2 (3-4c MCQ gthich)
Câu 3: Case (1đ) – ttự câu 2 chap 4
 Issue : ngx – hậu quả/ ảnh hưởng - kiến nghị cuả KTV nằm
trong internal audit report
Đối với risk managerment và coporate governance thì phải xem ai là
ng chịu trách nhiệm chính và mqh yto risk managerment và
coporate governance vs internal audit
Chap 3:
Các dạng cv mà KTV nội bộ có thể thực hiện đc
Assurance engagement and consulting engagement (sự khác biệt)
Case: internal audit review và assess effectiveness of internal
control. Thì đây là assurance engagement hay consulting
engagement
Các đầu mục của lập kế hoạch
Engagement process (technical kỹ thuật, conclusion kết luận,
observe: qsat and recomendation
- Observe: chuẩn mực (criterial) là ntn và thực tế DN
(condition- ngx của thte và hậu quả của thte)
- Make recommendation
Vai trò của mgt và vtro của internal audit lq đến risk mgt
Risk mgt có vtro ntn vs qtri rủi ro
Internal audit có vtro qtrinh qtri rro này
Liệt kê 2 activities lq đến qtrinh qtri rủi ro mà internal audit ko nên
thực hiện vì nó có thể làm ảnh hưởng/ suy giảm đến tính độc lập
khách quan của kiểm toán nội bộ (chap 1)
Chap 4:
Case ques 2 (nhưng nd sẽ thay đổi về internal control đã học ở các
học phần phía dưới)
Định nghĩa internal audit
Có thể thực hiên cả assurance engagement and consulting assurance
nhưng phải sau 12 tháng – MCQ (lq IPPF)
Nhận định xem cái nào là assurance service, cái nào là consulting
service
Senerio bối cảnh rủi ro

Chap 1:
1. What are the three components of the internal audit value proposition set forth by The IIA?
Assurance = governance, risk , and control
Insight = catalyst, analyses, and assessments
Objectivity = integrity, accountability, and independence
2. How does The IIA define internal auditing?
Internal auditing ia an independent, objective assurance and consulting activity designed to add value and
improve an organization's opoerations
3. According to COSO, what are the four categories of business objectives?
 Strategic objectives: pertain to the value creation choices management makes on behalf of the
organization's stakeholders
 Operations objectives: pertain to the effectiveness and efficiency of organization's operations
 Reporting objectives: the reliability of internal and external reporting of financial and non-
financial information
 Compliance objectives: adherence to applicable laws and regulations
4. What are the definitions of governance, risk management, and control provided in this chapter?
 Governance is the process conducted by the board of directors to authorize, direct, and oversee
management toward the achievement of the organization's objectives.
 Risk management is the process conducted by management to understand and deal with
uncertainties (risks and opportunities) that could affect the organization's ability to achieve its
objectives
 Control conducted by management to mitigate risks to acceptable levels
5. What is the difference between internal assurance services and internal consulting services?
Assurance and consulting engagements differ in three respects: the primary purpose of the engagement,
who determines the nature and scope of the engagement, and the parties involved.

The primary purpose of internal assurance services is to assess evidence relevant to subject matter of
interest to someone and provide conclusions regarding the subject matter. The internal audit function
determines the nature and scope of assurance engagements, which generally involve three parties: the
auditee directly involved with the subject matter of interest, the internal auditor making the assessment
and providing the conclusion, and the user relying on the internal auditor's assessment of evidence and
conclusion

The primary purpose of internal consulting services is to provide advice and other assistance, generally at
the specific request of engagement customers. The customer and the internal audit function mutually
agree on the nature and scope of consulting engagements, which generally involve only two parties: the
customer seeking and receiving the advice, and the internal auditor offering and providing the advice.
6. What is the difference between independence and objectivity as they pertain to internal auditors?
Independent auditors provide their financial reporting assurance services for the benefits of third parties.
Internal auditors provide their financial reporting assurance service for the benefits of management and
board of directors
7. What are the three fundamental phases in the internal audit engagement process?
planning the engagement
performing the engagement
communicating engagement outcomes.
8. What is the relationship between auditing and accounting?
Accounting is the collection, classification, summarization, and communication of financial data. It helps
reduce a tremendous mass of detailed information into manageable and understandable proportions.

Internal auditing is reviewing the measurements and communications of a accounting for propriety.
Auditing emphasizes proof, the support for financial statements and data.
9. What is the primary difference between internal and external financial reporting assurance
services?
External (Independent) audit firms provide their financial reporting assurance services primarily for the
benefits of third parties.

Internal audit function helps the organization achieve its business objectives by evaluating and improving
the effectiveness of governance, risk management, and control processes and by providing insight through
consulting services.
10. What are some of the factors that have fueled the dramatic increase in demand for internal
audit services over the past 30 years?
globalization
increasingly complex corporate structure
e-commerce and other technological advances
a global economic downturn
devastating corporate scandals
a groundswell of new laws and regulations and professional guidance
11. What types of procedures might an internal auditor use to test the design adequacy and
operating effectiveness of governance, risk management, and control processes?
• Inquiring of managers and employees.
• Observing activities.
• Inspecting resources and documents.
• Reperforming control activities.
• Performing trend and ratio analysis.
• Performing data analysis using computer-assisted audit techniques.
• Gathering corroborating information from independent third parties.
• Performing direct tests of events and transactions.
12. Consulting activities
1. Advisory services designed to provide guidance on effective governance, risk management, and control
process.
2. Training on current and emerging governance, risk management, and control process concepts.
12. What is co-sourcing? Why might an organization choose to cosource its internal audit function?
Co-sourcing means that an organization is supplementing its in-house internal audit function to some
extent via the services of third-party vendors a third-party service provider include circumstances in
which the thirdparty vendor has specialized internal audit knowledge and skills that the organization does
not have in-house and circumstances in which the organization has insufficient in-house internal audit
resources to fully complete its planned engagements
13. How is The IIA's leadership organization structured?
The IIA headquarters' executive leadership team is headed by the president and CEO. Hundreds of
volunteers, including the IIA's Global Board of Directors.
14. What are the two categories of guidance included in the IPPF?
Category 1: Mandatory Guidance (The core principles for the Professional Practice of Internal Auditing,
the Code of Ethics, the Standards, the Definition of Internal Auditing)
Category 2: Strongly Recommended Guidance. (Implementation Guidance and Supplemental Guidance)
15. What are the three parts of the CIA exam?
Internal Auditing Basics
Internal Audit Practice
Internal Audit Knowledge Elements
16. What is the major objective of The IIARF?
Mission: To shape, expand, and advance knowledge of internal auditing.
Vision: To be a vital resource for impactful internal audit and related stakeholder research.
Strategy: To consistently set the standard for helping practitioners and academics achieve excellence in
the internal audit profession.
17. What are the seven inherent personal qualities listed in the chapter that are common among
successful internal auditors?
Integrity. Passion. Work ethic. Curiosity. Creativity. Initiative. Flexibility.
18. What are the four areas outlined in The IIA's Internal Auditor Competency Framework?
1. Interpersonal Skills
2. Tools and Techniques
3. Internal Audit Standards, Theory, and Methodology
4. Knowledge Areas
19. What are the character traits, known as the 5 Cs, that are required for success in the internal
audit profession?
 Competence: the skills and knowledge required to provide assurance and advisory services that
add value.
 Credibility: the ability to inspire trust based on consistent competence and integrity.
 Connectivity: the ability to understand the needs of each of the stakeholders individually within
the greater whole of the organization.
 Communication: instituting methods of relaying information (orally and in multiple written
forms) and listening to the individuals served.
 Courage: the personal fortitude to remain independent and objective and to stand by the results of
the engagements conducted.
20. Why is it imperative that internal auditors have integrity?
People with integrity build trust, which in turn establishes the foundation for reliance on what they say
and do.
21. How many core competencies are included in the IIA's Global Internal Auditor Competency
Framework and for what general job levels are they recommended?
10 core competencies
1. Improvement and Innovation
2. Internal Audit Delivery
3. Communication
4. Persuasion and Collaboration
5. Critical Thinking
6. IPPF
7. Governance, Risk, and Control
8. Business Acumen
9. Internal Audit Management
10. Professional Ethics
22. What are the three common ways individuals enter the internal audit profession?
1. Began careers in public accounting
2. Hired directly out of school
3. Moved from a different department of the organization
23. Do most people who work in internal auditing spend their entire careers there? Explain.
No, experience in an internal audit function serves as an excellent training ground for aspiring business
executives. Many internal auditors use the expertise they gain in internal auditing as a stepping stone into
financial or non-financial management positions.
24. What options does an individual have if he or she chooses to be a career internal auditor?
1. Progress upward through the ranks of a single organization's internal audit function into internal audit
management.
2. Stay in internal auditing but advance up the ladder toward Internal audit management, moving from
one organization to another.
3. Move upward through the various levels in a professional service firm that provides internal assurance
and consulting services.

Chap 3:
1. Which of the following is not an appropriate governance role for an organization's board of
directors?
a. evaluating and approving strtegic objectives.
b. influencing the organizations's risk-taking policy.
c. Providing assurance directly to theird parties that the organization's governance processes are effective.
d. establishing broad boundaries of conduct, outside of which the organization should not operate.
2. Which of the following are typically governance responsibilities of senior management?
I. Delgating risk tolerance levels to risk managers.
II. Monitoring day-to-day performance of specific risk management activities
III. establishing a governance committee of the board.
IV. Ensuring that sufficient information is gathered to support reporting to the board.
a. I and IV.
b. II and III
c. I, II, and IV.
d. I, II, III and IV.
3. ABC utility company sells electicity to residential customers and is a member of an industry
association that provides guidance to electric utilities, lobbies on behal fo the industry and
facilitates sharing among its members. From ABC's perspective, what type of stakeholder is the
industry association?
a. Directly involved the operation of the company.
b. Interested in the success of the company.
c. Influences the company
d. Not a stakeholder.
4. Who is responsible for establishing the strategic objectives of an organization?
a. The board of directors ( A or B)
b. Senior management
c. Consensus among all levels of management
d. The board and senior management jointly.
5. Who is ultmately responsible for indentifying new or emerging key risk areas that should be
covered by the organization's governance process?
a. the board of directors
b. senior management
c. risk owners
d. the internal audit function
6. What are the three different types of stakeholders that the board must understand? Give
examples of each type.
Stake Holders - are directly involved in the operation of the organization's business
Interested - not directly involved but are interested in the organization's business; that is, they are affected
by the success or other outcomes of the business.
Influence - some stakeholders who are neither directly involved nor interested in the success of an
organization's business, but these stakeholders may nonetheless influence aspects of the organization's
business and, as a result, the organization's success.
7. What types of outcomes might a board need to consider to understand stakeholders'
expectations?
Some of the needs and expectations are self-evident. For example, customers expect that products are
generally free of defects and vendors expect obligations to be paid on time. However, other expectations,
such as shareholders' desire for dividends versus share price growth, may require some research and
analysis to fully understand. Boards may be able to determine these expectations through internal
discussions, but they also may need to discuss expectations directly with key stakeholders.
8. Why are there arrows flowing in both directions between the different elements of governance
depicted in exhibit 3-2?
there are arrows that represent the flow of information throughout the governance structure. The board
provides direction to senior management to guide them in carrying out the risk management activities.
Senior management in turn provides direction to lower levels of management who are responsible for the
specific controls. However, lower level managers are accountable to senior management with regard to
the success of those controls. And senior management is accountable to provide the board assurances
regarding the effectiveness of risk management activities. The arrows in the exhibit depict that flow of
direction and accountability from one layer to the next.
9. What are some key U.S. regulations that have been written in response to adverse business
events?
a. Securities Act of 1933
b. Securities Exchange Act of 1934
c. Foreign Corrupt Practices Act of 1977
d. SOX
e. Dodd-Frank Wall Street Reform and Consumer Protection Act
10. The Internal Audit function should not:
a. Assess the organization's governance and risk management processes
b. provide advice about how to improve the organization's governance and risk management processes.
c. oversee the organization's governance and risk management processes
d. Coordinate its governance and risk management-related activities with those of the independent outside
auditor.
11. Which of the following would NOT be considered a first line of defense in the Three Lines of
Defense model?
a. A divisional controller conducts a peer review of compliance with financial control standards.
b. An accounts payable clerk reviews supporting documents before processing an invoice for payment.
c. An accounting supervisor conducts a monthly review to ensure all reconciliations were completed
properly.
d.A production line worker inspects finished goods to ensure the company's quality standards are met.
12. Which of the following would be considered a first line of defense in the Three Lines of Defense
Model?
a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the
required payment date.
b. A divisional compliance and ethics officer conducting a review of employee training records to ensure
that all marketing and sales staff have completed the required FCPA training.
c. The external audit team observes the counting of inventory on December 31.
d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes-
Oxley compliance with internal controls over financial reporting.
13. Which of the following would be considered a second line of defense in the Three Lines of
Defense model?
a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the
required payment date.
b. A divisional compliance and ethics officer conducting a review of employee training records to ensure
that all marketing and sales staff have completed the required FCPA training.
c. A shift supervisor inspecting a sample of finished goods to ensure quality standards are met.
d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes-
Oxley compliance with internal controls over financial reporting.
14. Companies in industries that are heavily regulated may be subject to audits by the regulator's
auditors/ While not specifically covered in the Three Lines of Defense model, such auditors would
most likely be considered:
a. Part of the first line of defense.
b. Part of the second line of defense.
c. Part of the third line of defense.
d. Not a line of defense
15. Which of the following is not a role of the internal audit funtion in best practice governance
activities?
a. Support the board in enterprisewide risk assessment.
b. Ensure the timely implementation of audit recommendations
c. Monitor compliance with the corporate code of conduct
d. Discuss areas of significant risks.
16. Which of the following statements regarding corporate governance is NOT correct?
a. Corporate control mechanisms include internal and external mechnisms.
b. The compensation scheme for management is part of the corporate control mechanisms.
c. The dilution of shareholders wealth resulting from employee stock options or employee sotkc bonuses
is an accounting issue rather a corporate governance issue.
d. The internal audit function of a company has more responsibility than the board for the company's
corportate governance.
17. What types of business events tend to drive new legislation and guidance?
a. Economic downturns
b. Fraud or other corporate wrongdoing
c. Elections or other political changes
d. Economic growth
18. Which of the following represent the best governance structure
operating management - risk
executive management - oversight role
internal auditing

CHAP 4
1. According to COSO ERM, all of the following are elements of an organization's internal
environment except:
a. setting organizational objectives
b. establishing risk appetite
c. assigning authority and responsibility
d. having predominantly indpendent directors on the board.
2. Which of the following external events will most likely impact a defense contractor that relies on
large government contracts for its success?
a. economic event
b. natural environment event
c. political event
d. social event
3. Which of the following is not an example of a risk-sharing strategy?
a. outsourcing a noncore, high-risk area
b. selling a nonstrategic business unit
c. hedging against interest rate fluctuations.
d. buying an insurance policy to protect against adverse weather.
4. An organization tracks a website hosting anonymous blogs about its industry. Recently,
anonymous posts have focused on potential legislation that could have a drastic affect on this
industry. Which fo the following may create greatest risk if this organization makes business
decisions based on the information contained on this website?
a. appropratenes of the information
b. timeliness of the information
c. accessibility of the information
d. accuracy and reliability of the information
5. Who is responsible for implementing ERM?
a. the chief financial officer
b. the chief audit executive
c. the chielf compliance officer
d. management throughout the organization
6. Which of the following is not a potential value driver for implementing ERM?
a. Financial results will improve in the short run.
b. There will be fewer surprises from year to year.
c. There will be better information available to make risk decisions.
d. An organization's risk appetite can be aligned with strategic planning.
7. Which of the follwing is the best reason for the CAE to consider the organiztion's strategic plan
in devloping the annual internal audit plan?
a. to emphaiseze the imprtance of the internal audit function to the organiation.
b. to ensure that the internal audit plan will be approved by senior management.
c. To make recommendations to improve the strategic plan.
d. To ensure that the internal audit plan supports the overall business objectives.
8. When senior magement accepts a level of residual risk that the CAE believes is unacceptable to
the organization, the CAE should:
a. Report the unaccetable risk level immediately to the chair of the audit committee and the independent
outside audit firm partner.
b. Resign his or her position in the organization
c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to
the audit committee.
d. Accept senior management's position because it establishes the risk appetite for the organization.
9. The CAE is asked to lead the enterprise risk assessment as part of an organization's
implementation of ERM. Which of the following would not be relevant with respect to protecting
the internal audit function's independence and the objectivity of its internal auditors?
a. a cross-section of management is involved in assessing the impact and likelihoood of each risk
b. risk owners are assigned responsiblity for each key risk
c. a member of senior magement presents the results of the risk assemssment to the board and
commuicates that it represents the organizaton's risk profile
d. the internal audit function obtains assistance from an outside consultant in the conducto fo the formal
risk assessment session.
10. An internal audit engagement was included in the approved internal audit plan. This is
considered a moderately high-risk audit based on the internal audit function's risk model. It is
currently on a two-year audit cycle. Which of the following will likely have the greatest impact on
the scope and approach of the internal audit engagement?
a. the area being audited invloves the processing of a high volume of transactions.
b. certain components of the process are outsourced.
c. a new system was implemented during the year, which changed how the transactions are processed.
d. the total dollars processed in this area are material.
11. A manufacturing company has identified teh following risk: "Failure of employees to conduct
required quality control procedures may result in a high level of customer returns." To which type
of objective does this risk most directly relate?
a. Strategic
b. Operations
c. Reporting
d. Compliance
12. A risk that a new competitor will significantly reduce the market share of an organization's
product likely relates to which type of objective?
a. Strategic
b. Operations
c. Reporting
d. Compliance