wiley ciaexcel exam review focus

FOCUS NOTES 2015

Wiley CIAexcel Exam Review

Part 1: Internal Audit Basics

S. RAO VALLABHANENI

Cover image: John Wiley & Sons, Inc. Cover design: John Wiley & Sons, Inc.

Copyright © 2015 by S. Rao Vallabhaneni. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

ISBN 978-1-119-09526-2 (Paperback); ISBN 978-1-119-09747-1 (ebk); ISBN 978-1-119-09759-4 (ebk); ISBN 978-1-119-09525-5 (Part 2); ISBN 978-1-119-09519-4 (Part 3); ISBN 978-1-119-09533-0 (Set)

Printed in the United States of America

Contents

Preface

CIA Exam Study Preparation Resources

CIA Exam-Taking Tips and Techniques

CIA Exam Content Specifications

Domain 1 Mandatory Guidance (35–45%)

• Definition of Internal Auditing

• International Standards

• IIA’s Code of Ethics

Domain 2 Internal Control and Risk (25–35%)

• Types of Controls

• Management Control Techniques

• Internal Control and Alternative Control Frameworks

• Risk Vocabulary and Concepts

• Fraud Risk Awareness

• Risk Factors, Red Flags, and Symptoms of Fraud

• Acts, Traits, and Profiles of Fraud Perpetrators

Domain 3 Conducting Internal Audit Engagements—Audit Tools and Techniques (28–38%)

• Data-Gathering Tools and Techniques

• Data Analysis and Interpretation

• Process Mapping

• Audit and Legal Evidence

Appendix Sarbanes-Oxley Act of 2002

• Title II—Auditor Independence

• Title III—Corporate Responsibility

• Title IV—Enhanced Financial Disclosures

About the Author

Index

Preface

The Wiley CIAexcel Exam Review Focus Notes 2014 are developed for each of the three parts of the Certified Internal Auditor (CIA) Exam 2014 sponsored by The Institute of Internal Auditors (IIA). The purpose of the Focus Notes is to digest and assimilate the vast amounts of knowledge, skills, and abilities tested on the CIA exam in a clear, concise, easy-to-read, and easy-to-use format anywhere and any time to achieve success in the exam.

Each of the Focus Notes book topics is organized in the same way as the Wiley CIAexcel Exam Review book topics, that is, one Focus Notes book for each of the three-part review books. This clear linkage makes the exam study time more efficient and long-lasting, and provides the ability to recall important concepts, tools, and techniques, and the IIA Standards tested on the CIA exams. The Focus Notes can be used with any other study materials that you have determined work best for you to prepare for the CIA Exam. The Focus Notes provide a quick and easy refresher to the material that you are studying.

The Wiley Focus Notes are similar to index cards and flash cards in terms of purpose. The Focus Notes complement and supplement, not substitute, the Wiley Review books, where the former provides a summarized theory and the latter provides a detailed theory.

For students who are studying Wiley’s preparation resources exclusively, we sincerely recommend that the CIA Exam candidate study the Focus Notes and Glossary section for each part a few weeks prior to taking the actual exam for maximum retention and recall of the subject matter, assuming that the candidate has previously studied the Wiley CIAexcel Exam Review books.

The Focus Notes books will be especially useful to auditors who are traveling on an audit assignment, as well as to others who are not traveling, because their small and compact size makes them portable. The simplified summaries included in this material will help you learn the essential knowledge and retain it for years to come. The Focus Notes books can also be used as desk references on a post-exam basis, similar to a dictionary.

CIA Exam Study Preparation Resources

We recommend the following study plan and three review products for each Part of the CIA Exam to succeed in the exam:

• Read each part’s review book (Theory)

• Practice the web-based online test bank software (Practice)

• Reinforce the theoretical concepts by studying the Focus Notes (Theory)

A series of review books have been prepared for the candidate to utilize for all three parts of the new CIA exam. Each part’s review book includes a comprehensive coverage of the subject matter (theory) followed by some sample practice multiple-choice (M/C) questions with answers and explanations (practice). The sample practice M/C questions included in the review book are taken from Wiley’s web-based online test software to show you the flavor of questions. Each part’s review book contains a glossary section, which is a good source for answering M/C questions on the CIA Exam.

The web-based online test bank software is a robust review product that simulates the format of the actual CIA Exam in terms of look and feel, thus providing intense practice and greater confidence to the CIA Exam candidates. The thousands of sample practice questions (5,275 plus) included in the online test bank can provide greater confidence and solid assurance to CIA exam candidates in that they are preparing well for all the required topics tested in the exam. All practice questions include explanations for the correct answer and are organized by domain topics within each part. Visit www.wiley.com.

The following is a part summary showing the number of sample practice questions included in the online test bank and the number of questions tested in the actual CIA Exam.

| Part Summary | Wiley Sample Practice Questions | CIA Exam Actual Test Questions |
|---|---|---|
| Part 1 | 750+ | 125 |
| Part 2 | 725+ | 100 |
| Part 3 | 3,800+ | 100 |
| Total Questions in Three Parts | 5,275+ | 325 |

Focus Notes provide a quick review and reinforcement of the important theoretical concepts, which are presented in a summary manner taken from the details of the review books. The Focus Notes can be studied just before the exam, during travel time, or any other time available to the student.

When combined, these three review products provide a great value to CIA Exam students and we are positive that they will recognize the value when they see it, feel it, and experience it.

We suggest a sequential study approach in four steps for each part of the exam, as follows:

Step 1. Read the glossary section at the end of each part’s review book for a better understanding of key technical terms

Step 2. Study the theory from each part’s review book

Step 3. Practice the multiple-choice questions from the online test bank for each part

Step 4. Read the Focus Notes for each part for a quick review and reinforcement of the important theoretical concepts

In addition, CIA Exam candidates should read Practice Guides from The Institute of Internal Auditors (IIA) because these guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, audit work programs, and step-by-step audit approaches, as well as examples of audit deliverables. These Practice Guides are not included in Wiley’s Review Books due to their voluminous size and the fact that they are available from the IIA (www.theiia.org).

CIA Exam-Taking Tips and Techniques

The types of questions a candidate can expect to see on the CIA Exam are objective and scenario-based multiple-choice (M/C) questions. Answering the M/C questions requires a good amount of practice and effort.

The following tips and techniques will be helpful in answering the CIA Exam questions:

• Stay with your first impression of the correct choice.

• Know the subject area or topic. Don’t read too much into the question.

• Remember that questions are independent of specific country, products, practices, vendors, hardware, software, or industry.

• Read the last sentence of the question first followed by all choices and then the body (stem) of the question.

• Read the question twice or read the underlined or circled keywords twice, and watch for tip-off words, such as not, except, all, every, always, never, least, or most, which denote absolute conditions.

• Do not project the question into your organizational environment, practices, policies, procedures, standards, and guidelines. The examination is focusing on The Institute of Internal Auditors’ (IIA’s) Professional Standards and Publications and on the CIA’s exam syllabus (i.e., content specifications).

• Try to eliminate wrong choices as quickly as possible. When you get down to two semifinal choices, take a big-picture approach. For example, if choices A and D are the semifinalists, and choice D could be a part of choice A, then select choice A; or if choice D could be a more complete answer, then select choice D.

• Don’t spend too much time on one question. If you are not sure of an answer, move on, and go back to it if time permits. The last resort is to guess the answer. There is no penalty for guessing the wrong answer.

Remember that success in any professional examination depends on several factors required of any student such as time management skills, preparation time and effort levels, education and experience levels, memory recall of the subject matter, state of the mind before or during the exam, and decision-making skills.

CIA Exam Content Specifications

Part 1 of the CIA Exam is called internal audit basics and the exam duration is 2.5 hours (150 minutes) with 125 multiple-choice questions. The following is a breakdown of topics in that Part.

Domain I: Mandatory Guidance (35–45%)*

A. Definition of internal auditing (P)**

B. International standards (P)

C. Code of Ethics (P)

Domain II: Internal Control and Risk (25–35%)

A. Types of controls (e.g., preventive, detective, input, and output) (P)

B. Management control techniques (A)

C. Internal control framework characteristics and use (e.g., COSO and Cadbury) (A)

D. Alternative control frameworks (A)

*Indicates the relative range of weights assigned to this topic area for both theory and practice sections in the CIA Exam.

**Indicates the level of difficulty for each topic in the CIA Exam expressed as (A) for Awareness and (P) for Proficiency. (A) = Candidates must exhibit awareness (i.e., knowledge of terminology and fundamentals) in these topic areas. (P) = Candidates must exhibit proficiency (i.e., thorough understanding and ability to apply concepts) in these topic areas.

E. Risk vocabulary and concepts (A)

F. Fraud risk awareness (A)

• Types of fraud (A)

• Fraud red flags (A)

Domain III: Conducting Internal Audit Engagements – Audit Tools and Techniques (28–38%)

A. Data gathering

• Review prior audit reports and other relevant documentation as part of a preliminary survey of the engagement area (P)

• Develop checklists/internal control questionnaires as part of a preliminary survey of the engagement area (P)

• Conduct interviews as part of a preliminary survey of the engagement area (P)

• Use observation to gather data (P)

• Conduct engagement to assure identification of key risks and controls (P)

• Use non-statistical (judgmental) sampling method (P)

B. Data analysis and interpretation

• Use computerized audit tools and techniques (e.g., data mining and extraction, and continuous monitoring) (P)

• Conduct spreadsheet analysis (P)

• Use analytical review techniques (e.g., ratio estimation, variance analysis, budget vs. actual, trend analysis, and other reasonableness tests) (P)

• Draw conclusions (P)

C. Data reporting

• Report test results to auditors in charge (P)

D. Documentation and work papers

• Develop work papers (P)

E. Process mapping (P)

F. Evaluate relevance, sufficiency, and competence of evidence (P)

• Identify potential sources of evidence (P)

Focus on: Mandatory Guidance (35–45%)

DEFINITION OF INTERNAL AUDITING

The globally accepted definition of internal auditing states the fundamental purpose, nature, and scope of internal auditing:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

INTERNATIONAL STANDARDS

Internal auditing is conducted in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, conformance with The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity. These standards are drawn from the International Professional Practice Framework (IPPF).

If internal auditors or the internal audit activity are prohibited by law or regulation from conformance with certain parts of the Standards, conformance with all other parts of the Standards and appropriate disclosures are needed.

If the Standards are used in conjunction with standards issued by other authoritative bodies, internal audit communications may also cite the use of other standards, as appropriate. In such a case, if inconsistencies exist between the Standards and other standards, internal auditors and the internal audit activity must conform with the Standards and may conform with the other standards if they are more restrictive.

The purpose of the Standards is to:

• Delineate basic principles that represent the practice of internal auditing.

• Provide a framework for performing and promoting a broad range of value-added internal auditing.

• Establish the basis for the evaluation of internal audit performance.

• Foster improved organizational processes and operations.

The structure of the Standards is divided between Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals performing internal auditing (numbered from 1000 to 1322). Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured (numbered from 2000 to 2600). The Attribute and Performance Standards apply to all internal audit services.

Implementation Standards are also provided to expand on the Attribute and Performance Standards, by providing the requirements applicable to assurance or consulting activities.

Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. Generally there are three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter—the process owner; (2) the person or group making the assessment—the internal auditor; and (3) the person or group using the assessment—the user.

Consulting services are advisory in nature and generally are performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice—the internal auditor; and (2) the person or group seeking and receiving the advice—the engagement client. When performing consulting services, the internal auditor should maintain objectivity and not assume management responsibility.

Attribute Standards (1000 to 1322)

Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive (CAE) must periodically review the internal audit charter and present it to senior management and the board for approval (IIA Standard 1000).

The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter. The nature of consulting services must be defined in the internal audit charter.

The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the CAE’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work. Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the CAE has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels (IIA Standard 1100).

Organizational Independence

The CAE must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The CAE must confirm to the board, at least annually, the organizational independence of the internal audit activity. The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results (IIA Standard 1110).

Organizational independence is effectively achieved when the CAE reports functionally to the board. Examples of functional reporting to the board involve the board:

• Approving the internal audit charter.

• Approving the risk-based internal audit plan.

• Receiving communications from the CAE on the internal audit activity’s performance relative to its plan and other matters.

• Approving decisions regarding the appointment and removal of the CAE.

• Making appropriate inquiries of management and the CAE to determine whether there are inappropriate scope or resource limitations.

Direct Interaction with the Board

The CAE must communicate and interact directly with the board. Direct communication occurs when the CAE regularly attends and participates in board meetings that relate to the board’s oversight responsibilities for auditing, financial reporting, organizational governance, and control. The CAE’s attendance and participation at these meetings provide an opportunity to be apprised of strategic business and operational developments and to raise high-level risk, systems, procedures, or control issues at an early stage. Meeting attendance also provides an opportunity to exchange information concerning the internal audit activity’s plans and activities and to keep each other informed on any other matters of mutual interest. Such communication and interaction also occurs when the CAE meets privately with the board, at least annually (IIA Standard 1111).

Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. “Conflict of interest” is a situation in which an internal auditor who is in a position of trust has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual’s ability to perform his or her duties and responsibilities objectively (IIA Standard 1120).

Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend on the impairment. “Impairment to organizational independence and individual objectivity” may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding (IIA Standard 1130).

The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent on the expectations of the internal audit activity’s and the CAE’s responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment. The following must be noted:

• Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which he or she had responsibility within the previous year.

• Assurance engagements for functions over which the CAE has responsibility must be overseen by a party outside the internal audit activity.

• Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

• If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
